Chances are, you’ve encountered multi-factor authentication (MFA) at some point. Perhaps you entered your username and password to log into your bank’s online portal, and although they were correct, the system challenged you with a second form of authentication. For example, after asking whether you preferred email or text message, the bank sent a one-time password to further verify your identity.
Even within smaller organizations, and certainly at the consumer level, more and more focus is being put on MFA, especially in light of recent data breaches that could have been prevented by it. The recommendation of MFA by best practice frameworks and standards, such as ISO 27001 and COBIT, has only further driven MFA adoption. However, implementing MFA is only the beginning: MFA capabilities vary greatly from organization to organization, and there’s always room for improvement.
To help break down the different levels of authentication capability, we’ve created a Multi-Factor Authentication Maturity Model. We recently discussed the first two levels of this MFA Maturity Model, Basic and Advanced. And now that Identity Automation’s Co-Founder and Identity Fellow, Troy Moreland, has walked us through the full MFA Maturity Model in our recent webinar, Advancing Your Identity Management Strategy with the IAM Maturity Model, Part 2 - Multi-Factor Authentication, we’re ready to jump right into the remaining two levels, Adaptive and Intelligent, as well as the steps your organization can take to achieve them.
The Adaptive Level of the MFA Maturity Model: Protection of All High Risk Systems and Privileged Access
We left off part one at Level 2, or the Advanced level, where all three authentication factors (“something you have”, “something you know”, and “something you are”) are supported, achieving true MFA capabilities. In addition, organizations in Level 2 have authentication policies that are flexible and fine-grained, providing users with authentication options that don’t disrupt the productivity of their day-to-day tasks.
These authentication policies are especially important as we discuss how to advance to Level 3. At Level 3, also known as the Adaptive level, organizations have protected all high-risk systems and privileged access.
This may sound simple enough, but where do you start?
The first step to achieving Level 3 is to define risk mitigating policies. This helps ensure your high-risk users are protected with the highest risk mitigating authentication policies. At this point, you’ll also need to start thinking about how to refine these policies based on various contextual factors, such as time of day, day of the week, network origin, and whether the device is trusted. These factors may alter your authentication policies and implementation (which we’ll discuss in more detail shortly).
Looking back at Level 2, authentication policies are in place and associated with users based on their identity, and these policies can be either static or dynamic. If the policy is dynamic, the system is essentially checking a user’s attributes to determine access. For example, a department only gets access to resources that pertain to that particular group.
However, there are situations where information aside from identity data might be important. The most common criterion is where you’re coming from, or the device source location. Whether you are in the office, working from home, or in another country altogether, this data is contextual, and as a result, different authentication policies may apply.
For example, if your organization only operates out of the United States, an international login attempt would be considered higher risk, and therefore, require a stronger authentication policy for access. Other factors in the adaptive criteria include day of week and time of day. So, if your organization typically operates 8 AM to 5 PM, Monday through Friday, an attempted login outside of that window of time could be flagged as high risk and made subject to stronger authentication policies.
Other characteristics of Level 3 are application specific policies and support for step-up authentication. MFA can be embedded into the native applications themselves for session authentication, and the application’s specific policy can require specific authentication methods for access.
Furthermore, with step-up authentication, a user is challenged to produce additional methods of authentication, demonstrating a higher level of assurance the user is who they claim to be. This is crucial to protect high risk access and can be used for accessing a particular application with sensitive information.
Your organization can also require certain authentication methods for particular applications. For instance, even if a user is already authenticated into their session for the day, a stronger method can be required to access sensitive resources, such as payroll.
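The Level 3 policy described above (contextual risk plus application-specific step-up) can be sketched as follows. This is an added example, not Identity Automation's or RapidIdentity's code; the assurance-level names, the signal-to-level mapping, and the policy values are assumptions modeled on the article's US-only, 8 AM to 5 PM, and payroll examples.

```python
from dataclasses import dataclass
from datetime import datetime

# Assurance levels, lowest to highest (illustrative names, not from the article).
PASSWORD, TWO_FACTOR, STRONG = 1, 2, 3

# Assumed policy values mirroring the article's examples.
HOME_COUNTRIES = {"US"}            # organization operates only in the US
BUSINESS_DAYS = range(0, 5)        # Monday through Friday
BUSINESS_HOURS = range(8, 17)      # 8 AM up to, not including, 5 PM
APP_MINIMUM = {"payroll": STRONG}  # application-specific policy

@dataclass
class Context:
    country: str          # geolocated network origin
    when: datetime        # login time in the organization's local time zone
    trusted_device: bool
    app: str

def required_level(ctx: Context) -> int:
    """Assurance level this request needs, from context and target application."""
    off_hours = (ctx.when.weekday() not in BUSINESS_DAYS
                 or ctx.when.hour not in BUSINESS_HOURS)
    signals = sum([ctx.country not in HOME_COUNTRIES, off_hours,
                   not ctx.trusted_device])
    # Assumed mapping: one risk signal needs a second factor, two or more need
    # the strongest method.
    contextual = (PASSWORD, TWO_FACTOR, STRONG)[min(signals, 2)]
    return max(contextual, APP_MINIMUM.get(ctx.app, PASSWORD))

def decide(ctx: Context, session_level: int) -> str:
    """Allow if the session already meets the requirement, else ask for step-up."""
    need = required_level(ctx)
    return "allow" if session_level >= need else f"step-up:{need}"

if __name__ == "__main__":
    # Constructed request: in-office user with a password-only session opens payroll.
    monday_10am = datetime(2024, 3, 4, 10, 0)
    print(decide(Context("US", monday_10am, True, "payroll"), PASSWORD))
```

Because the decision compares the session's existing assurance level with the requirement, a user who already authenticated strongly is not challenged again, while a password-only session is stepped up only when context or the application demands it.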
The Intelligent Level of the MFA Maturity Model: Contextual Authentication Policies and Artificial Intelligence
Once you’ve reached Level 3, the next step is to begin considering your artificial intelligence strategy. The two main questions you should ask are: 1) Is it in your organization’s best interest to take these next steps? and 2) Will this be done in-house or outsourced?
You may be wondering, how does artificial intelligence even fit into the discussion of MFA? While voice and face recognition are excellent examples of artificial intelligence driven authentication methods, there are other factors, such as keystroke patterns, where the system learns over time how you interact with the keyboard.
In addition, artificial intelligence can be used to detect anomalies. Rather than hard-coded criteria based on identity and context, artificial intelligence can add behavioral analytics as another segment. For instance, if you frequently log into your applications at 2:00 AM, the system learns that’s normal behavior for you and stops challenging you with additional authentication factors.
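The 2:00 AM scenario above can be illustrated with a per-user baseline of login hours. This is an added example, not the vendor's implementation: it uses a simple frequency histogram as a stand-in for behavioral analytics rather than a trained model, and the class name, thresholds, and user name are assumptions.

```python
from collections import Counter, defaultdict

MIN_HISTORY = 20    # assumed: keep challenging until this many logins are recorded
RARE_SHARE = 0.05   # assumed: hours holding under 5% of a user's logins are unusual

class LoginBaseline:
    """Per-user histogram of login hours (a frequency baseline, not an ML model)."""

    def __init__(self):
        self.hours = defaultdict(Counter)

    def is_unusual(self, user: str, hour: int) -> bool:
        seen = self.hours[user]
        total = sum(seen.values())
        if total < MIN_HISTORY:
            return True  # no baseline yet, so fall back to challenging
        # Count the neighbouring hours too, so 01:55 and 02:05 are treated alike.
        near = sum(seen[(hour + d) % 24] for d in (-1, 0, 1))
        return near / total < RARE_SHARE

    def record(self, user: str, hour: int) -> None:
        """Call only after the login, including any challenge, has succeeded,
        so failed or fraudulent attempts cannot shift the baseline."""
        self.hours[user][hour % 24] += 1

    def login(self, user: str, hour: int, authenticated: bool = True) -> str:
        verdict = "challenge" if self.is_unusual(user, hour) else "allow"
        if authenticated:
            self.record(user, hour)
        return verdict

if __name__ == "__main__":
    # Constructed history: a night-shift user who always signs in around 2 AM.
    baseline = LoginBaseline()
    verdicts = [baseline.login("night_shift_user", 2) for _ in range(25)]
    print(verdicts[0], verdicts[-1], baseline.is_unusual("night_shift_user", 14))
```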
Moreover, organizations in Level 4 have an expanded library of authentication methods. For example, school districts have a wide range of users utilizing their RapidIdentity single sign-on portal—anywhere from kindergarten students all the way up to advanced system administrators. While a kindergartner needs age-appropriate authentication methods that overcome struggles with reading and remembering traditional usernames and passwords, a system administrator with unfettered access requires more stringent authentication than a typical end-user. It’s extremely important to make sure your organization has authentication methods that support the flexibility you need for your end-user groups, as well as strong security.
What Are Your Organization’s Next Steps on the MFA Maturity Model?
As more and more information becomes available to the public on the internet, we have to do more to verify identity data. The MFA Maturity Model is an ideal place to start mapping out your organization’s current level of capabilities and determine areas of focus moving forward. Now that you have an overview of each level, you can dive deeper into the details with our on-demand webinar, Advancing Your Identity Management Strategy with the IAM Maturity Model, Part 2 - Multi-Factor Authentication.
In this webinar, Troy Moreland, Identity Automation’s Co-Founder and IAM expert, provides actionable insights into how to evaluate your organization’s current authentication maturity level, take your MFA strategy to the next level, and even move away from using passwords altogether.