When attempting to implement a Zero Trust security model, the first step is the most important, but maybe not for the reasons you think. We don’t mean this in a symbolic sense: it isn’t the “first step” toward a grand vision or mission statement about an organization’s commitment to robust security. We mean it in a very real, practical sense. That first step is important because it is where the most damaging mistakes are often made.
Multi-Factor Authentication (MFA) is one of those Zero Trust building blocks that’s susceptible to weak points — some due to deployment missteps, but most because it’s incredibly difficult to balance stringent security with practical usability. Unfortunately, it’s often unclear until after a system is in place if you’ve veered too much toward one or the other.
Since combined MFA and Single Sign-On (SSO) systems are often an organization’s gateway to Zero Trust, it’s important not to stumble on your way through that gateway. This requires an understanding of the challenges inherent in MFA implementation, many of which aren’t immediately apparent, and a clear long-term strategy for anticipating and thwarting attacks.
If “the journey of a thousand miles starts with a single step,” it’s important that first one lands on solid ground. Here’s how you can help ensure it does.
Your Organization is Only Human
There are two truths when it comes to cybersecurity. One, attackers are constantly inventing new ways to circumvent blockades. And two – simple human error is one of the quickest and easiest ways to get inside a network, regardless of existing technological roadblocks.
“MFA fatigue” is real, and it can undermine security efforts in damaging ways. A Zero Trust rollout can expose this weakness in several ways, but the most notable is that users who face repeated authentication prompts and touchpoints become careless and unwittingly create openings for attackers.
For example, when faced with repeated prompts to re-authenticate, most users will simply tap “approve” to make the pop-up go away, without reading the request or considering whether it is legitimate. It’s human nature: if your phone keeps dinging, you’ll do whatever makes it stop. Attackers exploit this deliberately. One who already holds a user’s password can trigger push prompt after push prompt until the user approves one, and that approval completes the attacker’s login, not the user’s. The same fatigue makes a user more likely to enter credentials into a page designed to look like one of their usual systems. Either way, the attacker is banking on MFA fatigue to make the user careless.
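How a security operations team would spot the pattern described above, as an added example that is not part of the original post: the Python below parses a constructed, hypothetical log format (timestamp, user, push event, source IP; real identity-provider exports differ and need their own parser) and flags users who received a burst of push prompts, escalating the finding when the user approved only after denying or ignoring several. The window and threshold values are illustrative assumptions.

```python
"""Detect MFA push-bombing in identity-provider logs.

Added example for this article, not the author's or any vendor's code.
The log format below is constructed for illustration; real IdP exports
differ and need their own parser.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative tuning (assumptions): 4+ prompts in 10 minutes is a burst.
WINDOW = timedelta(minutes=10)
PROMPT_THRESHOLD = 4
REJECTION_EVENTS = {"push_denied", "push_timeout"}

# Constructed sample log: "<timestamp> <user> <event> <source_ip>".
# alice is being push-bombed and finally approves; bob is a normal login.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z alice push_sent 198.51.100.7
2024-03-01T08:02:40Z alice push_denied 198.51.100.7
2024-03-01T08:03:05Z alice push_sent 198.51.100.7
2024-03-01T08:03:30Z alice push_timeout 198.51.100.7
2024-03-01T08:03:41Z alice push_sent 198.51.100.7
2024-03-01T08:04:02Z alice push_sent 198.51.100.7
2024-03-01T08:04:30Z alice push_sent 198.51.100.7
2024-03-01T08:04:51Z alice push_approved 198.51.100.7
2024-03-01T08:05:12Z bob push_sent 203.0.113.9
2024-03-01T08:05:20Z bob push_approved 203.0.113.9
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, user, event, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return events


def detect_push_bombing(events, window=WINDOW, threshold=PROMPT_THRESHOLD):
    """Return {user: finding} for users hit by a burst of push prompts.

    'approved_after_rejections' is the MFA-fatigue signature: the user denied
    or ignored prompts and then approved one. Treat that approval as the
    attacker's session, not the user's.
    """
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)

    findings = {}
    for user, evs in by_user.items():
        prompts = [ts for ts, _, event, _ in evs if event == "push_sent"]
        # Sliding window over prompt timestamps: size of the densest burst.
        burst, start = 0, 0
        for end in range(len(prompts)):
            while prompts[end] - prompts[start] > window:
                start += 1
            burst = max(burst, end - start + 1)
        if burst < threshold:
            continue

        # Outcomes up to the first approval: how many times did the user say no?
        rejections, gave_in = 0, False
        for _, _, event, _ in evs:
            if event in REJECTION_EVENTS:
                rejections += 1
            elif event == "push_approved":
                gave_in = rejections >= 2
                break

        findings[user] = {
            "prompts_in_window": burst,
            "rejections_before_approval": rejections,
            "approved_after_rejections": gave_in,
            "severity": "high" if gave_in else "medium",
        }
    return findings


if __name__ == "__main__":
    for user, finding in detect_push_bombing(parse_log(SAMPLE_LOG)).items():
        print(user, finding)
```

A high-severity finding should trigger session revocation and a password reset, because the attacker necessarily held a valid password to generate the prompts in the first place. On the prevention side, number matching (the user types a code shown on the login screen into the app) removes the blind “approve” button, and capping the number of prompts per user per hour stops the burst before fatigue sets in.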
Other avenues for attack include hijacking an SSO session by compromising the very machine the user is working on, through malware or similar means. Secondary channels are also often left unprotected, such as the protocols that Active Directory environments enable by default. For example, Server Message Block (SMB) and Remote Procedure Call (RPC) authenticate with only a username and password, so an attacker who has the credentials needs no second factor, no matter how strong the MFA in front of the SSO portal is.
These are classic privileged access challenges, and they are why security teams should “own” UX. Doing so helps ensure that MFA and SSO are bolstered with Privileged Access Management (PAM) controls that add further layers of security at every access point, including the ones MFA does not cover. Recent attacks have shown that if your authentication systems are protected by passwords and nothing else, it’s no longer a question of if you will be compromised but when.
Striking the Right Balance
The CISO View 2021 Survey: Zero Trust and Privileged Access found that an overwhelming 86% of respondents agreed that optimizing the user experience was “very important” or “important” when implementing Zero Trust. The willingness is there; putting it into practice, however, reveals just how tricky the balance between usability and security can be.
The CISO View survey pointed to two keys to minimizing friction (and thereby improving UX): passwordless authentication and artificial intelligence (AI). The first replaces the password with factors that are naturally stronger lines of defense, usually a possession factor such as a hardware security key or a phone enrolled via QR code, combined with a biometric such as facial recognition or a fingerprint scan.
But it’s the second, AI, that provides the context and insight needed to balance user experience with security. When it comes to MFA, what matters is not just how many data signals a system can ingest, but how it correlates them to learn the “normal” behavior of each individual identity: the devices, locations, times and resources a user normally touches. When a request deviates from that baseline, or any other risky event occurs, the organization can withhold access until the user completes a stronger round of authentication, while routine, in-baseline requests go through without interruption.
To put it another way, the push for AI and machine learning isn’t a race to create the smartest algorithm — it’s the race to create the most informed.
AI can and will also play an important role in automating the evaluation of risk. Re-authentication would then be required only for access requests that context and behavior mark as risky, such as those involving highly sensitive data, an unrecognized device or an unusual location. This cuts out the dull repetition of re-authentication for “everyday” interactions, which reduces fatigue and improves UX.
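How the context-driven step-up described in the two paragraphs above can be expressed in code, as an added example that is not the article’s or any product’s engine: a small Python risk scorer compares each access request with a per-identity baseline of known devices, usual countries and last-seen location, and returns allow, step_up or block. It also folds a successful step-up back into the baseline so the same device stops prompting, which is the friction reduction the survey respondents were after. The weights, thresholds, two-hour travel window and the constructed baseline for “alice” are assumptions for illustration.

```python
"""Risk-based (adaptive) step-up authentication.

Added example for this article, not the author's or any vendor's engine.
Signal weights, thresholds and the travel window are illustrative
assumptions; a production system would learn them per identity.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

WEIGHT_UNKNOWN_DEVICE = 40
WEIGHT_UNUSUAL_COUNTRY = 30
WEIGHT_IMPOSSIBLE_TRAVEL = 50
WEIGHT_OFF_HOURS = 10
SENSITIVITY_WEIGHT = {"low": 0, "medium": 10, "high": 30}
STEP_UP_THRESHOLD = 30   # score at or above: require a stronger factor
BLOCK_THRESHOLD = 80     # score at or above: deny and alert
TRAVEL_WINDOW = timedelta(hours=2)


@dataclass
class UserBaseline:
    """What 'normal' looks like for one identity, learned from past successes."""
    known_devices: Set[str] = field(default_factory=set)
    usual_countries: Set[str] = field(default_factory=set)
    last_seen: Optional[datetime] = None
    last_country: Optional[str] = None


@dataclass
class AccessRequest:
    user: str
    device_id: str
    country: str
    timestamp: datetime
    resource_sensitivity: str  # "low" | "medium" | "high"


def make_request(user, device_id, country, when_iso, sensitivity):
    """Helper so callers can pass ISO-8601 timestamps as strings."""
    return AccessRequest(user, device_id, country, datetime.fromisoformat(when_iso), sensitivity)


def sample_baseline():
    """Constructed baseline (assumption): alice normally uses laptop-1 from the US."""
    return UserBaseline({"laptop-1"}, {"US"}, datetime.fromisoformat("2024-03-01T09:00:00"), "US")


def score_request(req: AccessRequest, base: UserBaseline) -> Tuple[int, List[str]]:
    """Sum the risk signals on which the request deviates from the baseline."""
    score, reasons = 0, []
    if req.device_id not in base.known_devices:
        score += WEIGHT_UNKNOWN_DEVICE
        reasons.append("unknown device")
    if req.country not in base.usual_countries:
        score += WEIGHT_UNUSUAL_COUNTRY
        reasons.append("unusual country")
    # Impossible travel: seen from a different country less than TRAVEL_WINDOW ago.
    if (base.last_seen is not None and base.last_country != req.country
            and req.timestamp - base.last_seen < TRAVEL_WINDOW):
        score += WEIGHT_IMPOSSIBLE_TRAVEL
        reasons.append("impossible travel")
    if req.timestamp.hour < 6 or req.timestamp.hour >= 20:
        score += WEIGHT_OFF_HOURS
        reasons.append("off-hours")
    sensitivity = SENSITIVITY_WEIGHT[req.resource_sensitivity]
    if sensitivity:
        score += sensitivity
        reasons.append(f"{req.resource_sensitivity}-sensitivity resource")
    return score, reasons


def decide(req: AccessRequest, base: UserBaseline) -> str:
    """'allow' (silent SSO), 'step_up' (stronger factor) or 'block'."""
    score, _ = score_request(req, base)
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


def record_success(req: AccessRequest, base: UserBaseline) -> None:
    """After a successful (step-up) login, fold the context into the baseline
    so the same device and location do not prompt again next time."""
    base.known_devices.add(req.device_id)
    base.usual_countries.add(req.country)
    base.last_seen = req.timestamp
    base.last_country = req.country


if __name__ == "__main__":
    base = sample_baseline()
    for req in (
        make_request("alice", "laptop-1", "US", "2024-03-01T10:00:00", "low"),
        make_request("alice", "laptop-1", "US", "2024-03-01T10:05:00", "high"),
        make_request("alice", "phone-9", "DE", "2024-03-01T10:30:00", "medium"),
    ):
        print(decide(req, base), score_request(req, base))
```

The three constructed requests come out as allow, step_up and block respectively: the usual laptop from the usual country touching a low-sensitivity resource is silent SSO, the same laptop reaching a high-sensitivity resource gets a step-up, and an unknown phone in another country ninety minutes after the last US login is denied outright. The point a practitioner should take from `record_success` is that the baseline must be updated only after the stronger factor succeeds, never on the initial request, or the attacker’s device becomes “known”.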
Practical Advice
Zero Trust is a big idea. It encompasses big-picture thinking while depending mightily on the small details, the right toolset and the human elements that keep it working. When an organization is looking to move toward a Zero Trust model, that first step can seem elusive and fraught with peril.
But as we’ve seen, strong Identity Security offers a solid, practical way to achieve Zero Trust. It delivers the right mix of solutions to secure individual identities throughout the cycle of accessing critical assets — starting with adaptive authentication mechanisms protected in an almost symbiotic way with strong privileged access controls. This helps ensure the user experience is designed not only for optimal security but also for smooth, easy, and efficient UX that won’t lull users into making critical mistakes.
Even as security measures become more advanced, attackers know that human error is a reliable weakness to exploit. Don’t wait until you’ve been breached to fix those holes. Take the steps to build a solid MFA foundation that’s dependable and practical, from the very beginning.