Multifactor Authentication: Balancing Usability and Security
Striking the balance between usability and protection is one of the major problems with organizational security. EmpowerID provides you with the tools to implement the exact level your organization requires. Whether that is MFA, Adaptive MFA, Passwordless login, etc., EmpowerID delivers what you need.
Weak passwords and poor password practices are the cause of 80%of breaches today. MFA helps alleviate such methods.
Adaptive MFA enables your organization to use detailed intelligence to determine who needs to authenticate and when.
Passwords are renowned for being the weakest link. It does, therefore, make perfect sense to remove them from the equation.
Here, we look at:
- Multifactor Authentication weak passwords, lax practices, and stolen credentials are the cause of most breaches today. MFA provides the much-needed security and balance that your organizations security needs.
- Adaptive MFA users are resistant to change, and this eases many issues that regular MFA does not. For example, it smooths user adoption, helps alleviate disruption, and facilitates the overall transformation to this new security system.
- Passwordless Login given passwords are a known weak link, removing passwords from the equation is the logical next step. EmpowerID provides this next level security.
- EmpowerID Mobile Authenticator provides a simple one-click MFA authentication solution and is a proven and effective method for obtaining user-buy-in.
- Adaptive MFA for VPN delivers RADIUS strong authentication to firewalls, VPN servers, and network devices within your network infrastructure.
Cybercrime is on the increase and your organization’s resources are attractive to the hacker.
Unfortunately, because 80% of data breaches are due to weak or stolen credentials, it is clear that passwords and password practices are of prime concern for your organization
Indeed, passwords and user practices are, and continue to be, the weakest link in an organization’s security strategy. Multifactor Authentication (MFA) alleviates both.
MFA works because it ensures that the user is who they say they are. But, it is not without its own problems.
The main one for your organization being a balance between security and usability.
Your MFA password policy needs to be secure enough for your organization and easy enough to be welcomed and adopted by your users.
Furthermore, for MFA to be successful, it must also be available for all your user authentication entry points, such as web, VPN, and mobile app.
Moreover, MFA must also be available in an easy to use format from any of their devices.
EmpowerID supports a wide range of friendly options including one-time passwords (OTP), FIDO/Yubikey tokens, 3rd parties such as DUO, as well as the EmpowerID Mobile phone app, which allows users to click to approve their logins.
Watch a short overview of EmpowerID's end-user multi-factor authentication experience:
The next level up from MFA is Adaptive MFA. We mentioned above about organizations needing to find a balance between security and usability. Adaptive MFA provides that balance.
Adaptive MFA eases the adoption of even more secure login procedures by ensuring that users only need to perform MFA when cicumstances warrant it.
For example, you can set a policy where users only have to login based on certain criteria. If they don’t meet that criteria, then they do not have to perform MFA.
Such criteria can include:
- leveraging information about the user’s device
- their location on the internal or external network
- their geolocation and velocity
- the application they are attempting to access
- information about the user themselves (including their roles and risk score).
EmpowerID intelligently analyzes and evaluates all of these factors and compares them against your business login policy.
The result determines what the user must then do. This could be to either go through additional steps to further ensure the veracity of their identity, or that no MFA is required and they are logged in or even denied access, etc.
When planning/managing risk, the first method is to see if that risk can be eliminated. If that is not possible, the next step is to try and substitute an alternative – to make it safer/less risky, etc.
This process continues until the final step of employing sufficient Personal Protective Equipment (PPE) to protect the user from impact and injury, disease, etc.
Where passwords are concerned, we must follow the same process. Given they are the weakest link and the biggest security risk for organizations, the first step in managing that risk is to try and eliminate it
Though previously impossible, with passwordless login, this is no longer the case.
EmpowerID’s passwordless login securely authenticates users via a broad set of supported factors, including FIDO2 keys, virtual and hardware tokens, mobile authenticators, etc.
As with Adaptive MFA, your passwordless login requirements are intelligently determined by your organization’s own flexible adaptive policies.
When a user reveals their name at the login screen, the system already knows about them, i.e. who they are, what authentication methods have been setup, policies assigned by risk score, IP subnet, type of browser, where they are in terms of external or internal to the network, etc.
A combination of all these factors, plus your own business policies, will determine if the selected authenticated method is sufficient to admit the user, or whether additional methods are needed.
EmpowerID Mobile Authenticator
The EmpowerID Mobile Authenticator allows users to perform multifactor authentication with the click of a button (did you watch the earlier video? This shows exactly how to use the EmpowerID Mobile Authenticator). It is available on major mobile platforms.
As you can see, when authenticating while logging in is as simple and convenient as a single click on your mobile device (whether smartphone or watch), user adoption skyrockets.
The process for logging in is as follows:
When connected to the Internet
- Your user enters their name/email/login ID and clicks Submit.
- The decision is sent through your device to EmpowerID, where it is validated.
The user is logged in. When not connected to the Internet If the user’s mobile device is not connected to the Internet:
- The app will display a OTP on screen.
- The user enters this into the login screen in the EmpowerID portal.
- As soon as EmpowerID receives a valid one-time password, the user is logged in.
The EmpowerID Mobile Authenticator is available in the Apple and Android app stores and it is both is easy to install and enroll.
To use the mobile authenticator, the first time a user signs into the EmpowerID Portal they will select the EmpowerID Mobile Authenticator as their MFA option.
They are then presented with a QR code which they will scab with the mobile app. This automatically registers the device for the user. They are now setup and enrolled.
Adaptive MFA for VPN
EmpowerID also provides Adaptive MFA via the integrated EmpowerID RADIUS Server.
The EmpowerID RADIUS server provides RADIUS strong authentication to firewalls, network devices, and VPN servers within your network infrastructure.
When users attempt to login, EmpowerID verifies their user credentials against the Identity Warehouse or against connected directories like Active Directory
User logins from network devices are analyzed using the same context-driven policies as web logins and enforce adaptive MFA rules in the same manner.
The EmpowerID LDAP Virtual Directory is available for organizations that prefer LDAP over RADIUS, and can be used in a similar manner.