Not All MFA is Created Equal, Especially in CIAM

Photo by Lukas

In many industries (finance and healthcare, to name a few), regulations require the use of multifactor authentication (MFA) to protect access to sensitive data and transactions. Also last year, an important executive order was issued, aimed at improving the cybersecurity posture within the US government by requiring all federal agencies to adopt MFA systems. Regulations and standards like these will continue to spread over more industries and transaction types.

How can organizations choose the best MFA methods to protect their business and their customers? It’s one thing to simply tick the checkbox for regulatory requirements, but ensuring an approach that will help drive successful engagement with customers is an entirely different topic.

Good security is critical in CIAM

I’ll start out by stating some important foundational facts. First, it’s really important for organizations to provide adequate security in their customer experience (CX) solutions, and not just to meet regulatory requirements. Why? Users are much less likely to do business with organizations when they feel their personal information is not secure and private. 

There is also ample evidence that relying on passwords alone is problematic. Even the most responsible approach to passwords (such as enforcing policies for minimum strength, frequent changes, non-reuse, etc.) leaves a lot to be desired, security-wise. 

MFA is very effective, but hasn’t caught on yet

There’s no doubt that MFA dramatically reduces password-related security risks. Microsoft reported that up to 99.9% of account takeover attempts were defeated when MFA was in use. Despite that amazing success rate, only 26% of US organizations require a second factor in their authentication policies for their internal users. 

Why would this figure be so low, given the incredible security effectiveness that MFA can provide? Probably the biggest reason for this disparity is that users generally perceive MFA to be hard to use, and try to avoid or circumvent it when they can. 

In CIAM, organizations are working to safely enable system access for external users, who are much more likely than internal employees to lose patience and react negatively to what they perceive as a challenging user experience. If users encounter too much friction in your CX (which is typically what happens if security is very strict), many will simply leave and conduct their business elsewhere.

Therefore, it’s critical that organizations implement MFA solutions that simultaneously inspire confidence among users that their data is safe and private, and are not perceived as being overly difficult and onerous.

Which MFA methods are better for CIAM?

Over the years, many different types of MFA have been invented and put into use. Depending on the use case and specific objectives involved, each one has its own strengths and weaknesses. A recent Usenix study reviewed several of the more popular MFA methods to determine the usability of each one. 

The research included some of the key MFA methods organizations employ for consumer applications: SMS, TOTP, Push, and U2F security key. These methods don’t require things typically provided by businesses to their internal employees or contractors, such as smart cards or RSA-style hardware tokens.

Here is a very brief description of each method:

• The SMS method leverages a person’s mobile phone as the second factor. Users prove their identity by entering a code that has been sent to them via text. This is by far the most widely used method–almost 80% of MFA-enabled accounts use it. However, it has declined over the last several years because of poor usability, susceptibility to being hacked, and dependence on the availability of the mobile phone network to operate.
• TOTP (time-based one-time passcode) uses a person’s smartphone as the second factor. A standards-based authenticator app generates passcodes that expire every thirty seconds or so. When prompted (by a website login, for example), the user enters the currently displayed code. This method does not require a phone network or internet connection to function.
• Push-based MFA also takes advantage of the user’s smartphone. Here, the user responds to a push notification request to approve or deny a login attempt using a proprietary smartphone app. It requires mobile internet access to function.
• Finally, U2F (universal second factor) authentication makes use of a standards-based USB hardware device, which the user activates at authentication time. While it doesn’t need a separate internet connection, it does require the physical presence of the USB device and the user must register with each website or application prior to using the U2F method.

The key takeaway from the usability study is that TOTP came out on top with a median SUS (System Usability Scale) score of 88.8 out of 100, compared to 81.3 for Push and 75.0 each for SMS and U2F. This combined score included several factors, such as the complexity of setup, the availability of the required external device and connections, and the ease of actually performing the authentication.

TOTP in WSO2 Asgardeo 

Asgardeo is WSO2’s developer-focused, SaaS-based CIAM solution. It lets organizations focus on building great CX solutions for their customers, and not spend time and energy figuring out the details of identity and security.

Asgardeo makes it simple to enable highly usable TOTP MFA in your CX environment. Using its web-based graphical configuration system, an administrator can set up TOTP as an additional login factor in only a few easy steps. This augments the initial login, which can be configured to use passwords, social identity (such as Apple, Google, Facebook, etc.), a standards-based login method (OpenID Connect or SAML), or even decentralized authentication using Ethereum. If an organization has already configured a customized login flow, TOTP can be appended with a simple change.

External users can take advantage of any standards-based authenticator app. Some of the most common is Google’s Authenticator and Twilio’s Authy. Once the app is downloaded to their smartphone, users can access Asgardeo’s MyAccount self-service page to register their chosen TOTP app with the CIAM system. Asgardeo uses the intuitive, standard enrollment process involving simple QR code scanning from the smartphone camera.

When the user tries to access a TOTP-protected application, the login prompt will ask for a code. The user simply opens the app to see the current passcode value and enters it into the login field.

Try Asgardeo for free

If your organization is looking for a simple yet powerful SaaS-based CIAM solution (that also offers great TOTP MFA capabilities!,) try out Asgardeo. It’s free and easy to get started.