Fighting ATO Wights? GOT Multifactor Authentication?
Warning: Spoilers Ahead
The horror of the moment when the Night King unleashes some kind of kryptonite ice javelin into the air, bringing down Daenerys’s dragon, Viserion, is eclipsed only by the moment Viserion opens his now vivid blue eyes: a tell-tale sign that the dragon is now a wight and has become a weapon for the army of the dead.
Account takeovers (ATO) are the wights of online e-commerce. An account that was just recently seen as a trusted ally has suddenly turned into a dangerous foe. The many massive data breaches in recent years have led to a flood of compromised credentials becoming available for pennies on the Dark Web. Using these credentials, criminals can deploy bots that automatically scan websites for online accounts where those credentials grant improper access. What makes this so dangerous is that the targets are accounts created by real users and holding valuable information such as financial data, which also makes a takeover very difficult to identify once it has happened (unfortunately, a hijacked account has no clear identifier, such as blue eyes!). So how can you identify and stop these wights if you don’t have any dragonglass or Valyrian steel lying around? The answer is simple: prevent ATO from the outset with a dynamic multifactor authentication (MFA) solution that can work with your existing authentication services.
With MFA you can stop ATO attacks cold. Mobile multifactor authentication allows a user to be quickly and easily authenticated using factors such as biometrics, pattern codes, and proximity detection, all of which provide a much higher level of assurance than traditional passwords. New methods can also be easily added to the platform as they gain mainstream acceptance (imagine retinal scanning, facial recognition, and heart rate scans).
When you get the first indications that a wight has been created to hijack an account, you can immediately trigger additional MFA factors. This allows you to tailor authentication requirements based on risk rather than subjecting every customer to an eye exam. For a change of address request, you could push an authorization request straight to the customer’s mobile device. For fund transfers or purchases over a set threshold, you could require the appropriate, risk-based step-up method to be deployed.
In the fight against ATO wights, it’s important to have the right tools. Otherwise, the army of the dead just might prevail. Are you prepared for the battle to come?