Solving the Challenge of Multi-Factor Authentication Adoption

istock 658008000

With the move to the cloud, and the increasingly hostile threat landscape, protecting the enterprise network using positive user authentication is more critical than ever. However, as security threats multiply and morph, and user devices and locations diversify, multi-factor authentication (MFA) has emerged as a trusted method for preventing misuse.

While adopting and deploying MFA solutions requires a careful and thorough approach, with most challenges also come opportunities and potential new benefits. We reached out to influential IT leaders to understand their views regarding adoption of MFA in the cloud era. Here’s what they said:

The User Comes First

One thing is clear – the user experience plays a big role in successful MFA adoption.

“I think some of the key challenges to adopting MFA is the perception of the user experience and ease of use. Users just want to use the services or get to the data they want, without jumping through too many hoops,” says Andrew Kalat (@Lerg), co-host of The Defensive Security podcast.

Guy Bunker (@guybunker), SVP of products at Clearswift, explains further. “The key challenge around adopting MFA is what the ‘multi factor’ is,” he says. “Even with soft tokens on mobile devices, there is a challenge for people to manage the additional authentication requirements. True MFA will only be successful for individuals when the technology is ubiquitous and as transparent/easy-to-use as possible. If this doesn’t happen it will be like having a keyring with dozens or hundreds of keys on, creating more complexity for people.”

User education is also essential, say tech leaders. “In an age of instant gratification as the norm, even a two-step process for anything can become psychologically burdensome,” says Christina Ayiotis (@christinayiotis), cybersecurity and information governance consultant. “Organizations need to infuse security into their corporate culture such that a zero-tolerance policy for violations of security protocols, such as MFA, seems a reasonable way to protect the viability of the business.”

The Added Complexity of Cloud

User experience is one factor; the complexity of moving to the cloud and securing the extended network perimeter is another.

“Cloud/SaaS adoption means that rather than connecting to a single corporate network from inside that network (one's office), employees are connecting to several networks from anywhere on the planet,” explains Wayne Sadin (@waynesadin), CIO at Affinitas Life. “This complexity now [requires IT to] implement new and more complex tools and procedures to provide overarching security without impeding user access.”

In addition to security, managing multiple vendors further complicates the situation. “Coordination among multiple vendors is a challenge for implementing multi-factor authentication,” says James Townsend (@jamestownsend), president of InfoStrat. “Also, the move to widespread reliance on SaaS and cloud solutions means that organizations no longer control their security infrastructure in the same way that they did when all solutions run in the confines of the corporate server room.”

Don’t forget the pressure of limited or shrinking budgets. “I suspect the biggest immediate challenges with organizations moving quickly forward on MFA is cost and complexity,” says Jonathan Reichental (@Reichental), CIO for the City of Palo Alto. “Cost and complexity relative to change management.”

And there are myths to overcome. “The use and value of MFAs are so misunderstood and busting the myth that MFAs are an overkill and hard to use is the biggest challenge,” says Ravi Ravishanker (@ravishan), CIO and Associate Provost at Wellesley College.

“While MFA is quickly moving up on the list of security ‘must haves,’ fear of change and unexpected costs continue to slow the pace of adoption throughout enterprises,” adds Mark Carrizosa (@cautela), director, information security at Akamai. “The introduction of a new way of ‘logging in’ is a culture change and can quickly become an operational burden, incurring more time and money than planned.”

What’s the Answer?

Thankfully, there are answers to overcoming these challenges, say respondents. Step 1: Ensure top-down support for your MFA strategy and decisions.

“The lack of tech understanding of the board is the limiting factor to the adoption of MFA,” says Jon Hall, PhD (@thinkaholic_me), consultant and complex problem solver. “Indeed, visible full adoption of all security measures is led from the top of the organization, irrespective of the technology chosen.”

Others say the use of new and emerging types of technology for “authentication” will help.

“When the second factor was 'what you have' (e.g., token or card), the problem was managing the physical objects (issuing, retrieving, troubleshooting, etc.). That's why I'm happy that biometrics ('who you are') security is maturing quickly,” says Sadin.

Sargent concurs. “Leading identity cloud companies are looking beyond simple whitelists and measuring network reputation, geographic location, device fingerprinting, and time anomalies, to build more accurate authentication risk scores, and prompt for MFA when risk scores are high,” he notes.

Kayne McGladrey (@kaynemcgladrey) ‏director of information security services at Integral Partners, offers another view. “The proliferation of SaaS in the modern enterprise means there are more services to protect, and companies should consider a deploying a CASB with their IDP to maintain and protect an up-to-date inventory of the SaaS applications in use,” he says.

Add Up the Benefits

The benefits of adopting MFA clearly outweigh the short-term challenges, respondents say.

“Adoption of SaaS and cloud adds complexity – but there is also opportunity,” says Guy Bunker (@guybunker), SVP products at Clearswift. “In cloud-based collaboration applications, verified identity will make collaboration both simpler and safer. However, for this to be effective there needs to be a solution which can be used globally, or have multiple systems that can interoperate securely. Individuals need to have control over their identity, and systems need to support multiple personas to accommodate the different needs people have – whether at work, or at home.”

“A common concern with SaaS or Cloud adoptions is the ability to control access to data and resources residing outside corporate boundaries,” adds Akamai’s Carrizosa. “To their credit, SaaS/Cloud companies have integrated MFA natively as standard practice, reducing much of the fear and costs normally associated with MFA implementations. This allows organizations to rapidly add a much-needed layer of security to their environment.”

MFA clearly represents the future, says Mark DiFraia (@mdifraia), senior director, digital credentials & ecosystems at Morpho Trust. “Multi-factor authentication is the path forward for organization looking to improve our security online,” he says. “The true power of MFA can only be realized by matching the proofing strength of the identity with the strength of the factors being used.”

Michal Kadák (@MichalKadak), product owner at Kentico, sums it up. “Once you know how to integrate user authentication into your site you're ready to take a leap of faith with MFA.”

Multi-factor authentication in the cloud era needn’t be complicated. Learn more about Akamai’s approach here