We have all heard the old adage, “Two heads are better than one.” Similarly, two factors are better than one in the security authentication landscape.
In fact, a recent study conducted by the Pew Research Center illustrates why reliance on the single factor of ID and password may not provide sufficient protection. The study found that 39% of online adults have shared their password to one of their online accounts with a friend or family member. In addition, 25% admit that they often use passwords that are less secure because simpler passwords are easier to remember.
While many online consumers do not follow cybersecurity best practice to protect their passwords, the availability of malware along with the ease and relatively low cost to launch phishing attacks have made commandeering IDs and passwords an elementary task for fraudsters.
In recent years, credential breaches have become so common, with compromised accounts numbering in the tens and hundreds of millions for some services, consumers can go to websites like HaveIBeenPwned.com to search for their username or email address to see if any breaches impacted them.
In response, companies are stepping up their game to strengthen authentication to their services. This could mean requiring stronger passwords, or more frequent password changes, as well as offering forms of multi-factor authentication (MFA). MFA generally requires a user to authenticate using an item from at least two of the following categories:
- Something that the user knows (ex. ID/password)
- Something that the user possesses (ex. Security token, Bank Card etc.)
- Some physical characteristic of the user (biometrics) such as fingerprint, voice or retinal scan
Based on our experience, there are several factors to consider when rolling out MFA with as little impact to end users as possible. To protect online services with hundreds of thousands of users globally, we elected to use ID/password as one factor (something the user knows) and a one-time-passcode (OTP) delivered via email/text/phone (something that the user possesses).
Whatever combination of factors you select, the cost and how well your customers accept the control will dictate your final project scope. For us, in a world in which end-users access from many locations and devices, versatility was an essential element. With that said, we included the ability to receive the OTP via multiple delivery methods.
Regardless of the size of your organization or customer base, you will encounter challenges. Here are some of the challenges we encountered.
Ensuring the control is on by default for all targeted customer accounts. To reduce the amount of manual intervention, it is recommended that the control is set on all accounts, but coded to become active-aggressive when an account/user ID meets a certain level of criteria. The concept of “active-aggressive” means the control is always active, but is only triggered when specific features and/or data are accessed.
If certain criteria are not met (i.e. user does not attempt to access sensitive features and/or data during the session), the control remains in a passive mode (i.e. the user is not prompted with an OTP). Features and/or data deemed less sensitive can be accessed without interruption. The primary benefit is that all accounts are protected. There is no need to turn the control ON/OFF for certain types of customer accounts. The end result is that users are only prompted when they access the features or data deemed as sensitive. This strategy can help reach a balance between preserving a positive customer experience and providing adequate protection.
Ensure that the delivery elements are protected by multi-factor. The initial setup of the delivery methods was one of our biggest challenges. At some point, we had to allow the end-user to define their email and phone number for this to be a success. The model of having both the end user and an internal administrator add the delivery elements during ID creation worked well. In most cases, the delivery element added was correct and the end-user did not have a need to do any updates. Once the user accesses from the multi-factor (i.e. approved device), they are free to make their own updates.
Implement alternate vetting options for updating delivery methods. To request changes to delivery options, it is imperative that end-users have a way to contact your company (i.e. Customer Support). For example, in the instance that the phone number used to deliver an OTP via text has changed, vetting procedures commensurate with your risk threshold must be in place to accommodate the end user.
Sufficient key event logging needs to be in place to understand when multi-factor authentication was successful or failed. As you review and investigate the success of the control, having event logs will help determine the success rate of your multi-factor control. It will also help in determining if enhancements are needed to bolster a previously unknown weakness in the control.
The need for an alternate multi-factor control cannot be underestimated. We have found that there will always be a few corner-cases in which your mainstream multi-factor control will not suffice. One example is accounts that demand an alternative and are key contributors to your company's revenue.
In conclusion, we recognized and accepted the fact that the days of protecting accounts with a single factor have come and gone. Our team invested time and resources to determine the right multi-factor for our customers at an acceptable cost. Yes, the journey got a little bumpy along the way, but it was well worth the trip! After we overcame all the challenges, we can conclude that “Two is better than one!”