Passwords Need Fixing. Adaptive MFA Everywhere is the Solution.
To verify every user in a Zero Trust approach, apply adaptive MFA everywhere.
Ask an average person to identify the most common cause of data breaches and they are more likely than not to echo the terrifying headlines they’ve read about: sophisticated state-sponsored attacks, stolen NSA tools, or zero-day flaws in popular operating systems. Yet, the truth is that stolen, weak, or default passwords are actually to blame most of the time.
In fact, research clearly shows too many apps are secured by passwords alone. While improvements have been made to how we use and secure passwords today (I’ll touch on those below) the fact remains average business users now manage upwards of 200 passwords. For businesses, it’s a delicate balance: one-step authentication makes it simple for unwanted guests to slip through, gain access and infiltrate systems. But introduce too many onerous security steps, and then users rebel and find workarounds — or worse, avoid work altogether. That’s how corners get cut. So, what’s the answer?
Read our blogs and it’s already known: a Zero Trust strategy enabled by Next-Gen Access technology. Next-Gen Access can’t remove all security steps on the user’s log-in path, but it can choose when (and how much) friction needs to be applied to either let that user pass through easily or take further action to confirm their identity.
Previously, I wrote that the core principle guiding Zero Trust is to “never trust, always verify” and that starts with users. But how do organizations take those critical first steps toward improving security posture? Let’s break down how to verify every user in the Zero Trust approach.
Apply MFA here, there, and everywhere
It’s no secret that multi-factor authentication (MFA) is the single best line of defense against unwanted guests wielding compromised credentials. Yet, it’s not widely deployed. Why not? Well, the short version is that it has traditionally been complex to use and hard to integrate – making it a burden to end users and IT.
At its core, MFA requires at least two of three different factors to verify user authenticity: something you know, something you have, and something you are. An example of “something you know” is a pin code or secret question. “Something you have” is a prompt to another device in the users’ possession such as a key fob that generates a one-time code, or a USB key, smart card, or smartphone. Last but not least, “something you are” is a bit more sci-fi and includes biometrics like an iris scan or thumbprint.
The big issue holding back the adoption of MFA is that these capabilities are not applied consistently across apps and services we use. For example, many of us have multiple financial accounts for banking, credit and investments. We enable MFA for each, but they all use different approaches and we have to know how to do each one otherwise we’re locked out. That’s a pain.
So, we do it because in a few places because we’re afraid of being breached, not because it’s an ideal user experience and limits more extensive use. However, the cybersecurity industry, including companies like Idaptive, has spent hundreds of millions of dollars to improve MFA for a better out-of-the-box experience for business. By providing a consistent, approachable, and secure login experience across all apps and devices businesses can enforce MFA everywhere in their organization without placing a burden on IT or exposing a less than optimal experience to end users.
Still, extra steps from MFA, no matter how smooth the user experience, can lead to adoption issues through added friction that frustrated users. For a truly Next-Gen Access approach, MFA needs to be combined with other features to improve users’ productivity rather than hinder it.
Shine the spotlight on single sign-on
This is where single sign-on (SSO) comes into play. SSO saves users hundreds of hours managing logins and saves businesses millions of dollars when it comes to productivity. Alone, as SSO has traditionally been sold to enterprises, it is a double-edged sword that greatly reduces an organization’s attack surface — but also may increase the impact of a breach because of the centralized access it offers to users. SSO, when combined with MFA, becomes much safer and incredibly powerful.
Only needing to sign-in once eliminates the need to enter passwords and send them across networks. At the same time, when integrated with another security step through MFA, businesses need not worry that a single password unlocks the keys to the kingdom. With multi-step verification, additional layers of security reduce the attack surface by an order of magnitude.
It’s not perfect though. There’s one final ingredient — the cherry on top of the cybersecurity pie — that Next-Gen Access technology provides to Zero Trust adopters.
Leave it to Behavior (-based access)
Together MFA and SSO allow for a much higher degree of confidence for security, but we still can’t trust that every user is who they say they are without the right context. Access decisions are simple when it comes to recognized devices and networks, but what happens when someone attempts a login from a new laptop or remote location? And for enhanced protection, you may choose to prompt users more often than necessary for MFA because you want to err on the side of security rather than convenience.
In a Next-Gen Access approach to Zero Trust, context is what determines whether to add friction to that user’s path. When an employee uses their recognized device, during their normal routine or hours, from their usual locations, access systems and apps they always use — then we don’t add friction. However, if someone is not doing those things, then we restrict or block that access until the user can verify that they are, in fact, who they say they are.
In the past, rules like this had to be written for each individual by IT teams. Often a herculean, if not impossible, effort. Take for example the accountant that works every day from headquarters, on the corporate network, using the same laptop, and uses the same three applications from 9-5. We could write a rule for any user that is on the corporate network, using a known device, accessing a familiar app, during office hours should be allowed silent sign-on without extra steps. But what about the salesperson traveling up and down the coast, never on the corporate network, using their own device from a Starbucks to access Salesforce.com. That would obviously require some more rules. Taken to the extreme, you would need rules for every individual user. Something IT is loathe to do and often gives up and just adds friction for everyone.
Today, however, Idaptive does the heavy lifting using machine learning to understand and assess user behavior, develop a unique behavior model for each of them, and then make intelligent access decisions in real-time based on risk. Your IT organization only has to determine what is required based on the risk level if this user is not acting according to their own behavior profile. This is the benefit of behavior-based access technology – the ability to automate access decisions and greatly reduce the attack surface, eliminate the IT burden of managing myriad rules, while at the same time not destroying the spirit of the user.
Security improvements should always be balanced against the end user experience, whether that’s a customer, partner, or employee. There must be a consistent way for these people to discover and access their apps, alongside an intelligent approach to limit or increase friction based on risk level.
Passwords are just one piece of the cybersecurity puzzle. Any device that has access to your systems needs to have trust established just as the user does. In my next blog post, I’ll dive into the ways organizations can “validate every device” as part of their Zero Trust strategy.
Read the Zero Trust series here:
Zero Trust Series – 1 What Is Zero Trust and Why Is it So Important?
Zero Trust Series – 3 Imposter Syndrome: Why You Can’t Separate the “Good Guys” from the “Bad Guys”
Zero Trust Series – 4 Passwords are Just one Piece of the Cybersecurity Puzzle
Zero Trust Series – 6 Protect, Detect, Deter, Respond is Not a Security Strategy.
Zero Trust Series – 7 Upping the Security Ante: How to Get Teams’ Buy-in for Zero Trust
Zero Trust Series – 8 Next-Gen Access and Zero Trust are the PB&J of Security
Zero Trust Series – 9 Passwords Need Fixing. Zero Trust is the Solution.
Zero Trust Series – 10 The One-Two Punch of Zero Trust. Verify Every User, Validate Every Device.