Security

Why Adaptive MFA is a Game Changer for User Experience

By Matt Keib

Security measures often feel like they’re just making life harder for end users. Meanwhile, attackers keep finding clever ways to bypass these tools. They love frustrated users, because frustration makes phishing campaigns and the theft of long, complex passwords a breeze. Multifactor authentication (MFA) stepped in to stop criminals from using stolen passwords to access company resources. But if users are already irritated by complex password policies, adding yet another step to the authentication process takes things from bad to worse---in their eyes, at least.

But the future is here, and it’s called adaptive MFA. While there are some consumer applications, the real power of adaptive MFA is in protecting the workforce, which is why adoption is growing in the enterprise. It’s designed for security pros and IT teams who need to keep organizational resources safe. By adjusting authentication requirements based on real-time risk, it offers strong security without the hassle.

Limitations of Traditional MFA

A traditional approach to MFA is usually a huge step up in securing organizations. It solves weak-password issues by adding an additional layer of authentication that makes unauthorized access hard for most attackers.

But like most things in life, MFA comes with certain drawbacks.

Users Find MFA Inconvenient

Yes, cybersecurity experts and enthusiasts love this great cyberattacker stopper. But regular users find using MFA to be a real challenge.

Most users are workers with a lot on their plate. They need to complete tasks, run off to meetings, answer emails, and so on, in a never-ending cycle. Having to take that extra step to log in and carry on with their work is a complete nuisance.

Users’ most common complaint about MFA is how time-consuming and “inconvenient” it is to authenticate twice. That second authentication layer often involves several steps for the user that require them to switch between tabs, apps, or devices. They might even need to wait for an SMS message that never reaches their phone.

This hassle can lead to annoyed users who raise their voices. No matter how important IT and security departments know authentication is, decision-makers in management and on the board care more about productivity and user experience than “theoretical” security risks.

Not All MFA Is More Secure

Another important thing to keep in mind is that some MFA methods can undermine the very purpose of MFA by introducing new vulnerabilities.

For example, SMS and email are the least secure MFA methods. Receiving a six-digit code in an email account that isn’t itself protected by MFA, and that may have a much weaker password, can leave you exposed.

Likewise, SMS MFA is vulnerable to hackers who perform SIM swap attacks. They can clone SIM cards to have messages and calls redirected to their own phone.

MFA for the sake of MFA is not the same as using MFA to strengthen security.

What Is Adaptive MFA?

While MFA adds an additional layer of security to the login process, adaptive MFA adds an additional layer of customization and configuration.

Adaptive MFA adjusts the authentication requirements based on the context of the login attempt, such as the user’s location, device, network, or behavior. It enhances security by providing an appropriate level of authentication based on the perceived risk of the access attempt.

For instance, if an office network is considered secure due to tight security controls such as firewalls, access control lists, and restrictions, a user attempting to log in from the office network might not be prompted to reauthenticate using MFA. Or if a user’s device is part of a trusted-devices group, they might only be required to use a password.

Adaptive MFA also lets system administrators and security professionals decide whether to enforce MFA based on the user’s geolocation data or IP address. If impossible travel or an untrusted IP is detected, MFA is triggered and the user is prompted to perform the additional authentication.

Adaptive MFA can dynamically adjust authentication requirements based on a real-time analysis of the login attempt and the user’s context: the analysis runs inline with the login event rather than after the fact.

Cybersecurity Professionals Love Adaptive MFA

Adaptive MFA excels at cybersecurity because it’s based on user behavior patterns, also known as user and entity behavior analytics (UEBA).

To illustrate, consider an end user who usually works Monday through Friday from 8:00 a.m. to 5:00 p.m. Most interactions between that user and the services requiring authentication happen within that window. If there’s suddenly an attempt to log in at 10:00 p.m. on a Saturday, the system flags it as suspicious and prompts the user for MFA. The same happens if the IP the login comes from has been reported and blacklisted by other security entities.
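The decision logic described in this section and the previous one can be written down as a small policy evaluator. The block below is an added example, not FusionAuth’s code or any product’s implementation; the user, addresses, coordinates, thresholds and blocklist are all constructed. It applies the signals the text lists: a trusted office network or an enrolled device lets the first factor suffice, while impossible travel, an off-hours login or a blocklisted source IP forces the second factor regardless of where the login comes from.

```python
# Adaptive-MFA risk evaluation, written as a teaching example. Not FusionAuth's or any
# other vendor's code; all thresholds, address ranges, coordinates and logins are constructed.
from __future__ import annotations

import ipaddress
import math
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class LoginAttempt:
    user: str
    ip: str
    device_id: str
    when: datetime              # timezone-aware
    geo: tuple[float, float]    # (latitude, longitude) from IP geolocation


@dataclass
class UserBaseline:
    """What 'normal' looks like for one user: the UEBA part of the decision."""
    work_hours: tuple[int, int] = (8, 17)            # 08:00-17:00, half-open interval
    work_days: frozenset[int] = frozenset(range(5))  # Monday=0 .. Friday=4
    last_login: LoginAttempt | None = None


@dataclass
class Policy:
    trusted_networks: list          # ipaddress networks, e.g. office egress ranges
    trusted_devices: set            # device ids enrolled as trusted
    ip_blocklist: set               # constructed stand-in for a threat-intel feed
    max_travel_kmh: float = 900.0   # faster than an airliner -> impossible travel
    min_travel_km: float = 50.0     # ignore geolocation jitter below this distance


def haversine_km(a: tuple[float, float], b: tuple[float, float]) -> float:
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def assess(attempt: LoginAttempt, baseline: UserBaseline, policy: Policy) -> tuple[str, list[str]]:
    """Return ("allow" | "mfa", reasons); "allow" means the first factor is enough."""
    reasons: list[str] = []
    ip = ipaddress.ip_address(attempt.ip)

    # 1. Threat intelligence: the source address has been reported elsewhere.
    if attempt.ip in policy.ip_blocklist:
        reasons.append("source IP is on the blocklist")

    # 2. Impossible travel relative to the previous successful login.
    prev = baseline.last_login
    if prev is not None:
        km = haversine_km(prev.geo, attempt.geo)
        hours = (attempt.when - prev.when).total_seconds() / 3600.0
        if km >= policy.min_travel_km and (hours <= 0 or km / hours > policy.max_travel_kmh):
            reasons.append(f"impossible travel: {km:.0f} km in {max(hours, 0.0):.1f} h")

    # 3. Behavioural baseline: outside the user's usual working pattern.
    start, end = baseline.work_hours
    if attempt.when.weekday() not in baseline.work_days or not start <= attempt.when.hour < end:
        reasons.append("login outside the user's usual hours")

    # Any risk signal overrides context-based trust and forces the second factor.
    if reasons:
        return "mfa", reasons

    # 4. Low-risk context: a trusted office network or an enrolled device skips MFA.
    if any(ip in net for net in policy.trusted_networks):
        return "allow", ["source IP inside a trusted network"]
    if attempt.device_id in policy.trusted_devices:
        return "allow", ["login from a trusted device"]
    return "mfa", ["unfamiliar network and device"]


# Constructed policy and history; the addresses are documentation ranges, not real hosts.
POLICY = Policy(trusted_networks=[ipaddress.ip_network("10.20.0.0/16")],
                trusted_devices={"laptop-4f2a"}, ip_blocklist={"198.51.100.9"})
LONDON, NEW_YORK = (51.51, -0.13), (40.71, -74.01)
UTC = timezone.utc
BASELINE = UserBaseline(last_login=LoginAttempt(
    "alice", "10.20.3.7", "laptop-4f2a", datetime(2024, 6, 11, 7, 0, tzinfo=UTC), LONDON))
ATTEMPTS = {  # 2024-06-11 is a Tuesday, 2024-06-15 a Saturday
    "office_tuesday": LoginAttempt("alice", "10.20.3.8", "laptop-4f2a", datetime(2024, 6, 11, 10, 0, tzinfo=UTC), LONDON),
    "home_saturday_night": LoginAttempt("alice", "203.0.113.7", "laptop-4f2a", datetime(2024, 6, 15, 22, 0, tzinfo=UTC), LONDON),
    "impossible_travel": LoginAttempt("alice", "203.0.113.44", "laptop-4f2a", datetime(2024, 6, 11, 9, 0, tzinfo=UTC), NEW_YORK),
    "blocklisted_ip": LoginAttempt("alice", "198.51.100.9", "laptop-4f2a", datetime(2024, 6, 11, 11, 0, tzinfo=UTC), LONDON),
}


def decisions() -> dict[str, tuple[str, list[str]]]:
    """Run every constructed attempt through the policy; returns decision and reasons per attempt."""
    return {name: assess(a, BASELINE, POLICY) for name, a in ATTEMPTS.items()}
```

Ordering matters: the risk signals are evaluated before the trust shortcuts, so a blocklisted address inside the office range is still challenged. The `min_travel_km` floor keeps IP-geolocation jitter between two nearby points from being reported as travel, and the `hours <= 0` branch handles clock skew between the two login records instead of dividing by zero.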

Another benefit of adaptive MFA solutions is that they can be integrated with various systems, such as identity and access management (IAM), customer identity and access management (CIAM), or customer relationship management (CRM) platforms, as well as other enterprise applications, using APIs. FusionAuth, for example, provides API support for its monitoring tools and other integrations (such as user authentication, MFA, and connections to other identity providers).

Such integrations ensure that adaptive MFA is applied consistently across all entry points to provide a unified security posture. APIs also allow certain tasks to be automated, such as enrolling new users, updating user profiles, and triggering additional authentication challenges based on specific events and conditions. Moreover, because these integrations facilitate real-time communication between the adaptive MFA solution and other security tools such as SIEMs or threat intelligence platforms, they’re ideal for security professionals who want to engage in proactive and preventative measures by keeping an analytic eye on events in a company.

Adaptive MFA Strikes a Better Balance between Simplicity and Security

Adaptive MFA strikes a more acceptable balance between security and what all end users cherish: simplicity.

Since adaptive MFA works with behavioral patterns, geolocation, and trusted IPs, users who regularly work within the same “safe” conditions are not prompted for MFA authentication, which makes their lives much easier. In internal networks, adaptive MFA can even be integrated with single sign-on (SSO). That means those who work on an SSO-enabled device will not even need a password to log in as long as they work from their safe device and within trusted boundaries (IPs, geolocation, etc.).

Adding simplicity to security is particularly useful in certain situations:

  • Where the user is your customer. When an annoyed user is an employee, they will log a ticket, but an annoyed customer takes their business elsewhere. That’s why you’ll notice that e-commerce services such as eBay or Amazon ask for little to no authentication when you log in from the same network and device as usual (this is UEBA at work). But they will prompt you for MFA for more sensitive tasks such as adding or removing a credit card.

  • In the healthcare industry. Healthcare workers are governed by strict legislation such as HIPAA to protect patients’ personally identifiable information (PII). Adaptive MFA allows them to work more seamlessly while complying with security regulations.

  • Mobile. Prompting users to type long credentials and swap between apps to authenticate is especially grating on mobile devices. Adaptive MFA makes a simple, fluid login a reality on smartphones.

Adaptive MFA Is a Valuable Investment

Security professionals often hit a common roadblock: costs. Decision makers prefer to allocate funds to almost anything but cybersecurity---until it’s already too late, that is.

You might have gathered by now that implementing adaptive MFA requires additional services. These services and the expertise to set up and maintain them come at a cost.

For instance, to achieve adaptive MFA in Azure Active Directory (now called Entra ID), you enable MFA for all your users and deploy a Conditional Access policy that defines which IP ranges (or locations) get through and which have MFA enforced. You can also increase the granularity of adaptive MFA with tools such as risky users and risky sign-ins.
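As an added example of the Entra ID setup just described (not Microsoft’s code), here are the two Microsoft Graph request bodies that implement it: a trusted named location for the office egress range, and a Conditional Access policy that requires MFA for every sign-in not coming from that location. The tenant id, application id, CIDR and group id are placeholders; the app registration is assumed to hold at least the Policy.ReadWrite.ConditionalAccess permission.

```python
# Entra ID Conditional Access via Microsoft Graph, written as a teaching example.
# Not Microsoft's code. TENANT_ID, CLIENT_ID, the CIDR and the group id are placeholders.
import json
import urllib.request
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/v1.0"
TENANT_ID = "<your-tenant-id>"        # placeholder
CLIENT_ID = "<app-registration-id>"  # placeholder; needs Policy.ReadWrite.ConditionalAccess


def office_named_location(cidrs: list[str], name: str = "Corporate office egress") -> dict:
    """Graph body for an IP named location marked as trusted."""
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": name,
        "isTrusted": True,
        "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": c} for c in cidrs],
    }


def mfa_outside_office_policy(named_location_id: str, breakglass_group_id: str, enforce: bool = False) -> dict:
    """Graph body: all users, all apps, MFA required unless the sign-in comes from the office location."""
    return {
        "displayName": "Require MFA outside trusted office locations",
        # Report-only first: sign-in logs show who would be prompted before anyone is affected.
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            # Emergency-access accounts are excluded so a bad policy cannot lock out every admin.
            "users": {"includeUsers": ["All"], "excludeGroups": [breakglass_group_id]},
            "locations": {"includeLocations": ["All"], "excludeLocations": [named_location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def get_token(client_secret: str) -> str:
    """Client-credentials token for Graph (assumes admin consent was granted to the app)."""
    form = urlencode({"client_id": CLIENT_ID, "client_secret": client_secret,
                      "scope": "https://graph.microsoft.com/.default",
                      "grant_type": "client_credentials"}).encode()
    req = urllib.request.Request(f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token", data=form)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def graph_post(token: str, path: str, body: dict) -> dict:
    """POST a JSON body to a Graph collection and return the created object."""
    req = urllib.request.Request(
        f"{GRAPH}{path}", data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def deploy(client_secret: str, office_cidrs: list[str], breakglass_group_id: str, enforce: bool = False) -> dict:
    """Create the named location, then the policy that excludes it. Requires network access to Graph."""
    token = get_token(client_secret)
    location = graph_post(token, "/identity/conditionalAccess/namedLocations", office_named_location(office_cidrs))
    policy = mfa_outside_office_policy(location["id"], breakglass_group_id, enforce)
    return graph_post(token, "/identity/conditionalAccess/policies", policy)
```

Deploying with `enforce=False` creates the policy in report-only state; the Conditional Access entries in the sign-in logs then show which users would have been prompted, and `enforce=True` switches the state to `enabled` once the results match the intended trusted ranges. Any user whose sign-in doesn’t originate from the office CIDR, regardless of device, is prompted for MFA under this policy.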

However, costs are relative to each company’s budget and goals. If you want or need to provide security and simplicity for end users and clients, adaptive MFA can be a worthwhile investment that results in fewer tickets and more customers.

Moreover, simpler MFA means more MFA enrollments, which leaves fewer gaps for attackers. This decreases your organization’s chances of becoming the next headline for leaked user data.

Conclusion

Striking a healthy balance between robust security measures and user convenience has always been a challenging feat. Traditional MFA solutions, while effective in enhancing security, often come at the cost of user experience, leading to frustration and reduced productivity. However, as you’ve seen in this article, adaptive MFA emerges as a game-changer. It not only fortifies security but also respects the user’s time and workflow by adjusting authentication requirements based on context and risk level.

Adaptive MFA offers a balanced approach that caters to both security professionals and end users. It ensures robust security without compromising on convenience. Integrating adaptive MFA into your security strategy lets you protect your assets and provide a seamless user experience to foster trust and loyalty among customers and employees alike.