Hopefully this panel will be interesting, because I think we can agree that passwords are no longer fit for purpose. And most of us realize that credential compromise is one of the most common ways attackers are gaining access to the enterprise. So organizations of all sizes are being targeted in this way. And according to Microsoft, accounts using MFA are 99% less likely to get hacked, which is an interesting, but I suspect slightly biased, statistic. Nevertheless, we'll leave it there. Okay. Gentlemen, if you could, I would do what I did with the previous panel. If you could just say your name, where you're from, and an opening statement if you like.
Have you turned it on?
No, it should work. Okay, great. Yeah, thanks for inviting us. So I'm Alexei Onk, I'm the Vice President of Sales at Yubico. I have no... Okay. I'm
A man without a
Microphone. Andrew Shikiar,
Executive Director at the FIDO Alliance.
Fi Sam, and I lead consumer identity at Capital One. Capital One is a top 10 financial institution, and as such, you know, in any industry, whether it's the financial industry or any regulated industry in general, MFA is not really an option or a choice. It's really a requirement to meet, you know, various compliance obligations. So what I'd like to have discussed today is how we can balance risk, right, and friction as we deploy these solutions. We tend to talk about them, maybe get excited about the various opportunities and passwordless, but in practicality it's not as easy, right? So I'd love to have some conversation around that. Thank you.
And I'm John Tolbert, Lead Analyst here at KuppingerCole. I cover authentication topics quite extensively, along with consumer identity, fraud reduction and various cybersecurity topics.
So what really interests me about security is the relationship with business. And for years we've been saying security should be a business enabler. So my first question today is: what are the business benefits of implementing MFA? Because, you know, we often talk about it in terms of security and so on, but what are the business benefits?
Yeah. Somehow MFA, even if we look at MFA only from the security side, is a business enabler. Yeah, it grants business continuity. It allows remote working and also the zero trust initiatives in several organizations.
Yeah. So I'm speaking next, so I'll talk in more detail about FIDO and how this all kind of comes together. But at a high level, I think every time we look at multifactor authentication, it's this balance of security and usability. So what's the business benefit of MFA? There's a security benefit in the sense that you're less likely to get hacked and lose resources or have a major data breach. That's certainly a thing, but more and more, the conversations that I'm having with companies that are seeking to deploy FIDO authentication are about usability, and how this plays into the customer experience: providing not just a more secure, but a superior CX, to the extent where it's actually helping reinforce my brand. So I think MFA done right can be not just a cost preventer, but also a bottom-line enhancer.
Okay. Yeah. I mean, I agree. Let's say, if you haven't implemented some form of MFA and you're having to log in on a mobile device with the traditional username and password, there's a lot of typing that you have to do. But if you have an MFA solution, right, like Face ID, you've already got your multifactor, it's very user friendly and it's seamless. So there's definitely that
Benefit. Yeah. There's also time to log in. So, talking to several members in the financial services space, they're decreasing time to log in; improving login efficiency by one percentage point is a massive swing from a revenue standpoint. Getting that many more people into your service quickly has massive benefit.
And as you mentioned, usability and the acceptance by employees is also very important. And if we look at the FIDO2 standard, which is now the most important worldwide enterprise authentication standard, we have made great improvements over the last years to get user acceptance and a great user experience.
So we at KuppingerCole are great supporters of MFA, but our general feeling is that adoption is still way, way, way too low. So from the panel, what are the most common reasons that you've encountered for not implementing MFA? Why are organizations not doing it? Why aren't we seeing more of it at an enterprise level?
Yeah. Some organizations are stuck on their username/password strategy, which is no longer valid in these times, as we see many attacks in account takeovers and phishing. So they need to look at how they can best implement MFA. And it's not that complicated anymore, as we have the right standards and we have passwordless initiatives in place. So it's really easy to implement. And if you look at the cost side of it, it helps you save costs on support, especially when it comes to password resets. So it's just, yeah, putting something in place and replacing the very weak security thing you have in place right now.
John, you wanted to make a point.
Yeah. You know, I think within the last month or two there was an interesting survey published by Microsoft, and the numbers were like 22% for MFA usage. So I mean, we come here and I kind of feel like we're preaching to the choir. Yes, we all think MFA is a great idea. But when you look at what's really going on out there, no, it's not really happening. And then at best you wind up getting a dozen OTPs on your phone. I mean, this isn't really an acceptable way to do business, in my mind at least. This is not increasing security, it's not increasing usability. There's still a lot of room to grow. We've done a couple of webinars in the last month and have informally polled people on the webinars: so if you're not doing MFA, why not? And it's not really a budget issue. Amongst those who have reported, it's integrating with legacy applications; that's what people are saying is the last-mile problem on the integration side. But I still think there is room for getting executives on board and getting budget to do these projects, because if we're still sitting at 22%, that's pretty low in 2022.
