For joining us today. Maybe we can start with a quick introduction.
Let's see if this is on. It is on. So hello everyone, my name is Anders. I work for Okta as the technical director for marketing for EMEA, and I've been in the identity business for a very long time. I've worked at ForgeRock, Oracle, Sun, so I know the problems with MFA, and it's not an easy one to solve, but let's figure this out today.
Hi everyone, great to meet you. My name is Hed Kovetz. I'm the CEO and one of the founders at Silverfort. We are a company providing unified identity protection, partnering with other companies here to extend what they do to systems that don't support modern authentication. My background in security started in Israeli intelligence, in Unit 8200, where I was a group leader leading cyber campaigns, cyber offense.
Yeah, nice meeting you all. My name is Alexander. I'm the vice president of EMEA at Yubico. I think let's talk about a nice topic today, MFA. And I will add some comments on how to get phishing-resistant MFA in place with the YubiKey.
Hi everyone, my name is Fadiman. I am the head of engineering for consumer identity at Capital One. Capital One is a top 10 US bank and credit card issuer, and we also have various use cases outside of the financial space. So I'm here to share my view on MFA when it comes to external customers, the consumers.
Okay. Perhaps we can start with a couple of questions for you, and then we can open the floor for questions from the audience. Maybe the first question would be the scary one: how are attackers taking advantage of the way MFA is currently being deployed?
Has anyone heard of Evilginx2? That's one way, right? Put up a portal that looks exactly like LinkedIn, or even exactly like Okta's portal, and trick people. Tricking is the key vector attackers use against organizations to get their MFA session or approved session. So that's one thing that needs to be mitigated. Keep in mind that MFA is not the silver bullet to solve this problem, but it does help, right? The other one is MFA fatigue: you keep getting so many messages that ultimately you end up approving something. So having a modern solution in place, that's one thing, and it should be using the latest technology: AI, behavioral analysis of signals, et cetera. But one thing is important not to forget, and that's the dimension of training: training your people, training your users so that they can detect and figure out if there's something that's fishy and suspect.
I fully agree, and I think one of the other things attackers are doing these days is that they understand MFA is a very strong security control, and sometimes the easiest way is to find a way to log in or connect where MFA is not even there. MFA is mostly available for modern applications, web applications, cloud applications and specific protocols. But as the attacker, and again, that's where I started my career, you are the one who chooses how you connect to a system. So if there is MFA on the web interface or on something like remote desktop, as the attacker I can choose to log in with a different protocol, you know, a command line interface or a shared folder or something else, to access the same resource. And those legacy methods don't have MFA. That's sometimes the easiest way to get in. You don't need to have all of the doors open; it's enough to have one. And I think that's where we need to make sure we bring MFA everywhere.
Oh, that's absolutely right. And what we are facing in customer discussions is that having MFA in place at all is the first step to get more secure, because more than 50% of authentication methods are still username and password. So this is the first thing we need to overcome. Secondly, not every MFA has the same security level. So it's about the methodology, how to secure your access with MFA, and there are many differences in between. I think this is something that needs some discussion, some explanation, but I'm pretty sure we'll get there. And as the others said as well, it's very important to make it usable. Usability and user acceptance is one of the key factors for a successful MFA.
Yeah, I mean, I agree with everything said. I'd like to say that we know there are vulnerabilities out there and MFA can be bypassed, et cetera, but the basics have to be: you've got to start with some form of MFA, for those enterprises that don't use it at all. You've got to start with that at a minimum. I know today we've been talking about a lot of things, including passwordless, et cetera, but for some enterprises, I don't want them to be overwhelmed by, oh my gosh, how am I going to get to passwordless? Start the journey with the basics, number one. Number two, with respect to training the customers, one of the things we've realized is that, and we do a lot in terms of training customers to detect fraudulent or phishing attacks, but at the end of the day, the best way is to eliminate the need, right? From having to deal with a man-in-the-middle attack, right? So what are some of the things you can do as an enterprise to ease that burden on your customer? I think it pays off in the long term. Now I have to say that in terms of a financial institution, we survey customers, and sometimes they feel that if we are not challenging them, somehow our security is more lax, right? That's why we have features, many banks have features, to always challenge me, right? At every login. So it's that again, education: how do you tell the customers that you're safe because we're doing a lot of things in the background, invisible to you? So it's that balance.
Well, all of you belong to different organizations. So from your experience, how can we bring modern MFA into legacy systems and environments?
