Callsign commercial director – Asia Pacific, Frank Tan noted that historically organisations rely on usernames and passwords to authenticate users. But it quickly becomes apparent that these were easy to bypass. Bad actors habitually steal, or even guess this information, making access to a user’s account available to anyone with the skills to overcome its basic authentication controls.
Despite all these conditions, passwords remain in use today.
Tan says more security is required to ensure that a user’s account remains secure.
Gartner vice president analyst, Ant Allen says by 2022, Gartner predicts that 60% of large and global enterprises, and 90% of midsize enterprises, will implement passwordless methods in more than 50% of use cases — up from 5% in 2018.”
What was the original intent for multi-factor authentication?
Frank Tan: With the explosion of smartphone usage, it became possible to gather more evidence that a user is who they claim to be by sending an SMS one-time passcode (OTP) to their mobile device.
The theory is that, even if a bad actor was able to get hold of the user’s password, it is unlikely that they would be simultaneously intercepted, or steal, an OTP sent to that user.
The obvious benefit of this is that it makes authentication attempts far more secure against bad actors, particularly those deploying brute force or credential stuffing attacks designed to overcome a user’s password.
Rapidly OTPs, coupled with a password, became the most common form of multi-factor authentication. Unfortunately, this process has proved itself to be little more than an insecure, and expensive sticking plaster.
SMS was never designed to carry or be used to convey secret or sensitive information nor was it designed to be an authentication mechanism. Therefore, it should come as no surprise that SMS has several easily exploited flaws and, on top of this, presents the user with a clunky digital journey.
Thanks to improved technology, there are now several better ways to authenticate a user.
Where is MFA failing in its mission?
Frank Tan: Although the concept is sound, multi-factor authentication, in its current form, is failing.
The most common form of achieving MFA (via SMS OTP) is not nearly as secure as we like to pretend. Signalling System 7 (SS7), SIM Swap, and social engineering attacks are endemic. An individual user is more likely to receive an SMS from a fraudster than they are a member of their family!
Fundamentally, we are quickly losing faith in SMS as a delivery mechanism for authentication events and it should not be relied upon to authenticate any interaction or transaction that you deem important for authentication, promotions, alerts, or anything else.
SMS OTP offers an extremely poor user experience. What if you’ve lost your device, or changed your phone number? Its main vulnerabilities lie in the onboarding processes and anything that takes you out of this – such as checking another app or email for the OTP SMS code – adds friction and may even cause the user to abandon their transaction completely and take their business to a competitor.
Using SMS OTPs is expensive. Every day millions of customers conduct millions of transactions requiring millions of OTP SMS’. Even though each OTP represents quite a small cost, over the course of a year, those costs quickly spiral out of control. There are cheaper, more secure, and more engaging ways of doing business.
How does MFA fit (if any) as organizations look to implement zero trust?
Frank Tan: Multi-factor authentication is an important component of any zero-trust system. The zero-trust concept is most used for a company’s internal systems.
The idea is that a company will never ‘trust’ a user, and will seek to authenticate, or run a security check on the user at each stage of their interaction, be that logging in or accessing a particular document.
In theory, this process ensures that the session has not been hijacked by a bad actor and keeps the organisations’ internal systems secure.
Typically, a company will achieve this, at least in part, by imposing an MFA requirement on a user. They may for example ask the user to input both their password and an OTP generated via an app on their mobile device when logging in, countering the risk that an opportunistic bad actor would log into the genuine user’s machine whilst they’re away from their desk.
Of course, this method of authentication adds friction to the company’s workforce. There are fortunately several new, intelligent ways of adding a second factor without adding friction.
Behaviour biometrics for instance, which can identify a user through both the password they type, and the way they type it, makes the whole process less onerous for the user, without compromising on security.
In today’s remote work as the norm environment, how should enterprises modernise/update their use of MFA as part of their identity access management process?
Frank Tan: All enterprises should look to make their identity and access management procedures as streamlined and easy to use as possible.
Is Microsoft’s Passwordless authentication the panacea to solve the authentication challenges facing organisations?
Frank Tan: Although a move in the right direction in the prevention of fraud, Microsoft still requires consumers to check an app for an authentication code. This takes the user away from their desktop experience, adding extra, unnecessary friction.
How would Microsoft’s implementation of passwordless authentication impact current practices around access management?
Frank Tan: There is no doubt that Microsoft passwordless authentication capabilities are a step in the right direction. I believe however that it can be improved upon, and friction can be completely removed from the journey by leveraging the passive authentication technology described above.
Any final thoughts on what lies ahead with identity access management post-covid-19?
Frank Tan: There is now no such thing as non-digital service. Even digital laggards in the business world have had to embrace the digitisation process that traditionally relied on human administration staff. Identifying customers, users, and citizens via their digital IDs are now more important than ever.
Governments have likely identified the strategic importance these digital IDs provide state resilience. I, therefore, predict that there will be a greater national and international effort to standardise what is meant by digital ID to allow it to be readily consumed by organisations in the public and private sector.
I think that this effort will be galvanised as governments seek to learn lessons from the pandemic. Many governments around the world introduced stimulus packages to help businesses. Although their intentions were good, there was, unfortunately, a huge amount of abuse of the system as fraudsters began exploiting weaknesses in the hastily established systems and processes.
To protect their digital services from future abuse, Governments are likely to seek 21st-century solutions to a 21st-century problem. Importantly, we are in the age where consumers distrust anything delivered by SMS which is why artificial intelligence-driven multi-factor authentication delivers on so many fronts namely it’s frictionless, convenient, and, above all else, secure.