
Tracing the Evolution of Multi-Factor Authentication

Rose de Fremery, October 16, 2023
By this point, you’ve probably used multi-factor authentication (MFA) to secure one or more of your online accounts at work. The process usually goes like this: you enter your password, the site or app asks you to provide a second form of authentication (such as a code that is texted to your phone or generated on your phone using an authenticator app), you provide that second form of authentication, and the site or app gives you access to your account. MFA may seem relatively new, but it has actually been around for quite a while. Here’s a look at the evolution of multi-factor authentication and how MFA is advancing even further to protect businesses from emerging cyber threats.

The 1990s-2000s: from niche 2FA tools to user-friendly 2FA solutions

MFA and its predecessor, two-factor authentication (2FA), have been with us in various forms for over twenty years. Although 2FA’s origins are disputed (AT&T claims to have invented it in the 1990s), 2FA didn’t begin to catch on until the mid-2000s. This is in large part because consumers found it inconvenient to use, and they assumed a single form of authentication – passwords – would be enough to keep their accounts safe. Although some larger companies and security-conscious organizations adopted a form of public-key cryptography known as RSA that used two separate authentication tokens to validate user logins, many businesses found this kind of solution too costly and complicated to implement at the time. The evolution of multi-factor authentication accelerated in the mid-2000s, when smartphones first began making a splash with consumers. Because smartphones were also a terrific tool for increasing business productivity, businesses soon began adopting them as well. Some companies even began rolling out bring your own device (BYOD) programs in which employees were allowed to use their own personal devices for business purposes. Once smartphones became ubiquitous at home and at work, large numbers of people suddenly had access to more convenient 2FA solutions for securing their online accounts. They could easily receive authentication codes via SMS or email, which made the whole idea of 2FA much more palatable.

The 2000s-2010s: data breaches spur calls for widespread 2FA and MFA adoption

As consumers and businesses were becoming more open to the idea of using 2FA and MFA on their smartphones throughout the late 2000s and early 2010s, hacks and data breaches began to emerge as a serious threat to online security and privacy. The American public witnessed a wave of massive data breaches affecting private industry, private individuals, defense contractors, and government organizations alike. Sony Pictures Entertainment and the U.S. Office of Personnel Management (OPM) are just two of the highest-profile examples of breaches that made stunning headlines during this period. In early 2016, President Obama wrote an editorial for the Wall Street Journal in which he declared that passwords alone were not enough to protect consumers and businesses. Noting that 9 out of 10 Americans said they felt like they’d lost control of their personal information, the President announced a new national awareness campaign, #Turnon2FA, to encourage more Americans to protect themselves online. Before long, smartphones began supporting biometric authentication techniques like fingerprint scanning and facial recognition. This accelerated the evolution of multi-factor authentication once more, enabling consumers and businesses to begin using a fuller range of MFA methods to secure their accounts.

How MFA has evolved in response to emerging threats

Unlike 2FA, which relies on just two factors (or forms) of authentication, MFA typically verifies a person’s identity using three factors: something you know, like the answer to a security question; something you have, such as a security code generated by an authentication app on your phone; and something you are – for instance, your unique fingerprint, your face, or your voice. With three factors of authentication guarding access to your account, it’s much harder for cyber criminals to pose as you and slip past the door undetected. MFA offers businesses much better protection than passwords can on their own, but even MFA is not a silver bullet. For example, if a user’s personal information has already been breached and a hacker has bought it on the dark web, that cyber criminal will have an easier time trying to break into that user’s account. Malicious actors are known to scrape public social media posts for personal tidbits, too, so they may use this method to obtain data that will help them gain access to one of the target’s accounts. Certain authentication methods also have security vulnerabilities. In SIM swapping schemes, hackers can easily break into a person’s phone and use it to complete SMS authentication before their intended victim notices. If someone steals the victim’s phone outright and it hasn’t been locked with a biometric form of authentication like facial recognition or fingerprint scanning, they could break into that person’s online accounts and then compromise sensitive business data without much trouble. Even biometric authentication can be faked if the hacker has sophisticated enough tools at their disposal, which means that MFA must continue evolving to keep businesses safe.

How MFA has paved the way for our passwordless future

As MFA has evolved, it has also paved the way for our passwordless future. Before MFA arrived on the scene, many employees only knew how to use passwords. If any one individual user had poor password hygiene, their credentials could easily be compromised – putting the company at serious risk for a potential data breach. Once employees became familiar with using MFA to further secure their accounts and protect business data, though, they eventually discovered it wasn't so hard to layer multiple forms of authentication onto their traditional, password-based login processes. For example, an iPhone or Android user receiving an MFA code via an SMS message could choose to have it automatically filled into the MFA challenge prompt on their behalf. In the case of a user relying on an authenticator app, they could simply pop open that app, copy the code that was active, and then paste it directly into the MFA challenge prompt. Biometric authentication was even easier still, allowing them to authenticate with just a tap of a finger. After a while, taking these kinds of extra steps didn't seem like such a heavy lift – and the user gradually found themself in a better position to ward off a damaging cyber attack. Now that businesses and their employees are proficient in using MFA, they are in a great position to embrace passwordless authentication. For example, with a secure authentication protocol like FIDO2, you can now use MFA to replace or eliminate passwords. Because FIDO2 also enables users to easily authenticate to online services using their mobile and desktop devices, for example using methods that employees may already be familiar with such as biometrics, your employees are likely to find passwordless authentication just as frictionless and easy to use as MFA. 
This way, they'll be building on knowledge they've already acquired rather than feeling like they have to start from scratch – and your company will be able to enjoy greater peace of mind knowing its data is more secure.

How LastPass MFA can help keep your business safe

LastPass’ adaptive MFA technology is continually evolving in response to major cybersecurity threats like ransomware attacks. Here’s how the benefits of MFA can help keep your business safe as the cybersecurity landscape evolves:
  • Adaptive authentication. LastPass MFA combines biometric and contextual intelligence to prove a user’s identity with a combination of factors, so your business has the best possible protection as the environment changes.
  • Passwordless user experience. Your employees can use LastPass to access their work across all devices – mobile devices to desktop – without requiring a password.
  • Customizable MFA methods. LastPass gives your business flexible options for authentication. You create and apply unique MFA factors at the user or group level to ensure all-around security.
  • Easy MFA administration. LastPass makes it easy for your IT team to apply MFA to a range of access points, such as cloud apps, virtual private network (VPN) connections, workstations, identity providers, and more. This helps move your organization toward a zero-trust architecture and strengthen its overall cybersecurity posture.
With these streamlined MFA protections in place, your business can keep pace with today’s modern cybersecurity threats.

Protect your business with advanced MFA

Once a leading-edge technique used by security-conscious people and large businesses, MFA has become an essential tool in any company’s cybersecurity toolkit. In fact, cybersecurity insurance providers are even requiring businesses to adopt MFA as a precondition for purchasing cybersecurity policies. Of course, hackers are already strategizing new ways to circumvent MFA tools. That’s why we can expect the evolution of multi-factor authentication to continue in response. With advanced MFA in your corner, your business will be in the best possible position to ward off sophisticated cyber threats today, tomorrow, and beyond. Discover how LastPass MFA protects your business while streamlining the employee experience.