Compromised credentials continue to be a top breach risk for enterprises. That is not surprising when you consider the number of enterprises that still rely on passwords as the single factor to authenticate users. Others have moved to traditional two-factor authentication (2FA), but with hard tokens the user experience and adoption can be poor, and the cost is very high. Enterprises must move to a more secure, more usable and more cost-effective model for authentication.
Step-up multi-factor authentication (MFA) is a dynamic authentication model where the user—either a customer or an employee—is required to perform additional authentication operations, as needed, based on policy.
Some typical examples of step-up MFA include:
• A customer, having signed on with a password to a banking site, wants to transfer money. The bank sends an SMS to the customer’s previously registered phone number to establish the required additional assurance
• An executive, trying to purchase a birthday gift for her child while traveling in Africa, is prompted to authenticate to her iPhone with her fingerprint to approve the transaction
• A parent of a teenager receives a notification to approve a new channel that’s been added to the family’s cable TV package
• A customer, signing on to an e-commerce site from her iPad at home, sees no visible authentication step until she has to change her
• An employee is attempting to access a native SaaS application from the office. Because he’s on the corporate network, he’s not asked to perform any additional authentication
• A customer wants to link a smart thermostat she purchased to her home automation platform account. She uses an application on her Android phone to provision credentials to the thermostat, and she’s notified that the thermostat is being installed and asked to approve this sensitive operation
Consider a risk-based approach that combines dynamic step-up authentication with passive contextual mechanisms, such as geolocation and time of day. A risk-based approach provides a holistic assessment of users, their computing environment and the nature of the transaction they’re attempting to perform, with the end goal of applying proportionate authentication and authorization.
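One way to express such a policy in code, as an added example that is not part of the original article or any product: passive signals (geolocation, time of day, network, device) raise or lower the assurance an operation requires, and a step-up is requested only when the session has not already proven that level. The operation names, assurance levels, weights and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import time

# Assurance levels, lowest to highest (illustrative ordering).
PASSWORD, OTP, BIOMETRIC = 1, 2, 3

# Constructed policy: minimum assurance per operation sensitivity.
BASELINE = {"view_account": PASSWORD, "open_saas_app": PASSWORD,
            "purchase": PASSWORD, "transfer_money": OTP}

@dataclass(frozen=True)
class Context:
    operation: str
    session_assurance: int            # level already proven this session
    country: str                      # from passive geolocation
    usual_countries: frozenset
    local_time: time
    on_corporate_network: bool = False
    known_device: bool = True

def risk_score(ctx: Context) -> int:
    """Sum passive contextual signals; the weights are assumptions."""
    score = 0
    if ctx.country not in ctx.usual_countries:
        score += 2                    # unfamiliar location
    if not ctx.known_device:
        score += 2                    # device not seen before
    if ctx.local_time < time(6, 0) or ctx.local_time >= time(23, 0):
        score += 1                    # unusual hour
    if ctx.on_corporate_network:
        score -= 2                    # trusted network lowers risk
    return max(score, 0)

def required_assurance(ctx: Context) -> int:
    # Operations missing from the policy fail closed to the highest level.
    base = BASELINE.get(ctx.operation, BIOMETRIC)
    score = risk_score(ctx)
    bump = 0 if score < 2 else (1 if score < 4 else 2)
    return min(base + bump, BIOMETRIC)

def step_up_needed(ctx: Context):
    """Return the level to prompt for, or None if the session suffices."""
    need = required_assurance(ctx)
    return need if need > ctx.session_assurance else None
```
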
Here are some of the advantages of a risk-based, step-up MFA approach:
• It creates an optimal user experience by demanding the minimum acceptable level of authentication for a given operation
• If there is a cost-per-use of higher assurance mechanisms, risk-based models can be cost effective since more expensive options are used only when needed
• It improves fraud detection relative to traditional binary rule sets
• It creates a flexible and future-proof architecture that can adapt to emerging technologies and data assets