Guest Column | October 20, 2022

Moving Beyond Legacy Authentication – The Value Of Unphishable MFA For Channel Partners

By Kurt Johnson, Beyond Identity


In today’s dynamic and fast-paced world, safeguarding network access is a core focus of every security team and solutions provider. For years, businesses have treated the username/password combination as the go-to method for verifying identity and access privileges. That gives organizations a false sense of security which is no longer tenable in today’s threat landscape. Passwords are the single largest attack vector: Verizon’s Data Breach Investigations Report has found that roughly 80% of hacking-related breaches involved stolen or weak passwords.

While channel partners usually promote multi-factor authentication (MFA) as the answer to the identity and access verification problem, traditional MFA still rests on a password plus a shared secret. Phishing, adversary-in-the-middle relays, and SIM swaps all work against it: one-time codes can be captured on a lookalike page and replayed to the real site in real time, push approvals can be socially engineered, and SMS codes can be redirected to an attacker-controlled phone number.

The U.S. federal government has already mandated a move to Zero Trust by the end of fiscal year 2024. The January 2022 OMB memorandum (M-22-09) that implements the Biden administration’s executive order requires agencies to adopt phishing-resistant MFA and to stop relying on password-plus-one-time-code methods such as SMS and voice codes. The initiative was clearly driven by the wave of attacks on U.S. organizations: ransomware incidents hit 14 of the 16 critical infrastructure sectors in 2021. As the threat landscape grows more hostile and complex, businesses should follow suit before their valuable assets are compromised.

There needs to be a large-scale shift toward invisible and unphishable MFA built on the Zero Trust approach, and channel partners are ideally placed to facilitate and fast-track it. With their portfolio of security solutions, experience, and knowledge, channel partners can steer businesses away from password-based authentication and offer clients unphishable MFA that provides better identity and access management. This creates a new revenue stream for the channel and positions partners as trusted security advisers, because their clients become less susceptible to access-based threats.

Password-Based Legacy Solutions Need To Become Extinct

One persistent misconception in securing privileged access is that security improves by enforcing stronger passwords. This is far from reality; fundamentally, there is no way to make a password safe. A stronger password takes longer to crack, but it is just as easy to phish, keylog, or replay from a breached database, and as long as that weakness remains, access management will stay a primary target. Passwords of any strength also enlarge the attack surface because 61% of users reuse the same password across multiple accounts, so a single cracked or leaked password can open several systems and let attackers pivot to higher-value or higher-profile targets.

With the influx of threats like supply chain attacks, ransomware, and phishing, the demand for Zero Trust is soaring across the industry. By including unphishable MFA solutions within their security offerings, channel partners can effectively address and meet this Zero Trust demand.

Legacy MFA systems, however, cannot uphold the core Zero Trust principles. They still assume that whoever presents the correct password and second factor is the legitimate user. Such solutions rely on one-time codes, push notifications, and magic links as additional verification, but all of these are compromisable: a code can be relayed, a push prompt can be approved by a worn-down user, and a link can be forwarded. These methods cannot give full assurance of the user’s true identity or detect whether a third party is sitting in the middle of the session.

Channel partners cannot meet their clients’ security needs or create value by offering legacy MFA. These solutions no longer deliver on the promise of innovation or proactive security, and can end up doing businesses more harm than good. Beyond the security consideration, traditional MFA also taxes productivity. Authenticating through one-time codes, magic URLs, email tokens, and security questions is not instantaneous, and given how many times each user signs in to different systems and how many users a network has, the accumulated authentication time adds up, with user frustration on top.

There’s also the concern that most organizations are not even using legacy MFA in the first place, because going through several steps at login is an extra burden on users. Almost 74% of organizations still rely on a single authentication method, usually just a password. That’s why partners need to start educating their clients about the critical threats to traditional MFA and password-based systems, and support their security needs with the next generation of phishing-resistant MFA.

Creating Sustainable Value Through Invisible And Phishing-Resistant MFA

As Zero Trust is the urgent need of the hour, channel leaders need to guide industries toward solutions that build a sustainable security infrastructure for the long run. By providing next-gen phishing-resistant authentication, partners can integrate the Zero Trust framework into their IAM offerings. Unphishable MFA binds the user’s identity to authorized devices with public-key cryptography: a private key is generated on the device, ideally inside a TPM or secure enclave, and never leaves it, while the server holds only the public key. That eliminates the most vulnerable link in the authentication chain: the password.

Phishing-resistant MFA is not just an authentication product but a standard that raises the organization’s overall security posture. Privileged access is tied to specific devices, and each device must satisfy the security policy every time a user requests access. There is no visible layer to this process; the entire exchange happens in the back end. If the device fails the defined policy criteria, such as location, IP address, device configuration, or the network it is on, the request is denied and system admins are notified of the discrepancy. Because there is no password or code for the user to type, there is nothing for a phishing page or an attacker in the middle to intercept, which closes off the entry points used by credential-based attacks.

It also solves some of the common problems and frustrations of user logins such as forgetting passwords, longer authentication time, manually provisioning user access, and much more. These problems might seem small, but they end up consuming significant help-desk resources and often they lead to users circumventing security protocols to ease their experiences.

For channel partners, such solutions are not just a new revenue stream but also a way to build stronger, long-term strategic relationships with clients. Supporting clients with proactive and productive security solutions like unphishable MFA will strengthen their defenses against sophisticated cyberattacks and improve client retention. Creating that value also helps partners to be perceived as trusted advisers rather than as vendors selling products for the sake of a transaction.

About The Author

Kurt Johnson is VP Strategy and Business Development at Beyond Identity.