In 2016, usernames and passwords are as much a part of your identity as your driver’s license, social security number, and birth certificate.
You’re asked for them every day and you’ve probably got several combinations, maybe even dozens. For decades, the password has been the de facto standard for digital authentication, but as it turns out, passwords aren’t very secure at all.
But the problems with passwords are well-known—even the most complex passwords may be as useless as using “password” as your password, according to some recent reports. On top of that, passwords can be sold and exchanged easily, which makes them a massive liability for large organizations. Research has shown that employees could sell their passwords for as little as $150—pocket change compared to the average cost of a data breach. So when the traditional means of authentication are clearly flawed, what’s the next step?
Multi-factor Authentication Best Practices for Securing the Modern Digital Enterprise
In this white paper, you’ll learn about:
- Authentication in depth, including its vocabulary, mechanisms, and signals.
- Choosing the right MFA mechanisms for your environment.
- Applying a risk-based model to step-up MFA.
- Best practices in step-up MFA, including risk analysis, choice of authentication factors, privacy, lock-out, registration, user opt-in, suspension and bypass, self-service, native applications, initial authentication and multiple touch points/channels.
Generally, the best practice is to step up your security with step-up Multi-factor Authentication (MFA).
Multifactor Authentication, or MFA, adds an additional step (or factor) to the authentication process, typically by pairing something the user knows, such as username and password, with an action, or something the user has, such as an SMS message to their phone, an email, or a token.
Most of us have some experience with this. For example: say you want to transfer money from your bank account online. Instead of simply requiring a password, your bank probably sends an SMS to your phone to establish the required additional assurance.
MFA is quickly becoming a commonplace, essential part of the information security toolkit. In fact, it’s often required in order to meet compliance requirements, depending on your business. But choosing the right solution and vendor for you is a complicated process—one that requires in-depth research and often comes down to more than just the solution and its technical capabilities.
So how do you choose the right step-up MFA mechanism for your environment?
For starters, consider these 5 variables, courtesy of Ping Identity’s new whitepaper Multi-factor Authentication Best Practices for Securing the Modern Digital Enterprise, when making your choice:
- Does it support flexible, risk-based step-up authentication? Applying only the necessary amount of security depending upon the associated risk allows you to provide an optimal user experience, while controlling costs, improving fraud detection and creating an architecture that can flex to future demands.
- Can it be extended with passive contextual authentication? Utilizing passive user information—like geolocation, IP address, time of day and device identifiers—is the wave of the future. It provides better security and a better user experience, making it particularly suited to consumers.
- How easy is it for your customers to use? Providing a positive customer experience is key. Consider the limitations that your users may have, from non-smart phones to disabilities, as well as their potential resistance to new or invasive technologies.
- How can you mitigate the risk of opt-outs? Having a choice of authentication methods—like voice, SMS and email—can mean the difference between adoption and abandonment. Anticipating objections is another important step in increasing adoption. Planning to maximize usability and flexibility will yield the best outcomes.
- How easy is it for your employees to use? Employees can no longer be expected to go along with a less-than-optimal user experience, or one that is overly obtrusive. For customers and employees alike, be sure to balance usability with cost and security to increase adoption.
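The risk-based step-up model described in the first two questions above, as an added example that is not part of the white paper or any Ping Identity product: passive context signals (geolocation, IP address, time of day, device identifier) are scored against what the service already knows about the user, and the score decides whether the password alone suffices, a soft second factor (SMS, email, voice) is required, or a strong one. All names, weights and thresholds are assumptions chosen for the illustration; the fallback at the end keeps a user with no strong factor enrolled from being locked out.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

SOFT_FACTORS = {"sms", "email", "voice"}        # user picks one; limits opt-outs
STRONG_FACTORS = {"hardware_token", "app_push"}
HIGH_RISK_ACTIONS = {"transfer_funds", "change_password"}

@dataclass
class UserProfile:               # what the service already knows about the user
    usual_countries: set
    known_devices: set
    corporate_networks: list = field(default_factory=list)   # CIDR strings
    enrolled_factors: set = field(default_factory=set)

@dataclass
class LoginContext:              # passive signals gathered at login time
    ip: str
    country: str
    device_id: str
    hour_utc: int                # time of day, 0-23
    action: str                  # e.g. "view_balance", "transfer_funds"

def risk_score(profile: UserProfile, ctx: LoginContext) -> int:
    """Additive score; the weights are assumptions chosen for this example."""
    score = 0
    if ctx.country not in profile.usual_countries:
        score += 40                                    # unfamiliar geolocation
    if ctx.device_id not in profile.known_devices:
        score += 30                                    # unregistered device
    addr = ip_address(ctx.ip)
    if not any(addr in ip_network(n) for n in profile.corporate_networks):
        score += 10                                    # off the corporate network
    if ctx.hour_utc < 6 or ctx.hour_utc >= 22:
        score += 10                                    # outside normal hours
    if ctx.action in HIGH_RISK_ACTIONS:
        score += 30                                    # sensitive transaction
    return score

def step_up_decision(profile: UserProfile, ctx: LoginContext):
    """Return (level, factors the user may choose from); level is none/soft/strong."""
    score = risk_score(profile, ctx)
    if score < 30:
        return "none", set()                           # password alone suffices
    soft = SOFT_FACTORS & profile.enrolled_factors
    if score < 70:
        return "soft", soft
    strong = STRONG_FACTORS & profile.enrolled_factors
    # No strong factor enrolled: degrade to a soft one rather than lock the user out.
    return ("strong", strong) if strong else ("soft", soft)
```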
Those five questions provide a solid foundation for the solutions assessment process, but to learn more about MFA, I strongly suggest checking out the Multi-factor Authentication Best Practices for Securing the Modern Digital Enterprise white paper from Ping Identity.
This straightforward white paper proposes best practices for customer and enterprise deployments of step-up multi-factor authentication (MFA), without getting too jargony and convoluted.
Editor, Cybersecurity at Solutions Review
Jeff Edwards is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in Journalism from the University of Massachusetts Amherst, and previously worked as a reporter covering Boston City Hall.
Authentication is the act of confirming the truth of an attribute of a single piece of data (a datum) claimed true by an entity. Among the different types of authentication, two-factor authentication is a method that identifies users by combining two different components. There are a number of two-factor and multi-factor authentication methods. Multi-factor authentication products can provide significant benefits to an enterprise, but the methods are complex and the tools themselves vary greatly from provider to provider.
The term phishing refers to an attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.
Malware, short for malicious software, is any software used to disrupt computer operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising.
Password guessing refers to cracking a password, which is the process of recovering passwords illegally from data that have been stored in or transmitted by a computer system.
A man-in-the-middle attack (often abbreviated to MITM, MitM, MIM, MiM attack or MITMA) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
A server-side data breach refers to an incident in which sensitive, protected or confidential data has potentially been viewed, stolen from servers, or used by an individual unauthorized to do so.
Shoulder surfing refers to using direct observation techniques, such as looking over someone's shoulder, to get information. It is commonly used to obtain passwords, PINs, security codes, and similar data.
One-time password (OTP) interception refers to a service provider sending a one-time password to a user's contact point (SMS, email, etc.) for authentication, where the password never reaches the user because it has been intercepted by a fraudulent party.
Side channel vulnerabilities allow attackers to infer potentially sensitive information just by observing normal behavior of a software system. The attacker is a passive observer.
A hardware token is an authenticator in the form of a physical object, where the user's interaction with a login system proves that the user physically possesses the object. Proving possession of the token may involve one of several techniques.
A software token is a type of two-factor authentication security device that may be used to authorize the use of computer services. Software tokens are stored on a general-purpose electronic device such as a desktop computer, laptop, PDA, or mobile phone and can be duplicated. This is in contrast to hardware tokens, where the credentials are stored on a dedicated hardware device and therefore cannot be duplicated (absent physical invasion of the device).
TOTP - Time-based one-time password
EOTP - Event-based one-time password
Mutual authentication or two-way authentication refers to two parties authenticating each other at the same time, being a default mode of authentication in some protocols (IKE, SSH) and optional in others (TLS).
Biometric authentication is a type of system that relies on the unique biological characteristics of individuals to verify identity for secure access to electronic systems.
Scalability is the capability of a system, network, or process to handle a growing amount of work, or its potential to be enlarged in order to accommodate that growth.
Transaction signing is a term used in internet banking that requires customers to digitally "sign" transactions in order to preserve the authenticity and integrity of the online transaction.
| Provider | Phishing | Malware | Password guessing | Man in the middle | Re-used password attacks | Server-side database break-in | Shoulder surfing | Theft of authenticator | OTP interception | Channel vulnerabilities |
|---|---|---|---|---|---|---|---|---|---|---|
| Azure Multi-Factor Authentication | Yes | Yes | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| SAT Mobile ID | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| VASCO Data Security | Yes | N/A | N/A | Yes | N/A | N/A | N/A | N/A | N/A | N/A |
| Provider | SMS | Phone call | Email | Hardware token | Software implementation | Recovery method |
|---|---|---|---|---|---|---|
| Authen2cate | Yes | Yes | Yes | Yes | Yes | Email, Mobile App, Support Desk |
| RSA Security | Yes | Yes | Yes | Yes | Yes | Email / helpdesk |
| Azure Multi-Factor Authentication | Yes | Yes | No | No | Yes | |
| Google Authenticator | Yes | Yes | No | No | Yes | Paper TAN |
| privacyIDEA | Yes | No | Yes | Yes | Yes | Email / helpdesk |
| SAT Mobile ID | Yes | Yes | No | Yes | Yes | |
| VASCO Data Security | Yes | Yes | Yes | Yes | Yes | |