Why Not MFA? episode artwork

EPISODE · Mar 17, 2020

Why Not MFA?

from Info Risk Today Podcast · host InfoRiskToday.com

In cybersecurity circles, multi-factor authentication today is considered table stakes. Yet, many organizations and users are hesitant to embrace MFA because of friction or other concerns. Corey Nachreiner and Marc Laliberte of WatchGuard Technologies dispel some of the MFA myths.

Episode metadata supplied by the publisher feed · Published Mar 17, 2020

In cybersecurity circles, multi-factor authentication today is considered table stakes. Yet, many organizations and users are hesitant to embrace MFA because of friction or other concerns. Corey Nachreiner and Marc Laliberte of WatchGuard Technologies dispel some of the MFA myths.

PodParley-generated summary based on available episode metadata and transcript content.

NOW PLAYING

Why Not MFA?

0:00 0:00
of MATCHES

TRANSCRIPT · AUTO-GENERATED

Hi, I'm Tom Field, Senior Vice President of Editorial with Information Security Media Group. Today I'm talking not only about multi-factor authentication, but why not multi-factor authentication. Here to speak about this with me are Corey Knockreiner, Chief Technology Officer with WatchGuard Technologies, and his associate Mark Willerby, Senior Security Analyst also with WatchGuard Technologies. Corey, Mark, thanks so much for joining me today.

Hey, Tom, thanks for having us on. Yeah, it's always a pleasure. So guys, despite multi-factor being embraced really as table stakes in security these days, we all know there are still many organizations that haven't adopted it. What do you find to be the biggest barriers from one, the enterprise's perspective, and two, the user's perspective?

Well, let me start with the enterprise's perspective, Tom. This is Corey, by the way. I think the issues really come down to cost and friction. And what we find is larger enterprises, you know, from a security perspective, it is table stakes.

Larger enterprises realize this and they might have already adopted it relatively extensively. But as you go to mid-market and especially down to small business, cost and friction really affect them quite a bit more. So from the enterprise perspective, you know, the initial issues with multi-factor, even though it's a very mature and it's been around for decades, were the complexity and cost of the initial solutions. They required heavy servers rather than cloud-based solutions you have today.

They technically, or in the past, they really heavily leveraged physical hardware-based tokens, which are great and can be very secure, but also have quite a bit of deployment cost. When you're dealing with a physical token, you know, having to get them out to your employees, especially if you're a big organization, having to recover or reset or get rid of them when they're lost, having to redeploy, all of those things tend to add up. So early on, the technology was really cost and friction. Although I'll say new solutions have made that come down.

And I think the user perspective is similar, but why don't you weigh in, Mark? Yeah, hey, this is Mark, by the way. And when it comes to the users, often it comes down to, like Corey mentioned, friction. Implementations that aren't easy to use for the end user will cause them to not want to adopt it.

That could be a hardware token that they now have to fish out of their pocket anytime they want to log into something. Could even be like a text or an app where you have to enter in now a six-digit code every time you log in. So you have to fish your phone out of the pocket. That additional time can be a bit of a pain when it comes to users, which means we need to look towards implementations that make it easier for users to hop right in.

So both of you have used the word friction. What do you find to be the real user frictions that are inherent in multi-factor? Well, one, there's a number of different techniques. I mean, your audience probably realizes multi-factor just combines multiple tokens or factors that are something you know, something you are, or something you have.

And different combinations of those can be harder or easier. For instance, something you have does require a physical token. It may require pressing a button. It may require entering a code and reading off a code back and forth.

So every little step that you have to take to an employee, you know, if I'm logging in every day, and chances are I'm logging in multiple times a day to many things, every extra step I have to do just seems like it's slowing me down to doing my job. So it's those type of just basic extra steps you have to do. That said, smart implementations of multi-factor can really lessen those steps. For instance, you know, one of the most common ways that historically we've done multi-factor is something called one-time passcodes where, you know, whatever your token and whether it's a soft token on a mobile phone or if it's a hardware token, you log in with your password and then you're asked to put in this temporary six-digit or maybe four- or eight-digit code.

And even that little extra step can kind of irritate users. On the flip side, with mobile phones nowadays, we have push authentication where you always have your phone on you. You get a little notification that just pops up and it says, hey, I see you're authenticating from Spain at 6 a.m. on Friday.

Is this really you? And you just have to press a button. So just subtle differences between having to type more things versus just having to press a button to approve something, that makes a very big difference. Now talk to me about the real risk to the enterprise in terms of exploits that might be associated with MFA.

Yeah, so I want to preface this with any form of MFA is better than no MFA at all. But when it comes to multi-factor authentication, not all of them come equally in terms of security. We've seen real-world attacks against MFA like with the Reddit breach from last year or the year before where they were using multi-factor authentication, but they were using SMS-based one-time passwords. And the criminal in this case was able to trick their mobile phone providers to port phone numbers over to a different SIM card or a different account, which then let them intercept those text-based one-time passwords and successfully log into the accounts even though they were using MFA.

