Multifactor Authentication: Is it still enough on its own?

25 Sep 2018

Multifactor authentication (MFA) solutions have become a popular weapon in the ongoing battle against cybercrime, as evidenced by a market forecast to top $12.51 billion globally by 2022. According to PWC’s report, 47% of respondents in Asia named MFA as the advanced authentication technology their organisation is currently using.

Yet we’ve known for many years that, on its own, MFA isn’t enough to detect and block fraudsters. These solutions can also cause customer friction. However, that doesn’t mean MFA should be discarded. When used in conjunction with digital identity-based authentication solutions, MFA can play a role in the fight against cybercrime.

At its most essential, MFA is designed to verify identity based on any number of independent factors. For example, two-factor authentication (2FA) requires at least two of three demonstrable elements—something you know, something you have, or something you are.

An ATM card is 2FA, requiring a physical card (something you have) and a PIN code (something you know). In the digital realm, along with a username and password, 2FA typically requires a one-time passcode (OTP) sent to the user’s mobile phone. Some organisations use USB-based cryptographic security keys.

However, cybercriminals have the tactics and tools for stealing everything they need to bypass 2FA — from passwords to secret questions, to token-generated codes, to device ID data and more. Cyber thieves can use credential-stealing tools that report OTPs in real time, so they can log in before the victim does, or they can hijack active sessions remotely. As if that wasn’t bad enough, 2FA has received some bad publicity in the past few years. In light of recent data breaches, regulators and authorities across the region are urging organisations to strengthen their customer verification processes.

For example, to address any risk arising from the information stolen in a massive data breach in Singapore, the Monetary Authority of Singapore has directed financial institutions to tighten their customer verification processes.

Similarly, in Australia, since the new Notifiable Data Breach rules came into play in early 2018, local organisations have been encouraged to adopt verification policies. These now not only demand tighter access control around data, but also ensure that there are multiple factors in play to stop it from being lost or stolen.

It’s also no secret that users want frictionless access to their web-based accounts, and they want seamless checkout experiences from their e-commerce providers. Adding a step (or five) through various forms of MFA isn’t going to win many fans. Some consumers are even willing to overlook cybersecurity risks altogether for the sake of convenience. The truth is, it’s pretty reckless to risk losing customers over forms of authentication that can’t secure a business or customers on their own — especially when the technologies exist to render such trade-offs.

The answer lies in frictionless, highly accurate fraud prevention that is completely invisible to the user and can work seamlessly with MFA to streamline the user experience and help reverse cart abandonment due to fraud. In other words — digital identity-based authentication. This type of authentication unites online and offline user attributes in real time, enabling organizations to establish the true digital identity of their customers. Such a unique identifier can work across any website or app, within all industries, anywhere in the world, based on tokenized data to protect privacy.

If there is anything we can learn from the current development, it is that businesses must stay vigilant in their cause and be able to accurately detect and block potential fraud activity. It’s easy to see that MFA alone can’t help organizations strike the perfect balance between fraud and friction. But MFA combined with digital identity-based authentication can.

Article by Alisdair Faulkner, Chief Identity Officer, ThreatMetrix