I think you hit on an important point. A lot of companies have a lot of technical debt, and it might not be the top priority, or there's a perceived difficulty of deploying strong authentication, multifactor authentication. In the US, here's an interesting counterpoint to that, or an interesting accelerator perhaps: the Biden administration had a cybersecurity executive order, which manifested itself in a zero trust architecture memo from the OMB. That ZTA memo actually specified that government agencies and contractors could now use any sort of unphishable authentication mechanism. So historically that's been PIV and CAC, which are extremely effective, but also very difficult to deploy. But with this new executive order, this new mandate, that could now be expanded to things like security keys, or YubiKeys, which are much easier for an organization to deploy to a workforce that's remote. So I think things like that are helpful in pushing companies, eliminating the excuses why not to move, with reasons to move forward, and showing the way to move forward.
So to flip the question around a bit though, are there any valid reasons for not doing MFA? I mean, I think we're agreeing on kind of the business benefits and the security benefits. Are there cases where there is a valid reason that an enterprise can give, and you would support that?
Maybe it could be that the integration of legacy systems was one, but as you mentioned, the YubiKey works with more than 700 applications. So on the integration side there should not be any questions open. So we're ready to go, and everyone should think about, yeah, leaving username/password behind and going to a real MFA strategy.
I think sometimes there is an underestimation of the risk, right? People still have that mentality, like the internal network, right: you are inside the perimeter, you're safe. But then there is this other thing, which is that sometimes I feel corporations get overwhelmed by the tech aspect of it. We do say, yeah, if you want to implement a static MFA type of solution, that's easy. But when we start talking about adaptive, right, risk-based authentication with MFA and giving consumers choices around the authenticators that they want to use, I think that's where sometimes organizations get overwhelmed, and they don't necessarily have the tech in-house to build these solutions. So I think it's our job to distinguish between the two and start with the basics, right, like your basic password hygiene, and then implement a consistent password policy, and then build static MFA. And then from there on, continue to iterate and evolve. I think when we start talking about passwordless and we talk about the latest with FIDO and all that stuff, it's great, we want to do it, but I don't think all entities, all corporations, have the means to be able to get there. Right? Yeah. So starting with the basics, I think, is important.
That's a very valid point. And also, if you ask users and you get an honest answer, they will tell you they hate passwords. So it's very simple. To change your password every three months or six weeks, whatever your security policy gives you as a choice... So let's get rid of passwords. We have been here discussing this already three years ago, and yeah, we are still on this way to convince the customers to get a proper MFA solution in place. That's the only way.
Yeah. That being said, there's a solid thirty-something percent of consumers that actually prefer passwords. Yeah. And that's kind of an education challenge, I think, that we all have.
So John, earlier you were quite positive about MFA, but if we're honest, all MFA is not created equal, right? So there are some caveats or some risk areas that need to be flagged up.
Yeah. At the risk of repeating myself from the last panel, risk-based authentication is a good way to obviate the need for explicit MFA events when the context hasn't changed that much, when the risk level hasn't gone up that much. So I say yes, MFA with risk-based whenever you can.
Okay. So a common sort of excuse or reason given for not implementing MFA is that I've got too much legacy, I've got too many legacy applications, this is really too difficult to do. So from your experience or your point of view, how can MFA be implemented for legacy applications? Is it possible? And
Yeah, it's a clear path, at least for us. When you look at the YubiKey, it's a multi-protocol key. So we can support PIV, we can support OTP. And one of my technical colleagues always says to our customers: if nothing works, OTP works. So we can take our customers on the journey towards passwordless, get rid of passwords and get a great user experience. And that's why we're here.
Yeah. I mean, I think you can use some sort of intermediary, like identity orchestration of some sort, right, that will interact with your legacy infrastructure. There are different ways; you can use virtual desktops to move the MFA to the client. I mean, there's really no real excuse for not implementing it, and especially when I say the basic, static MFA, there shouldn't really be any excuse. And like I said, for regulated industries you have no choice, you have to implement it. So it's not even an option.
So, in a lot of things that we've written we said, okay, it's great to go for MFA, but long term, should we be aiming for passwordless? Is this the long-term goal, or is it passwordless with MFA? What should be the strategy? And, you know, maybe we can implement MFA as a short-term, low-hanging-fruit thing and then go to passwordless. And yes, what's the long goal here?
Absolutely, yes, because the user experience should be the main focus, because any kind of security policy is not working if the user tries to find ways around it. So the passwordless experience is the best thing, and taking a dedicated hardware security device for this is the best option and the best way to go.
