The level of cyber threat to businesses is higher than ever.
Personal data held by businesses is increasingly valuable, meaning bad actors are always looking to gain access by any means possible.
As a result, the approaches to security used as recently as five years ago are no longer sufficient to protect the valuable personal data businesses hold. Security methods like Multi Factor Authentication (MFA) have become crucial for businesses who want to protect and secure user data and accounts.
End users meanwhile, whilst undoubtedly valuing the security of their personal data also expect a good user experience. Businesses therefore need to strike a fine balance between security and ease of access. Understanding when to implement MFA techniques and which situations don’t require rigorous authentication will be crucial.
Business Matters spoke to Jacob Ideskog, CTO, Curity, to ask for his top five techniques that have evolved and been adopted for MFA that will help businesses achieve strong data protection and ease of access.
Always On and Opt In
Always On is consistent with its name – MFA is always on and is always a user requirement. At every log-in opportunity, users will be prompted to use two or more identifying factors in order to access the account in question. While this method is the most rigorous in terms of security, it is the least user-friendly. The repeated demands for re-authentication can become tiresome to users, particularly if they accidentally close a webpage and need to quickly re-access the information. It is also important to note that not all information requires the same level of protection. Whilst such a stringent approach works for many applications, there are different MFA methods that offer more flexibility that are more suitable for certain applications.
Opt In MFA is a more flexible approach. It strikes an important balance between helping users to protect their data and offering more flexibility. In these instances, customers are prompted to set up MFA, but can decide for themselves whether to do so. Opt In MFA also allows companies to always require two factors while giving users more options to improve their own security by adding additional factors.
As briefly mentioned with Opt In, sometimes data does not require a rigorous authentication process and a single log-in is the only authentication necessary. Consequently, the end user does not have to engage in a complex process, providing an improved and frictionless user experience.
However, if a user then needs to access more sensitive information, they will receive a series of authentication questions, “stepping up” from one form of authentication to multiple. Step Up is initiated by an OpenID authentication request with a higher privilege scope, particularly prevalent in the financial industry. Here, the initial log-in may be to just check a bank balance or when a credit card bill is due, but if a customer then chooses to make a payment or update their personal information, the additional authentication process will prompt them to answer a security question, or use a secondary authenticator for example a biometric input. Step-up authentication can offer a good balance between user experience and security.
Time Sensitive Re-Verification
This approach is becoming increasingly common, particularly for access to email or cloud-based document accounts such as Google Drive, or Microsoft 365. With this approach, users are required to log-in using multiple factors the first time they access their account, however if a user continues to access their account regularly, and via the same browser they are rarely prompted to re-enter their verification information. This process requires fine-tuning of the Time To Live (TTL) for different authentication factors, so the trusted device can be established at the initial log-in. The TTL for the different authentication factors is set for different time periods, meaning the password expires before the coding of the verification, so that while users will need to change their password for security reasons on a semi-regular basis, they will not need to continuously enter the password to access their information. However, if a user changes the device they access the account from, or their browser (ie. from Google Chrome to Microsoft Edge) they will need to go through the MFA process.
This approach gives cyber security professionals the option of flexibility, allowing them to set the TTL to the time period that works best for their business model in order to optimise user experience while protecting the necessary data.
New Country and Changed Country
It is also possible to use geolocation to support the MFA process. While geolocation isn’t able to exactly pinpoint a user’s location to the exact house number or to identify them as an individual, it can determine the country where the user request pings from.
For this to work seamlessly, identity access will be behind a reverse proxy. The X-Forwarded-For header will be used as an identifying factor, as the original IP will be behind the proxy. The proxy will also need to be white-listed with identity servers, as it will need to be trusted and not flagged as a potential security alert.
New Country as an action can be as simple as businesses need. It only requires a Bucket to store and a boolean subject attribute that will be related to the geolocation. If this attribute is not set, the boolean value will change to True and it will be considered a new geolocation, requiring additional log-in and authentication. However, once the user continues to log-in from this geolocation, the boolean value will be set to False, and they will no longer need to go through the MFA process.
The Changed Country functionality offers similar simplicity. It also requires a Bucket to store data and an attribute name for a boolean subject attribute. In this instance however, the boolean value will be set to True every time the user logs in from a different country, meaning that previous geolocations will be forgotten and if the country is different from the previous, they will be required to re-authenticate.
These two actions are useful tools to support the MFA. While the actions are similar, the crucial difference lies in the Changed Country “forgetting” geolocations once they change, while New Country will only change the boolean value to True if the location is brand new and not been used before as an access point.
The Impossible Journey Authentication Action
The Impossible Journey serves as an authentication action, or prompt, and adds additional authentication layers where necessary. This MFA functionality is also fairly straightforward to use. As with the New Country and Changed Country, a data source is needed to store the geolocation, along with an attribute name, with the Boolean subject attribute set to True if an impossible journey has been identified. This identification process also includes speed as a determining factor.
As previously mentioned, the geolocation is not enough to serve as an identifying factor, however the Impossible Journey will capture longitude and latitude which is then stored (Point A). When the same user authenticates again (Point B), the action verifies the speed it would take to move from Point A to Point B, and if the speed is slower than the configured speed, the Boolean value will be set to False. If the speed is faster it will be considered an Impossible Journey and the boolean value will be set to True and the user will be required to go through additional authentication.