Multi-factor authentication (MFA) is certainly far more secure than just a username and password, however, today’s cyber criminals are finding easy ways through password-based MFA to gain unauthorized access

Criminals are breaking into password-based MFA-protected systems with surprising regularity. They know that at the core of MFA, the password still exists and that most MFA factors like SMS text messages, magic links, and push notifications are all phishable and hackable.

It’s time to rethink MFA based on these new realities. We believe there are five essential features that any secure, modern MFA should have to truly protect users and a company’s sensitive data and systems.

1. It should use unphishable factors.

MFA that uses passwords, one time passcodes (OTPs), push notifications and SMS text messages was flawed from the start by using phishable factors. While adding an additional factor is better than just using a password, hackers can easily intercept these authentication methods using free kits for man-in-the-middle attacks. Attackers have shifted their focus to these authentication methods and attacks are on the rise. 

• Push notifications aren’t secure, especially if the passcode is delivered within that notification. If you must use notifications, it should be in concert with an unphishable factor (confirming with biometrics, etc.).
• SMS text messages are a popular method to deliver passcodes to users, but attackers can intercept these codes, along with methods like SIM swapping.
• Magic links are less secure since the link is e-mailed to the user. Anyone with that magic link can log in, leaving you wide open for an attack.
• OTPs are a poor user experience and a pain to use. As a result, most of your users will opt to receive these codes through SMS or e-mail, instead of a hardware token, which carries its own risks. 

There is a time and a place for these factors, especially when more secure methods are unavailable or fail. But they shouldn’t be the primary methods you employ to authenticate your users.

Phishing resistant MFA uses secure authentication factors that cannot be spoofed, copied, or altered. Examples include:

• Cryptographic keys: these are generated and tied to device and user. This allows IT security to know exactly who and what is accessing network resources at any time. Using modern military-grade encryption, there’s virtually no way to crack them.
• Local biometrics: this factor can be used to positively identify the user’s identity and are all but impossible to fool. Modern MFA solutions make use of on-device features like facial recognition or fingerprints to provide certainty of identity.
• Device-level security checks: these are another factor used by modern MFA. Here, the device is checked for potential vulnerabilities and issues, and access is either granted, limited, or blocked. Examples of some checks might be whether all security updates are installed or if the device was modified in some way.

2. It should be passwordless

The password tells you nothing about the user accessing your network other than that they have the correct credentials. Replacing the password with some type of credential tied to the user and device is one way to eliminate the need to use magic links, SMS, notifications, or OTPs, and dramatically improve security. 

The benefit to organizations is immense. You know who accesses your network, and on what device. If your organization has transitioned to remote work, it’s more important than ever to have granularity. Password-based MFA typically only attempts to answer who accesses your network and assumes that identity is confirmed. In today’s threat landscape, that is asking for trouble.

Compromised passwords are also the source of the vast majority of cyberattacks. If you’re still using passwords, only your MFA sits between you and the attacker. If that fails, which it often does, your network is compromised. With passwordless authentication, without one of the secure factors above, there’s no way in. 

3. It should continuously assess for risk

While passwordless MFA eliminates the risk of password-based attacks, it won’t prevent insider threats on its own. Companies such as Microsoft, Cisco, and Tesla have all been victims of insider attacks. In some cases, these attacks cost millions in recovery.

It’s essential for modern MFA to assess risk at login and throughout the session. What device is logging in? Is it tied to an authorized user? Does the device have all the required security updates installed? Is the device rooted or jailbroken? Where in the world is the device located? Has something changed during the session?

You’ll want the answers to these questions to keep your company resources in the cloud secure. Modern MFA platforms offer continuous risk assessment, limiting the risk of insider threats, as well as password-based attacks.

4. It should be invisible

MFA that uses passwords, OTP, push notifications and SMS adds friction. Either the user is reaching for their device or searching through their e-mails to find the code. There is evidence this additional friction limits adoption and often leads to users looking for insecure workarounds to avoid it or refusing it altogether (that happens, too). IT security teams also limit which resources are protected by MFA because they know their users hate it. 

Modern, passwordless MFA is invisible almost all the time, only becoming visible if necessary to ensure the user is who they say they are when other security checks fail. Adoption skyrockets if MFA is easier to use than the traditional username and password, and modern passwordless MFA delights users because of its seamless nature.

After all, nobody likes to remember passwords.

5. It should help enable a zero trust strategy

Adopting a modern MFA platform is often a key part of building an overall zero trust strategy. At its core, zero trust follows the mantra, “never trust, always verify.” 

At its core, zero trust has three pillars:

• Eliminating the concept of implicit trust in a network
• Employing key preventative security measures
• Enabling responsive real-time monitoring techniques to deal with breaches

Modern MFA treats any connection as a potential threat and continuously assesses user and device risks, and enabling a passwordless MFA solution is a one step in the zero trust journey. With most password-based MFAs, you authenticate only once, but with modern, passwordless MFA, the user is continuously authenticated. The solution will also often adjust access based on risk levels and signals. 

It is also the only solution that provides certainty of identity. Password-based MFA cannot, as there is still a level of trust that the password or another phishable factor made it to the legitimate user. 

Lastly, as mentioned previously, with password-based MFA users will look for workarounds or be slow to adopt. Implementing zero trust measures won’t matter if users don’t adopt. Passwordless MFA removes that friction and speeds up the adoption process.

Invisible and modern MFA with Beyond Identity

Effortless yet secure authentication is the cornerstone of our platform, something we call “invisible MFA.” Our Secure Work product makes authentication frictionless, yet offers a level of protection far superior to password-based MFA.

Users are issued an immutable cryptographic credential tied to the device and user upon registration. Logging in after registration is as simple as a click. It’s equally simple to install and deploy, supporting top SSO solutions like Okta, Ping, Forgerock, OneLogin, Microsoft ADFS, and more with just a few lines of additional code. 

Secure Work doesn’t just protect you at login: best-in-class monitoring and risk-based authentication protect your data during the user session. The risk of password-based attacks is eliminated, and the risk and scope of any insider attacks are drastically reduced.

Ready to ditch passwords once and for all and learn more about passwordless MFA? Let us show you how Beyond Identity’s invisible MFA will revolutionize how both you and your users think about modern secure authentication. Get your free demo today.