Put Password Pain in the Past with Multi-Factor Authentication
How to ease security fatigue with multi-factor authentication.
Feeling reckless? Hopeless? Frustrated and impulsive?
You’re not alone. Employees around the world are fed up with trying to do their work efficiently without exposing their networks to hackers. In fact, restless, hopeless and frustrated were the exact words people used to describe their feelings in a study about cybersecurity published by NIST. These emotions are the result of security fatigue, which is the feeling of being overwhelmed by security requirements.
The negative attitudes users have about security protocols threaten more than just workforce morale. People are ingenious when it comes to finding workarounds to systems they don’t like, and many of those workarounds are sources of risk. Users who cannot remember multiple passwords may use the same password across multiple systems, write down their passwords in easily-accessible places and share passwords with colleagues. Security fatigue is real, and it’s a vulnerability that’s hard to fight with traditional password protocols. Effective authentication is built around redundant systems that are easy to use.
The use of redundant systems is a balancing act. Not enough layers and hackers can penetrate a network with little resistance; too many layers and the system becomes unusable. These days, companies are far more likely to err on the side of overbuilding security than underbuilding it; after all, nobody ever gets fired for having too much security. However, maybe they should be. When a network is locked down so tightly that users need sticky notes to manage their passwords, corporate assets are exposed.
Re-Use, Re-Set and Regret
Targeted companies don’t like to call password-based breaches “hacking,” preferring the more gentle term “fraud” (we’re looking at you, Groupon), but stolen data is stolen data by any name, and headline writers don’t care about subtleties.
Every time a LinkedIn or a Yahoo is breached, all of their customers’ stolen emails are offered for sale on the dark web. Hackers snatch up those stolen credentials because they know many of them will work on other sites. Citrix and GitHub both experienced attacks last year that utilized credentials compromised in LinkedIn, Tumblr and other social site breaches. And Citrix and GitHub were not alone; this problem has become so widespread that Microsoft has banned any password that appears on a list of compromised emails from being used to access its Azure systems.
Data breaches are the worst possible outcome of security fatigue. A less drastic but more certain problem is the impact of lost passwords on a company’s productivity.
IT managers know that 20 to 50 percent of help desk calls are password reset requests. Those calls can cost anywhere from $30 to $70 dollars each while diverting resources from more strategic work. On the other end of all those calls are workers who are unable to do their jobs because they’re locked out of their systems. On average, companies lose more than 9,500 hours each year to complicated security procedures.
Today’s Best Practice: Multi-Factor Authentication
Authentication is accomplished through the use of control factors, which are sorted into three categories:
- Something you know, like a password
- Something you have, like a card, fob or smartphone
- Something you are, like a fingerprint, iris or retina
If one control factor is good, two is better, as long as they’re easy to use. The use of more than one control factor is called multi-factor authentication, or MFA. The most common form of MFA is two-factor authentication, called 2FA. Three-factor authentication is 3FA.
Early MFA solutions involved a password and a physical token in the form of a card or a fob. This was better than passwords alone, but physical tokens get lost, cost money to manage and replace, and often require card readers or other data capture devices to function.
Everything changed in just a few short years. Multi-factor authentication has achieved mass adoption thanks to smartphones that combine something you have and something you are into a single device managed by the user. Workers now carry their own fingerprint readers everywhere while remaining in control of their own biometric data.
People-First Planning for Your MFA Solution
MFA can provide relief from security fatigue, but only if it’s set up thoughtfully. A first instinct may be to apply the highest level of authentication – three-factor logins – for everyone. But that creates complications, cost and management loads that are unnecessary for the majority of users.
Classify your workforce like you classify your data, and then determine which roles need which level of security. Most users will need a standard secure login because they have limited privileges on the systems they access and their roles do not make them particular targets for bad actors. Only power users like the CEO, CFO, technical staff with administrative privileges and any high-profile employees will need extra layers of security.
The MFA process has to be convenient for all users. Temporary passcodes should be sent to people in a way they’re accustomed to receiving messages, such as via a smartphone alert or text message. The entire MFA system should be intuitive; if it’s hard to use, security fatigue will set in, and you’ll be back where you started with shared passwords, stupid passwords and the dreaded sticky notes. Self-service capabilities are part of a good user experience and part of a good IT experience as well; over time, people will upgrade their phones and laptops, and they should be able to make changes to their credentials without having to open a support ticket.
After you understand your human requirements, inventory your technology environment, including cloud apps, on-premise software, hybrid environments and BYOD. Once you have an inventory of approved systems, dig deeper to expose all the shadow IT running inside your corporate boundaries. Inventory those unauthorized apps as well and include them in your MFA program.
MFA as a Service
Your company is going to grow. Sometimes, it may shrink. Your MFA solution needs to scale without a lot of cost or effort. One way to ensure that your MFA is always working in your environment is to choose an Authentication as a Service (AaaS) provider.
AaaS enables companies to integrate remote access and network technologies, as well as the existing directory service and be flexible enough to provide security in cloud, hosted and on-prem environments. It can be stood up quickly by existing development staff through the use of APIs, but the burden of maintenance is shifted to the vendor.
Outsourcing authentication is a smart choice for most companies, but be careful to perform rigorous due diligence before signing a contract.
Energize Your Authentication
You don’t have to worry about security fatigue when you choose an authentication system that’s intuitive for users and covers all your systems, whether on-prem or in the cloud. Passwords will always be with us, and for the imaginable future, but the use of MFA will please users and free your IT team for more strategic projects.