Multi-factor authentication (MFA) is now one of the core methods for securing user access to IT resources, and a critical component of a Zero Trust security model. With the rise of remote work and the continued prevalence of high-profile data breaches, many organizations are evaluating their options for implementing MFA policies.
According to a recent survey of IT professionals, 52.6 percent of small and medium-sized enterprises already require MFA across all applications and logins. This article is geared towards the remaining organizations trying to figure out the best way to do that while avoiding resistance from decision makers and end users.
Multi-factor authentication (also called two-factor authentication or 2FA) is the practice of requiring an additional factor beyond the standard username/password combination requested at most logins. These factors are commonly described as:
According to Verizon’s 2021 Data Breach Investigations Report, 61% of data breaches involve credentials. When used as a single factor, passwords are an insufficient security measure and unable to protect your organization from the costs of a data breach. Layering on a second authentication factor at login is significantly more secure than relying on passwords alone, and can make accounts 99.9% less likely to be compromised.
So how much of an effect does the type of additional factor have? Google’s Security Blog studied the effects of MFA on account takeovers. Here’s what they found:
The chart above details the efficacy of the six most popular “something you have” and “something you know” MFA methods. With this chart in mind, let’s look at how push notification MFA (which falls under the “On-Device Prompt” classification) compares to the other forms of multi-factor authentication an organization can deploy.
Push MFA uses a notification delivered to the user’s smartphone as the second authentication step. This puts push MFA in the category of “something you have,” as the user needs to have their smartphone with them to use push notifications as a second factor. After entering their username and password, end users simply unlock their phone and press a button to either approve or deny the access request.
Push notifications are growing in popularity thanks to the ease of use for end users and the low cost of implementation for IT admins. To best illustrate the benefits of this authentication factor, the following sections highlight the similarities and differences between push notifications and other MFA implementation options.
SMS-based MFA is one of the most widely used forms of MFA today. This method sends a login code to an end user’s phone or email after they have submitted their credentials. Once they receive the code, they must enter it correctly to complete the login.
Per the Google chart above, SMS-based MFA is effective against automated and bulk phishing attacks, but less effective for accounts that are specifically targeted. This weakness stems from the reliance on a third-party carrier network to relay the code from its origin to the end user. That relay is an additional attack vector, and it widens the window of time in which the code can be intercepted or misused.
Push notifications, on the other hand, are created directly on a user’s smartphone with an authenticator app and do not require the user to enter a numerical code. This not only provides a simpler user experience, it also saves employees time. In fact, push MFA saves a user 13 minutes annually over SMS-based MFA.
TOTP MFA uses a one-time numeric code similar in form to that of SMS-based MFA. In contrast to SMS, however, TOTP codes are generated the same way as push notifications—via an authenticator app. The numerical codes are only valid for a specific time interval, such as 30 seconds. The user must correctly enter the TOTP before the interval ends; once it does, a new code is generated and the previous one is invalidated.
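To make the TOTP mechanism described above concrete, here is an added example, not code from the original article or from JumpCloud, that implements RFC 6238 time-based one-time passwords in Python: the authenticator side derives a code from a shared secret and the current 30-second step, and the server side verifies a submitted code. The shared secret is the test key published in RFC 6238 itself (a constructed demo value, not a real credential), and the one-step clock-skew grace window and the last-accepted-counter replay check are defensive design choices assumed here rather than something the article specifies.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the ASCII key "12345678901234567890" from the
# RFC 6238 test vectors, Base32-encoded the way an enrolment QR code would
# carry it. Not a real credential.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30   # validity interval of one code
DIGITS = 6          # length of the code the user types


def _decode_secret(secret_b32: str) -> bytes:
    # Authenticator apps often omit Base32 padding; restore it before decoding.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_at(secret_b32: str, unix_time: int, step: int = STEP_SECONDS,
            digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.

    This is what the authenticator app computes; the code is not random,
    it is a deterministic function of the shared secret and the clock."""
    return hotp(_decode_secret(secret_b32), unix_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                last_accepted_counter: int = -1, skew_steps: int = 1):
    """Server-side check. Returns the matching step counter, or None.

    - Accepts the code for the current step and +/- skew_steps neighbours,
      so a phone clock a few seconds off still works.
    - Never accepts a counter at or before last_accepted_counter: a code that
      was already used cannot be replayed within the grace window.
    - Uses a constant-time comparison to avoid leaking digits via timing."""
    key = _decode_secret(secret_b32)
    counter_now = unix_time // STEP_SECONDS
    for delta in range(-skew_steps, skew_steps + 1):
        counter = counter_now + delta
        if counter <= last_accepted_counter:
            continue
        if hmac.compare_digest(hotp(key, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp_at(RFC_SECRET_B32, now)
    print("current code:", code, "-> step", verify_totp(RFC_SECRET_B32, code, now))
```

The caller is expected to persist the counter returned by `verify_totp` per user and pass it back as `last_accepted_counter` on the next login; without that bookkeeping a captured code remains valid for the whole grace window, which is exactly the interception risk the article attributes to SMS codes.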
Push notifications operate very similarly to TOTP and provide the same level of security with a better user experience. A good authenticator app will provide the option for both TOTP and push MFA, and empower employees to choose the second authentication factor that works best for them. This is especially important for putting MFA accessibility considerations into practice.
Physical key-based MFA is akin to a digital version of a tangible lock and key. Each physical key — often in the form of a USB device such as Google Titan — is unique to its user. As long as the user keeps possession of their key, their authentication is highly secure. Google backs this up with the research in the chart above, claiming 100% efficacy at blocking most major forms of attack.
Science fiction has long speculated about biometric authentication, often depicted as retinal scans and voice or facial recognition. Today, such biometrics are a reality. Biometrics exemplify the “something you are” MFA factor, and many people have grown accustomed to using biometric authentication in the form of a fingerprint reader or face ID on their smartphone or laptop.
Although it is still challenging to manage biometric MFA at scale in today’s enterprise settings, the use of an authenticator app can naturally add biometrics into the equation. For example, to accept a push notification, the user must first unlock their phone to respond to the request. How do most people unlock their phones these days? With a biometric identifier that inherently provides an additional layer of security.
IT organizations can use several different solutions to enforce MFA push notifications across their user base. There are three key considerations to keep in mind when evaluating MFA push notification solutions:
The decision is easy for IT admins using the JumpCloud Directory Platform to manage virtually all of their IT resources. JumpCloud Protect is an authenticator app available on both iOS and Android devices that integrates seamlessly with our cloud-based admin console, and allows for both push notifications and TOTP across cloud and on-premise applications, Mac, Windows, and Linux desktops, VPN and wireless networks, and servers.
It’s included in all packages at no extra cost. Try JumpCloud Protect today.