Let’s talk about Dynamic MFA, a breakthrough in cybersecurity.
Depending on who you ask, the name MFA sounds like a graduate program you beg your kid not to attend (...but how will you make a living???) or something a cybersecurity marketer makes up to get a nanosecond of your attention. (ummm…guilty as charged.)
But Dynamic MFA – multifactor authentication – really is a legit breakthrough that can keep assurance and customer experience in constant equilibrium, so bear with the “markety-ness” of the phrase for the time it takes to read this post.
MFA has been around for a while. It works by requiring more than one method to authenticate the user of an application. Think of it as something you know, like asking for your mother’s maiden name (knowledge-based authentication, or “KBA”), plus maybe something you have, like a fob or a known and previously registered device (your phone or tablet), plus maybe something you are, like your thumbprint.
Raise Your Hand if You Like Passwords
OK, no one has her hand up. Security experts believe MFA is better than single-factor, password-based approaches to access control. Stores of usernames and passwords are vulnerable to breaches (yes, I’m thinking of you, Yahoo, among many others). It’s also not much of a stretch to say that passwords are universally loathed. Yet, like the cybersecurity world’s pesky kid brother on prom night, they refuse to go away. How can this be?
Well, MFA struggles with perception challenges, including that it’s inconvenient and confusing to the end user. Or it’s been considered too expensive, with the need for a hardware scanner. MFA also suffers from architectural rigidity: how do I keep up with the advances in facial or retina recognition, for example, without trashing my old system for scanning thumbprints? So does the advent of Dynamic MFA, which adds a high degree of transparency and flexibility to the MFA process, solve this? Well, that depends...
Dynamic MFA is Here
True Dynamic MFA – like iovation’s LaunchKey – provides an assortment of authentication options similar to traditional MFA tools, but allows the solution to adapt to changing risk conditions. It uses the contextual state of the mobile device itself to respond to authentication requests.
With advances in APIs and standards, it is now possible to implement Dynamic MFA that can adapt to context and present fewer hurdles for the user … or more hurdles if there are indicators of risky transactions or sessions. The connections between the elements of a Dynamic MFA solution might be achieved through standards such as OAuth and standard platform technologies like XML and JSON. In contrast to basic MFA, a Dynamic MFA process routes authentication requests based on usage context.
Dynamic MFA is like cyber Santa. It knows if your mobile device – phone, tablet, etc. – has been naughty or nice. These solutions can leverage external information to determine if a device has been used for malicious acts, is being emulated, is arriving through a proxy, or is located in a suspicious place at an odd time. These factors, combined with permanent identifying traits of the device, allow the MFA solution to step up the rigor of the authentication process to provide better assurance that this is, indeed, the correct user.
Banking, a Dynamic MFA Use Case
When the comedian Steven Wright quipped, “24-hour banking? I don’t have time for that,” he captured the kind of low-level stress that banking activities tend to generate. You’re dealing with your customer’s money, so security worries tend to hover in the background for the brand and the user. Dynamic MFA offers a way to calm everyone’s nerves in online banking. It allows a casual banking user to enter a relatively simple authentication action, like entering a PIN, when they want to review their balance information.
For additional flexibility, the end user can be given some discretion in choosing which technique he or she prefers. They may prefer PINs to represent “something they know,” or they may prefer to always use a thumbprint to confirm requests using “something they are.” These options might also include geofencing or time fencing parameters that require users to be coming from a known location, or to be working in a specified time range. In other cases, the Dynamic MFA solution might enable authentication simply by using a strong digital fingerprint from a recognized and registered mobile device as an authentication factor.
If the same user wants to send a large online money transfer to a new payee, the Dynamic MFA solution may request additional authentication factors. It might request a thumbprint scan from the device, the entry of a graphic circle code, or the presence of some other known and registered wireless device, like an Apple Watch or wireless headset. If it sounds a bit sci-fi to you, then take a few minutes now to read the latest product news from my team at iovation. Our LaunchKey solution makes all of this – and more – possible.
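The context-based routing and the banking scenario above can be sketched as a small policy function. This is an added example, not iovation's or LaunchKey's code; the factor names, the `Request` fields, the transfer threshold and the time fence are all hypothetical.

```python
from dataclasses import dataclass
from datetime import time

# Hypothetical factor ladder, ordered from least to most friction.
LADDER = ["device_fingerprint", "pin", "thumbprint", "registered_wearable"]
LARGE_TRANSFER = 1000.00              # assumed threshold for a "large" transfer
ALLOWED_HOURS = (time(6), time(23))   # assumed time fence

@dataclass
class Request:
    action: str                       # "view_balance" or "transfer"
    amount: float = 0.0
    new_payee: bool = False
    device_registered: bool = True
    device_flagged: bool = False      # external data: device seen in malicious acts
    emulated: bool = False
    via_proxy: bool = False
    inside_geofence: bool = True
    local_time: time = time(12, 0)

def risk_signals(req):
    """Return the names of the contextual risk indicators present."""
    in_hours = ALLOWED_HOURS[0] <= req.local_time <= ALLOWED_HOURS[1]
    checks = {
        "unregistered_device": not req.device_registered,
        "flagged_device": req.device_flagged,
        "emulated_device": req.emulated,
        "proxy": req.via_proxy,
        "outside_geofence": not req.inside_geofence,
        "outside_hours": not in_hours,
    }
    return [name for name, hit in checks.items() if hit]

def required_factors(req):
    """Pick factors from action sensitivity plus one step-up per risk signal."""
    signals = risk_signals(req)
    sensitive = (req.action == "transfer" and req.new_payee
                 and req.amount >= LARGE_TRANSFER)
    level = (2 if sensitive else 1) + len(signals)
    level = min(level, len(LADDER) - 1)
    factors = LADDER[: level + 1]
    # An unregistered or emulated device cannot vouch for itself,
    # so its fingerprint does not count as a factor.
    if {"unregistered_device", "emulated_device"} & set(signals):
        factors = [f for f in factors if f != "device_fingerprint"]
    return factors, signals
```

A balance check from a clean, registered device needs only the fingerprint and a PIN, while each risk indicator moves the request one step up the ladder.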