Multifactor Authentication: No Longer Enough on Its Own

Posted August 2, 2017


Multifactor authentication (MFA) solutions have become a popular weapon in the ongoing battle against cybercrime, as evidenced by a market forecast expected to top $12.51 billion by 2022.

Yet we’ve known for many years that, on its own, MFA isn’t enough to detect and block fraudsters. These solutions can also cause customer friction. A full 74 percent of companies that have deployed MFA say they receive complaints about it, and nearly 10 percent of their users flat-out hate it. With more than $4 trillion in revenue lost through cart abandonment due to friction, those kinds of misgivings clearly add up fast.

That doesn’t mean MFA should be discarded, however. When used in conjunction with digital identity-based authentication solutions, MFA can play a role in the fight against cybercrime.

MFA Is No Longer Enough

At its most essential, MFA is designed to verify identity based on any number of independent factors. For example, two-factor authentication (2FA) requires at least two of three demonstrable elements—something you know, something you have, or something you are.

An ATM card is an example of 2FA, requiring a physical card (something you have) and a PIN code (something you know). In the digital realm, along with a username and password, 2FA typically requires a one-time passcode (OTP) sent to the user’s mobile phone. Some organizations use USB-based cryptographic security keys.

However, cybercriminals have the tactics and tools for stealing everything they need to bypass 2FA — from passwords, to secret questions, to token-generated passwords, to device ID data and more. Cyber thieves can use credential-stealing tools that report OTPs in real time so they can log in before the victim does, or they can hijack active sessions remotely.

As if that wasn’t bad enough, 2FA has gotten some bad publicity in the past few weeks. Recently leaked NSA documents revealed a critical weakness in 2FA. And hackers recently exploited a security hole in the networking protocol used by mobile operators to plunder 2FA-protected bank accounts in Germany.

It’s also no secret that users want frictionless access to their web-based accounts, and they want seamless checkout experiences from their e-commerce providers. Adding a step (or five) through various forms of MFA isn’t going to win many fans. Some consumers are even willing to overlook cybersecurity risks altogether for the sake of convenience.

The truth is, it’s pretty reckless to risk losing customers over forms of authentication that can’t secure your business or your customers on their own — especially when the technologies exist to render such tradeoffs between security and convenience unnecessary.

Truth or Friction?

The answer lies in frictionless, highly accurate fraud prevention that is completely invisible to the user and can work seamlessly with MFA to streamline the user experience and help reverse cart abandonment due to fraud. In other words — digital identity-based authentication.

By leveraging crowdsourced and anonymized global identity data, the ThreatMetrix Digital Identity Network processes more than 70 million transactions per day, and assesses the ever-changing associations between users and their devices, locations, accounts, behavior, and the presence of any device-level threats.

Instead of verifying identity based on login credentials that can be hijacked, stolen or falsified, ThreatMetrix analyzes more than 500 different dynamic data elements that are impossible to fake, and assigns a risk score to each transaction that comes through the Network. Legitimate users are instantly recognized with 95-percent accuracy without requiring any additional steps.

For everyone else, our customers can decide to proceed with a transaction, reject it, or initiate MFA as an added precaution based on the risk score. Best of all, this happens in milliseconds — less time than it took you to read the last word — and for only a fraction of a penny per transaction.

It’s easy to see that MFA alone can’t help organizations strike the perfect balance between fraud and friction. But MFA combined with digital identity-based authentication can, as it already has for 5,000 customers worldwide.

Do you still think MFA by itself is good enough to keep your organization safe from the increasingly sophisticated cyberthreats coming your way?

Alisdair Faulkner


Chief Identity Officer, Business Services, LexisNexis Risk Solutions
