MFA Graveyard

Is it finally time to kill traditional Two-Factor Authentication and Multi-Factor Authentication?

Categories: Thought Leadership

The traditional two-factor or multi-factor authentication (2FA/MFA) solutions that companies are currently using, or evaluating, can and should be replaced by something that is far more secure and much easier to use.

Now, don’t get me wrong, I completely understand why organizations are deploying or evaluating traditional 2FA/MFA. It makes perfect sense. I’ve been in “cybersecurity” (still not in love with the term) for more than 20 years on both the practitioner and vendor side. A few years back, at a previous employer I will not name, I was the guy who walked into the CEO’s office and demanded we implement 2FA/MFA immediately – specifically for G-Suite where we were storing important customer information.

I had been pestering IT for a while and it was not getting done, and I wasn’t about to let some avoidable incident harm our customers or the brand trust we were working so hard to establish. We implemented MFA the following week. I was happy we mitigated the risk, and the destruction of the user login experience just seemed like the price we would have to pay.

Fast-forward a few companies, and I had the opposite experience. The company took cybersecurity very seriously, and I was quite happy about that – I like working at a “do as we say and as we do” sort of company. They were using Okta and required a 2FA/MFA login to get into the Okta portal, and then for every app. The sequence was: username, password, pick up the phone, grab the code to get into Okta, and then repeat the sequence for each app. When your session timed out (after 8 hours), it was rinse, wash, and repeat. There were many long days, so this sucked.

The experience was more secure but just awful. Everyone hated it. Unfortunately, at the time, there were just no good alternative authentication methods to traditional 2FA/MFA. Now there is one, so we no longer have to trade usability for strong security.

We all understand that passwords are a fatally flawed authentication method and that stolen or reused passwords are among the most common root causes of breaches. We will spare you the usual Verizon Data Breach Investigations Report quotes about how insecure passwords are, since you can see the results in the news almost daily. You are also likely aware that traditional 2FA/MFA has become a “go-to” for organizations facing an onslaught of cyberattacks, particularly account takeovers that start from password reuse (phishing, credential stuffing, etc.) and ransomware (brute-forcing exposed RDP endpoints is a leading initial access vector for ransomware).

However, traditional 2FA/MFA falls short of the ideal secure authentication method, particularly in our “new normal” where employees need to work from home (or anywhere for that matter), and at a time when secure access to cloud-based apps and other resources has increasingly become the norm.

There is a much better way than traditional 2FA/MFA to implement strong authentication that users will like – you can have your proverbial cake and eat it too! Beyond Identity’s passwordless authentication is fundamentally more secure, easier to deploy and use, and it addresses essential new cloud access control requirements. This is not a theoretical “thought exercise” solution to the shortcomings of MFA, this is technology that can be deployed today.

2FA/MFA doesn’t solve the password problem

In a nutshell, 2FA/MFA is simply a “Band-Aid” for passwords. It never actually cured the password disease. 2FA/MFA only marginally improved security and provided an abundance of friction for end users, depending on what flavor of a second factor the team deployed on top of the password. So, other than that, Mrs. Lincoln, how was the play?

First, 2FA/MFA does not eliminate passwords, and therefore it does not eliminate the risk that passwords and password databases pose to organizations. Passwords get stolen and reused in credential stuffing attacks that result in account takeovers. Password databases are stolen en masse and sold, creating significant liability for the business.

Second, 2FA/MFA is not as secure as it is cracked up to be. To be clear, almost any form of 2FA/MFA is better than using passwords alone, but attackers routinely defeat the common forms: SMS one-time codes are intercepted through SIM swapping, push notifications get approved by users worn down by repeated prompts, and any code a user types can be relayed in real time by a phishing site sitting between the user and the real login page, because neither the password nor the code is bound to the site the user is actually talking to.

Third, users hate 2FA/MFA. And for good reason: it’s clunky and inconvenient. Users need to locate their second device, fish a code out of email or text, type it into the login screen, or respond to a push notification. 2FA/MFA is yet another case of security controls that make the user experience worse. It does not need to be this way, and I am hearing, quite often, from CISOs these days that the “user experience” for both employees and customers matters to them. This new focus on UX is a very welcome and healthy change of attitude, in my humble opinion.

2FA/MFA doesn’t provide adequate access control

2FA/MFA simply doesn’t stand up to the job requirements for a modern access control solution. 2FA/MFA only helps you validate a user’s identity, and given the weaknesses described above, it does only a modest job even of that.

There are additional requirements for controlling access today, particularly in light of work from home (or anywhere), where secure, convenient, and streamlined access to a rising number of cloud applications and cloud resources is our “new normal.” I hate using that overused term, but it tracks for now.

The new access control job spec includes positively identifying the user and the device, and then deciding if the device the user is bringing to the party is secure enough to access a given app or resource. Now security teams want to enforce continuous, risk-based authentication decisions based on user behavior and the security posture of the device.

Users log in from various devices (PCs, Tablets, Phones) and need access to a variety of web-based (browser) and native applications. Given the current and likely future IT support constraints associated with working from home, companies need to enable or extend bring your own device (BYOD) programs.

Today this goes beyond phones and includes non-work-issued devices like home desktops, laptops, or tablets – for example, when a work issued device is broken. Trusting the endpoint is not an all-or-nothing proposition. Instead, security teams want to enforce an appropriate level of security hygiene of the device and base access decisions on whether the security posture of the device being used is proper at the time of the login.

So the bar for a complete, modern authentication and access control solution is much higher than the minimal requirements old-school 2FA/MFA was designed to meet. The bar now requires a solution that eliminates passwords and positively validates the identity of users, and that can also:

  1. Determine whether the user requesting access is logging in from a known endpoint and whether it is a work-issued or BYOD device
  2. Assess whether the device being used is secure enough given the application or resources for which access is requested
  3. Gather user behavioral inputs from the device (e.g., user location)
  4. Natively collect granular device posture data without requiring the presence of security controls like MDM and EDR
  5. Determine if endpoint security controls are still running and collect additional information from MDM and EDR systems that can be used in the access control decision
  6. Enforce continuous risk policy-based authentication decisions using the information gathered above
  7. Be much simpler and much more streamlined for a better UX
  8. Be easily configured to work with existing identity management systems – SSOs, Directories, etc.

There is a much better alternative to traditional 2FA/MFA today, and it is available now from Beyond Identity.

We provide solutions for both your workforces and customers. The system uses a new type of authenticator that replaces passwords with the same asymmetric cryptography that underpins TLS (X.509 certificates and the key pairs they bind), so the server never holds a shared secret that can be phished, stuffed, or dumped. Our architecture eliminates our customers’ need to run a certificate authority or spend any time or resources managing certificates.

The advanced authenticator is paired with our Intelligent Authentication Cloud, which enforces continuous, risk policy-based decisions and meets all the requirements listed above. Our cloud-native platform provides simple “snap in” integration with identity infrastructure, including single sign-on systems from Okta, Ping Identity, ForgeRock, ADFS, and more.

You can learn more about Beyond Identity’s Passwordless Authentication platform and learn how you can use the passwordless tier of our platform for FREE – for an unlimited number of users, for an unlimited time, and fully supported. Explore the free passwordless solution or request a demo.