Now, before you ask, I'm not here to cast doubt on the effectiveness of multi-factor authentication (MFA). Along with many other authentication experts, I believe that MFA is a very secure way to protect your data, and to ensure that whoever is attempting to log in is exactly who they say they are.
Its strength comes from layers of security that rely on different aspects — in other words, what you know (a password) with what you own (a smartphone or token). The more of these layers you have, the safer your data becomes. However, if MFA is such a great tool, why did a recent study of 250 British organisations by IS Decisions find that only 24 percent use it? When we asked why, the biggest reasons they cited were ‘infrastructure complexity' and ‘time to manage and oversee'.
Let's look at the first reason — infrastructure complexity. It's easy to understand that in organisations with multiple users and dense network structures, implementing new security measures isn't going to come without its complications. Any new piece of technology needs to work well alongside existing infrastructure, and needs to be malleable to fit with existing business processes. Unfortunately, MFA doesn't always do that and so makes IT infrastructures even more complex.
The second reason — time to manage and oversee — is perhaps a more obvious one. IT teams already have enough on their plate without having to deal with employees continually losing their smartphones or tokens. What IT teams want is something simple that works without too much supervision, much in the same way organisations like to hire people who get on with their job without too much hand-holding.
The problems with MFA also extend beyond its rollout and management to the users themselves. Research into 250 British organisations by IS Decisions found that employees waste 15.27 minutes every week because of complex IT security procedures. That figure equates to 127 days of lost productivity per year for firms of 250 people, and 15.3 days for firms of 30 people. If you apply a monetary cost to each day, that figure quickly builds up. So if you're set on rolling out MFA throughout your organisation, you'll need to consider more than the cost of the solution itself, and factor in the cost of lost productivity.
Of course, the counter-argument to employees losing productivity through security is that they waste more time making tea or catching up with colleagues, and that the cost of MFA is simply one organisations have to bear for effective protection. But in industries where fast access to data is critical, for example healthcare, MFA can genuinely be the difference between life and death. Security is important, but not at the expense of safety.
But even if you work in an industry where fast access isn't essential, today's workers expect to be able to simply get on with their job, rather than deal with IT security procedures. And when you couple this cost with the hassle it takes to roll out and manage, MFA can potentially become this untameable beast that gets in the way more than it helps.
If there's an alternative available to MFA that achieves the same high level of security, but is easy to roll out, simple to manage, and doesn't impede the end user by forcing them to jump through hoops, that alternative has to be worth a look.
Context-aware security — a viable alternative to MFA
Many organisations are starting to turn to context-aware security to authenticate users. This form of authentication comes with all the security benefits of MFA but without the drawbacks.
Context-aware security uses supplemental information to decide whether access is genuine or not when someone attempts to connect. This supplemental information includes what device the user is logging in on, what geographical location they're logging in from, what the time of day is, and many other factors that build up a profile of the person logging in.
Administrators can set rules based on this supplemental information to automatically grant or deny access. For example, admins can set rules restricting an individual's network access to certain workstations located in particular departments on your office premises. Or admins could set up rules restricting access to certain connection types (IIS, Wi-Fi, VPN) so employees can continue to work on the go, or even restrict access to particular times of day or locations, or by a maximum number of concurrent sessions. Restricting access in this way means that even if a cyber-criminal gets their hands on an employee's password, they still won't be able to get access (one of the strengths of MFA), so data remains safe. Any attempt to access systems outside of these rules can also immediately send a notification to administrators, who can investigate and modify access rules with a single click.
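To make the rule types above concrete, here is an added example of a small context-aware access evaluator; it is illustrative code written for this article, not IS Decisions' product or its API, and the rule names, workstation IDs and login attempts are constructed sample data.

```python
from dataclasses import dataclass
from datetime import time

@dataclass
class AccessRule:
    allowed_workstations: set        # empty set means any workstation is acceptable
    allowed_connection_types: set    # e.g. {"workstation", "vpn", "wifi", "iis"}
    window: tuple                    # (start, end) local times, inclusive, same day
    max_concurrent: int              # sessions the user may already have open

@dataclass
class LoginAttempt:
    user: str
    workstation: str
    connection_type: str
    local_time: time
    active_sessions: int             # sessions already open for this user

def evaluate(rule, attempt):
    """Check every constraint and return (decision, reasons).

    All violations are collected rather than stopping at the first one, so the
    administrator alert shows the full context of a suspicious attempt."""
    reasons = []
    if rule.allowed_workstations and attempt.workstation not in rule.allowed_workstations:
        reasons.append(f"workstation {attempt.workstation} not permitted")
    if attempt.connection_type not in rule.allowed_connection_types:
        reasons.append(f"connection type {attempt.connection_type} not permitted")
    start, end = rule.window
    if not (start <= attempt.local_time <= end):
        reasons.append(f"login at {attempt.local_time} outside {start}-{end}")
    if attempt.active_sessions >= rule.max_concurrent:
        reasons.append(f"{attempt.active_sessions} session(s) already open (max {rule.max_concurrent})")
    return ("deny" if reasons else "allow"), reasons

def notify_admin(attempt, reasons):
    # Hypothetical alert hook; a real deployment would forward this to a SIEM or pager.
    return f"ALERT user={attempt.user} ws={attempt.workstation}: " + "; ".join(reasons)

# Constructed rule for a finance team: two named workstations, on-premises or VPN only,
# office hours, and a single session at a time.
FINANCE_RULE = AccessRule(
    allowed_workstations={"FIN-WS01", "FIN-WS02"},
    allowed_connection_types={"workstation", "vpn"},
    window=(time(7, 0), time(19, 30)),
    max_concurrent=1,
)

def decide(rule, attempt):
    """Apply the rule; on denial also produce the admin notification text."""
    decision, reasons = evaluate(rule, attempt)
    return decision, (notify_admin(attempt, reasons) if reasons else None)
```

A login with a valid password from an unknown laptop over Wi-Fi at 02:05 is denied on four separate grounds, which is the property the article attributes to these rules: the password alone is not enough.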
Crucially, this form of transparent access security doesn't impede the end user like MFA does, and can complement any existing security technology you've already got in place. Therefore, you no longer need to think in terms of striking a balance between security and productivity. The two now go hand in hand.
Contributed by François Amigorena, CEO, IS Decisions