Multi-Factor Authentication and the Identity and Access Management Capability Maturity Model, Part One

By now, we should all be aware of the inadequacies of passwords. Breach after breach, it's been made painfully clear that single-factor authentication is not enough. In fact, according to the 2017 Verizon Data Breach Report, over 80% of hacking-related breaches are due to weak or stolen passwords. So when the traditional means of authentication are so clearly flawed, what’s the next step?

Most organizations know that multi-factor authentication (MFA) can help amp up security with an additional authentication method that further proves the user is who they claim to be. However, it can be difficult to navigate through the many authentication methods that exist or to compare functionality across numerous MFA solutions and vendors.

Whether your organization is just looking into MFA, in the beginning stages of implementation, or already has an MFA solution in place, there’s no better time than now to define your organization’s current authentication strategy and determine the steps needed to increase your MFA maturity level using a maturity model.

Using a maturity model can help your organization determine the effectiveness of current authentication capabilities and where they stand overall. Maturity models also provide a priority level and decision path when an organization is ready to advance its capabilities through maturity. Read on for a sneak peek of the first two levels of Identity Automation’s MFA Maturity Model before checking out the full reveal in our on-demand webinar.

Building Blocks: Authentication Factors, SFA, 2FA, and MFA

Before we discuss the MFA Maturity Model, let’s start with the basic building blocks of authentication to make sure we’re all up to speed on what MFA is and how it helps organizations beef up their security.

An authentication factor is an "independent category of credential used for identity verification." In plain English, that means something that proves that you are who you say you are. As defined by NIST SP 800-63-3, the three factors that are identified as the cornerstones of authentication are:   

  1. Something you know (e.g., a password).
  2. Something you have (e.g., an ID badge or a cryptographic key).
  3. Something you are (e.g., a fingerprint or other biometric data).

Single-Factor Authentication (SFA) scenarios use “something you know”, commonly referred to as a knowledge factor, such as a password. While this is by far the most common authentication method, unfortunately, as mentioned above, it can be all-too-easy for hackers to get ahold of that "something you know."

Two-Factor Authentication (2FA) ups the ante by adding another authentication factor, typically a possession factor, i.e., “something you have”, such as a cell phone or a hard token.

From there, we can take things a step further with multi-factor authentication. As you've probably surmised, this requires the support of all three cornerstones of authentication. Most often, the third factor is an inherence factor, which is “something you are”. This could mean anything from biometrics, such as a fingerprint scan or facial recognition, to your physical location.

However, having three authentication methods does not necessarily mean you've implemented true MFA. If your third method is simply another knowledge factor, such as a soft token, text code, or secret question, you are just adding another layer to your second factor.

The Basic Level of the MFA Maturity Model: Two-Factor Authentication

Organizations who are just starting out with MFA are considered to be at the Basic Level of the MFA Maturity Model. At this first level, an organization has 2FA in place, with authentication factors supporting the “something you know” and “something you have” authentication methods.

For example, an organization that’s at Level 1 of the MFA maturity model may require a user authenticating to an application to first identify themselves with a username and password and then prompt them for a one-time password (OTP) that’s generated on their mobile phone. The password is something the person knows, while the OTP is something the person has (via the phone). Other examples for “something you have” include FIDO U2F, push notifications, hard token OTPs, and SMS OTPs.

If your organization is currently residing at Level 1, there are several tangible steps you can take to take your MFA strategy to the next level. While we discuss this more in-depth in our on-demand webinar, creating risk profiles for your organization’s user types, building a plan to progress to stronger but readily available authentication methods, and moving towards eliminating passwords for all end-users are all steps towards increasing MFA maturity.

Breached and weak passwords are an easy entry point for cyber criminals. Download our webinar to learn more about evaluating and improving your organization's multi-factor authentication strategy »

The Advanced Level of the MFA Maturity Model: True MFA and Elimination of Passwords

Level 2 of the MFA maturity model, also known as the Advanced Level, supports all three authentication factors (“something you have”, “something you know”, and “something you are”), achieving true MFA capabilities.

Organizations at Level 2 have completely eliminated the use of passwords from their environments and have authentication policies that are flexible and fine-grained, providing users with options that do not disrupt the productivity of their day-to-day tasks. These organizations also have advanced authentication methods in place, such as fingerprint biometrics, proximity cards, Bluetooth proximity, and smart cards.

As you can see, Level 2 of the MFA Maturity Model is called Advanced for a reason. However, it is possible to move beyond even this. This starts with ensuring that high-risk users or access is protected with the most risk-mitigating authentication policies. These policies can be based on a number of contextual factors, such as time of day, day of the week, network origin, trusted device, etc. Don’t worry—this is all covered in our on-demand MFA Maturity Model webinar.
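The contextual policies mentioned above can be expressed as a small decision function. The following is an added example, not code from the original post or from any product: it keeps the passwordless Level 2 baseline (possession plus inherence) and lets time of day, day of the week, network origin, device trust and the user's risk tier only ever tighten the policy, so high-risk users always land on the strictest one. The network ranges, tier names and method labels are assumptions made for this demo.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed example settings: the network ranges, tier names and method labels
# are assumptions made for this demo, not settings from any real product.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 local time, Monday to Friday

# Methods grouped by factor. Strict policies only accept the phishing-resistant
# possession methods (smart card, U2F) rather than push or OTP.
POSSESSION_ANY = {"push", "hard-token-otp", "smart-card", "fido-u2f"}
POSSESSION_PHISHING_RESISTANT = {"smart-card", "fido-u2f"}
INHERENCE = {"fingerprint", "face"}


@dataclass
class Context:
    user: str
    risk_tier: str          # "standard" or "high" (e.g. admins, finance staff)
    source_ip: str
    device_trusted: bool    # enrolled / managed device
    when: datetime


@dataclass
class Decision:
    policy: str             # "standard", "elevated" or "strict"
    allowed: bool           # False means the login is refused outright
    possession: set         # acceptable "something you have" methods
    inherence: set          # acceptable "something you are" methods
    signals: list           # the contextual reasons behind the choice


def risk_signals(ctx: Context) -> list:
    """Collect the contextual signals that raise the risk of this login."""
    signals = []
    if ctx.risk_tier == "high":
        signals.append("high-risk user")
    if not any(ip_address(ctx.source_ip) in net for net in TRUSTED_NETWORKS):
        signals.append("untrusted network")
    if not ctx.device_trusted:
        signals.append("untrusted device")
    if ctx.when.weekday() >= 5 or ctx.when.hour not in BUSINESS_HOURS:
        signals.append("outside business hours")
    return signals


def decide(ctx: Context) -> Decision:
    """Pick the most risk-mitigating policy whose conditions match.

    Every policy is passwordless (possession + inherence). Risk only tightens the
    policy: it narrows possession to phishing-resistant methods and, under the
    strict policy, refuses logins from devices that are not enrolled."""
    signals = risk_signals(ctx)
    if "high-risk user" in signals or len(signals) >= 2:
        return Decision("strict", ctx.device_trusted,
                        POSSESSION_PHISHING_RESISTANT, INHERENCE, signals)
    if signals:
        return Decision("elevated", True,
                        POSSESSION_PHISHING_RESISTANT, INHERENCE, signals)
    return Decision("standard", True, POSSESSION_ANY, INHERENCE, signals)


if __name__ == "__main__":
    # Constructed sample login: a standard user, off-network, on a managed laptop.
    ctx = Context("alice", "standard", "203.0.113.7", True, datetime(2024, 3, 5, 10, 0))
    d = decide(ctx)
    print(d.policy, d.allowed, sorted(d.possession), d.signals)
```

Returning the list of signals alongside the decision matters for operations: the same data explains a step-up prompt to the help desk and gives the SOC a field to alert on when, say, a high-risk account suddenly authenticates from an unenrolled device at the weekend.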

So, Where Does Your Organization Fall on the MFA Maturity Model?

Now that we’ve taken a peek at the first two levels of the MFA Maturity Model—Basic and Advanced—you’re ready to learn the next steps to build a truly comprehensive MFA strategy. 

Check out our on-demand webinar, Advancing Your Identity Management Strategy with the IAM Maturity Model, Part 2 - Multi-Factor Authentication, where our Founder and IAM subject matter expert, Troy Moreland, discusses the progression from a basic authentication strategy, to an advanced, to an adaptive, and finally, to an intelligent, MFA strategy. 

This webinar provides actionable insights into how to evaluate your organization’s current authentication maturity level, take your MFA strategy to the next level, and even move away from using passwords altogether.
