As cyber criminals continue to improve and advance their methods of attack, organizations and businesses need to keep up. Bob Burke, Vice President of Security and Infrastructure at Beyond Identity, explains why legacy multi-factor authentication (MFA) systems are no longer enough protection and how selecting a modern, current, phishing-resistant MFA allows organizations to better safeguard sensitive information.

Security: What is your background, current role and responsibilities?

Burke: As Vice President of Security and Infrastructure at Beyond Identity, I am responsible for infrastructure, cloud operations and security across all products and business lines. As both a security practitioner and a product architect, my primary mission is to ensure the availability, performance, scalability and security of our internal corporate systems and Software as a Service (SaaS)-based external software offerings. I studied at Pennsylvania State University where I received my Bachelor of Science in Aerospace Engineering and at the University of Michigan where I received my Master of Science in Aerospace Engineering. I first started my career in software development and made my way up to the roles of Director of Engineering and Chief Technology Officer for various tech companies to where I am now as VP of Security and Infrastructure at Beyond Identity.

Security: Does MFA technology help protect organizations and businesses from phishing and other methods of cyberattack? Is it the best technology for this type of security?

Burke: Identity has become enterprises’ largest attack surface, especially as work moves away from the office in favor of a hybrid approach. Even the most rudimentary cyber criminal now has the tools to launch a successful phishing campaign. To effectively address this growing vulnerability, MFA technology has absolutely become the standard for businesses to place another line of defense between threat actors and their own data, applications and networks. But there’s a catch — we’re increasingly seeing a line being drawn in the sand between “good” and “bad” MFA.

Security: You mention “good” and “bad” MFA, what is the distinction?

Burke: MFA technology is only as strong as its weakest factor and, with that in mind, legacy MFA solutions simply cannot keep up with today’s threat landscape. These technologies rely on phishable factors like passwords, one-time codes, push notifications and magic links, all of which can fall into the wrong person’s hands while ultimately adding friction to the user experience. The solution is to remove these vulnerabilities once and for all in favor of phishing-resistant factors like local biometrics or PIN, device-bound passkeys and device security posture checks.

Security: Is there a method that cybersecurity professionals can employ to determine what type of MFA will protect their company’s data and assets?

Burke: Unfortunately, there are a lot of legacy solutions out there that can simply not keep up with the modern threat landscape and, if cybersecurity professionals don’t understand MFA best practices, they’ll select a technology that doesn’t meet their needs.

When selecting their MFA solution, one place cybersecurity professionals should start is by evaluating their compliance with new regulations and security recommendations. In May 2021, following high-profile data breaches at organizations like Solarwinds, Colonial Pipeline and Microsoft Exchange, the U.S. government went as far as to give its federal agencies and contractors 180 days to implement zero trust architecture. Less than a year later, the Office of the Management and Budget (OMB) took this a step further by releasing a memo explicitly calling for federal agencies to adopt phishing-resistant, passwordless MFA. Whether organizations work with the federal government or not, it’s highly recommended that cybersecurity professionals create a comprehensive threat model and understand the relevant organizational risks. This, along with the regulations, will serve as a pulse check for where identity security is heading and will enable security professionals to apply their own strategies when selecting an MFA solution.

Security: Are there other options or is it possible to stack security technologies? Is this cost prohibitive?

Burke: Fundamentally, selecting the proper MFA solution is about minimizing a large threat surface by replacing traditional detection activities with strong prevention through higher levels of authentication assurance. Traditional stacking or defense in depth is just adding significant operational burden with incremental risk reduction. The right passwordless, phishing-resistant MFA should be easily integrated on top of existing technology stacks for rapid deployment and time to value.

The right tool should ultimately save organizations capital by maximizing productivity through frictionless user experiences, reduced help desk calls for password resets and providing the tools to avoid identity-related breaches. These breaches can rack up thousands of dollars in fines, require expensive remediation that pulls security teams away from other mission-critical matters, and can damage reputations. By investing in advanced MFA and preventing these negative outcomes, organizations can actually save dollars down the line.

Security: In a perfect world, what would be the best solution to the problem?

Burke: In a perfect world, identity would be 100% impenetrable and organizations wouldn’t have to give MFA a single thought. Unfortunately, we don’t quite live in that world yet, but organizational leaders can move as many of their security controls as possible from detection to prevention. In doing so, they equip their employees with the best possible tools to work safely in the world we do live in.

By removing phishable factors like passwords from the equation in favor of phishing-resistant MFA, organizations can mitigate some of their greatest vulnerabilities to safeguard their most sensitive information. The ideal authentication solution will establish high trust in both the user identity and the endpoint being used to access resources. Ensuring that endpoints meet device security posture policies is critical to preventing attacks. By incorporating additional risk signals in the authentication equation from tools like endpoint detection and response (EDR), organizations can extend their value by using detection and response signals for enhanced protection.