15 May, 2024 | 3 min read

Not All MFA is Created Equal, Especially in CIAM

  • Bob Bentley
  • Dir. Product Marketing IAM - WSO2

In many industries (finance and healthcare, to name a couple), regulations require the use of multi-factor authentication (MFA) to protect access to sensitive data and transactions. Also, an important executive order was issued, aimed at improving the cybersecurity posture within the US government by requiring all federal agencies to adopt MFA systems. Regulations and standards like these will continue to spread over more industries and transaction types.

How can organizations choose the best MFA methods to protect their business and their customers? It’s one thing to simply tick the checkbox for regulatory requirements, but ensuring an approach that will help drive successful engagement with customers is an entirely different topic.

Good Security Is Critical in CIAM

It’s really important for organizations to provide adequate security in their customer-facing websites and apps, and not just to meet regulatory requirements. Why? Users are much less likely to do business with organizations when they feel their personal information is not secure and private.

There is also ample evidence that relying on passwords alone is problematic. Even the most responsible approach to passwords (such as enforcing policies for minimum strength, frequent changes, non-reuse, etc.) leaves a lot to be desired, security-wise.

MFA Is Very Effective but Hasn’t Caught On Yet

There’s no doubt that MFA dramatically reduces password-related security risks. Microsoft reported that up to 99.9% of account takeover attempts were defeated when MFA was in use. Despite that amazing success rate, only 26% of US organizations require a second authentication factor for their internal users.

Why would this figure be so low, given how effective MFA is? Probably the biggest reason is that users generally perceive MFA to be hard to use, and try to avoid or circumvent it when they can.

External customers are more likely than internal employees to lose patience and react negatively to what they perceive as a challenging user experience. If external users encounter too much friction in your website and mobile apps (which is typically what happens if security is very strict), many will simply leave and conduct their business elsewhere.

Therefore, in CIAM it’s critical that organizations implement MFA solutions that simultaneously inspire confidence among external users that their data is safe and private, and are not perceived as being overly difficult and onerous.

Which MFA Methods Are Better for CIAM?

Over the years, many different types of MFA have been invented and put into use, each with its own strengths and weaknesses. A USENIX study reviewed several of the more popular MFA methods to determine the usability of each one, considering all factors including the complexity of setup and data connection requirements.

The research included some of the key MFA methods organizations typically employ for consumer-facing use cases: SMS, TOTP, Push, and U2F security key. Here is a very brief description of each method.

  • To verify their identity using the SMS method, users enter a code that has been sent via SMS text message. This is probably the most recognizable method (almost 80% of MFA-enabled accounts use it), but it has been declining in popularity because of poor usability and its susceptibility to attack.
  • With the TOTP (time-based one-time passcode) method, an authenticator app generates passcodes that expire every thirty seconds or so. When prompted (by a website login, for example), the user enters the currently displayed code. This method does not require any data connection.
  • Push-based MFA gives users a notification on their smartphone of a login attempt, which they can approve or deny. It requires mobile internet access to function.
  • U2F (universal second factor) uses a USB hardware device, which the user activates when authenticating. While it doesn’t need a separate internet connection, it does require a USB device, and the user must register beforehand with each website or application.

The key takeaway from the usability study is that among the established methods tested, TOTP came out on top.

However, we’re also seeing a lot of interest in the emerging passwordless authentication methods (such as passkeys from HYPR and other vendors). About 40% of organizations in the retail and financial services industries indicate a strong interest in implementing passwordless methods for their consumers.

MFA in WSO2 Asgardeo

Asgardeo is WSO2’s developer-focused IDaaS solution that provides seamless, secure authentication and user management. It lets organizations focus on building great apps for their customers, and not spend time and energy figuring out the details of identity and security.

Asgardeo makes it simple to enable highly usable MFA methods in your customer experience apps. Using its web-based graphical configuration system, an administrator can set up MFA as an additional login factor in only a few easy steps.

This augments the initial login, which can be configured to use passwords, social identity (such as Apple, Google, Facebook, etc.), a standards-based login method (OpenID Connect or SAML), or even decentralized authentication using Ethereum.

Try Asgardeo for Free

If your organization is looking for a simple yet powerful SaaS-based IAM solution (that also offers a variety of great MFA capabilities!), try out Asgardeo. It’s free and easy to get started.

WSO2's IAM Suite is a world-class, developer-focused access management solution that simplifies securing your web and mobile apps for your consumers, employees, business customers, and even APIs. The WSO2 CIAM Suite gives you the flexibility to choose between open source installable software, IDaaS/SaaS, or single-tenant private cloud deployment options.