Multifactor Authentication: Is it still enough on its own?
Multifactor authentication (MFA) solutions have become a popular weapon in the ongoing battle against cybercrime, as evidenced by its market forecast expected to top $12.51 billion by 2022 globally. According to PWC’s report, 47% of respondents in Asia named MFA as the advanced authentication technology their organisation is currently using.
Yet we’ve known for many years that, on its own, MFA isn’t enough to detect and block fraudsters. And, these solutions can also cause customer friction. However, that doesn’t mean MFA should be discarded. When used in conjunction with digital identity-based authentication solutions, MFA can play a role in the fight against cybercrime.
At its most essential, MFA is designed to verify identity based on any number of independent factors. For example, two-factor authentication (2FA) requires at least two of three demonstrable elements—something you know, something you have, or something you are.
An ATM card is 2FA, requiring a physical card (something you have), and a PIN code (something you know). In the digital realm, along with a username and password, 2FA typically requires a one-time passcode (OTP) sent to the user’s mobile phone. Some organisations use USB-based cryptographical security keys.
However, cybercriminals have the tactics and tools for stealing everything they need to bypass 2FA — from passwords to secret questions, to token-generated codes, to device ID data and more. Cyber thieves can use tools to steal credentials that report OTPs in real time so they can log in before the victim does, or they can hijack active sessions remotely. As if that wasn’t bad enough, 2FA has received some bad publicity in the past few years. In light of recent data breaches, regulators and authorities across the region are urging organisations to strengthen their customer verification processes.
For example, to address any risk that the information stolen from a massive data breach in Singapore, Monetary Authority of Singapore has directed financial institutions to tighten their customer verification processes.
Similarly, in Australia, since the new Notifiable Data Breach rules came into play in early 2018, local organisations have been encouraged to adopt verification policies. These now not only demand tighter access control around data, but also ensure that there are multiple factors in play to stop it from being lost or stolen.
It’s also no secret users want frictionless access to their web-based accounts, and they want seamless checkout experiences from their e-commerce providers. Adding a step (or five) through various forms of MFA isn’t going to win many fans. Some consumers are even willing to overlook cybersecurity risks all together for the sake of convenience. The truth is, it’s pretty reckless to risk losing customers over forms of authentication that can’t secure a business or customers on their own — especially when the technologies exist to render such trade-offs.
The answer lies in frictionless, highly accurate fraud prevention that is completely invisible to the user and can work seamlessly with MFA to streamline the user experience and help reverse cart abandonment due to fraud. In other words — digital identity-based authentication. This type of authentication unites online and offline user attributes in real time enabling organizations to establish the true digital identity of their customers. Such a unique identifier can work across any website or app, within all industries, anywhere in the world, based on tokenized data to protect privacy.
If there is anything we can learn from the current development, it is that businesses must stay vigilant in their cause and be able to accurately detect and block potential fraud activity. It’s easy to see that MFA alone can’t help organizations strike the perfect balance between fraud and friction. But MFA combined with digital identity-based authentication can.
Article by Alisdair Faulkner, Chief Identity Officer, ThreatMetrix