Gone are the days of your employees working a standard nine to five from within company walls. Today, employees often work remotely, from different devices and at all hours of the day. But it’s not just your employees who require secure access to your systems; it is also your contractors, vendors, partners, and other external users. Unfortunately, you don’t necessarily know what kind of security policies and practices their companies have in place.
If you take a one-size-fits-all authentication policy approach, you won’t be able to deal with the many authentication challenges that your organization will face from these different types of users trying to access your network.
It’s time for you to consider a flexible authentication policy that ensures security for your organization and ease of use for your internal and external users.
One Size Doesn’t Fit All
Not every situation requires the same level of authentication. As an example, an employee accessing an app with sensitive customer information from inside your company building during business hours is a very different situation than an employee logging into that same app remotely, at night and from a different country. The risks posed by remote and mobile workers are significant, and your organization’s authentication approach needs to take this into account.
Because each security situation is different, you need a multi-factor authentication (MFA) platform that provides the flexibility to handle these different scenarios securely.
While you want to use authentication methods that ensure secure access, you don’t want to burden your users with unnecessary authentication requirements. In a nutshell, you need to balance usability and security.
To get this balance right, your MFA solution should consider contextual factors, such as:
- Person seeking access—title, tenure, full-time versus contractor, and so forth
- Data type—How sensitive is the data? Is it intellectual property, customer personally identifiable information (PII), or other sensitive data?
- Environment—type of device, location, time of day, and other factors
This is where risk-based authentication (RBA), also known as adaptive authentication, is relevant. RBA enables you to take into account contextual factors and adapt the authentication processes based on the risks involved.
RBA develops a “risk score” for each login attempt, and this score is weighed against the “risk threshold” for a given system. If the score for a login attempt exceeds that threshold, additional authentication methods are then required for the user to log in.
The beauty of RBA is that it happens in the background, so the user is not aware of the process and doesn’t become frustrated by burdensome authentication requirements. Your users will only be asked for additional authentication when it is required for security reasons.
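The score-versus-threshold check described above, as an added example that is not from the original article or from any vendor's product, applied to the two login situations contrasted earlier. The signal names, weights, and per-data-type thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed weights for illustration; a real deployment would tune these.
WEIGHTS = {
    "external_user": 20,     # person: contractor, vendor, partner
    "unmanaged_device": 25,  # environment: device type
    "new_country": 30,       # environment: location
    "off_hours": 10,         # environment: time of day
}
# Assumed risk thresholds: the more sensitive the data, the lower the threshold.
THRESHOLDS = {"public": 80, "internal": 50, "customer_pii": 25}

@dataclass(frozen=True)
class LoginAttempt:
    user_type: str              # "employee" or an external type
    managed_device: bool
    country: str
    usual_countries: frozenset  # countries this user normally logs in from
    hour: int                   # local hour, 0-23
    data_type: str              # key into THRESHOLDS

def risk_score(a):
    """Return (score, fired_signals) for one login attempt."""
    signals = {
        "external_user": a.user_type != "employee",
        "unmanaged_device": not a.managed_device,
        "new_country": a.country not in a.usual_countries,
        "off_hours": not 9 <= a.hour < 17,
    }
    fired = [name for name, hit in signals.items() if hit]
    return sum(WEIGHTS[name] for name in fired), fired

def decide(a):
    """Weigh the score against the threshold for the data being accessed."""
    score, fired = risk_score(a)
    # An unknown data type fails closed to the strictest threshold.
    threshold = THRESHOLDS.get(a.data_type, min(THRESHOLDS.values()))
    action = "step_up" if score > threshold else "allow"
    return {"score": score, "threshold": threshold,
            "action": action, "signals": fired}

# Constructed sample attempts: same employee, same app, different context.
OFFICE = LoginAttempt("employee", True, "US", frozenset({"US"}), 11, "customer_pii")
REMOTE = LoginAttempt("employee", True, "BR", frozenset({"US"}), 23, "customer_pii")

if __name__ == "__main__":
    for label, attempt in (("office", OFFICE), ("remote", REMOTE)):
        print(label, decide(attempt))
```

Returning the fired signals alongside the decision gives the audit log a reason for each additional authentication prompt.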
Giving Your Users Choices
In addition to considering the risk level of a particular security situation, you should also consider flexibility from your users’ perspective and give them the choice of what authentication methods to use. Flexibility in authentication methods is the best way to ensure security, while meeting the needs of your users.
We have all experienced situations where the default authentication method doesn’t work; for example, if you don’t have cell phone service, you are flying on a plane, or you don’t have your security token with you.
Typically, challenge-response questions are the go-to second form of authentication, but like passwords, they are susceptible to hacking if they aren’t configured correctly. If the questions are not set up correctly, a savvy hacker may be able to figure out the answers with a little social engineering.
A one-size-fits-all approach to authentication can make certain situations less secure for the company and/or less convenient for the employee. Worse still, it can make authentication impossible in certain situations. There are better options that can be tailored to your organization’s needs, resources, and goals.
Modern MFA solutions overcome authentication challenges by providing users with multiple options depending on the context. Plus, taking different contextual situations into account, such as working offline or not having a second device on hand, reduces user frustration, support call hassles, and downtime, while increasing security.
Solutions that offer companies a broad range of flexible MFA methods, risk-based authentication, and the ability to give users a choice in how they authenticate will enable your organization to be more secure and ultimately more productive.