The disdain for passwords is well-trodden ground on this site: employees and users frequently forget them, they’re either easily cracked or easily stolen, and when used independently of other authentication factors they’re remarkably weak. Yet there remains some confusion surrounding whether the issue is with passwords themselves or with single-factor authentication as a concept. If the entirety of your identity and access management protocols hinge on a single point of verification, would anything you use truly stay secure?
Enterprises and solution providers alike are therefore turning to two-factor authentication to provide a more layered approach to their identity management. This may involve incorporating hard tokens into the authentication processes or factoring in device recognition and geofencing as factors. But even this may not be enough. The way forward, according to some privileged access management solution providers, might be contextual multifactor authentication.
Theoretically, contextual multifactor authentication differs from two-factor authentication only by asking for more than two factors. Logically, so long as the factors are sufficiently distinct from one another, the compromise of one will not translate into data breaches or compromised accounts. Yet it is so much more than that.
To understand contextual multifactor authentication in greater detail, we read through the “Multifactor Authentication: Best Practices for Securing the Modern Digital Enterprise” whitepaper by PAM vendor Ping Identity.
Here’s what we found:
Contextual Multifactor Authentication Begins with Policy
Moreover, those contextual multifactor policies do not need to kick in immediately at the sign-on phase. They could trigger when the employee or privileged user is outside their normal geographic or temporal parameters for work, as just one example. Similarly, these policies could trigger when a user executes a sensitive task like a financial activity or when they make an account settings change.
These policies can also define safe areas or parameters in which the contextual multifactor protocols do not trigger, e.g., the employee is in the office on an approved endpoint when making a settings change.
Contextual Multifactor Can Improve your Bottom Line
Surprisingly, risk-based contextual multifactor can prove far more flexible than single-factor authentication in its digital architecture. It can thus more comfortably adapt to new technologies, resulting in less time dealing with integration issues in the future.
In the short term, contextual multifactor authentication also limits the usage of the more elaborate high assurance mechanisms like fingerprint scans. This can reduce the cost-per-use of the more expensive tools in your access management arsenal, ultimately saving on your enterprise’s security budget.
Hard Tokens Aren’t Always the Solution
Even in a contextual multifactor authentication scheme, hard tokens can prove difficult to adopt. They can put a damper on user experience and can prove expensive.
However, Ping Identity does describe a new form of hard token operating within the endpoint’s USB slot. With the push of a button on this token, it sends a one-time passcode to a user’s registered device.
There are Myriad Authentication Factors To Select From
These can include passwords, hard tokens, soft tokens (which involve generating one-time passwords via mobile devices), biometric authentication, mobile authentication, and device identification.
However, what matters more than the factors you select (which are still quite important) are the risk assessment systems and models you establish to trigger contextual multifactor authentication. What situations, locations, user behaviors, or access requests will mandate more restrictive authentication demands? And how will you scale those authentication demands?
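As an added illustration (not code from the whitepaper or from Ping Identity), the policy triggers described above, the safe-area exemption, and the idea of scaling the demand so that high-assurance mechanisms are reserved for the riskiest requests can be expressed as a small step-up evaluator. The per-user baseline, the safe-zone definition, the action names and the three assurance levels are assumptions made for this example.

```python
from dataclasses import dataclass
from enum import IntEnum

class Assurance(IntEnum):
    # Ordered so that a higher value means a stronger step-up demand.
    PASSWORD = 1    # single factor, already satisfied at sign-on
    OTP = 2         # soft/hard token one-time passcode
    BIOMETRIC = 3   # high-assurance, reserved for the riskiest requests

@dataclass(frozen=True)
class AccessContext:
    user: str
    country: str            # where the request originates
    hour: int               # local hour of the request, 0-23
    on_approved_device: bool
    action: str             # e.g. "read", "settings_change", "wire_transfer"

# Constructed per-user baseline (hypothetical): expected countries and working hours.
BASELINE = {
    "alice": {"countries": {"US"}, "hours": range(8, 19)},
}
SENSITIVE_ACTIONS = {"settings_change", "wire_transfer"}
HIGH_RISK_ACTIONS = {"wire_transfer"}
SAFE_ZONE_COUNTRIES = {"US"}   # where the office sits (hypothetical)

def required_assurance(ctx: AccessContext) -> Assurance:
    """Decide how much step-up authentication a request needs.

    Triggers mirror the text: location or time outside the user's normal
    parameters, sensitive tasks, and a safe-area exemption."""
    profile = BASELINE.get(ctx.user)
    unknown_user = profile is None
    outside_geo = unknown_user or ctx.country not in profile["countries"]
    outside_time = unknown_user or ctx.hour not in profile["hours"]
    # Safe area (assumed): approved endpoint, office country, working hours.
    in_safe_zone = (ctx.on_approved_device
                    and ctx.country in SAFE_ZONE_COUNTRIES
                    and not outside_time)

    # No step-up inside the safe area, even for a settings change;
    # high-risk financial activity is never exempt.
    if in_safe_zone and ctx.action not in HIGH_RISK_ACTIONS:
        return Assurance.PASSWORD

    level = Assurance.PASSWORD
    if outside_geo or outside_time or ctx.action in SENSITIVE_ACTIONS:
        level = Assurance.OTP
    # Scale the demand: an anomaly combined with a high-risk action
    # escalates to the expensive biometric factor.
    if ctx.action in HIGH_RISK_ACTIONS and (outside_geo or outside_time):
        level = Assurance.BIOMETRIC
    return level
```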
You can download the full “Multifactor Authentication: Best Practices for Securing the Modern Digital Enterprise” whitepaper for free courtesy of Ping Identity to learn more about contextual multifactor, step-up multifactor, and authentication in general.