MFA, or Multi-Factor Authentication, is one of the greatest advancements to ever hit the market in password security. While this technology is not new, it’s just recently starting to gain mass-adoption. If nothing else, the number of conversations we have about it has increased many times over.
For years, our cyber security organization has been pressing password security as a necessary evil to reduce the risk associated with password theft. In the average assessment we get access to over 50% of the passwords, including administrator accounts. Tools like password managers and password generators are a tremendous improvement in password reuse reduction. However, it is the ugly truth that any password can be cracked, given enough time and computing resources.
Thus, we started to see a rise in MFA adoptions and conversations. For a while the interest was mainly just for outside employees, but now we see the need across all areas of the business. One of the benefits is the ability to reduce the necessity for password complexity requirements.
Easier Passwords with MFA
With MFA you are using a token to provide a second form of verification. The token is tied to a users account and one users device only. As of now, there is no way to create a duplicate.
Additionally, without the second component (token), having the password will not allow you to gain access into the network on the device requiring MFA. Therefore, passwords are useless on their own. Furthermore, there is no need to have ridiculous password requirements if MFA is in use.
As a security consultant with decades of experience, I understand and empathize with organizations on the delicate balancing act of security and usability. We certainly have a need for a more user-friendly networks to ensure the objectives of the business are possible and met. Cyber security initiatives should not be an obstacle to the business reaching its full potential. Unfortunately, there are real risks and issues that exist. Issues and risks that have to be mitigated and cannot be ignored.
We are always looking for ways to implement security with minimal pain to the end user. It is always better to have standardized security across an organization and have that expectation in place. MFA helps moves us towards that goal.
Additionally, Microsoft has recently offered the ability to authenticate to their networks with just use of a token and no password.
I can at this time comfortably predict that the password will be eliminated in the next decade as a primary form of authentication. Every user will be required to have some form of verification. Websites and companies will not be willing to carry the liability of storing and protecting passwords. MFA moves the liability off of the organization and onto the user.
I also predict that the MFA technology, once widely adopted, will continue to get better and better. I think it can be equated to safety systems in cars. We started with a seat belt, then anti-lock brakes, then air bags, and then intelligent cruise control. The innovation cycle will kick in. There is no stopping it.