Enterprises are under attack, and credentials are a primary target. According to the 2015 Verizon DBIR, 95% of web application attacks involved the use of credentials harvested from customer devices. Most enterprises rely on authentication to determine whether someone (or something) is who or what it claims to be, but single-step authentication with a username and password can no longer be considered secure (if it ever could).
Many leading enterprises are strengthening their security and control with multi-factor authentication (MFA), moving away from a high-risk, password-only approach. Done well, this also improves the user experience across the enterprise. Step-up MFA takes this further with a dynamic authentication model: users, whether customers, partners or employees, are required to complete two or more levels of authentication depending on policy. Based on a preconfigured authentication hierarchy, the system enforces a specific authentication level according to the policy set on each resource. In basic terms, if you are authorized to access something, you must verify your identity in more than one way to prove you are not just someone holding stolen credentials.
Here are some typical examples of step-up MFA:
A customer signs on to a banking site with a password and then wants to transfer money. The bank sends a one-time code by SMS to the customer's previously registered phone number to establish the additional assurance required for the transfer.
A customer signs on to an e-commerce site from her iPad at home and is not asked for a second factor until she tries to change her account settings.
An employee attempts to access a native SaaS application from the office. Because he is on the corporate network, he is not asked to perform any additional authentication.
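The three scenarios above all come down to one decision: compare the assurance level the session has already reached against the level the resource's policy demands, and prompt for the lowest factor that closes the gap. The following Python is an added illustration of that decision, not Ping Identity's code or product logic. It assumes a fixed three-level factor hierarchy (password, SMS one-time code, push approval), a per-resource policy naming the minimum factor, a freshness window after which a factor must be repeated (a practical addition the page does not spell out), and a corporate network of 10.0.0.0/8; the user names, IP addresses and timestamps are constructed for the example.

```python
"""Step-up MFA policy evaluator (added illustration, not Ping Identity code).

Assumptions: a fixed factor hierarchy, a per-resource policy naming the
minimum factor, a freshness window after which a factor must be repeated,
and an optional list of trusted networks from which the step-up is waived.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed authentication hierarchy: a higher rank satisfies any lower requirement.
LEVELS = {"password": 1, "sms_otp": 2, "push_approve": 3}
BASE_FACTOR = "password"


@dataclass
class Session:
    user: str
    source_ip: str
    # factor name -> Unix time (seconds) at which the user last completed it
    factors: dict = field(default_factory=dict)

    def level(self, now, max_age):
        """Highest rank among factors completed within the last max_age seconds."""
        return max((LEVELS[f] for f, t in self.factors.items() if now - t <= max_age), default=0)


@dataclass
class ResourcePolicy:
    required: str                  # minimum factor for this resource
    max_age: int = 900             # seconds a factor stays valid before it must be repeated
    trusted_networks: tuple = ()   # CIDR strings from which only BASE_FACTOR is required


def decide(session, policy, now):
    """Return ("allow", None) or ("step_up", factor) for one resource access."""
    required = policy.required
    src = ip_address(session.source_ip)
    if any(src in ip_network(cidr) for cidr in policy.trusted_networks):
        required = BASE_FACTOR           # scenario 3: corporate network waives the step-up
    if session.level(now, policy.max_age) >= LEVELS[required]:
        return ("allow", None)
    return ("step_up", required)


def demo():
    """Walk the page's three scenarios plus a freshness case; returns the decisions."""
    now = 1_700_000_000.0             # constructed clock value
    results = {}

    # 1. Banking: password login one minute ago, then a transfer that needs an SMS code.
    bank = Session("alice", "203.0.113.5", {"password": now - 60})
    transfer = ResourcePolicy(required="sms_otp")
    results["bank_before_otp"] = decide(bank, transfer, now)
    bank.factors["sms_otp"] = now     # customer enters the code the bank sent
    results["bank_after_otp"] = decide(bank, transfer, now)

    # 2. E-commerce: browsing needs only the password; account settings need the SMS code.
    shopper = Session("bea", "198.51.100.7", {"password": now - 300})
    results["shop_browse"] = decide(shopper, ResourcePolicy(required="password"), now)
    results["shop_settings"] = decide(shopper, ResourcePolicy(required="sms_otp"), now)

    # 3. Employee SaaS app: push approval required unless on the (assumed) corporate network.
    saas = ResourcePolicy(required="push_approve", trusted_networks=("10.0.0.0/8",))
    results["office"] = decide(Session("carl", "10.20.30.40", {"password": now - 120}), saas, now)
    results["remote"] = decide(Session("carl", "203.0.113.9", {"password": now - 120}), saas, now)

    # 4. Freshness: a password completed two hours ago has expired; start again from the base level.
    stale = Session("dana", "198.51.100.8", {"password": now - 7200})
    results["stale"] = decide(stale, ResourcePolicy(required="password"), now)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} -> {outcome}")
```

Because the hierarchy is ordered, a session that already completed a stronger factor (push approval) satisfies a resource that only asks for the SMS code, which is what "preconfigured authentication hierarchy" buys you over a flat list of per-resource prompts. Treating network location as a trust signal, as in scenario 3, should be a deliberate policy choice rather than a default, since it only tells you where the request came from, not who sent it.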
What’s best for your environment? Navigating the many options for implementing MFA can be cumbersome, so we’re here to help. Register for our upcoming webinar with Paul Madsen from the CTO office at Ping Identity on February 18. He’ll walk you through the options. You’ll learn about:
- Authentication 101
- Choosing the right MFA mechanisms for your environment
- Applying a risk-based model to step-up MFA
- Best practices in step-up MFA, including risk analysis, choice of authentication factors, privacy, lock-out, registration, user opt-in, suspension and bypass, self-service, native applications, initial authentication and multiple touch points/channels.
Reaffirming the importance of keeping the customer journey simple, the NCCoE recognises that retailers will be reluctant to adopt any anti-fraud measure that might deter customers from using their online services. The added security and improved identity management process must not compromise the e-commerce experience; no online retailer is willing to jeopardise its stake in a $400bn industry.
The end goal of the project is a NIST (National Institute of Standards and Technology) Cybersecurity Practice Guide for e-commerce retailers, detailing the steps needed to securely and accurately identify and authenticate online purchasers. It will then be up to stakeholders to decide how to implement those steps and suggestions within the structure of their existing customer journey and retail portal.
A secondary purpose of the practice guide is to demonstrate that multi-factor authentication technologies and products already exist which effectively manage identity authentication.