Passwords no longer meet the demands of today’s identity and access requirements. Therefore, strong authentication methods are needed.
“Usernames and passwords are insufficient and vulnerable means of authentication on their own; therefore, it is essential to employ strong authentication techniques like multi-factor authentication (MFA) to confirm users’ identities before granting secure access to resources,” Sarah Lefavrais, Product Marketing Manager, Thales states in her recent article. It’s true. Passwords no longer meet the demands of today’s identity and access requirements. Therefore, strong authentication methods are needed to improve security without hindering user convenience.
What is Strong Authentication?
Tech Target states that strong authentication is “any method of verifying the identity of a user or device that is intrinsically stringent enough to ensure the security of the system it protects by withstanding any attacks it is likely to encounter.” It is commonly referred to as a way to confirm a user’s identity when passwords are not enough. As Tech Target continues, the European Bank and many that adopt its guidelines state that strong authentication must include “at least two mutually-independent factors” so that the compromise of one will not lead to the compromise of the other. These factors are:
- Knowledge – Something the user knows
- Possession – Something the user has
- Inherence – Something the user is
As Lefavrais states, employing more than one of these measures is needed to ensure only legitimate users can access applications and services, and when applications contain sensitive data such as confidential, personally identifiable information that needs to be protected.
In IAM strategy, strong authentication methods like MFA and Modern Authentication are quickly replacing traditional methods like passwords, especially as the new gold standard for how IT and security teams enforce access controls, and gain visibility into access events – especially as workloads move to the cloud, VMs and across remote and hybrid environments.
The IAM Security BoundaryStrong authentication is a critical component of modern-day identity and access management. It not only provides additional layers of security around entry points, but allows for customizable levels of authentication, authorization, and access control throughout your environment, giving users only the permissions (and sign-in requirements) they need. To illustrate that point, we’ll investigate two of the primary methods, MFA and Modern Authentication, further in-depth.
Multi-factor Authentication (MFA) is widely seen as the strongest mode of authentication. MFA allows you to:
- Protect against the compromise made possible by weak passwords. With MFA, a password alone is insufficient to grant access, so credential stuffing and brute force attacks are rendered useless.
- Reduce identity theft from phishing and other social engineering schemes. Even if you do click on that email and enter a few credentials, if your bank, work VPN, or other access point requires MFA (especially with tokenization, biometrics, or location-based entry), chances are those credentials won’t be enough, and hackers will move on to easier targets.
- Stay within compliance boundaries like the OMB Memorandum for Zero Trust Cybersecurity and the European Union Agency for Cybersecurity (ENISA) and CERT-EU guidelines, as noted by Lefavrais. These require MFA use throughout subordinate enterprises.
A few MFA methods used in strong authentication include:
- FIDO security keys
- Certificate-based smart cards and certificate-based USB tokens
- Mobile phone and software-based authentication
- One Time Password (OTP) authenticators
- Pattern-based (or grid) authenticators
- Hybrid tokens
Modern Authentication relies on technologies, such as FIDO and Webauthn, contextual authentication and modern federation protocols, which ensure proper user identity and access controls in cloud environments. That means you can implement more effective access security for cloud apps, alongside the existing access controls that are already in place for on-premises and legacy applications. Flexible policy-based access enable a friendly experience while maintaining a high level of security for roles or resources requiring it.
What to Look for in a Strong Authentication Service
When choosing a strong authentication service, be it on-premises or in the cloud, features to consider are:
- Policy-based access with ability to implement conditional access. In order to optimize the end user experience while maintain the best access security for a particular user and application, look for a solution that can enforce a range of authentication methods through policies and risk scoring.
- Resistant to phishing. Phishing accounts for roughly a quarter of all data breaches, according to Verizon’s 2021 DBIR. Strong authentication solutions with FIDO2 can both authenticate securely and prevent attacks.
- User experience. Do the methods involved create security fatigue, or is it simple to secure multiple-use authentication journeys?
- Adaptability and customizability. Can you assign different access controls based on role or asset? What about context, environment, or use case?
Ultimately, you need to ensure your strong authentication provider supports your industry’s identity and access regulations and integrates smoothly with your current identity environment, deploying flexibly and maintaining equilibrium as you transition over. To maintain a risk-based authentication posture, IAM solutions must continue evolving alongside increased digitization demands. When a single lock and key no longer suffice to safeguard the VMs, remote environments, and cloud-based assets of today, we must adopt the access management and strong authentication methods that can.
About the Author: Katrina Thompson is an ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire and many other sites.