Reputations at Stake: Passwordless MFA Protects Privileged Data On-premises

Don Shin | February 12, 2024

Financial services providers and enterprises in other highly regulated industries maintain more legacy applications and systems on-premises than companies in other sectors. Many also face greater risk from cyberattacks, insider threats, bad publicity, and stringent data privacy regulations.

In this blog, we’ll see how businesses can roll out modern phishing-resistant MFA across their entire workforce while maintaining the sanctity of specialized, custom applications and systems onsite. Done right, passwordless identity verification delivers three compelling advantages essential to any effective, forward-looking identity and access management (IAM) strategy:

  • Highest-assurance authentication for web, cloud, and on-premises custom and legacy applications
  • A unified login experience for all workers and authorized third parties
  • Streamlined compliance and backend operations

But let’s back up . . .

Why do enterprises still run legacy systems on-premises?

Consumers barely react anymore when their data gets exposed in security breaches at retail giants the likes of Target and Home Depot, or even healthcare providers, but it’s a different story when money itself gets threatened. No one takes it well when financial services organizations, brokerage houses, accounting and investment firms mishandle or fail to protect data, which is why these industries get held — and hold themselves — to higher standards for protecting data.

And it works. The financial services sector seems to do a measurably better job of protecting data than other industries. A recent recap of 2023 attacks on financial services organizations by ThinkAdvisor found the top 12 attacks on financial services companies exposed around 35M accounts combined — less than half of just one 2023 healthcare provider breach that affected more than 88 million individuals.

Data stays where IT can see it

Financial services institutions and other enterprises maintain a delicate balance between rolling out modern digital offerings and maintaining tighter control over data. These companies typically allocate more budget to implementing the latest cybersecurity best practices (like zero trust frameworks and least-privilege access) and invest in attracting top-tier cyber skills.

On the conservative side, some businesses hesitate to store customer data in the cloud beyond the watchful eye of in-house IT teams and the reach of their own security controls. On-premises storage and operation may continue to leverage custom applications, legacy server infrastructures, and even old mainframe computers of data center legends.

“Who wants to mess with a legacy?”

From a sheer operations standpoint, maintaining older systems becomes more costly and impractical as the talent pool of experts versed in those technologies shrinks year after year. That said, these behemoth systems fall under the heading of, “If it ain’t broke, don’t fix it.” Most organizations and IT leaders hesitate to disrupt complex infrastructures built years, even decades before the current team was put in place.

CAVEAT: “On-prem” doesn’t always mean “old” 

Before we look at the challenges and evolving solutions for securing access to on-premises systems, it’s worth noting that enterprises across many industries — banking, accounting, law firms, brokerages, healthcare providers, educational institutions, government, and critical infrastructure providers — continue to invest in building core business applications on-prem. Bloomberg recently reported that more than half (54%) of new applications are being deployed locally[i] while a study by Dimensional Research showed 92% of companies said on-prem software sales were growing.[ii]

Continuing to run applications on already-paid-for systems also reduces costs associated with network and cloud service utilization. But companies can’t afford to look “archaic,” either.

At the end of the day, doubling down on running systems in data centers means companies need to find new ways to strike the balance between competing in today’s heavily targeted digital marketplace, protecting data, and streamlining the user experience. The logistics of striking that balance create formidable challenges because, at first look, no one solution seems to do it all.

Modern IAM technologies focus on the cloud

Most IAM strategies, and even most MFA solutions, heavily target cloud and Web-based applications. For example, FIDO2 only works with web apps, Windows Hello for Business (WHfB) only works with (some not all) Microsoft systems, etc.  

Partial use case coverage and the lack of support for legacy and custom applications leave enterprises at a loss to deliver a unified high-assurance login for all remote and local users and systems. To achieve broad use case coverage — and avoid serious coverage and compliance gaps — IT needs to support multiple authentication approaches in parallel.

Redundant efforts mean redundant cost, skills requirements, and a greater burden on Help Desk teams. Instead of reducing risk, the added complexity of fragmented IAM solutions adds risk that can delay the benefits of mergers and acquisitions (M&A), digitalization, and other transformation initiatives.

