Since the 1960s, passwords have undergone quite an evolution. Despite the changes, strong passwords are still an essential first line of defense in cybersecurity regardless of whether you’re working on military computers or social media.
But a single password for a laptop or account is no longer enough to stop attackers from accessing vital information. Fortunately, the advent of multifactor authentication (MFA) has given both individuals and corporations a way to strengthen their accounts and keep their sensitive information protected.
What is a passwordless future?
The idea of a passwordless future is not new. In fact, many tech giants and some new players are already building the infrastructure to make it a reality. In a passwordless future, instead of relying on passwords, we can use biometric authentication, physical security tokens, one-time passwords (OTP), or authentication apps to securely access accounts.
The idea here is to stop sending secrets across the network at all. The most secure way to do that is the FIDO standard, which relies on public-key cryptography. With FIDO, the end user’s device holds a private key and the system holds the corresponding public key; the private key never leaves the device. At login, the system sends a fresh random challenge. Once the end user passes a local check, such as providing a valid fingerprint or PIN, the device signs the challenge with the private key, and the system validates the signature with the public key before granting access. Because the signature covers that one challenge and the identity of the site that issued it, a captured login cannot be replayed, and a phishing site cannot reuse it.
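Here is the challenge-response flow described above in working code. This is an added example, not code from the original article and not a FIDO or WebAuthn implementation: it uses Go’s standard-library Ed25519 and a simplified signed message (SHA-256 of the relying-party ID, a signature counter, and the challenge) to show the shape of the protocol. The names Authenticator, RelyingParty, Register, Assert and Verify, and the userVerified flag that stands in for the fingerprint check, are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator stands in for the user's device. The private key is generated
// here and never leaves; only signatures go out over the network. (Illustrative
// type, not a FIDO authenticator.)
type Authenticator struct {
	priv    ed25519.PrivateKey
	counter uint32
}

// Credential is all the relying party keeps after registration: no secret.
type Credential struct {
	pub     ed25519.PublicKey
	counter uint32 // last counter value accepted
}

// RelyingParty stands in for the site being logged into.
type RelyingParty struct {
	ID    string // e.g. "example.com"; every signature is bound to this
	creds map[string]*Credential
}

// Register makes a key pair on the device and hands over only the public half.
func (rp *RelyingParty) Register(user string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	if rp.creds == nil {
		rp.creds = map[string]*Credential{}
	}
	rp.creds[user] = &Credential{pub: pub}
	return &Authenticator{priv: priv}, nil
}

// NewChallenge issues 32 fresh random bytes for one login attempt.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedData is what gets signed: SHA-256 of the RP ID (so a signature for
// example.com is useless to a look-alike site), the counter, the challenge.
func signedData(rpID string, counter uint32, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	return append(append(h[:], ctr[:]...), challenge...)
}

// Assertion is the only thing the device sends back.
type Assertion struct {
	Counter uint32
	Sig     []byte
}

// Assert signs only after the local check (fingerprint, PIN) passed;
// userVerified stands in for that check.
func (a *Authenticator) Assert(rpID string, challenge []byte, userVerified bool) (*Assertion, error) {
	if !userVerified {
		return nil, errors.New("local user verification failed; nothing signed")
	}
	a.counter++
	sig := ed25519.Sign(a.priv, signedData(rpID, a.counter, challenge))
	return &Assertion{Counter: a.counter, Sig: sig}, nil
}

// Verify checks the signature with the stored public key against the challenge
// this RP issued, and insists the counter moved forward (rejects replays/clones).
func (rp *RelyingParty) Verify(user string, challenge []byte, as *Assertion) error {
	cred, ok := rp.creds[user]
	if !ok {
		return errors.New("unknown credential")
	}
	if as.Counter <= cred.counter {
		return errors.New("signature counter did not increase: replay or clone")
	}
	if !ed25519.Verify(cred.pub, signedData(rp.ID, as.Counter, challenge), as.Sig) {
		return errors.New("signature does not verify for this RP and challenge")
	}
	cred.counter = as.Counter
	return nil
}

func main() {
	rp := &RelyingParty{ID: "example.com"}
	auth, _ := rp.Register("alice")
	challenge, _ := rp.NewChallenge()
	as, _ := auth.Assert(rp.ID, challenge, true)
	fmt.Println("first use:", rp.Verify("alice", challenge, as))
	fmt.Println("replay:   ", rp.Verify("alice", challenge, as))
}
```

Running it, the first Verify returns no error and the replay fails on the counter check. Note what the server stores: only a public key and a counter, so a breach of its credential table yields nothing an attacker can log in with, which is the whole point of not transmitting secrets.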
Though integrating new systems and security measures is a temporary annoyance, prioritizing corporate cybersecurity is essential to maintain and grow operations. Being proactive in embracing these developments will position companies at the front of the pack rather than having to work backward after a security breach or being left behind in technological progress.
Although going fully passwordless is the most secure option, in practice many systems will keep using MFA with a mix of passwords, time-based one-time passwords (TOTP), and authentication apps.
The hurdles of MFA
While MFA is now considered standard practice for most types of cybersecurity needs, it doesn’t mean it’s the easiest development to deal with.
Traditional MFA typically requires a unique password coupled with a one-time password (OTP) sent to the user’s mobile device or generated by a third-party authenticator app that only they can access. This is simple enough and makes it far harder for someone holding only a stolen password to get into the account. But consider what happens when an individual loses their phone, or otherwise loses access to the authenticator required to log in with MFA. For consumers, this is a monumental inconvenience: they are locked out of every account tied to that second factor, and the factor cannot easily be reset. For companies utilizing MFA, it can be a lot more cumbersome, because sensitive corporate information is involved.
The reality is that standard MFA using OTPs and passwords often leaves teams sharing OTPs, regardless of the risk this poses. To manage that risk, it’s advised to use a central platform, such as Okta, to hold the credentials team members share in a corporate environment. An ideal platform keeps the OTP seeds in a central vault, never hands out the seed itself, and returns the current OTP only to the team members authorized for that account with a simple command, logging who asked for which code and when.
Some organizations maintain a large number of applications and systems for their clientele. Many of those systems require an OTP as part of the authentication process, and are issued a single user account for the entire team. This is a recommended course of action as it reduces the number of credentials and MFA enrollments to secure while streamlining internal operations. The trade-off is that the service itself can no longer tell team members apart, so the vault’s own access log becomes the only record of who used the account. To make teamwork possible, it’s advisable to build an internal tool on Slack, the workplace communication software. For instance, an authorized user can type a Slack command like “/otp” and receive the shared one-time password they are authorized to use.
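The central OTP vault of the previous two paragraphs, with the kind of “/otp” command that would sit in front of it, as an added example that is not part of the original article and is not Okta’s or Slack’s code. The HOTP and TOTP functions follow RFC 4226 and RFC 6238 (HMAC-SHA1, 30-second step, 6 digits), which is what most authenticator apps generate; the Vault type, its Fetch method, the service name “vendor-portal” and the member names are assumptions for illustration, and the seed is the RFC test seed, used here as constructed sample data.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
// truncation to 31 bits, then the low `digits` decimal digits, zero-padded.
func HOTP(seed []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP (RFC 6238): HOTP with counter = floor(unixTime / step).
func TOTP(seed []byte, unix, step int64, digits int) string {
	return HOTP(seed, uint64(unix/step), digits)
}

// SecondsLeft says how long the current code stays valid, which matters when
// a code is being handed to a colleague who still has to type it.
func SecondsLeft(unix, step int64) int64 {
	return step - unix%step
}

// Vault (illustrative) holds the seeds of shared service accounts. Members
// never see a seed; they ask for the current code, and every request, granted
// or denied, is logged.
type Vault struct {
	seeds   map[string][]byte          // service -> TOTP seed
	allowed map[string]map[string]bool // service -> members who may fetch codes
	Audit   []string
}

func NewVault() *Vault {
	return &Vault{seeds: map[string][]byte{}, allowed: map[string]map[string]bool{}}
}

// AddService registers a shared account's seed and the members allowed to use it.
func (v *Vault) AddService(service string, seed []byte, members ...string) {
	v.seeds[service] = seed
	v.allowed[service] = map[string]bool{}
	for _, m := range members {
		v.allowed[service][m] = true
	}
}

// Fetch is what a "/otp <service>" chat command would call on the member's
// behalf: it returns the current 6-digit, 30-second code to an authorized
// member and refuses everyone else.
func (v *Vault) Fetch(member, service string, now time.Time) (string, error) {
	seed, ok := v.seeds[service]
	if !ok {
		return "", errors.New("unknown service")
	}
	stamp := now.UTC().Format(time.RFC3339)
	if !v.allowed[service][member] {
		v.Audit = append(v.Audit, fmt.Sprintf("%s DENIED %s -> %s", stamp, member, service))
		return "", errors.New("not authorized for this service")
	}
	v.Audit = append(v.Audit, fmt.Sprintf("%s %s fetched code for %s", stamp, member, service))
	return TOTP(seed, now.Unix(), 30, 6), nil
}

func main() {
	v := NewVault()
	// Constructed sample: the RFC 4226/6238 test seed stands in for a real seed.
	v.AddService("vendor-portal", []byte("12345678901234567890"), "alice", "bob")
	now := time.Now()
	code, err := v.Fetch("alice", "vendor-portal", now)
	fmt.Println(code, err, "valid for another", SecondsLeft(now.Unix(), 30), "s")
	_, err = v.Fetch("mallory", "vendor-portal", now)
	fmt.Println("mallory:", err)
	for _, line := range v.Audit {
		fmt.Println(line)
	}
}
```

Fetch hands out a code, never the seed: a member removed from the allow list stops getting codes immediately, whereas a member who had once been given the seed could keep generating valid codes indefinitely. When the service account itself is shared, the Audit entries are the only attribution you will ever have, so that log is worth protecting as carefully as the seeds.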
Who would have thought that, after deploying supposedly strong security measures like MFA, technical teams would still need to resort to sharing one-time passwords?
With so many platforms, devices, and services mandating MFA for all users, thinking about its next phase is important for any organization that relies on internet connectivity and web-based apps. Let’s just remember that no matter which direction the technology goes, and no matter what promises the security vendors make, there will always be exceptions to the rule.