The effectiveness of MFA solutions continues to be a big debate, following the news of Microsoft urging users to abandon telephone-based multi-factor authentication (MFA) solutions in favour of newer MFA technologies, it poses the question – what more can organisations be doing?
Multifactor authentication (MFA) provides an extra layer of security, it does so by adding an extra step in the authentication process and must be implemented in a way that provides meaningful increase in security without causing an impact on productivity and positive user experience. One of the most common method of MFA is SMS text messages. The problem is that SMS is not a secure or reliable method of delivery. So while adding an additional step in the authentication process, it’s not actually increasing security in a meaningful way to justify the inconvenience perceived by the user – SMS hijacking is a common issue and there is no guarantee that an SMS message is even delivered. It’s recommended to use an application based, encrypted delivery of MFA tokens.
Even with a secure and reliable implementation of multi-factor authentication (MFA), you’re still limiting your security of application and data access to an event. Meaningful and productive security requires Continuous and Contextual Authentication for securing sessions post logins. MFA alone cannot address security issues like insider risks and session hijacks, and the MFA device itself could also be compromised.
Continuous Authentication leverages passive biometrics and other usage-based patterns to continuously verify user identity in an unobtrusive fashion. For example, the level of security would change depending whether the user is requesting VPN access from a hotel (high risk) or their usual home office (lower risk). A malicious user is automatically blocked from accessing apps when they exhibit anomalous behaviour, regardless of a successful authentication event. This enhances the security posture and at the same time, improves the end user experience over having a static timeout.