2FA is now MFA and MFA is fast becoming the norm, even though nobody really likes it and attackers have figured out new ways to get around it too. Given the obvious need for stronger authentication, experts project the overall market for MFA solutions to grow at a CAGR of 18.5% over the next 5 years, but barring a fundamental shift, it may never be enough.
It’s true that having any type of MFA makes for a major improvement versus no MFA at all. Yet, some subtleties are emerging with regard to when and how you implement it.
The single most important distinction may be that the overwhelming majority of MFA being rolled out today still begins with users entering passwords as Factor One in the authentication process. Better than nothing, yes, but not the way you want to go.
The challenges with MFA today
Regular MFA does not:
- Stop phishing and more elaborate man-in-the-middle (MITM) attacks
- Create a better user experience (UX)
- Optimize use of IT budget and resources
Passwordless MFA on the other hand delivers all of these benefits—more security with less work for everybody—so why isn’t everyone doing it? We believe the hesitance stems from three basic misconceptions that we’re going to debunk here so you can connect the dots and see why it pays not to procrastinate doing what we all know must be done: removing “what users know” from the authentication equation.
This first blog post will introduce the three “big bucket” reasons companies who already know they’d like to do passwordless MFA “eventually” aren’t doing it now. The pushback typically takes the form of one of three questions:
- Why should we make it a top priority (when we already have top priorities)?
- Why isn’t what we have good enough (when we already went through the hassle of doing it)?
- Won’t it just add more complexity (nuff said)?
In future posts, we’ll get down to the brass tacks of each of these challenge areas with the intent to demonstrate that passwordless MFA should be and in fact, already is a priority for 2023 and that making the leap will pay for itself and start saving you money, grief, and wasted skills by year two.
Here we go . . .
1. “Why can’t it wait ‘til next year?”
We know the drill: Budgets are set, timetables are tight, and “spare time” is the mystical unicorn of cybersecurity. So, why should senior IT and business leaders shuffle stated priorities to fund passwordless MFA sooner? And if you happen to be the Identity, Security, or IT leader who knows it’s the right thing to do, why should you put your neck on the line telling them to?
We wouldn’t be writing this blog if we didn’t think IT would end up being everyone’s hero—and we’re seeing it happen with customers of all sizes—so we hope you hang with us. The short answer is: There are three very good reasons not to wait.
The first is esoteric and worth mentioning, even if it won’t sway decision-makers. Namely, if you get MFA wrong the first time, you might be wasting time and money and setting yourself up for a rip-and-replace of something you rolled out (at great pain) to users. That means Going Through It All Again, which anyone who’s lived through a bad service rollout or cloud migration rollback knows is an IT nightmare.
If passwordless isn’t a priority, what is?
A more practical and compelling case can be made by showing how passwordless MFA is a critical enabler or component of initiatives that are already stated priorities for 2023, such as:
- Phishing/ransomware prevention
- Upleveling cyber skills
- Zero Trust
- Hardening remote/worker UX
We list phishing and ransomware first because, well, they go first. Regulators, cyber insurance liability providers, and standard cybersecurity frameworks like MITRE ATT&CK all stress the need for MFA to be phishing-resistant, and for good reason:
- CISA found 90% of successful breaches start with phishing
- The Verizon DBIR reports that a whopping 63% of breaches involve phishing attacks
- Employees clicking on phishing emails remains static at around 2.9% over the last decade (even with all the education) and regular MFA
All this while the vast majority of companies surveyed already say they’re already doing MFA (many even think they’re doing passwordless). The obvious conclusion: regular MFA doesn’t do what we need it to. It doesn’t shut down the one threat vector that’s directly linked to the vast majority of disasters.
Phishing-resistant passwordless MFA does close the door on attacks involving credentials, which forces attackers to move to spend more, and move on to other targets. As phishing resistance raises the bar on MFA organically, the next step is to realize the only viable phishing-resistant MFA for the workforce is passwordless MFA.
“Phishing-resistant” MFA increasingly means “passwordless” MFA
According to the SANS Institute:
Three of the most common ways we see MFA implemented . . . all share a weakness, human interaction is required. And where human interaction is required, people can be phished. In other words, these approaches to MFA are “phishable.”
The analyst concludes, “Phishing-resistant MFA is nothing more than the same authentication process [we just described], but people are removed from the equation.”
Now we know that the industry as a whole has yet to reach this same conclusion, but it’s happening. It must.
Phishing-resistant MFA is the new gold standard, soon to be mandated worldwide. Passwordless MFA is the best if not the only viable way for the workforce to achieve phishing-resistant MFA that makes sense for everybody—users, IT, and senior management alike.
We’ve already written a lot about this, and we’ll touch on it a bit more in our next post but suffice it to say that, wherever stopping phishing, malware, and account takeover attacks is a priority, passwordless MFA should be a priority. Now.
Some lists of CISO’s top priorities for 2023 include MFA itself near the top. That includes doing it, and getting it right the first time, and/or fixing what’s wrong with it, which is usually some combination of “it doesn’t work” and “everyone hates it.”
If MFA is already a goal, passwordless should be a no-brainer: Investing in MFA that piles steps, devices, and techniques on top of passwords is like investing in a skyscraper built upon a sinkhole. Or, as we like to say at SDO, your infrastructure is moving and MFA needs to keep pace. That means creating a single, acceptable user and IT experience across the board now—on-prem and remote, legacy and cloud, third-party ecosystems/M&A, etc.
Zero Trust as a “directional” priority
Emerging mandates and frameworks such as the Biden administration’s Executive Order 14028, Improving the Nation’s Cybersecurity, and MITRE ATT&CK all prescribe rapid adoption of a Zero Trust approach to security. Basically, this means treating anything and everything as though it might carry risk, even after it enters your environment.
