Pillars of Zero Trust: Multi-Factor Authentication

By John Filitz | Senior Research Analyst

Zero Trust cyber security is a response to the dissolving network perimeter. Authenticating end-user identity via Multi-Factor Authentication (MFA) solutions is one of the cornerstones of a Zero Trust cyber security strategy and is also an essential element to prevent unauthorized user access.

Research shows that stolen log-in credentials and credential-stuffing are among the leading threat vectors for information system breaches. [i]

Privileged account access is an additional element that can exacerbate the damage from a successful credential-related breach. This can, and often does, result in bad actors having unfettered access for days, and even months, before being detected.

Inadequate authentication control measures to prevent insider threats from manifesting represents an added threat to organizations. For example, this could include unauthorized access and data theft by a disgruntled or recently terminated employee.

Shortcomings of Two-Factor Authentication

Leveraging additional identity verification protocols to usernames and passwords is an essential element to mitigating the threat of a credential-related compromise.

Until fairly recently, and in fact still commonly used, Two-Factor Authentication (2FA) provides a solution that prompts a user to enter a code received via SMS, a voice call, email link, or third-party authentication application to further verify an end-user’s identity.

The key shortcoming of 2FA, however, is that this verification protocol can be circumvented or spoofed via identity takeover. For example, should a bad actor successfully hijack an individual’s cellphone SIM as well as secondary and primary email accounts, this form of added identity authentication would prove futile in stopping unauthorized access. For this reason, the vulnerability of 2FA to compromise as described above is well understood by cyber security experts. [ii]

How to prevent credential related breaches: MFA

Moving beyond 2FA is where the next generation of authentication solutions comes into play.

MFA protocols force the end-user to verify identity through conventional log-in credentials (username and password) with multiple identification verification protocols, including third-party verification applications, SMS, adaptive authentication (user identity and device behavior analysis), and biometric criteria.

Balancing security efficacy while minimizing end-user inconvenience is an essential element to implementing MFA within an organization. High security efficacy and low user friction are two facets that separate next-generation MFA solution providers from the rest of the market.

Research shows that poor user experience, such as cumbersome log-in procedures and repeated authentication prompts, can in fact impede the security efficacy of the authentication solution. [iii] This often results in poor user compliance, increasing the usage of shadow IT and an organization’s risk of a breach.

The drive to reduce user friction has spurred innovation among a few of the leading Identity and Access Management (IAM) solutions, giving rise to password-less authentication. These best-in-class solutions facilitate a near frictionless user experience through security protocols that verify the identity of the end-user in the back end of the solution.

Zero Trust: Having an IAM strategy in place is key

Although more than half of all US organizations are leveraging Multi-Factor Authentication (MFA) solutions in their organizations, it is essential that the MFA solution be architected and implemented correctly to effectively enforce Zero Trust. [iv] In this regard,  MFA solutions, as part of a broader IAM strategy, are one of the core enforcement pillars enabling Zero Trust.

For more information on how to architect and implement Zero Trust, you may want to consider signing up for a low-risk Zero Trust Workshop put on by Trace3.

[i] HelpNetSecurity. (2020). Passwords still dominant authentication method, top cause of data breaches.
[ii] ComputerWeekly.com. (2020). Two-factor authentication is broken: What comes next?
[iii] Forrester. (2019). The Future Of Identity And Access Management.
[iv] Statista (2020). US Companies and Cyber Crime.

Back to Blog