By this point, you've probably used multi-factor authentication (MFA) to secure one or more of your online accounts at work. The process usually goes like this: you enter your password, the site or app asks you to provide a second form of authentication (such as a code that is texted to your phone or generated on your phone using an authenticator app), you provide that second form of authentication, and the site or app gives you access to your account. MFA may seem relatively new, but it has actually been around for quite a while.
Here's a look at the evolution of multi-factor authentication and how MFA is advancing even further to protect businesses from emerging cyber threats.
The 1990s-2000s: from niche 2FA tools to user-friendly 2FA solutions
MFA and its predecessor two-factor authentication (2FA) have been with us in various forms for over twenty years. Although 2FA's origins are disputed (AT&T claims to have invented it in the 1990s), 2FA didn't begin to catch on in the mid-2000s. This is in large part because consumers found it inconvenient to use, and they assumed a single form of authentication – passwords – would be enough to keep their accounts safe. Although some larger companies and security-conscious organizations adopted a form of public-key cryptography known as RSA that used two separate authentication tokens to validate user logins, many businesses found this kind of solution too costly and complicated to implement at the time. The evolution of multi-factor authentication accelerated in the mid-2000s, when smartphones first began making a splash with consumers. Because smartphones were also a terrific tool for increasing business productivity, businesses soon began adopting them, as well. Some companies even began rolling out bring your own device (BYOD) programs in which employees were allowed to use their own personal devices for business purposes. Once smartphones became ubiquitous at home and at work, large numbers of people suddenly had access to more convenient 2FA solutions for securing their online accounts. They could easily receive authentication codes via SMS or email, which suddenly made the whole idea of 2FA much more palatable.The 2000s-2010s: data breaches spur calls for widespread 2FA and MFA adoption
As consumers and businesses were becoming more open to the idea of using 2FA and MFA on their smartphones throughout the late 2000s and early 2010s, hacks and data breaches began to emerge as a serious threat to online security and privacy. The American public witnessed a wave of serious massive data breaches affecting private industry, private individuals, defense contractors, and government organizations alike. Sony Pictures Entertainment and the U.S. Office of Personnel Management and Budget (OPM) are just two of the highest-profile examples of breaches that made stunning headlines during this period. In early 2016, President Obama wrote an editorial for the Wall Street Journal in which he declared that passwords alone were not enough to protect consumers and businesses. Noting that 9 out of 10 of Americans said they felt like they'd lost control of their personal information, the President announced a new national awareness campaign, #Turnon2FA, to encourage more Americans to protect themselves online. Before long, smartphones began supporting biometric authentication techniques like fingerprint scanning and facial recognition. This accelerated the evolution of multi-factor authentication once more, enabling consumers and businesses to begin using a fuller range of MFA methods to secure their account.How MFA is evolving in response to emerging threats
Unlike 2FA, which relies on just two factors (or forms) of authentication, MFA typically verifies a person's identity using three factors: something you know, like the answer to a security question; something you have, such as a security code generated by an authentication app on your phone; and something you are – for instance, your unique fingerprint. With three factors of authentication guarding access to your account, it's much harder for cyber criminals to pose as you and slip past the door undetected. MFA offers businesses much better protection than passwords can on their own, but even MFA is not a silver bullet. For example, if a user's personal information has already been breached and a hacker has bought it on the dark web, that cyber criminal will have an easier time trying to break into that person's account. Malicious actors are known to scrape public social media posts for personal tidbits, too, so they may use this method to obtain data that will help them gain access to one of the target's accounts. Certain authentication methods also have security vulnerabilities. In SIM swapping schemes, hackers can easily break into a person's phone and use it to complete SMS authentication before their intended victim notices. If someone steals the victim's phone outright and it hasn't been locked with a biometric form of authentication like facial recognition or fingerprint scanning, they could break into that person's online accounts and then compromise sensitive business data without much trouble. Even biometric authentication can be faked if the hacker has sophisticated enough tools at their disposal, which means that MFA must continue evolving to keep businesses safe.How LastPass MFA can help keep your business safe
LastPass' adaptive MFA technology is continually evolving in response to major cybersecurity threats like ransomware attacks. Here's how the benefits of MFA with LastPass Business can help keep your business safe as the cybersecurity landscape evolves:- Adaptive authentication. LastPass MFA combines biometric and contextual intelligence to prove a user’s identity with a combination of factors, so your business has the best possible protection as the environment changes.
- A single authentication app. Businesses can use a single authenticator app to streamline the authentication process, eliminating confusion for employees and administrators alike.
- Customizable MFA methods. LastPass gives your business flexible options for authentication. You can use push notifications in the app or even eliminate passwords entirely depending on your needs.
- Easy MFA administration. Unlike the 2FA solutions of the past, LastPass makes it easy for your IT team to deploy and administer MFA on all the endpoints across your business, whether they're at the office or your employees' homes or somewhere else. Now work-from-anywhere is here to stay, this is even more essential than ever.
- MFA for VPN connections. You can also add MFA to virtual private network (VPN) connections. This helps move your organization toward a zero-trust architecture in which even nominally trusted links like a VPN connection benefit from additional verification.
- Extra workstation security. In-office security is important, too, which is why you can use LastPass to add MFA to employee workstations. This helps mitigate insider threats and reduce the chances that a bad actor could try to log onto an employee's workstation without authorization.
