Several times a year I receive notification that there has been another mass password breach with an online database. Whether from a pwned (compromised) website or successful phishing attempts, this proves how insecure simple password access can be. Many of us have been compromised at one point in our life, simple passwords just aren’t cutting it anymore. Where is the technology headed, are we going to need retinal eye scans going forward to access our information?
Multi-Factor Authentication is considered the solution to passwords. In a recent study by Symantec, it was determined that 80% of breaches would have been prevented by including MFA with a password.
A strong password should be the first barrier for access, but proving it is really you, and not someone else, is a stronger defense.
Over the past few years, biometrics has assisted MFA in keeping data secure. Fingerprint readers and retinal scans are now mainstream. So much for Sci-fi.
I remember when I couldn’t buy gas on the east coast for a few days. Long lines at the pumps for the few gas stations that had short supply. According to Bloomberg, the Colonial Pipeline was hacked in April 2021 due to a compromised password allowing VPN access. The pipeline system was not secured with MFA for administrative access. This allowed fraudulent access to shut down the pipeline simply from a password breach.
There are many companies that now require MFA. These include Bank of America, Microsoft, Apple, Google, PayPal, Drop Box, and Salesforce. As more companies increase their security requirements each month, bad players looking to capture your data must adapt to this level of sophistication. This is leading to MFA itself needing to become more robust. So, what should we expect in the months ahead?
The Future: Adaptive Multi-Factor Authentication
Standard MFA can decrease efficiency when over implemented. Adaptive MFA can reduce the burden of constantly having to prove who you are by 80%. It also helps reduce bad actor login access to near zero. Adaptive MFA bridges the gap between user experience and account security by providing a secondary factor for logins but only prompting for secondary verification when the primary factor login looks suspicious or unusual. Typically, I logon to check certain websites each morning at 8:00 am from a work IP address utilizing the same machine. But what if I was to login at 10:00 pm from a different state? This pattern is new, so it should be challenged. Most likely, I am just traveling. But what if my device was stolen?
Behavioral Analytics can score events, including login attempts at unusual hours, login attempts from unusual locations, or login attempts from unknown devices, etc. Higher risk scores would require additional authentication methods.
My example shows utilizing an approved device, but from a new Geo location and during an odd time of day. Thus, additional Multi-Factor Authentication would be required for this new login attempt.
The future of Authentication will be security driven by artificial intelligence. Adaptive Multi-Factor can be configured to allow low risk patterns to require simply a username and password. Medium risks would require additional authentication, such as that retinal scan. A High-risk AI assessment could deny access all together. Implementing some Adaptive Multi-Factor Authentication could have kept that Colonial pipeline open. Nobody wants another national security risk. The future is being streamlined for user experience, and heightened security. I would call this a win-win.