


5 trends shaking up multi-factor authentication

Sep 25, 2019 | 7 mins
Data and Information Security | Mobile | Security

Universal adoption of multi-factor authentication (MFA) is hindered by technical limitations and user resistance, but its use is growing. Here's why.

Analysts predict that the multi-factor authentication (MFA) market will continue to grow, fed by the demand for more secure digital payments and rising threats, phishing attacks and massive breaches of large collections of passwords. Adroit Market Research predicts the overall MFA market will reach $20 billion by 2025, while another analyst predicts 18% annual revenue growth between now and 2024. This growth is also motivating MFA vendors to add new factor methods and make their products easier to integrate with custom corporate and public SaaS applications.

That is the good news.

The bad news is twofold. First, there is a growing rift in trust among users, caused by the abuses of private data by Facebook and others. Facebook has poisoned the well of trust for any IT vendor and engendered a higher level of paranoia among users when it comes to their online security and privacy. You would think that would encourage more adoption of MFA, and there is some uptake, but this trust deficit has also raised the bar for more usable MFA tools, with the result being MFA adoption is still far from universal.

That brings up my second point: for the most part, MFA is still far too hard for the general public. Partly it is because the steps involved in adding these additional factors are fraught with poor documentation and complex workflows that can easily frustrate even the most determined user. Another reason is that there are still far too few applications that support any MFA method at all, even SMS texts.

Still, the pressure to adopt MFA continues to increase. Here are the most significant trends driving that rise.

1. Smartphone authentication apps continue to grow in popularity.

Three years ago, the hot new approach was using smartphones as an authentication method via soft tokens, which could be a smartphone app, an SMS message or a voice call. The smartphone apps continue to grow, mainly because they are still the quickest and most secure of these three ways to deploy MFA across your infrastructure.

You can now find such apps from Google, Duo, OneSpan, HID Approve, Microsoft, SafeNet MobilePASS and Sophos, along with apps from the password manager and single sign-on (SSO) vendors themselves. One app in particular, Authy, has been a major hit. It has become the go-to app for many developers and now offers more than 40 step-by-step guides on how to add its authentication tool to such SaaS applications as LinkedIn, Uber, Evernote and GitHub.

One of the reasons for Authy's popularity is that it can be used across tablets, laptops and phones, something many MFA tools still lack: they support either laptops or phones, but not both.

In 2016 vendors released “smart” hardware tokens that have encryption keys or encryption engines embedded, rather than just displaying a changing series of random numbers for users to type in the authentication dialog. Since then, these MFA methods from OneSpan and Trusona haven’t gotten as much traction as the vendors had hoped.

In place of smarter tokens, we have seen the rise of push authentication methods. Instead of asking a user to key in the one-time code displayed in a token (hard or soft), the MFA notification is sent via SMS (or to the smartphone MFA app itself) and users only have to acknowledge its receipt. This makes MFA nearly effortless. The convenience carries a risk: a user who approves prompts reflexively will also approve one generated by an attacker who already has the password, so the notification should show enough context (which application, from where) for the user to reject a request they did not initiate. Push has gained a lot more traction from various authentication vendors, including better support from Google, Yahoo and Microsoft. Many MFA vendors and SSO vendors have also made push an additional authentication factor. Security managers should consider both push and smartphone apps in their MFA deployments.

2. Better authentication integration

The flip side of having more hardware in the MFA pipeline is a second trend whereby more apps are incorporating security and authentication methods directly into their code. This is the outcome of efforts by vendors such as OneSpan, Thales and others that have very sophisticated APIs to construct the MFA routines as part of the app itself, whether it be a SaaS-based Web app or something for mobile phones.

It is also the result of better MFA support by the SSO vendors. This latter development is probably the most likely path for corporate end user adoption of MFA, because an IT department can readily push out MFA support to its entire user population and protect logins on all its applications across the company.

Also helping integration is more comprehensive documentation for corporate developers on how MFA methods can be used by a variety of applications. The MFA vendors, such as RSA, PortalGuard and Gemalto/Thales, have all added or improved the published integration guides on their websites. This is good news for security managers who have to build authentication into their corporate apps.

Another reason for better MFA integration is the improvements in vendors’ self-service web portals. Users don’t want to call their IT support line when they need a password reset or report a lost phone. Most of the SSO and identity management vendors have made major strides with adding features to their web portals in the past few years.

3. Biometrics continue to evolve

A third trend is to use the built-in fingerprint and facial readers available on most current Android and iOS phones to secure access to various apps. PayPal has offered fingerprint login in its app for several years now, and other apps, such as the mobile Bank of America app, are slowly incorporating fingerprints and facial recognition as an additional or sole authentication factor. Expect more of these apps to appear in the coming years. One bright sign is that Authy, LastPass and Dropbox, for example, have implemented support for Apple's Touch ID authentication in their iPhone apps.

Another bright spot is blockchain-based approaches that distribute biometric data, making this method more secure and less vulnerable to breaches. Kiva is using blockchain to implement its biometric protocols to verify banking customers in Sierra Leone, for example, and numerous government land registries are implementing blockchains to authenticate property transactions.

However, while biometrics continue to improve, one limiting factor is that iOS and Android have two different API collections and code streams. And while the sensors are found on most modern phones, that isn't the case for desktops and laptops, where devices with these sensors are still far from universally deployed. For these reasons, biometrics will take a back seat for corporate security developers until easier integrations are available.

4. FIDO support is getting better, but slowly

Six years ago, the Fast Identity Online (FIDO) Alliance seemed like a bright spot in the world of authentication. FIDO offered a way to eliminate carrying multiple authentication tokens to connect to a variety of resources. These FIDO-supported apps have been a long time in coming. Yes, the FIDO Alliance continues to grow and add members, although Apple still hasn’t joined.

There are now hardware tokens supporting FIDO from Yubico and Google, although Google’s Titan tokens had to be reissued because of a flaw in Bluetooth support. Many of the MFA vendors have integrated Nok Nok’s suite of tools to enable FIDO support. This might be the right time for corporate IT managers to consider FIDO membership and further explore its features.

5. Risk-based authentication

Finally, vendors (especially those who offer full identity management suites) are incorporating step-up or risk-based authentication to require more than a second factor in specific situations. This means a user has to clear increasingly stringent hurdles to gain access to more sensitive account actions, such as a bank wire transfer versus a balance inquiry, or when the request arrives from an unfamiliar device or location. The motivation for this development is the continued success of phishing attacks. However, risk-based authentication is still far from mature, especially among the SSO vendors. That said, the MFA vendors RSA, Thales and OneSpan now have products that combine identity and MFA toolsets with risk-based methods. For the time being, risk-based methods carry a large price tag to implement properly.
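As an added example of how a step-up policy of this kind can be expressed (this is illustration code written for this page, not the logic of any product named above): each action has a minimum assurance level, risk signals from the session can raise that level, and high-value transfers always demand a phishing-resistant factor, because a one-time code relayed through a phishing page would otherwise satisfy the policy. The request fields, signal weights, thresholds and action names are all assumptions chosen for the example; the sample requests are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """Authentication strength a session has proven, or that an action requires."""
    PASSWORD = 1          # first factor only
    OTP = 2               # code from an authenticator app or token (phishable)
    PHISH_RESISTANT = 3   # FIDO/hardware key bound to the origin


@dataclass
class Request:
    """Context the policy engine sees for one account action (hypothetical fields)."""
    action: str                              # e.g. "balance_inquiry", "wire_transfer"
    amount: float = 0.0                      # monetary value of the action, if any
    device_known: bool = True                # device previously seen for this user
    new_country: bool = False                # geolocation differs from recent sessions
    failed_logins: int = 0                   # recent failed attempts against the account
    current: Assurance = Assurance.PASSWORD  # what the session has already proven


# Minimum assurance per action regardless of risk signals (assumed policy).
# A balance inquiry is low value; anything that moves money or changes a
# recovery path is not.
ACTION_FLOOR = {
    "balance_inquiry": Assurance.PASSWORD,
    "change_email": Assurance.OTP,
    "add_payee": Assurance.OTP,
    "wire_transfer": Assurance.OTP,
}
WIRE_HARDWARE_THRESHOLD = 10_000.0   # assumed policy value


def risk_score(r: Request) -> int:
    """Additive score from session signals; the weights are illustrative."""
    score = 0
    if not r.device_known:
        score += 30
    if r.new_country:
        score += 40
    score += min(r.failed_logins, 5) * 10
    return score


def required_assurance(r: Request) -> Assurance:
    """Combine the per-action floor with the risk signals."""
    need = ACTION_FLOOR.get(r.action, Assurance.OTP)   # unknown action: fail closed to step-up
    score = risk_score(r)
    if score >= 60:
        need = max(need, Assurance.PHISH_RESISTANT)
    elif score >= 30:
        need = max(need, Assurance.OTP)
    # High-value transfers always get the strongest factor, whatever the score.
    if r.action == "wire_transfer" and r.amount >= WIRE_HARDWARE_THRESHOLD:
        need = max(need, Assurance.PHISH_RESISTANT)
    return Assurance(need)


def decide(r: Request) -> str:
    """'allow' if the session already meets the requirement, otherwise the
    step-up challenge the application should issue before proceeding."""
    need = required_assurance(r)
    if r.current >= need:
        return "allow"
    return f"step_up:{need.name}"


if __name__ == "__main__":
    # Constructed sample requests for the same user.
    print(decide(Request("balance_inquiry")))                                # allow
    print(decide(Request("wire_transfer", amount=500.0)))                     # step_up:OTP
    print(decide(Request("wire_transfer", amount=25_000.0,
                         current=Assurance.OTP)))                             # step_up:PHISH_RESISTANT
    print(decide(Request("balance_inquiry", device_known=False,
                         new_country=True)))                                  # step_up:PHISH_RESISTANT
```

Two design choices matter more than the exact weights: unknown actions default to a step-up rather than to password-only, and the required level is a function of the request, not of the login, so a session that was fine for a balance inquiry is re-evaluated when it tries to move money.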