Does that work? Yeah, I think MFA is something we really want to be able to bring everywhere. As I said before, the challenge a lot of organizations face is that it's almost like you need to rebuild some of your applications in order to enable that. The companies here are offering amazing MFA solutions, but building them into every application is sometimes just too much. What we've found with a lot of our customers that really works is to try to build that centrally somehow, such as in the backend of the main identity infrastructure, like your Active Directory, as a way to avoid modifying each and every one of the legacy applications and systems, because going at them one after the other is almost impossible. And we've actually done this a lot with Okta and with Yubico, for many customers, bringing those great solutions to some of these legacy systems.
Yeah. I think for us, we call it a bridge to passwordless, because in the end, looking at user acceptance and also having a solution in place that does not create that much administration and support cost overhead, we need to get passwordless somehow. And this is mainly driven by FIDO2 and using this protocol, which is the well-accepted international standard for authentication. It's very secure, and on this way we need to integrate the legacy systems, and this is pretty easy using the older protocols like OTP or the PIV standard for a smart card solution, and having them all on one token, which the YubiKey can do. I think this is, at least for us, the right way to move forward: starting now, getting rid of the password, getting rid of username and password, going on this journey and in the end becoming FIDO2 only. But this is not something that can happen now; at least the YubiKey, once deployed, can stay there and take you on this journey.
One observation I see when it comes to Europe, and I'm talking specifically about the European Union, is that there are a lot of legal initiatives happening with NIS2 and DORA, et cetera, and the core that concerns our business is implementing MFA. Now, implementing MFA partially is not going to solve your problem, because if you still have pockets of users that are not forced, mandated, to use MFA, you'll still have those openings in your infrastructure, you'll still have those users that are a potential entry point. So that's one of the observations I've made: if you don't go all in, you're missing out. I think we're going to see a lot of MFA happening with these new regulatory frameworks being put in place, and I think that will help users get used to it, right? But obviously our technologies here should make it easy and simple to use this technology. I think that's critical, but also when it comes to differentiating what type of assurance is needed and what the context around it is: look at the behaviors, the patterns, the signals a user is producing. There's a lot happening when it comes to passwordless, and especially for the commercial side, e-commerce, that's something that should be put in place. Get rid of the passwords.
Just going back briefly to the question: this is not my area of expertise, but I've seen some organizations where they basically front all of their applications with a VPN, right? And then you have to authenticate and pass an MFA challenge before you access the application. So that could be one way, if you're just starting out, to at least have some protection, and then SSO once you're past the VPN.
Are there any questions from the audience? Okay, great. We'll go first.
Hi, my name is La. I just want to make one comment, and then I definitely want to open a discussion with you guys. The comment is about MFA: do you realize that MFA is saving lives right now, saving many lives right now? And the reason is this company right there. I'm from Ukraine, and I'm going to tell you that last year I was speaking at this conference about Yubico: my friends who are on the front lines told me to tell you thank you very much, because you guys gave us more than 10,000 free YubiKeys, which are saving the lives of people on the frontline. Thank you.
Thanks for this. We discussed this already last year, and yes, absolutely, I think it's up to 30,000 right now.
The discussion I would like to have with you is this: I'm currently working for a bank, and we are going through the process of MFA consolidation. We are trying to get rid of digital certs, which we have in many applications, and basically get to one. But one of the questions always discussed is user experience, and what is your opinion about MFA all the way versus step-up MFA when it's needed? I think a lot of practitioners have the same question, so I really want to hear your opinion about where step-up is important, if you have ever done this, and how profiling of user behavior and step-up MFA work together. Thank you very much. Appreciate it.
Yeah, that's exactly what we do at Capital One. But that's typical of an enterprise that is much further along in their MFA journey, or authentication journey. As I was saying earlier, you have to balance the need of customers feeling secure because they're seeing a challenge versus not seeing anything, right? So for instance, the first time you log in to your Capital One app, we don't know anything about you. So as we are building a profile, you will get challenged later on. You're not going to get challenged, perhaps, until there is a transaction of some sort, money movement at a certain amount. So we leave it up to the business to decide what that threshold is and what that step-up is going to look like. And you have to give the customers multiple choices in terms of an authenticator: it could be as simple as an OTP via SMS, to push notification, to government ID scanning. So we have a variety. And the reason for that is that our customers come in all shapes and sizes and backgrounds. Some of them don't even have a smart device, right? So you have to provide all these options and leave it up to the customer to decide which one to use.
