If you’ve been reluctant to adopt multi-factor authentication (MFA) for your business because of concerns that it’s too complicated to administer or inconvenient to use, it’s time to take another look.
Data breaches due to password theft are now a weekly news item. Yet despite years of warnings about the weaknesses of password security, people continue to cling to this dangerously vulnerable form of access control without changing their behavior.
An analysis of a half billion pilfered passwords by the UK’s National Cyber Security Centre recently found that the character string “123456” constituted nearly 5% of all passwords in the sample, followed by “123456789” at 1.4%. Altogether, the five most commonly used passwords comprised about 8% of the database. The results are consistent with dozens of similar studies that have been conducted over the years.
Meanwhile, cyber criminals haven’t been standing still. The password-cracking software they use now employs technologies like machine learning to improve guess accuracy based upon information gleaned from public sources like social network profiles. In one test, “brute force” cracking software in the hands of a skilled professional was able to compromise 90% of the contents of a sample password file just by using common character combinations. And that was six years ago.
Security administrators understand the limitations of passwords but have struggled to come up with reasonable options. Many companies require users to change their passwords every 30 to 90 days. That’s an effective way to cut down on people’s dangerous tendency to reuse passwords, but it can actually introduce new vulnerabilities. For example, researchers have found that many users simply make minor alterations to existing passwords rather than changing them entirely, a practice that does nothing to improve security.
Commercial password managers such as LastPass, Dashlane and Keeper, which store passwords in an encrypted vault to eliminate the need for people to memorize or write them down, are an excellent option, but only 15% of people use them. Many simply fall back to asking for a password reset, an option that Gartner estimates consumes between 20% and 50% of all help desk calls and Forrester Research estimates costs enterprises about $70 per incident.
Time for MFA
A better approach is to use multi-factor authentication (MFA). This technique combines two or more authentication factors – such as a password in concert with a personal identification number, a code delivered via a text message or a biometric scan – to provide an additional layer of verification. It’s sometimes said that MFA combines something you know – such as a password – with something you have – such as a cell phone. While no access control technology is perfect, MFA has been shown to all but eliminate vulnerability due to password compromise.
A growing number of websites and social networks now offer MFA as an option, but consumer uptake has been low, due to a combination of lack of understanding and the perception of inconvenience. However, that shouldn’t be the case for businesses in which everyone is responsible for protecting sensitive information.
In fact, the combination of MFA and single sign-on (SSO) can be both more convenient and more secure than conventional password-based solutions. For example, the line of MFA solutions from Okta gives organizations the flexibility to choose how they protect applications and data, combined with the benefit of improved user convenience.
For example, administrators can choose any combination of authentication factors and assign them to groups or even individual users. Once users authenticate to the directory, they have access to a full range of on-premises and cloud services as determined by policies. There is never a need to log in again, and because the system is MFA-based, they don’t need to remember convoluted passwords or be required to change them often.
Okta has even applied machine learning to make the authentication process smarter. For example, a user attempting to log in from a recognized IP address or a known device on the company network may not be required to enter a password, whereas one attempting to authenticate from an unknown device over an insecure connection might be subjected to triple authentication. Okta’s software can even learn to recognize behavior patterns – such as people who work from home every Wednesday – and adjust authentication factors accordingly.
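As an added illustration of the adaptive policy described above, the following example (written for this article, not Okta’s own implementation) maps a sign-in’s context to the factors the user must present; the network ranges, device identifiers, factor names and the “works from home on Wednesdays” pattern are all constructed.

```python
"""Illustrative adaptive-MFA policy evaluation (example code, not Okta's)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Network
from typing import FrozenSet, List

# Constructed corporate address ranges; a sign-in from inside them is low risk.
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]


@dataclass
class SignIn:
    user: str
    ip: str
    device_id: str
    tls: bool        # False models an unencrypted ("insecure") connection
    weekday: str     # e.g. "Wednesday"


@dataclass
class UserProfile:
    known_devices: FrozenSet[str]
    home_nets: List[IPv4Network] = field(default_factory=list)
    # Learned pattern: weekdays on which this user normally signs in from home.
    remote_weekdays: FrozenSet[str] = frozenset()


def required_factors(s: SignIn, p: UserProfile) -> List[str]:
    """Return the ordered list of factors the user must complete."""
    src = ip_address(s.ip)
    on_corp_net = any(src in net for net in CORPORATE_NETS)
    # A home-network sign-in on a learned remote day is expected behaviour.
    expected_remote = s.weekday in p.remote_weekdays and any(
        src in net for net in p.home_nets
    )
    risk = 0
    if not (on_corp_net or expected_remote):
        risk += 1                      # unfamiliar network location
    if s.device_id not in p.known_devices:
        risk += 1                      # device never seen for this user
    if not s.tls:
        risk += 1                      # unencrypted transport
    if risk == 0:
        return ["trusted_device"]      # password prompt skipped entirely
    if risk == 1:
        return ["password", "otp"]     # standard two-factor challenge
    return ["password", "otp", "push_approval"]   # step-up: three factors


# Constructed profile: one known laptop, home on 192.0.2.0/24, remote on Wednesdays.
ALICE = UserProfile(
    known_devices=frozenset({"laptop-a1"}),
    home_nets=[ip_network("192.0.2.0/24")],
    remote_weekdays=frozenset({"Wednesday"}),
)
```

Each branch records why risk was added, so the same function can drive an audit log explaining which signal triggered a step-up challenge.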
Services such as these are available at a subscription price that’s within the budget of every organization. The combination of cost, convenience and protection should make MFA an easy decision for any business.