Thales Blog

Not All Authentication Methods Are Equally Safe

February 10, 2022

Danna Bethlehem Danna Bethlehem | Director, Product Marketing More About This Author >

There is broad recognition by security leaders that stronger authentication is foundational to preventing data breaches. As recently as September 2021, US Deputy National Security Adviser for Cyber and Emerging Technologies Anne Neuberger said that multifactor authentication — which requires users to access websites and systems by entering a password and also using a second device to verify their identity — could prevent 80% to 90% of all successful cyberattacks.

And while many organizations have implemented MFA for remote users, large numbers of users in these same organizations, continue to access applications and services with vulnerable passwords.

In the current cybercrime climate, all users are targets. Implementing partial MFA for subsets of users will leave gaps and create security vulnerabilities

Not all MFA methods are equal

While the concept of multifactor authentication is comprehensive, the devil is hiding in the implementation detail. Most organizations are following a monolithic approach to MFA authentication, leveraging smartphones as the second authentication factor. Therefore, the most common authentication methods are mobile OTP authenticators, push OTP and SMS-based authentication.

However, not all forms of MFA are suited to future proofing an organization’s access requirements and extend coverage to all users. For example, SMS-based authentication is deprecated by NIST because of SIM swapping threats. There are also numerous reasons why a smart phone frequently cannot be used as an authentication device. As organizations gear up to expand strong authentication to additional users and apps, implementing the right authentication method for the right user is key to success.

Distinct user authentication journeys

There is a misconception that all users are the same. This is far from true. In modern, cloud-based businesses each user is unique and has distinct access requirements. A user might access data in the cloud from their home using their business laptop. Another user might access sensitive data on-premises while they are commuting using a mobile phone. In addition, for some users in the enterprise it might not be feasible to have access to a smartphone to authenticate themselves because of various operational restrictions that constrain mobile connectivity or prohibit mobile phone use.

Welcome to the world of user identity verification journeys, where different use cases demand different approaches to user authentication. To understand the concept, let us look at two distinct use cases – a sales representative and a biologist.

Sales representative

A sales rep might be commuting by train to head office. She can access her Salesforce account and apply MFA, which is now a requirement, using a mobile phone. She can also use her mobile authenticator to access Salesforce when logging into her account from a business laptop in the office. This is an example where the same authentication method can be used in various cases, however this is not always the case.

Nature biologist

A nature biologist could find themselves in a remote location, such as a jungle, and need to authenticate to log the findings of research into a hardened tablet. In remote locations he cannot use a mobile phone because there is not any access to the internet. Therefore, he needs to have access to a device that can provide authentication without an internet connection. Alternatively, when he is back in his hotel or home, he can use a mobile phone to authenticate and access his university’s cloud platform.

Are you ready to take the authentication challenge?

These two scenarios demonstrate the necessity for businesses to be able to support various user authentication journeys. To do so, they need to adopt a ‘Discover, Protect, Control’ approach:

  • Discover employees distinct authentication journeys
  • Protect data while balancing user experience
  • Control access security to scale with business needs

To understand the concept of user authentication journeys and what this means for your organization, Thales has developed a tutorial, which you can access here. Try this fun game and see how many points you score by applying the correct authentication solutions.