Yeah, that's absolutely right. And if I look back two or three years, the projects have changed a bit. Three years ago, most of the customers started with the most exposed accounts, to protect them with a YubiKey, then they looked at administrators' privileged accounts, and now we see more and more larger implementations as an initial implementation, because of the sensitivity of getting hacked and the requirements, as you mentioned too, and others: Common Criteria, critical infrastructure in Germany. I think there are more and more compliance regulations enforcing MFA. To us it's not only about the YubiKey, but there is a huge differentiator between other MFA and the YubiKey, which is called phishing-resistant, because the key is secured on the YubiKey, so it doesn't leave the YubiKey. So many attack vectors are eliminated, like man in the middle and others. But to start with, it's better to have an MFA than nothing.
I fully agree, first of all, that in order to improve user experience we have to use analytics more and more to reduce the number of times we actually require it, with the exception of what you said earlier. But, you know, I think that people can do MFA all the time, especially if you want MFA everywhere. What we've found in using machine learning a lot with MFA is that MFA actually has an advantage over any other type of behavioral analytics in cybersecurity: you have feedback on your decision. Usually in cybersecurity, when you do behavioral analytics, you send alerts to the team and no one knows if they are true or not. In MFA, you actually have the user telling you immediately if you are right or wrong. If the user says yes, this is me, and can prove it, okay, maybe I was wrong, maybe it wasn't an actual anomaly. If the user can't prove who they are, I know that I was right, and maybe I need to treat it as a higher risk next time. So when you use this to do what's called reinforcement learning, meaning the algorithm trains itself with the user's feedback as automated feedback, you can actually get a level of accuracy that you cannot get in any other field in cybersecurity. And I think more and more companies in cybersecurity will understand that MFA step-up authentication is actually the best action for behavioral analytics, because it allows you to filter the noise over time.
Very good, thank you. Yeah, I concur with that. I think step-up is the way to go. And I think also from a regulatory point of view, that's what we're seeing: more and more value transactions require a step-up, and it's about that balance between usability and the friction that introducing something like this causes. You mentioned something; I'm going to be a bit controversial and attack a little bit. SMS OTPs: bad idea. Why? Has anyone seen Mr. Robot? Yes, you can literally get a femtocell out of China, make some additional code changes to it, and okay, you need to be in close proximity, but you can still intercept those SMSs because they're more or less in clear text. So it's a bad idea. Use something modern. But I completely agree that you need the different choices, because if you only have one choice, that's it.
And that's the thing. I mean, everybody understands the vulnerability of SMS OTP, right? But you have hundreds of millions of users, and not everybody has the capability of a push notification or a modern solution. So you're left with better than nothing. Exactly.
Okay. We have a minute and a half; maybe a very short question and a very short answer.
For consumers, currently a mobile device is at the center of MFA, using biometrics and all this stuff, and it's my relationship to a company. But now my battery gets low and old, and I'm purchasing not an Android device; my next device is iOS. What happens? The complete MFA, everything, my authenticator is gone. How do I manage it? Do you enroll the new device using SMS OTP?
Well, this goes back to what I was saying: you have to offer the consumers multiple choices. One of the choices we have is where we can call you with an SMS, right? Look at the one-time password. And we have this thing called on demand, which means your battery died, your phone is not working anymore, right? You give us, let's say, your home phone number, we do a lookup to see if the name on that home phone number matches you as a customer, and in that case we will issue a password over the phone, right? So that you can get back into your application. That's my point. And some of them are, you know, less secure, or maybe they have weaknesses, but to the examples you provided, you can't prevent someone from accessing their bank account just because they don't have a mobile phone number, or they lost it, or the battery died. That's why you have to offer a variety, and in the background you're doing risk assessment and behavioral analysis as much as possible to be able to discern whether you'll trust this transaction or not, right? So there's a lot going on in the background, but you have to offer a variety of solutions.
Most people can survive anyway if the phone dies, right? So,
Well, thank you.
A comment on this, though. Honestly, the mobile device is not a dedicated security device, and there are so many implications regarding mobile-restricted areas, moving your authenticator to another phone, and also, within large organizations, having the unions in place, the works council, bring your own device, having company phones, having no company phones. So there are too many discussions, and in most cases our customers there move away from, more and more they move away from, mobile applications.
I think we
I'm afraid we have to wrap up. If it were up to me, I would just let you guys keep going, but we have the next session now, so please, a round of applause.