A pragmatic MFA compromise

It sounds obvious, but an organization’s cybersecurity posture can’t be piecemeal. While an organization may treat certain users differently than others, and while they may need additional protection for higher-risk users, a security program must account for every user.

Meeting that need can become increasingly complex as organizations scale, as IT leaders must weigh costs and user behavior even as they create cybersecurity architecture that extends to all users.

For many organizations, mobile devices tend to be a pragmatic compromise balancing security, cost, and convenience. Mobile devices are ubiquitous and easy to use to fulfill multi-factor authentication (MFA) requirements: 73% of users believe that smartphones are the most convenient method of fulfilling MFA.

Mobile app-based authentication isn’t for everyone

As good as mobile app-based authentication may be for creating an organization-wide security program and balancing costs, it’s not a panacea that works for everyone all the time. In certain situations, some users may not be able to use mobile devices or rely on mobile connectivity to authenticate (think about a manufacturing clean room). In other cases, employees may not be comfortable installing company-mandated applications on their personal devices to fulfill security requirements.

We see organizations deploy two types of solutions to authenticate these users. The first is hardware authenticators using one-time passcodes (OTPs). Hardware authenticators like the DS100 are the gold standard in authentication: they help organizations go passwordless by unifying the cryptographic advantages of FIDO2 protocols and the security benefits of OTP.

The second is traditional MFA such as SMS-based authentication (which sends OTPs directly to users’ personal devices) and voice OTP.

Don’t let perfect be the enemy of the good

SMS and voice OTP have known security flaws: SMS OTP isn’t encrypted and is vulnerable to network outages, SIM-swapping, social engineering, and SS7 and man-in-the-middle attacks. RSA recommends that organizations move to stronger, truly passwordless authentication over the long term.

However, we recognize that many organizations need to support diverse user groups, save costs, and provide a convenient solution that gives users two-factor authentication (2FA).

The U.S. National Institute of Standards and Technology (NIST) said as much when it wrote that agencies must balance “the practicalities of today’s implementations with the needs of the future,” and that leveraging “SMS to mobile as a second factor today is less effective than some other approaches—but more effective than a single factor.”

There is no right way to build a security program. But there is at least one wrong way

There’s no right way to balance the need to account for all users, enhance cybersecurity, and control costs. Organizations need to weigh each of these factors on their own and choose solutions based on their unique risk profile, resources, users, and goals.

While there’s no right way, there is at least one wrong way: organizations shouldn’t let their security solutions be dictated by vendors. Balancing those factors is difficult enough on its own; it becomes harder still when vendors impose deadlines or remove capabilities that, while imperfect, still fulfill important needs.