SecureAuth introduces another take on multi-factor authentication

SecureAuth announces Symbol-to-Accept, a mobile MFA approach that aims to improve security without placing an undue burden on users

SecureAuth is in the business of adaptive access control. What that means in plain (or at least more plain) English is that the company offers security solutions that balance strength with ease of use and that adapt to different use cases.

An example of adaptive access control might be requiring a simple username and password for regular access, but requiring a higher level of authentication when the user (for example) logs in from another geography.

+ Also on Network World: 5 trends shaking up multi-factor authentication +

As data breaches have gained massive prominence in recent years, due in part to some celebrities' dual proclivities for poor password control and a penchant for naked selfies, the public has become increasingly aware of multi-factor authentication (MFA) a process that requires a subsequent authentication entry beyond simply username and password.

While MFA is certainly more secure than single factor, it’s also kind of a pain and customers are looking to have far more granular control over authentication—which is where this adaptive access control notion comes in. Previously MFA has been in the form of a physical token, which generates a random number, or alternatively the sending of an SMS to a paired mobile device. These methods, however, are still too inflexible, and vendors and customers alike are looking for different flavors of MFA that better meet their particular use cases.

Mobile MFA approach: SecureAuth's Symbol-to-Accept

And so we have SecureAuth today announcing Symbol-to-Accept, a mobile MFA approach that aims to improve security without placing an undue burden on users.

Symbol-to-Accept moves on from Push-to-Accept, an MFA approach that offers a single button users click on to validate the authentication attempt. SecureAuth has determined that users are, in some cases, routinely pressing “Accept” even when they didn’t actually initiate an authentication attempt. SecureAuth's take is that while Push-to-Accept has exploded due to its simplicity and speed, it exposes enterprises to risk that users may inadvertently approve login requests they did not initiate. This could allow an attacker to bypass the intended protection of MFA and breach the user’s account:

“Push-to-Accept is arguably one of the most convenient forms of multi-factor authentication,” said Keith Graham, CTO at SecureAuth. “Unfortunately, while traditional Push-to-Accept authentication provides a great user experience, it is prone to exploit by attackers who may bombard the user with Push-to-Accept requests—to the point where the user will eventually hit 'accept' to make the requests go away. And for cybercriminals, it’s a numbers game: Bombard as many users with requests as necessary until the desired outcome is achieved.”

How Symbol-to-Accept works

Symbol-to-Accept, on the other hand, allows mobile push authentication with fewer risk factors. With Symbol-to-Accept, the user is presented a small number of “accept” buttons displaying single, randomly selected symbols (such as letters). To successfully log in, the user selects the correct symbol that matches one displayed on their computer’s login screen.

SecureAuth speak directly to this perennial tension between security and ease of use and the need to continually move goal posts in terms of the systems and processes that organizations use.

“To satisfy today’s changing enterprise landscape, it’s essential for security solutions to evolve at the pace of new emerging threats, as well as meet practical organizational needs,” Graham said. “Some organizations are already moving to stronger methods of user authentication, including adaptive access control techniques, safeguarding critical areas such as Single Sign-On (SSO) portals and self-service password reset applications. It is imperative that more organizations take this lead and look to implement adaptive access in a way that, in addition to Symbol-to-Accept, performs risk analysis as part of the authentication process. Adaptive techniques such as device recognition, geo-location, the use of threat services and even behavioral biometrics enable organizations to take control of their authentication process without compromising user experience.”

I like the idea of Symbol-to-Accept. While the term is a mouthful that, thankfully, won’t get much traction beyond the security vendors, the idea is yet another arrow for security teams to put into heir continually changing quiver of authentication options.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2016 IDG Communications, Inc.