Beyond MFA: 3 steps to improve security and reduce customer authentication friction

For many people, life’s fundamental activities are now conducted online. We do our banking and shopping online, turn to the digital realm for entertainment and to access medical records, and pursue our romantic interests via dating sites.

That means apps and online accounts now store vast amounts of our personal and financial information, including records of private digital behaviors, identity data itself, and healthcare information that may have more value than the money in our bank. Naturally, these accounts have become prime targets for criminals seeking to compromise customer accounts and harvest data, opening the door for fraud and other cybercrimes.

Multi-factor authentication (MFA) was developed to provide protection for online accounts by requiring the user to present two or more verification factors to gain access to an application, online account, or other service.

Well-designed MFA methods continue to have a place in an organization’s security ecosystem, and MFA is required to comply with many global regulations such as HIPPA, Payment Card Industry Data Security Standards (PCI- DSS), the Cybersecurity and Infrastructure Security Agency (CISA), GDPR, and the EU’s Payment Services Directive 2 (PSD2).

Organizations need protections that go beyond MFA

But MFA controls also generate considerable friction, causing customer frustration and negatively impacting business revenue. In addition, MFA is no longer a silver bullet to stop fraud, because criminals now routinely bypass MFA defenses using an array of cyberattacks to gain access to data and accounts:

• Phishing attacks use malicious email, texts, or social media messages to trick people into revealing private information such as login credentials, or other sensitive data. The attacker masquerades as a trusted entity to request that the victim log in to a fraudulent webpage to enter a one-time password or other factor. The scam website harvests the data, handing the fraudster the keys to bypass MFA.
• MFA flooding counts on human exasperation to gain access. Using bots, criminals bombard victims with endless MFA push login requests. The overwhelmed victim can mistakenly hit “accept” instead of “decline,” or simply give up and affirm the push just to make the notifications stop, enabling the criminal to bypass MFA.
• Malware-based attacks infect victims’ devices, usually via malicious attachments. Malware strains such as Blackguard Infostealer and MaliBot are designed to steal a wide range of personal data, including cookies that contain authentication and MFA codes. With these in hand, criminals can bypass MFA and access accounts without providing authentication factors.

Supplement MFA with new smart technologies for more holistic protection

MFA controls are valuable but no longer sufficient to protect online apps and accounts; even CISA recognizes the limitations of traditional MFA. And MFA already causes substantial irritation to valuable returning customers.

A new generation of advanced technologies, such as adaptive bot mitigation software, ML-based account protection technologies, and smart digital identity verification and authentication platforms enhance the power of conventional MFA.

Organizations should take the following three steps to augment MFA and provide more comprehensive protections for apps and online accounts, without increasing user friction.

1. Remove bots from your networks. Armies of bots allow criminals to scale their attacks, bypass MFA controls, and enable fraud. Automation means that bots can be massively deployed in pursuit of their assigned task, whether that is MFA flooding or phishing attacks. New bot defense technologies analyze device and behavioral signals to unmask automation and reduce fraud amplification in the most common bot attack vectors, including credential stuffing, fake account creation, and inventory hoarding.

2. Shift left in account protection and fraud detection. Don’t just protect payments or checkout (the last mile) but also defend the upstream attacker continuum starting from login. Monitor infrastructure, behaviors, and digital identities to help determine user intent and stop malicious activities before bad actors can attempt login. Account protection solutions now employ telemetry, signal collection, and AI and ML modeling to monitor user accounts end-to-end for anomalies and suspicious behavior, identifying fraud patterns and risky transactions before they take place.

3. Recognize known good users and accelerate them through the buyer’s journey. Don’t continuously punish valuable returning customers with annoying MFA requirements. Modern authentication platforms streamline identity verification behind the scenes using AI to recognize known trusted customers and eliminate login friction for them. Extend user sessions for returning customers on known devices, welcoming them with a personalized, effort-free experience, like how TSA expedites trusted travelers with TSA PreCheck.

Organizations need to find a balance between burdensome, one-size-fits-all MFA controls and a safe and secure customer experience. Advanced new technologies can augment traditional MFA controls with sophisticated AI and ML modeling to provide real-time protections across the user journey, without increasing friction for your best customers.