The need for multi-factor authentication in the enterprise
As cyber attacks continue to threaten networks around the world, organizations are scrambling to ensure that their most sensitive data is safe and secure. But simply building bigger walls isn’t enough to protect networks today, since cyber threats can come from both outside and inside the enterprise, increasing the likelihood of an eventual breach.
To help mitigate security breaches, enterprises are increasingly turning to multifactor authentication, which requires users to pass by multiple, separate stages of authentication to ensure their identity.
The Access Granted editorial team recently had an opportunity to sit down with Dante DeWitt, the former CIO of financial services company, BMO-Harris, and a member of the Authomate advisory team, to discuss the threat landscape and challenges facing enterprises today, and why IT decision makers are interested in multi-factor authentication.
Here is what Dante had to say:
Access Granted: What security challenges are enterprises experiencing right now? Why are they interested in multi-factor authentication and why is it a viewed as a solution for the problems they’re experiencing?
Dante DeWitt: Enterprises are currently facing the challenge of knowing who is getting on their network and what they’re doing, and that has to do with authorization and access control. Enterprises need to know who is getting on their network. They need to ensure that these individuals really are who they said they were when they logged-in. They also need to establish what authority these individuals have to do things to the network, access data and conduct transactions.
The challenge that they have is that with all of this data – and with organizations and networks getting so complex – it’s hard to know who is getting in and doing what. Even if an account has the authority to perform the actions that they are performing, it is very possible that the person on the other end is not – in fact – the person or company associated with that account as a result of not being sufficiently authenticated. To avoid this problem, network access control needs strong, robust authentication that can ensure the person looking to access the network is who they say they are.
Single-factor authentication is obviously simpler, but multi-factor authentication is more effective because it gives the security manager more confidence that the individual getting into the network is actually the person that they say they are. By adding a second factor – like a cell phone validation text response after entering your user ID and password – you’re making it more difficult for someone to impersonate you. It gives us more confidence that you are who you say you are.
Access Granted: If multi-factor authentication is this effective at controlling who is getting into networks, how come all companies haven’t embraced it? Why isn’t it an industry standard?
Dante DeWitt: A standard for authentication simply doesn’t exist yet. Chances are it’s going to come out in piecemeal fashion from different vendors, in multiple waves. A long time ago, banks began including RSA chips in credit cards, which included a pin you needed to type in. Other banks included a picture of the customer that could be verified by the person taking the card, and still others would text something that needed to be validated – maybe an answer to a personally identifiable question. And now there’s even fingerprint authentication solutions.
All of these can be happening, but there hasn’t been a single solution that’s come out that has been consistently successful, is easy to use and confirm it is being used, can not be easily hacked. Without meeting those criteria, no solution can become that standard for the industry.
The more authentication factors the better, but every time you add another one, there’s likely another company involved, requiring additional integration and expertise, making it difficult for a standard to solidify in the industry.
It’s difficult to embrace a solution because the technology keeps on changing and evolving. Companies are afraid to adopt one technology, only to have another new industry component or solution in a few short years that could require a big monetary investment to effectively integrate.
Access Granted: What are the features and benefits that companies look for when adopting multi-factor authentication solutions?
Dante DeWitt: Mobility is critical today, so it has to support mobile users. It also has to have encryption – at least for any data at rest – and would be even better if it was encrypted in transit.
It definitely needs to support out-of-band authentication and use identifiers that are exclusive to the user, so that even if the data is hacked, or someone is able to implement a keystroke logging or recording solution on one band, they would not have the complete set of factors needed to break the authentication.
And we can’t forget about ease-of-use, which is critical; it has to be so easy that it is second nature and people forget that they are actually doing something that is more secure.
Access Granted: You were recently named to the Authomate advisory team. What made you interested in Authomate and why do you feel they’re set up for success?
Dante DeWitt: For one, I have a lot of respect for the leadership over at Authomate. But mainly, it’s the ease-of-use of the multi-factor and multi-band authentication solution. This is definitely the right solution at this time. The need is immediate and the risks and losses if companies do not have this solution are substantial. Companies are already losing – directly to thieves or indirectly through law suits – billions of dollars annually.
As of now, Authomate’s solution strikes me as the best in class, and there are a lot of ways to expand the product because of the approach and architecture that they have created. For now, they’re functionally the best and most easy to use – and I have a feeling Authomate is going to be successful for a long time to come.
For additional information about Authomate’s strong authentication solutions that are also easy-to-use, go to www.authomate.com. To try out Authomate’s StrongPass solution – which combines strong security with a simple user experience – click HERE.