In this Help Net Security interview, Brian Pontarelli, CEO at FusionAuth, discusses the evolving authentication challenges posed by the rise of hybrid and remote workforces. He advocates for zero trust strategies, including MFA and behavioral biometrics, to enhance security while maintaining productivity.
Given the rise of hybrid and remote workforces, how have authentication challenges evolved, and what strategies are being employed to maintain secure access without compromising productivity?
The shift to hybrid and remote work expands the attack surface, making traditional perimeter-based security insufficient. We’re seeing increased challenges in identity verification, device trust, and protection against sophisticated phishing attempts. To address these issues, organizations are adopting strategies aligned with zero trust principles:
- Multi-factor authentication (MFA): Widely implemented as a baseline security measure.
- Contextual and adaptive authentication: Considering factors like location and user behavior for real-time access decisions.
- Single Sign-On (SSO): Streamlining access across multiple applications while maintaining security.
- Passwordless authentication: Enhancing security and user experience through methods like biometrics.
You have to have flexible, robust solutions that make it easy to implement the latest security technologies. Anything less is leaving an open door for attacks.
How can companies address the friction with MFA in environments where frontline workers need quick and constant access to systems?
The friction of MFA is not just an issue for workers logging into applications; it’s also an issue for consumers and other businesses logging in to their applications. MFA can stand as a significant barrier, and even prevent users from taking the time to sign in to an app. Fortunately, the authentication world has some tools in place that can make life easier for everyone involved:
- Long-lived sessions: Sessions are helpful to keep users logged in from the same device over a period of time so they are not prompted for MFA every single login.
- Adaptive MFA: Adjust security requirements based on context and risk.
- Single Sign-On (SSO): Reduce login fatigue across multiple internal applications.
- Biometrics: Using MFA prompts that are easy and quick, like secure access through fingerprints or facial recognition.
- Step-up authentication: Only require additional verification for sensitive actions.
The key is tailoring auth to the environment’s specific needs. Your security posture should enhance a workflow or a business transaction, not hinder it.
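As an added illustration (not FusionAuth's code or the interviewee's), the policy below combines the long-lived sessions, adaptive MFA and step-up authentication listed above with the contextual signals from the first answer; the thresholds, the risk signals and the `decide`/`demo` names are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional, Tuple
# Illustrative policy knobs (assumed values, not any vendor's defaults).
SESSION_MAX_AGE = timedelta(days=30)    # how long a long-lived session stays valid
MFA_FRESHNESS = timedelta(minutes=15)   # how recent MFA must be for a sensitive action
SENSITIVE_ACTIONS = {"change_password", "add_payee", "export_customer_data"}

@dataclass(frozen=True)
class Session:
    created_at: datetime
    last_mfa_at: Optional[datetime]     # None if the session never completed MFA
    trusted_devices: FrozenSet[str]     # device ids that completed MFA before
    usual_country: str                  # hypothetical context signal from earlier logins

@dataclass(frozen=True)
class Request:
    action: str
    device_id: str
    country: str
    at: datetime

def decide(session: Session, req: Request) -> Tuple[str, List[str]]:
    """allow: no prompt; mfa: adaptive prompt because context looks risky;
    step_up: sensitive action needs a fresh second factor; reauth: session too old."""
    if req.at - session.created_at > SESSION_MAX_AGE:
        return "reauth", ["session older than SESSION_MAX_AGE"]
    risk, reasons = 0, []
    if req.device_id not in session.trusted_devices:      # adaptive signal
        risk, reasons = risk + 2, reasons + ["unknown device"]
    if req.country != session.usual_country:              # adaptive signal
        risk, reasons = risk + 1, reasons + ["unusual country"]
    if req.action in SENSITIVE_ACTIONS:                   # step-up path
        fresh = session.last_mfa_at is not None and req.at - session.last_mfa_at <= MFA_FRESHNESS
        if fresh and risk == 0:
            return "allow", ["fresh MFA covers sensitive action"]
        return "step_up", reasons + (["no fresh MFA"] if not fresh else [])
    if risk >= 2:
        return "mfa", reasons
    return "allow", reasons or ["trusted device, routine action"]

def demo() -> dict:
    # Constructed scenarios: one session, several requests over its lifetime.
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    sess = Session(t0, t0, frozenset({"laptop-1"}), "US")
    cases = {
        "routine_same_device": Request("view_dashboard", "laptop-1", "US", t0 + timedelta(days=3)),
        "routine_new_device": Request("view_dashboard", "phone-9", "US", t0 + timedelta(days=3)),
        "sensitive_stale_mfa": Request("add_payee", "laptop-1", "US", t0 + timedelta(days=3)),
        "sensitive_fresh_mfa": Request("add_payee", "laptop-1", "US", t0 + timedelta(minutes=5)),
        "expired_session": Request("view_dashboard", "laptop-1", "US", t0 + timedelta(days=31)),
    }
    return {name: decide(sess, r)[0] for name, r in cases.items()}
```

Routine work on a trusted device is never prompted, a new device triggers an adaptive prompt, and a sensitive action is only waved through when MFA happened minutes ago.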
CISOs report burnout due to the growing complexity of cybersecurity threats, including authentication failures. What factors contribute to this stress, and how can organizations support their security teams to handle authentication challenges better?
The burnout facing CISOs can be boiled down to the fact that their tools are not morphing to the external threat landscape, or the tech stack of their organizations, to the degree required to truly keep up. This leads to an over-reliance on key workers with rare skill sets (for example, Kubernetes security), and an inordinate amount of time spent internally building tools on top of what they’ve already bought from vendors.
Outsourcing authentication is one opportunity to take valuable time back, because security teams no longer have to worry about keeping up with vulnerabilities introduced by the latest updates in authentication protocols; the authentication provider takes care of that.
There have been some outages in authentication providers, and some breaches of authentication providers in the last year, but one way to safeguard against this is by going with a tool that you can self-host and control in your own environment.
Organizations can support security teams in authentication by offloading authentication versus building it in-house.
How do you foresee the use of behavioral biometrics shaping the future of authentication, and what challenges do organizations face in adopting this technology?
I think behavioral biometrics is going to be significant. It’s a more nuanced and continuous approach to identity verification that solves a lot of today’s problems. Moving forward, these user profiles built from pattern recognition become like fingerprints, where no two are the same.
Without any doubt, behavioral biometric systems will give an advanced level of security compared to traditional methods. But beyond that, they also offer a world where passive authentication is a reality, removing friction from the user experience. I’m especially interested to see how this impacts the world of fraud prevention, and as a new factor for MFA.
That said, there are pitfalls when it comes to adoption. Is the system accurate? How private is that data? Imagine the terror of a data breach that can mimic your every behavior. Costs are definitely going to be part of the discussion, and that’s before we even get into user acceptance. We have to expect pushback, regardless of how fast the threat landscape evolves.