What's Driving Multi-Factor Authentication Adoption?
Akamai’s multi-factor authentication
It’s been almost a year since Akamai launched its innovative multi-factor authentication (MFA) service: Akamai MFA. Since we introduced the service, we have talked to numerous customers about what’s driving them to either deploy MFA for the first time or to enhance their existing MFA solution. Of course, the primary reason for deploying MFA is usually to improve the security of workforce logins, but it's been fascinating to find out what other factors are driving adoption beyond that.
MFA provides enhanced business and employee security
The need for businesses to deploy MFA for the protection of employee accounts has never been greater — according to the latest Verizon Data Breach report, nearly 80% of data breaches involve the use of stolen or compromised employee credentials and brute-force logins.
Beyond the worry of leaking confidential company data and the resulting financial and reputational losses, targeting employee logins is also increasingly being used to create an initial network beachhead to deliver ransomware and malware. For example, the Colonial Pipeline attack started with the attackers gaining access to Colonial’s virtual private network using stolen login credentials.
Addressing increasing cyberattacks
One factor driving MFA adoption that I’ve been hearing much more about recently is compliance. With ever-increasing cyberattacks, many businesses are now investing in cyberinsurance. Insurance companies are increasingly stating explicitly in the policy’s terms and conditions that companies need to deploy MFA on all local and remote logins to meet the conditions for insurance coverage.
This is most likely in direct response to the number of claims they have received over the past few years that could have been prevented if the company had MFA in place: further evidence that employee logins are being targeted by attackers.
MFA improves cyber resilience in the United States
The U.S. government has also realized that deploying MFA is critical to help improve the country's cyber resilience. In May 2021, President Biden issued an executive order that mandated the use of MFA for all federal agencies.
In January 2022, the U.S. Office of Management and Budget (OMB) issued a memo to the heads of executive departments and agencies. It provided much more detail, not only reiterating that MFA would be required for all federal agencies but also stating that the MFA service deployed should be phish-proof and based on FIDO2 standards. This seems to be a sensible approach given the well-documented security weaknesses of MFA solutions that use SMS, other telephony methods, or standard push notifications as a second factor for users.
The U.S. government has also now extended its recommendation of deploying MFA to private companies and private critical infrastructure operators. In a fact sheet issued on March 21, 2022, in response to the increased likelihood of state-sponsored cyberattacks, the U.S. government urged these organizations to execute a number of steps with urgency. At the top of the list was the use of MFA to make it more difficult for attackers to access systems.
MFA within strategic transformation projects
We also frequently hear about MFA included within strategic transformation projects, such as a Zero Trust or secure access service edge initiative. For example, when a company has deployed a Zero Trust Network Access solution to secure access to applications, using MFA to strongly authenticate the users is a natural fit.
Right now, the focus is on deploying an MFA service that is by itself secure and cannot be compromised. However, many companies are starting to look at how MFA can be a prominent capability in an adaptive authentication approach.
FIDO2-based MFA delivers security to passwordless environments
Given that attackers are so focused on using employee accounts for attacks, it’s not a surprise that companies are now starting to look at how they can eliminate passwords from their authentication stack, thereby reducing the attack surface.
This will not be a simple and straightforward journey, as many legacy systems expect to receive a password. And if you are eliminating passwords as an authentication factor, then you need to replace them with strong and secure factors.
FIDO2-based MFA delivers the level of security needed to move to a passwordless environment and can be coupled with biometric factors to still deliver two-factor authentication.
To find out how Akamai can help you accelerate your MFA deployment projects with an innovative phish-proof MFA service based on FIDO2 that requires no physical security keys, visit www.akamai.com/mfa.