Mary Ann Miller, fraud & cybercrime executive advisor and VP of client experience at Prove, advises organizations on why tools like multi-factor authentication and one-time passwords need to be supplemented with seamless solutions to avoid user frustration and defend against threats seeking to exploit MFA.
Often when using digital services – whether it be signing into a bank account, checking your cryptocurrency wallet, browsing social media or making a purchase – consumers only have multifactor authentication (MFA) standing between them and becoming a victim of fraud. And yet, a recent series of surveys from Prove reveals that 33% of consumers do not even enable MFA because they find it to be an annoying process. What’s more, with today’s threat landscape, MFA technology itself can become a target, leaving consumers and businesses open to fraud.
Does this mean that we should abandon MFA and other login security solutions altogether? No. However, organizations do need to supplement their MFA tools and one-time passwords with seamless digital identity verification solutions, both to avoid user frustration (while making sure available tools are actually being leveraged for their intended purpose) and to defend against the threats which would exploit MFA.
Multifactor Authentication: Risk and Reward
In the current threat landscape, MFA ought to be a baseline cybersecurity requirement for companies of every size. However, just as ransomware and phishing attacks have continued to evolve, so too should your security standards.
Hackers and phishing scams have now developed workarounds that allow them to target users of MFA and one-time passwords. These include a few types of fraud that use processes against companies or consumers to transfer an account or phone number to a new device. When targeting an individual, the bad actors will divert or forward MFA/OTP passcodes to other phone numbers and, using malware or social engineering techniques, convince the victim that they are the organization that sent the original code so that the victim repeats it back.
For businesses, the types of fraud may not look the same, but are just as much of a threat—and sometimes even more devastating, due to the sensitive nature of the industries that businesses deal with. Properly implemented MFA (i.e., installed, functioning, and understood by its users) may be able to stop some of these frauds in their tracks – but despite this, many organizations seem disillusioned with the tech and may not be requiring or ensuring that their employees are utilizing it at all. The data shows that only 21% of consumers report using MFA more on work accounts than they do personal accounts, and only 19% of consumers are required to use MFA across work accounts.
This is both an indication of a severe lack of trust in MFA, and of the fact that one solution alone is not enough to secure an organization, and it never will be. Even with the best training, there will always be people who can get taken in by a phishing scam. Security needs to be multifaceted in order to be as effective as possible, and organizations should especially be thinking about how to implement additional security solutions that do not require action from the user to be secure (which MFA typically does). That way, businesses will have additional layers of protection, and so will individuals.
Seamless Identification
As organizations become more aware of the sophistication of the threats they are dealing with, they are looking for ways to shore up the MFA systems they may have in place. After all, sign-on verification is only one line of defense against fraud. One of the best ways to think about strengthening the process is to consider a solution that continually reconfirms the identity of the user – seamlessly – through their entire session. While this might seem like a cumbersome concept, solutions like behavioral biometrics can ensure that the sessions remain secure and will oftentimes operate without the user even knowing.
Many of us are familiar with static biometrics from our smartphones, which eliminate the password altogether in favor of fingerprint or facial recognition. Behavioral biometrics are the next evolution in authenticating digital identity: they continually confirm in the background, through patterns detected from the user of the device, that the one accessing the account is still the one who was initially authenticated. This creates a clear picture of the user by actively examining a range of physical and cognitive behavior and is able to distinguish between a legitimate user and cybercriminal activity.
When coupled with learning capabilities, behavioral biometrics can also continuously improve, always widening their knowledge of the pattern elements of a particular user. This learning and verifying goes on in the background, without the user having to reauthenticate repeatedly during their session, while also adding a background layer of security to what was already verified through MFA.
Tackling the New Threat Landscape
When MFA first arrived on the scene, it was considered the gold standard of security solutions – and it still can and should play a vital role in any security strategy for online transactions and account access. However, the evolving threat landscape requires security solutions to evolve as well.
Fortunately, the cybersecurity landscape has evolved right along with cyber threats, and it is possible now for organizations to supplement their existing MFA solutions to provide additional layers of security that actually reduce user friction. These solutions can enable organizations to upgrade their authentication processes to make the experience more seamless for their users, encouraging better security hygiene and retaining customers.
A company is only as secure as the protective solutions it employs, and those are only effective when leveraged correctly by users. By staying on top of all the latest developments, you can ensure a seamless identity verification and security process for your organization, employees and customers.