
Multifactor Authentication: Is it still enough on its own?

25 Sep 18

Multifactor authentication (MFA) solutions have become a popular weapon in the ongoing battle against cybercrime, as evidenced by a global market forecast to top $12.51 billion by 2022. According to PWC’s report, 47% of respondents in Asia named MFA as the advanced authentication technology their organisation is currently using.

Yet we’ve known for many years that, on its own, MFA isn’t enough to detect and block fraudsters. These solutions can also cause customer friction. However, that doesn’t mean MFA should be discarded. When used in conjunction with digital identity-based authentication solutions, MFA can play a role in the fight against cybercrime.

At its most essential, MFA is designed to verify identity based on any number of independent factors. For example, two-factor authentication (2FA) requires at least two of three demonstrable elements—something you know, something you have, or something you are.

An ATM card is 2FA, requiring a physical card (something you have) and a PIN code (something you know). In the digital realm, along with a username and password, 2FA typically requires a one-time passcode (OTP) sent to the user’s mobile phone. Some organisations use USB-based cryptographic security keys.

However, cybercriminals have the tactics and tools for stealing everything they need to bypass 2FA — from passwords to secret questions, to token-generated codes, to device ID data and more. Cyber thieves can use credential-stealing tools that relay OTPs in real time, so they can log in before the victim does, or they can hijack active sessions remotely. As if that wasn’t bad enough, 2FA has received some bad publicity in the past few years. In light of recent data breaches, regulators and authorities across the region are urging organisations to strengthen their customer verification processes.

For example, to address the risk posed by information stolen in a massive data breach in Singapore, the Monetary Authority of Singapore has directed financial institutions to tighten their customer verification processes.

Similarly, in Australia, since the new Notifiable Data Breach rules came into play in early 2018, local organisations have been encouraged to adopt verification policies. These now not only demand tighter access control around data, but also ensure that multiple factors are in play to stop it from being lost or stolen.

It’s also no secret that users want frictionless access to their web-based accounts, and they want seamless checkout experiences from their e-commerce providers. Adding a step (or five) through various forms of MFA isn’t going to win many fans. Some consumers are even willing to overlook cybersecurity risks altogether for the sake of convenience. The truth is, it’s pretty reckless to risk losing customers over forms of authentication that can’t secure a business or its customers on their own — especially when the technologies exist to make such trade-offs unnecessary.

The answer lies in frictionless, highly accurate fraud prevention that is completely invisible to the user and can work seamlessly with MFA to streamline the user experience and help reverse cart abandonment due to fraud. In other words — digital identity-based authentication. This type of authentication unites online and offline user attributes in real time, enabling organisations to establish the true digital identity of their customers. Such a unique identifier can work across any website or app, within all industries, anywhere in the world, based on tokenised data to protect privacy.

If there is anything we can learn from current developments, it is that businesses must stay vigilant and be able to accurately detect and block potential fraud activity. It’s easy to see that MFA alone can’t help organisations strike the right balance between fraud and friction. But MFA combined with digital identity-based authentication can.

Article by Alisdair Faulkner, Chief Identity Officer, ThreatMetrix
