Posted by Ed Macnair / 19 December 2016
Cyber Security is now well and truly on the map. Politicians wax lyrical about how they’re fighting it, entire supplements of every major Sunday newspaper are dedicated to it and in general, the world is that little bit more savvy, I’m delighted to say.
The by-product of the popularity and trend has also meant the industry has given birth to a whole slew of new vendors, all brandishing themselves as experts; which is a worry, particularly when it comes to Multi-Factor Authentication.
You see, MFA is a solution that has finally come of age in a way that can be meaningfully applied in the real world but alarmingly it appears the market is distracted by two types of solutions that need to be put well and truly back in their virtual box; some old and some new.
The future is bright (and token free)
For some time now, our old friend the security token has been on its virtual knees but still you see them swinging from the occasional key ring. Tokens are to MFA what the ‘car-phone’ is to the smart phone; So when I see one, I naturally assume it is either being wielded by an ironic tech-retro-hipster or somehow, it’s doubling as a flux capacitor that has magically transported its owner fresh from 1996. What I do know is that it can’t be being used in earnest as a modern-day method of security. My point is, we’ve moved on and the token was a good idea that has served its time; it has also inspired new technology that has evolved and taken its place both in context and relevancy…but I’ll come back to that.
One step forward, Deux steps back
With adaptive MFA finally getting the industry column inches it deserves, I for one am naturally happy; predominantly because it slams home the point that I’ve been telling anyone who will listen for as long as I can remember; keep users secure without inhibiting their productivity and you can’t go wrong. Simple, right? You’d think so.
Simple messaging and a simple solution doesn’t mean cutting corners; beneath the cool exterior must lie substance or you’ve basically just created virtual window dressing; not a solution fit for an evolved market.
One authentication vendor that springs to mind has a ‘slick user interface’, and a cool traffic light system that allows you to hit either a red or a green button to verify that it’s you that’s logging in; there’s just one small issue, it ignores the fact that since time immemorial, users will do what they want to get the job done.
Will they hit the green button regardless of the risk in the valiant name of productivity? I’ll hazard a guess they will and we all know where that leads.
Experience isn’t for sale
I get that security has become an exciting new virtual playground for new entrepreneurial companies and I for one, embrace it; the more intelligent solutions out there, the better the likelihood we have of making the internet a safe place to be and that’s a good thing in my book. The trouble is though, before you jump on the shiny bandwagon, it’s worth understanding the learnings on where the industry has come from and that includes the well-trodden path of enabling users while making sure they don’t hurt themselves in the process. I’m all for simplicity but not at the cost of intelligence and certainly not at the cost of security.
The middle-ground is also the higher ground
Two factor token-based authentication has clearly earned its place in technological history and not to mention, can be hacked by either a simple phishing attack or by a determined toddler. With that in mind, you would hope that any forward-thinking organization would have discounted them as a viable solution.
Equally, the optimist in me hopes that any mature professional wouldn’t opt to give their users the ability to hit a red or a green button as a security strategy.
Effective MFA uses a number of variables to identify users; from IP addresses and geographical location, to time and day session-ID’s…to name a few. And guess what? It’s perfectly possible to use contextual information to assess threat levels, adjust the level of authentications needed without compromising the intuition of the solution or the convenience of the users. I know, it’s like magic; only it’s not. It’s experience, credibility and an evolved product that serves what the market needs today in the real world.
A sexy interface alone doesn’t cut the mustard; you need to bring flexible policy administration to protect multiple platforms on a global scale, that can seamlessly integrate with remote access and cloud applications. In other words, beneath that shiny façade, needs to conceal a credible underbelly that does the job and does it well.
Protect in real-time, make it session specific and use contextual information when validating your users; that way, you stand a strong fighting chance of protecting against identity theft, not to mention the ever-increasing sophistication of the modern day cyber-criminal; who I can assure you, knows his green buttons from his red ones.