A Zero Trust model further assumes you may already have been breached and applies a “never trust, always verify” policy to each new request.
People as a perennial priority
Prioritizing people used to mean keeping users happy. Now executives recognize they need to think strategically about retaining and up-leveling premier IT skills as well.
Users hate regular MFA because it piles on a bunch of annoying steps—and “things”—to juggle on top of remembering rotating, and managing passwords. Authenticating all day long becomes a real drag, especially in the absence of single sign-on (SSO).
IT hates the reality of users managing passwords because it wastes time, promotes tons of complaints, and still leads to 80% of the messes IT has to find, fix, and clean up after. Plus, it’s really boring.
Once they know what it looks like, everyone likes the idea of transferring management of secrets to IT. Depending on how you implement it (we’ll look at this in our next three posts), passwordless MFA delivers stronger authentication than today’s 2FA/MFA with users possibly only taking one step to authenticate. Even better, the one remaining step (or whatever steps IT chooses) all seem lightning-fast compared with typing in passwords and OTPs over and over to start the process all day long.
To summarize, passwordless MFA rolls up into many broader initiatives aimed at buying down security risk, and in turn cyber insurance premiums.
2. “We have MFA and SSO. Isn’t that enough?”
Because X% of companies already perceive their companies as having invested in something that constitutes passwordless MFA, pushback may take the form of:
- “We already have SSO and it works”
- “We already have Mac Touch ID and/or Windows Hello – it has the appearance of passwordless and people are doing it already”
- “We already use the Microsoft Authenticator app. Can’t we just build on that (whenever)?”
No one likes rocking the boat, but the answer to all of the above is “no.” Much of what’s in place right now falls short both in terms of phishing resistance (standards compliance), and the ability to deliver a cohesive UX:
- SSO requires a password every day
- WHfB and Mac Touch ID require passwords during startup and for admin tasks
- WebAuthn only works for web-based resources
- Apple’s newly announced support for physical keys requires hardware that would be hugely expensive to roll out in the workforce and could result in users being locked out of devices for good
The drawbacks of most of these approaches cannot be overstated as they:
- Don’t work for all your applications
- Still require users to enter passwords (that can be phished) at certain times if not many times
Now, if you’re just trying to make it harder for attackers to exploit users to sneak in, what you have may be enough. If you need to demonstrate phishing resistance (or sincerely wish to prevent phishing) the best and safest approach is passwordless MFA.
Education isn’t enough, and MFA isn’t enough. In our deeper dive into popular approaches to MFA, we’ll look at things like:
- What happens when something goes wrong
- Why nothing is “free”
- Issues with emerging FIDO approaches like tokens and security keys
We’ll also outline a vendor-agnostic approach that will bridge the gaps, both between regular and passwordless MFA, and between solutions have in place now and vulnerable services still relying on passwords and security questions (What Users Know²).
3. “It’s not worth the effort.”
Virtually every major investment in cybersecurity bumps up against this one, and too often, companies wait for something to go wrong before they take the inevitable next step. And this objection is hard to argue with because it’s hard to measure the value of something not happening. All you can do is look at what didn’t happen—a breach, ransom, or fine—and what it might have cost.
It can also be argued that it makes sense to defer a major revamping of your infrastructure because things haven’t quite “gelled” yet. Who wants to be the early adopter who moves too far too fast before you really, really had to?
The questions within the question here are:
- How hard is it really to do passwordless MFA right?
- When is the ideal time to do it?
The good news is that experts, standards, and leading vendors all agree: the future of authentication is passwordless powered by migration to a public key infrastructure (PKI). We use the word “migration” instead of “adoption” here because that’s what PKI is, and why all the experts who extol its virtues agree that it’s still a ways off. Maybe decades.
PKI requires more than the obvious tweaks on the front end—voice recognition, iris scanners, fingerprint readers, FIDO keys, and mobile apps. It requires extensive effort on the backend to rearchitect directories to work with pairs of keys instead of passwords. In sectors like healthcare, government supply chain, and critical infrastructure, many business-critical applications cannot be rearchitected to provide private keys, and many directories cannot easily be rearchitected to speak PKI.
Often the wizards who developed or configured custom or legacy systems are long gone, having taken their tribal knowledge with them, and who wants to risk breaking that stuff?
But what if it was easy?
The ideal migration strategy for implementing “Passwordless MFA Everywhere” right now and “PKI Everywhere” later would be one that decouples user authentication from directory infrastructures. It would be vendor-agnostic, standards-compliant, and FIDO-driven. It would take password management off users’ plates today and equip IT to do PKI later—or whenever both PKI and IT are ready.
The last blog in our series will look at the issue of complexity, and the breadth and depth of what needs to happen and when. In that last post, we’ll talk about how you can have passwordless MFA in an hour—for real—with no disruption of user workflows or IT modernization timetables.
And last but not least, we’ll look at the issue of what happens when something goes wrong.
The bottom line: Not waiting pays
If you’d like to see for yourself, take a few minutes to run the ROI Calculator using your own data right now. If you’re not there yet, but your organization already knows passwordless MFA is the best way to go, be sure to check out the remaining three blogs in this series.
When you do passwordless MFA matters almost as much as how you do it, because this one change eliminates the single most costly threat vector in your attack surface. And, it saves everyone’s time and effort from that point on. Not just a little, a lot.
So, stick with us to see how you can:
- Reduce friction vs. regular MFA
- Stop phishing and reduce risk of malware
- Free up 70% of your Help Desk’s time
- Stay ahead of the mandates and cyber insurance premiums
Schedule a demo with us so we can field any questions or objections you may have about passwordless MFA.