Authentication is frustrating for today’s users.
Another notification. Another multi-digit code to type in. Another occasion to reach for the mobile phone—just a minute or two after the last one. And remember not to lock your keys in your car along with your hardware token!
Yes, MFA should be the minimum standard for authentication today, but most current solutions are far too intrusive.
Between onerous password policies and frustrating MFA tools, companies and their users are paying a heavy “productivity tax” to achieve basic cybersecurity.
Worse, most of today’s MFA solutions can be compromised by simple theft, whether of a token or of a mobile device.
We think it’s time for companies to rely on authentication solutions that don’t require additional devices or multiple steps.
Device-Free Authentication the Wrong Way
The complexity, frustration, and cost associated with most MFA methods causes a certain amount of understandable resistance. As a result, continued reliance on passwords alone is remains a popular, though misguided, choice.
Passwords, after all, are easy to implement, broadly understood, and convenient. That’s why ninety percent of Gmail users still protect their accounts with passwords alone.
But the average business user now has 191 passwords to remember. This leads to problems like password reuse and the selection of obvious, dictionary-based passwords—both of which make breaches close to trivial for hackers to achieve.
Most standards bodies and security experts now agree that password rules and security questions (which are effectively just several passwords in series) won’t fix the fundamental problems that bedevil passwords of all kinds.
That said, there’s no reason for companies and users to continue to spend time and dollars on device-based MFA when other, better solutions now exist.
Device-Free Authentication the Right Way
The science behind device-free solutions that provide invisible multi-factor authentication—not just new layers of passwords and password rules—is well over a decade old now. Shipping products based on this science are becoming more and more common.
In general, all of these solutions rely entirely or in part on behavioral-biometric data—individual micro-patterns in keyboard and mouse activity—to identify users.
The result is a bundle of passively observed, real-time data about a particular user that is fingerprint-unique, yet nearly impossible to steal, duplicate, or reproduce.
Today, these solutions come in two basic categories—a static one that authenticates user interaction in key moments and workflows, and a continuous one that authenticates user interaction throughout the day, as users work.
Static Invisible MFA
Static invisible MFA can be deployed “behind” UI elements like login prompts or important text entry boxes. It stands in for older, device-encumbered MFA solutions like mobile phone apps or SMS delivery, fingerprint or iris scans, and YubiKey, RSA, or other hardware tokens.
It’s able to add strong, out-of-band multi-factor authentication to login and privilege escalation flows without requiring the user to know or provide anything but their username and password.
As the user enters these, the properties outlined above are silently captured and evaluated in the background. If they don’t match the user’s previous profile, the login or privilege escalation is denied—even if the username and password are correct.
In general, static invisible MFA solutions protect a particular series of applications, workflows, or UI prompts, and are deployed in a focused way around them.
Continuous Invisible MFA
Continuous invisible MFA solutions run at a lower level, just above the OS layer and prior to any particular application or workflow. They remain active on a host computer system, device, or endpoint, and monitor activity in all of the workflows and authentication flows that occur on it throughout the day.
As the user works, they are authenticated every few seconds, regardless of the application in use. If at any point their observable behavior and context deviates too far from past behavior and context, they are either blocked or prompted for other forms of authentication before work can continue.
Plurilock™ offers static invisible MFA solutions in our ADAPT and AWARE products, and a continuous invisible MFA solution in our DEFEND product.
The Time for Device-Free is Now
Concerns about the insecurity of SMS MFA continue to emerge. Worry about the trustworthiness of mobile devices continues to multiply.
Meanwhile, companies are finding that more and more valuable labor time from skilled workers is being consumed by authentication processes—managing an endless list of passwords, a cumbersome bundle of mobile authenticator apps and flows, or a series of easy-to-lose and easy-to-damage hardware tokens and fobs.
Everyone would like to achieve the security benefits that accrue with MFA, but without the costs and frustrations that it typically causes.
It’s now 2019 and device-free MFA isn’t just science any longer—it’s on the market and shipping. So if your company hasn’t looked into it, there’s no better time than the present.
Because no one will miss fumbling around all day with MFA devices. ■