 Most leading IAM solutions can’t protect many legacy and custom applications without IT having to recode the entire access front end. Even if they could, migrating all applications to a single solution could still take years because cloud-focused IAM solutions offer no viable alternative to using Active Directory (AD) to manage identity verification on the backend.

Legacy apps must meet modern standards

Data may be safer onsite, but profitability could still be at risk. On the compliance side, older systems may not prove able to support newer technologies and zero-trust policies aimed at elevating cyber and national security. These include requirements stipulated in mandates from the White House Executive Orders and other governments worldwide requiring providers to implement phishing-resistant authentication, some as early as EOY 2024.

Along with potential fines or loss of revenues caused by breaching compliance, important account relationships with state and federal agencies may be in jeopardy. Cyber liability insurance premiums also may rise posing perhaps the greatest long-term threat to staying competitive.

Passwordless MFA upholds a legacy of trust

MFA aims to verify that those attempting to access company resources is who they say they are, but approaches that still use passwords as the foundation first step carry forward a fatal flaw. Passwords that can be shared, lost, leaked, stolen, and now purchased on the black market still enable modern, automated phishing and man-in-the-middle (MITM) attacks to succeed despite investments in MFA.

Phishing for should-be-secret credentials (which wouldn’t exist in a passwordless approach) remains one of attackers’ favorite and most profitable techniques used to perpetrate ransomware attacks, account takeover (ATO), and front-page data breaches.

To overcome the pitfalls of traditional MFA, the right passwordless approach:

Stops phishing to avoid 80% risk

The recap of 2023 cyberattacks on the financial services industry mentioned earlier described attacks on CapitalOne, PayPal, TD Bank, as well as some smaller players and technology providers to the industry. Attacks involved a range of tactics such as phishing, credential stuffing, and automated campaigns hoping to reuse stolen passwords from system to access others — all techniques that can be eliminated with a passwordless approach to MFA.

Avoids 40% of Help Desk calls

Password management, resets, and rotation create a huge pain for identity managers and Help Desk teams alike. Huge investments in cybersecurity training haven’t stopped users from taking the bait during phishing attacks but may have convinced some to stop sharing and writing them down—which means they forget and call the Help Desk to perform more resets (to the tune of $75 per call).

Creates a better user experience

Users become annoyed by MFA when they’re forced to use multiple approaches to log into apps they need throughout the day. Redundant solutions may mean learning several different authenticator apps or juggling smartcards and hardware devices. The time and effort taken up by MFA can be as frustrating as managing passwords, so much so that modern “push bombing” attacks target authentication itself. MFA fatigue attacks trust users will get annoyed by too many push notifications requesting and eventually hit “OK” to grant access.

The right passwordless MFA streamlines avoids all this complexity to deliver higher assurance with fewer steps.

Octopus wraps its arms around any application

Any enterprise can turn first-rate data privacy into a competitive advantage by going the extra mile to safeguard payment, account, and personal identity information (PII). Octopus makes achieving “above and beyond” protection faster and easier than what most companies do now.

Octopus Passwordless MFA reconciles the tension between leveraging modern cloud services and maintaining essential operations on-premises with three essential advantages:

Complete use case coverage — out of the gate — to stop phishing

The SDO approach decouples front-end login experience and backed identity verification workflows.

Octopus works with any application on the front-end and with any IAM or directory infrastructure behind the scenes. Companies can achieve all the desired benefits of passwordless MFA very quickly without IT tackling the premature rearchitecting of legacy apps and infrastructures.

A safe, simple, unified login

Octopus protects access everywhere, anytime from desktops (with or without SSO) to on-premises apps and the cloud. Login workflows feature biometrics and user-preferred mobile push to reduce login times by 70% – with fewer steps for users to take.

Government-caliber identity verification

With its recent announcement of AAL3-compliant identity verification, SDO delivers the industry’s highest-assurance desktop MFA and phishing-resistant MFA for highly regulated industries. The unique combination of ease of use, simplicity, and government-caliber identity verification makes it possible for financial services providers, government agencies and suppliers, and other businesses at the forefront of cybersecurity to answer ‘yes’ to the inevitable question, “Did we do everything possible to avoid a breach”? (within reason.

Learn more, start now

For more information about passwordless MFAwatch this short video to learn how you can get started in about an hour. Or, run an ROI calculation to see how much you can save within the first year.