Yeah, and there's all kinds of different risks and ways you can get those text messages, whether they're vulnerabilities in ISPs or carrier networks and protocols they use like signaling system 7. We've seen a lot of malware authors create malware that coincides with their, you know, they may have traditional Windows malware that affects your desktop, but they've designed malware that also affects usually Android, sometimes iOS devices that tries to capture locally things like that secondary token, that one-time password, or that text message. Not all MFA is created equal, but as an enterprise or even market customer, you have to kind of balance the best security with the least friction. And you're not always going to be using like the NSA-grade super token that does challenge response and requires a fingerprint because that might add too much friction, but you can get really good and secure options that give you the security with less friction as well.

What do I get from these NSA super tokens? I don't know. I think we'd have to pass some sort of like confidentiality test and get SCIF access and give all our information to the government. I'll just use my phone.

But on the Christmas list market. So John, to bring it back to WatchGuard, how are you helping to overcome some of these specific frictions and risks you've just detailed for us? So we've actually designed our solution really for this mid-market and below that we think has less adoption of MFA. And to, you know, some of the frictions aren't just the user friction, but the cost.

One of the things we've done is implemented a cloud-based management solution and server solution. So other than wherever your identity store is, your Active Directory or LDAP server, which you probably already have set up, you know, our solution is entirely SaaS, you know, software as a service, cloud-based. You don't have to install any hardware to do it. So for business friction, it's really easy and quick to implement.

And it covers, you know, anything from logging onto online sites to, you know, local Windows authentication or Mac authentication. So that covers some of the cost issues. As far as the security risks, we really like this mobile phone-based push solution. So mobile devices are pretty ubiquitous.

Many people have them. And the way we do our classic multi-factor authentication is not forcing you to type a code. It's not actually using the text on your mobile phone, but using that push-based notification, which, by the way, happens over a fully encrypted TLS SSL channel. So it's not something you can man in the middle easily.

Also behind the scenes, there's a lot we're doing in that application besides the push authentication of the phone. There are risks Mark haven't talked about yet where people literally image your phone device or do SIM card swapping to kind of get your phone number attached to another phone or get your applications to be able to be attached to another phone. So one of the things we have that is another factor behind the scenes is something called digital DNA we are using from your mobile device. So we actually understand some of the physical identifications of your specific phone so that we protect against things like SIM card swapping and can even protect sometimes against things like local malware that's just looking to get the key, the one-time password.

So it really covers a lot of your security risks. And I think I already covered how that push-based authentication removes a lot of user friction. I mean, literally, all you have to do is press a button called approve. We hope you read a little information.

You know, our system will tell you where we see you authenticating from and a few other details that help the user confirm that it really is the authentication they're looking for, but it really is such a quick process. The final thing I would add, and this is really important to enterprise adoption of MFA, is I actually think the right MFA solution can make your daily authentication tasks easier. So one of the things we combined with AuthPoint, which is the name of our solution, is a single sign-on portal. And we even have a cloud-based option.

So all of the local, like your daily SaaS applications, if you use Office 365, Wrike, Salesforce, name any SaaS application that you might tie our system in with for multi-factor. What we all do here at WatchGuard is we log every day one time after we log onto our computer into our authentication portal. It has all of our services there after we've logged in with multi-factor. And from that point on, we just have to push a button to get into any

That Hoarder: Overcome Compulsive Hoarding That Hoarder Hoarding disorder is stigmatised and people who hoard feel vast amounts of shame. This podcast began life as an audio diary, an anonymous outlet for somebody with this weird condition. That Hoarder speaks about her experiences living with compulsive hoarding, she interviews therapists, academics, researchers, children of hoarders, professional organisers and influencers, and she shares insight and tips for others with the problem. Listened to by people who hoard as well as those who love them and those who work with them, Overcome Compulsive Hoarding with That Hoarder aims to shatter the stigma, share the truth and speak openly and honestly to improve lives. The Small Business Startup School – Business Notes | Financial Literacy | Retail Psychology – For Professionals & Entrepreneurs The Small Business Startup School Inc. Starting or buying a small business? While personal circumstances may vary, business patterns remain timeless. On The Small Business Startup School, we explore strategies, insights, and practical solutions to help entrepreneurs confidently navigate their journey.Hosted by Ola Williams—a retail entrepreneur, fintech founder, and financial coach with over two decades of experience—this podcast marries financial awareness and retail psychology with optimism to deliver actionable takeaways.Join us to learn, grow, and connect as we uncover the keys to business success.Let’s continue to learn together and be encouraged to keep on connecting! DIOSA. Carolina Sanper This podcast is a sacred space created by Carolina Sanper where you connect with your inner wisdom and embody your magnetic feminine power.It is the realization that the mystical realm is where you plant the seeds of your desired reality.It is a portal to your true essence: awareness, presence, and receiving with ease. Welcome home, DIOSA. 🖤 XXX Tech by SOVRYN Dr. Brian Sovryn The crossroads between technology, sensuality, and metaphysics - and the longest running anarchist podcast in the world! Brought to you by Dr. Brian Sovryn.

Frequently Asked Questions

How long is this episode of Info Risk Today Podcast?

Episode duration information is not available.

When was this Info Risk Today Podcast episode published?

This episode was published on March 17, 2020.

What is this episode about?

In cybersecurity circles, multi-factor authentication today is considered table stakes. Yet, many organizations and users are hesitant to embrace MFA because of friction or other concerns. Corey Nachreiner and Marc Laliberte of WatchGuard...

Can I download this Info Risk Today Podcast episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!