Unfortunately, however, passwords don’t provide the level of protection required in today’s online, interconnected world. Once stolen or guessed, they can be used by criminals to log in to applications and business systems, bypass other access controls, and wreak serious havoc.
There are also a concerning variety of attack vectors hackers can use to steal passwords or gain access. These include phishing attacks, brute-force attacks, web app attacks, point-of-sale intrusions, and even stolen hardware.
For this reason, it’s important that organisations move beyond passwords and embrace a different method of authenticating users. One of the most effective is multi-factor authentication (MFA).
The mechanics of MFA
MFA is used to ensure that digital users are who they say they are by requiring that they provide at least two pieces of evidence to prove their identity. Each piece must come from a different category:
Something you know: The most common example in this category is a password, but it could also be a PIN, a passphrase, or the answer to a question. It needs to be something known only to the individual being identified.
Something you have: The second category comprises items an individual is likely to have with them when trying to gain access to IT systems. Examples can include mobile phones, physical tokens, key fobs, and smartcards.
Something you are: This factor is often verified by a fingerprint scan on a mobile phone, but also includes anything that would be a unique identifier of your physical person. This could include a retinal scan, voice or facial recognition, or any other type of biometrics.
If one of the factors used has been compromised by a hacker, the chances of another factor also being compromised are low. This, therefore, provides much stronger security than a password alone.
MFA and mobility
As well as providing improved security for centralised IT systems and devices, MFA is also an effective way to enable enterprise mobility – something that is high on the priority list for any organisation undergoing a digital transformation strategy.
Studies show that productivity is increased when employees can use their preferred devices to easily and securely access all of the resources they need without being tied to a central office.
By using MFA to log in via a VPN, they are able to have the flexibility and on-demand access that they require, while organisations can ensure their infrastructure remains protected.
MFA and customers
While usage of MFA tends to focus on an organisation’s staff, many are also extending its usage to customers. Organisations are encouraging customer use of MFA by explaining how it can not only enhance account security without significantly impacting their sign-on experience, but also make their other interactions more streamlined.
Some organisations are even opting to make an MFA capability available through their own customer-facing mobile applications. This makes it more appealing to use as customers don’t have to download and install a separate app on their chosen device.
Some may not feel the need to require customers to use MFA in all cases. For example, they might choose to bypass MFA in low-risk scenarios, while requiring stronger security in high-risk situations.
For example, a bank may allow a customer to log into their account online with just a password but then require a second authentication factor before any transactions can be completed. A retailer may allow access to their website but require stronger authentication before a purchase can be made or account details viewed.
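The two ideas above, that MFA means factors from at least two different categories (so a password plus a security question is still single-factor) and that the second factor can be required only for higher-risk actions such as a transfer or a purchase, can be expressed as a small policy check. The following Python is an added example written for this article, not code from the original text or from any vendor; the factor-to-category mapping and the per-action risk policy are assumptions chosen to match the examples the article gives.

```python
from enum import Enum
from typing import Iterable, Set, Tuple


class FactorCategory(Enum):
    """The three MFA categories described in the article."""
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Assumed mapping of verified factor types to categories, based on the
# examples the article lists. In a real system this comes from the identity provider.
FACTOR_CATEGORIES = {
    "password": FactorCategory.KNOWLEDGE,
    "pin": FactorCategory.KNOWLEDGE,
    "passphrase": FactorCategory.KNOWLEDGE,
    "security_question": FactorCategory.KNOWLEDGE,
    "mobile_push": FactorCategory.POSSESSION,
    "hardware_token": FactorCategory.POSSESSION,
    "key_fob": FactorCategory.POSSESSION,
    "smartcard": FactorCategory.POSSESSION,
    "fingerprint": FactorCategory.INHERENCE,
    "face": FactorCategory.INHERENCE,
    "voice": FactorCategory.INHERENCE,
    "retina": FactorCategory.INHERENCE,
}

# Assumed step-up policy: the number of distinct categories each action needs.
# Low-risk actions accept a single factor; high-risk ones require true MFA.
ACTION_POLICY = {
    "login": 1,
    "view_balance": 1,
    "browse_catalogue": 1,
    "transfer_funds": 2,
    "purchase": 2,
    "view_account_details": 2,
}


def distinct_categories(verified_factors: Iterable[str]) -> Set[FactorCategory]:
    """Return the set of categories covered by the factors already verified.

    Raises ValueError on a factor type not in the mapping, so an unrecognised
    factor can never be counted towards MFA (fail closed).
    """
    categories: Set[FactorCategory] = set()
    for factor in verified_factors:
        if factor not in FACTOR_CATEGORIES:
            raise ValueError(f"unknown factor type: {factor!r}")
        categories.add(FACTOR_CATEGORIES[factor])
    return categories


def is_multi_factor(verified_factors: Iterable[str], minimum: int = 2) -> bool:
    """True only if at least `minimum` *different* categories were verified.

    Two factors from the same category (e.g. password + security question)
    do not count as MFA, which is the point the article makes.
    """
    return len(distinct_categories(verified_factors)) >= minimum


def authorize(action: str, verified_factors: Iterable[str]) -> Tuple[bool, str]:
    """Decide whether `action` may proceed given the factors verified so far.

    Returns (allowed, reason). An unknown action is treated as high-risk and
    an unknown factor as unverified, so both default to denying access.
    """
    required = ACTION_POLICY.get(action, 2)
    try:
        have = distinct_categories(verified_factors)
    except ValueError as exc:
        return False, str(exc)
    if len(have) >= required:
        return True, f"{len(have)} distinct categories verified, {required} required"
    return False, f"step-up needed: {required} distinct categories required, have {len(have)}"


if __name__ == "__main__":
    # Constructed session: the customer has logged in with a password only.
    session = ["password"]
    print(authorize("view_balance", session))    # allowed: low-risk action
    print(authorize("transfer_funds", session))  # denied: step-up required
    # After a fingerprint check on the phone, the transfer goes through.
    session.append("fingerprint")
    print(authorize("transfer_funds", session))
```

The bank scenario in the text maps directly onto `ACTION_POLICY`: a password alone is enough to see a balance, but `transfer_funds` is refused until a factor from a second category has been verified. Keeping the check on *categories* rather than on the count of factors is what stops a second knowledge factor from being mistaken for MFA.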
Overall, an effective MFA strategy will balance the risks of compromised credentials against the impact on customer engagement. Any system needs to be easy to use and not become a barrier to interactions.
It’s clear that passwords can no longer provide the levels of security needed to protect IT systems and data. By embracing MFA, organisations can ensure they have vastly improved security for their infrastructure, staff and customers. Consider whether MFA is right for you.