The level of cyber threats to businesses is higher than ever.
Personal data held by companies is becoming increasingly valuable, which means bad actors are always looking to gain access by any means possible.
As a result, the approaches to security used as recently as five years ago are no longer sufficient to protect the valuable personal data companies hold. Security methods such as Multi Factor Authentication (MFA) have become essential for companies that want to protect and secure user data and accounts.
End users, meanwhile, while undoubtedly valuing the security of their personal data, also expect a good user experience. Companies must therefore find a fine balance between security and easy access. Understanding when to implement MFA techniques and which situations do not require strict authentication will be critical.
Business Matters spoke with Jacob Ideskog, CTO, Curity, to ask for his top five techniques developed and adopted for MFA that will help companies achieve strong data protection and ease of access.
Always On and Opt In
Always On is exactly what the name says: MFA is always switched on and always required of the user. At every login, users are prompted for two or more factors before they can access the account. This is the most stringent method in terms of security, but it is also the least user-friendly. The repeated re-authentication can become tiresome, especially when a user accidentally closes a web page and needs to get back to the information quickly. It is also important to note that not all information requires the same level of protection. Although such a strict approach works for many applications, other MFA methods offer more flexibility and are better suited to certain applications.
Opt In MFA is a more flexible approach. It strikes an important balance between helping users protect their data and offering more flexibility. Here, customers are prompted to set up MFA but can decide for themselves whether to do so. Opt In MFA also lets businesses always require two factors while giving users the option to improve their own security by adding further factors.
Step Up
As briefly mentioned with Opt In, some data does not require a strict authentication process, and a simple login is the only authentication needed. The end user therefore does not have to go through a complex process, which gives an improved and frictionless user experience.
However, if the user then needs to access more sensitive information, they are prompted for additional authentication that “steps up” from one factor to several. Step Up is initiated by an OpenID authentication request with a higher-privilege scope and is particularly prevalent in the financial industry. Here, the initial login may simply be to check a bank balance or when a credit card bill is due, but if the customer then chooses to make a payment or update their personal information, the step-up process prompts them to answer a security question or use a secondary authentication method, for example a biometric input. Step-up authentication can offer a good balance between user experience and security.
Time sensitive reconfirmation
This approach is becoming increasingly common, especially for access to email or cloud-based document accounts such as Google Drive or Microsoft 365. With this approach, users must sign in with multiple factors the first time they access their account; if they then continue to access the account regularly and through the same browser, they are rarely asked to re-enter their verification information. This requires fine-tuning the Time To Live (TTL) for the various authentication factors so that a trusted entity can be established on the first login. The TTLs for the different factors are set to different periods, so that the password factor expires before the verification factor does; even if users need to change their password for security reasons on a semi-regular basis, they do not have to constantly enter it to reach their information. However, if a user switches to a different device or browser (i.e. from Google Chrome to Microsoft Edge), they must go through the MFA process again.
This approach allows cybersecurity professionals flexibility, allowing them to set the TTL to the time period that works best for their business model to optimize the user experience while protecting the necessary data.
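The per-factor TTL logic described above, written out as an added example (this is not Curity's code or anything from the interview). The TTL values, the `device_id` used to recognise the same browser, and the factor names are assumptions chosen for illustration; a real identity server would read them from its configuration and bind the device to a cookie or similar token.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical per-factor TTLs: the article names no concrete values, so these
# are assumptions. The verification (second) factor is trusted for longer than
# the password factor, which is what lets a returning user on the same browser
# skip repeated MFA prompts.
FACTOR_TTL = {
    "password": timedelta(hours=12),
    "verification": timedelta(days=30),
}


@dataclass
class AuthSession:
    """State kept per user per trusted browser/device."""
    user: str
    device_id: str  # assumed identifier, e.g. a device cookie or browser fingerprint
    verified_at: dict = field(default_factory=dict)  # factor -> last verification time


def record_verification(session: AuthSession, factor: str, now: datetime) -> None:
    """Store the time at which a factor was successfully verified."""
    session.verified_at[factor] = now


def factors_to_prompt(session: AuthSession, device_id: str, now: datetime) -> list:
    """Return the factors the user must present again on this login.

    A different device/browser discards all accumulated trust and requires
    the full MFA flow; otherwise only factors whose TTL has elapsed are prompted.
    """
    if device_id != session.device_id:
        return list(FACTOR_TTL)
    due = []
    for factor, ttl in FACTOR_TTL.items():
        last = session.verified_at.get(factor)
        if last is None or now - last > ttl:
            due.append(factor)
    return due


def demo():
    """Walk through first login, a same-day return, a next-day return and a new browser."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    session = AuthSession(user="alice", device_id="chrome-abc")
    # First login: nothing verified yet, so every factor is prompted.
    first = factors_to_prompt(session, "chrome-abc", t0)
    for factor in first:
        record_verification(session, factor, t0)
    same_day = factors_to_prompt(session, "chrome-abc", t0 + timedelta(hours=1))
    next_day = factors_to_prompt(session, "chrome-abc", t0 + timedelta(hours=20))
    other_browser = factors_to_prompt(session, "edge-xyz", t0 + timedelta(hours=1))
    return first, same_day, next_day, other_browser


if __name__ == "__main__":
    print(demo())
```

Because the password TTL is the shorter one, the next-day login re-prompts only the password while the verification factor is still trusted; switching browsers resets everything, matching the Chrome-to-Edge case in the text.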
New country and changed country
It is also possible to use geolocation to support the MFA process. Although geolocation is not able to pinpoint a user’s location to the exact house number or identify that person as an individual, it can determine the country from which the user request is pinged.
For this to work seamlessly, the identity server will sit behind a reverse proxy. The X-Forwarded-For header is then used as the identifying factor, since the original client IP is hidden behind the proxy. The proxy must also be whitelisted with the identity server, so that it is trusted rather than flagged as a potential security alert.
New Country as an action can be as simple as a business needs. It only requires a Bucket to store the data and a boolean subject attribute that is tied to the geolocation. If this attribute is not yet set, the boolean value is set to True and the login is treated as coming from a new geolocation that requires additional authentication. When the user subsequently continues to log in from this geolocation, the boolean value is set to False and they no longer need to go through the MFA process.
The Changed Country feature offers similar simplicity. It also requires a Bucket to store data and an attribute name for a boolean subject attribute. In this case, however, the boolean value is set to True every time the user logs in from a different country: previous geolocations are forgotten, and if the country differs from the previous one, the user is asked to authenticate again.
These two actions are useful tools to support MFA. Although the actions are similar, the key difference is that Changed Country “forgets” geolocations when they change, while New Country only sets the boolean value to True if the location is brand new and has not previously been used as an access point.
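The reverse-proxy handling and the two country actions above, as one added example that is not code from Curity or from the interview. It covers the X-Forwarded-For point from the earlier paragraph (the header is only honoured when the connection really comes from the whitelisted proxy, since otherwise a client could forge it) and the New Country and Changed Country booleans. The proxy range, the tiny `GEOIP` lookup table and the in-memory dictionaries standing in for the Bucket are all constructed assumptions.

```python
import ipaddress

# Assumption: address range of the whitelisted reverse proxy in front of the identity server.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed stand-in for a GeoIP database (documentation/test address ranges only).
GEOIP = {
    "203.0.113.10": "SE",
    "198.51.100.7": "DE",
    "192.0.2.55": "US",
}


def is_trusted_proxy(ip: str) -> bool:
    """True if the address belongs to a whitelisted proxy; malformed input is untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip: str, xff_header: str = "") -> str:
    """Resolve the original client IP behind the reverse proxy.

    X-Forwarded-For is only honoured when the direct peer is a trusted proxy.
    The chain is walked from the right (the hop our own proxy appended), and the
    first address that is not itself a trusted proxy is taken, so a value the
    client prepended on the left cannot override the proxy's observation.
    """
    if not is_trusted_proxy(peer_ip) or not xff_header:
        return peer_ip
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted_proxy(hop):
            return hop
    return peer_ip


def country_of(ip: str) -> str:
    """Country code for an IP, or UNKNOWN when the lookup has no entry."""
    return GEOIP.get(ip, "UNKNOWN")


def new_country(bucket: dict, user: str, country: str) -> bool:
    """New Country: True only if this country has never been seen for the user.

    The bucket keeps every country the user has logged in from, so a return to
    any previously used country yields False.
    """
    seen = bucket.setdefault(user, set())
    is_new = country not in seen
    seen.add(country)
    return is_new


def changed_country(bucket: dict, user: str, country: str) -> bool:
    """Changed Country: True whenever the country differs from the previous login.

    Only the last country is remembered, so earlier locations are 'forgotten'.
    A user with no record yet is treated as changed (assumption: require MFA
    until a baseline country exists).
    """
    previous = bucket.get(user)
    bucket[user] = country
    return previous != country


if __name__ == "__main__":
    ip = client_ip("10.1.2.3", "203.0.113.10")
    print(ip, country_of(ip))
```

The difference between the two actions shows up on a round trip SE, DE, SE: New Country flags DE only, while Changed Country flags both DE and the return to SE because it only remembers the last country.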
Impossible Travel
Impossible Travel acts as an authentication action, or prompt, that adds further layers of authentication where needed. This MFA functionality is also quite straightforward to use. As with New Country and Changed Country, a data source is needed to store the geolocation along with an attribute name, with the boolean subject attribute set to True if impossible travel has been identified. This identification process also uses speed as a determining factor.
As previously mentioned, geolocation alone is not enough to serve as an identifying factor, but Impossible Travel captures the longitude and latitude, which are then stored (Point A). When the same user authenticates again (Point B), the action computes the speed that would be required to move from Point A to Point B; if that speed is below the configured speed, the boolean value is set to False. If it is higher, the login is considered impossible travel, the boolean value is set to True, and the user is asked to undergo further authentication.
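The Point A / Point B speed check above as an added example (not Curity's implementation). It uses the haversine formula for the great-circle distance between the two stored coordinates and compares the implied speed with a configured maximum. The speed threshold, the in-memory dictionary standing in for the data source, and the sample coordinates are assumptions; the example also handles the edge case of two logins at the same instant, where the implied speed is unbounded.

```python
import math
from datetime import datetime, timedelta, timezone

# Assumption: the article says the speed is configurable but gives no value.
# ~900 km/h is roughly airliner cruising speed, so anything faster cannot be one person.
MAX_SPEED_KMH = 900.0
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(bucket: dict, user: str, lat: float, lon: float,
                      now: datetime, max_speed_kmh: float = MAX_SPEED_KMH) -> bool:
    """Return the impossible-travel boolean for this login and store it as the new Point A.

    bucket maps user -> (lat, lon, time) of the previous login (Point A).
    The current login (Point B) always replaces it, whatever the outcome.
    """
    previous = bucket.get(user)
    bucket[user] = (lat, lon, now)
    if previous is None:
        return False  # no Point A yet, nothing to compare against
    plat, plon, ptime = previous
    distance = haversine_km(plat, plon, lat, lon)
    hours = (now - ptime).total_seconds() / 3600.0
    if hours <= 0:
        # Simultaneous logins from different places cannot be the same person;
        # identical coordinates at the same instant are not flagged.
        return distance > 0
    return distance / hours > max_speed_kmh


def demo():
    """Constructed sequence: Stockholm, then Gothenburg 2h later, then Sydney 2h after that."""
    bucket = {}
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    stockholm = (59.33, 18.07)
    gothenburg = (57.71, 11.97)
    sydney = (-33.87, 151.21)
    first = impossible_travel(bucket, "alice", *stockholm, t0)
    plausible = impossible_travel(bucket, "alice", *gothenburg, t0 + timedelta(hours=2))
    flagged = impossible_travel(bucket, "alice", *sydney, t0 + timedelta(hours=4))
    return first, plausible, flagged


if __name__ == "__main__":
    print(demo())
```

Stockholm to Gothenburg is about 400 km, so two hours gives roughly 200 km/h and the boolean stays False; Gothenburg to Sydney in two hours implies several thousand km/h and sets it to True. Note that the value is computed against the previous login only, in line with the text, so a later plausible login from Sydney would clear the flag.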