Considering MFA? Concentrate on what really mattersSecurEnvoy 19/09/2017, Security
With a lot of “young pretenders” in the market, there’s a real risk companies will choose hyperbole over real security benefits.
If you’re only now looking at implementing multi-factor authentication (MFA) to protect your business, you might be surprised to learn just how long the technology has been around: we created the very first tokenless two-factor platform over 20 years ago, and, while we’ve seen our share of changes – and more than a few “competitors” come and go, there are a number of core truths around authentication which have remained constant.
There seems to be a lot of sudden interest in MFA at the moment – and that has to be a good thing for everyone’s data security – but when even the biggest companies start to misunderstand what they are implementing at the risk of their customers’ data, it’s time to stop, take stock and concentrate on the fundamentals of what makes good, proper multi-factor authentication such a powerful tool.
For us at SecurEnvoy – and the CIOs we talk to, there are a number of common concerns that dominate our approach to user authentication:
Keep things simple:
The very concept of MFA is simple: using multiple authentication points – something you know, something you (and only you) have – makes unwanted access to data and systems much more difficult. So why make using MFA any more difficult than it needs to be?
Think about the effort both your system and Admins and your end users will need to make to use and manage your chosen solution: if using it makes a noticeable dent in their ability to do their jobs, then it’s likely to fail: the best solutions are both easy to roll out and maintain, and offer a true single login to ALL users’ applications and devices.
Be flexible to user needs
When as much as 63% of all data breaches involve weak passwords, it’s pretty important to ensure your security solutions encourage good user behaviour. Forcing users to jump through hoops, simply to be able to do their day job rarely ends well – if logging in remotely is made difficult for example, users will quickly result to email or USB sticks to transport data, blowing a big hole in your security. And yet, I still see companies forcing users to carry dongles, or use phone-signal dependent SMS messages to log in. The solutions that work best aren’t dependent on one, narrow method of operation, but instead flex to the individual’s preferences: They want to use a mobile app? Or a QR code? Or even NFC? Then why not let them. They’ll be happier and more likely to act securely as a result.
Focus on the things that matter
The feature sets of some MFA solutions are starting to read like the options in a new car brochure – it’s sometimes difficult to work out what really makes you more secure, and what’s marketing fluff. Is contextual data (something that no regulatory body recognises as beneficial) really going to make your business more secure? Or would focusing on meeting real regulatory and industry compliance criteria be a better bet? Make sure you understand exactly where your authentication data is held (i.e. on your servers, on your providers’ servers, or on Google’s or Amazon’s) and what that could mean for your business. Make sure you understand that your provider is in charge of their own destiny and not tethered to a third-party technology provider’s development pathway, and make sure they’ve got a track record of success. The last thing you want is to be tied to a provider who holds you back.
Technology changes fast – keep an eye on the future
BYOD, Cloud computing, remote working, the march of technology is transforming the way we work at an astonishing rate. And with that comes new challenges for data security: 13% of data breaches last year came form lost or stolen laptops, while an additional 4% came from BYOD devices (this last stat is sure to grow in the years to come) Now it’s far from uncommon for an employee to access work documents from his or her own laptop at home, their mobile device while on the train, and a company machine when they reach the office. Not to mention the advent of entirely new platforms such as wearables.