Yeah. So yes, I think we need to get passwords off the server. I forget whose presentation was talking about this earlier in this track, but this ongoing cycle of enterprise credentials being stolen or consumer credentials being stolen, sold on the dark web, stuffed successfully, which leads to more credential theft and selling; it's this ongoing cycle. And the only way to break that cycle is to reduce our dependence on passwords and knowledge-based credentials. So I think we need to move towards passwordless, and the first step to doing that is starting with less passwords.
Fair enough. One sort of viewpoint is that MFA, based on all the technical solutions that we've been discussing now, is an easy entry into making zero trust a reality. Would you agree that it's a way in?
It's one of the ways you can come to a zero trust strategy, and I think, yeah, protecting people that access the company network from the outside, from anywhere in the world, from any device, I think this is important. And the more we work remotely, the more important this gets.
It's the first building block. I mean, zero trust requires a lot more than that, but you've got to start with the basics, and the basic is to have at least MFA.
Right. So we have some questions from the app. What is the most challenging aspect of rolling out MFA, and how do you measure the success of an MFA rollout? Because I think metrics are really important, but what do you use? How do you say, okay, we've moved from here to here?
Yeah. I mean, as I was saying early on, you have to offer various options to your customers. Customers want to see choice; a certain authenticator might work in a certain environment and may not work in another environment. So it's really something that you have to constantly measure, test and evaluate, because if you do it wrong, you could either increase user friction, which hurts the business, or open yourself up for a compromise. So it's really a balance. And that's where I think taking a layered risk approach is important. So you start with the first factor, the multifactor, and then you introduce adaptive risk. And this is where it gets a little bit complicated, because we say that AI and ML is here, but really, to do it right,
it's not that simple, right? You have to make sure you're collecting the right data, you're building the right models, you're training the models with the right data, you're tweaking the models, you're making that data available in real time. So that's why I say it's easy for us to talk about it, but it's not easy to implement. So you have to take a gradual approach and mature your security levels. But in the end, you have to make sure that you have choice front and center for your customers, because I think without that choice, you're going to find a lot of struggles.
Yeah. I think it's a journey for most of the customers, but it's important to start now and to get a phishing-resistant MFA in place as soon as possible, and to have the choice which way you go. If you go for the passwordless strategy, that's the FIDO passwordless strategy. But start now, that's important.
Right. We don't have any questions right this minute, but we have more or less a comment. It says: don't you think, before thinking about passwordless, we should remove World Password Day and call it World Passwordless Day? So maybe that would be our progress. Okay. We do have a question now: what are the weakest issues of MFA, for example the push message method for authentication, or SMS? So what do you think can be the solution?
Well, I'll be talking about this momentarily.
Yeah. Okay. Alright. Well,
You can bow out if you want to. No,
I'm trying to foreshadow it. I'll spend less time on it next. No, I think fundamentally, the FIDO Alliance positions this as legacy MFA and then modern MFA. Legacy is things that are generally knowledge based, or anything that relies on human decisioning too much, right? Human beings are fallible. We have good human nature, and remote attackers take advantage of that, whether it's phishing you or getting you to give in to a prompt, you know, prompt fatigue. That's why a lot of push mechanisms fall into the legacy box. So moving towards a possession-based approach, which leverages advanced cryptographic algorithms and lets the machines make that decision for you, is a much better approach.
That's great. Thanks. So we're at time now. So if you guys would just like to make a quick closing statement, and then we can move right on to Andy's closing presentation until coffee.
Well, kind of going back to the last question, I think, again, as technical people we tend to have a lot of new and shiny devices, but one of the measures of success is how well this works across all the different populations that you have to support. So sometimes not everyone has the latest devices, and there can be usability issues across different populations, as Richard was kind of alluding to in his presentation. There are some people that fingerprints don't work so well for, and some of the other biometric methods. So being able to offer a mix, a balance of different methods, and also planning for different types of devices that may be available and may still be in use long after you think maybe they're not.
Yeah. I mean, definitely, I agree, John, and empathy, right? You have to feel for the customers and what they're going through. And we talked about various types of customers; not everybody is a digital native, right, like us. I have maybe three or four devices on me. There are people who don't have a smart device, right, and you can't leave them behind. It's something that we have to consider always.
Yeah. I think it's important for our customers to give their employees the choice from which device they want to authenticate towards their company network. But it's only one security device that can help you with this; it's a multifunctional YubiKey in this case. So you're happily invited to come to us and the German team here at the conference. We are happy to discuss your situation and guide you on your journey towards a clear MFA strategy.
And on that pitch. Thank you very much.