Multifactor Authentication (MFA) and Layered Security have long been recommended best practices for enterprise security. But what exactly are they? … At what point are there too many layers? And WHICH layers of security should I deploy?

What is Layered Security?

Layered security attempts to secure organizations by employing various tools – ideally complementary tools. The problem is, these tools, or layers are often not complementary, and we know that disparate systems can create lots of work, lots of frustration, and arguably the number one enemy of security … complexity.

Without a proper plan, it’s easy for companies to purchase several overlapping or disconnected systems which can lead to unsecured gaps and ultimately lower security posture

How can this lower security posture?

  1. Whatever the system, it will need to be maintained. This will require staff. In many cases, the technology is obtained in order to meet a compliance need or simply to be crossed off a list – without proper management. Unmanaged, it is not only a waste of money but potentially adds vulnerability.
  2. Different systems will require different types of management – outsourced or not. This can create difficulties in communication and compatibility. The more layers in place, the more likely it is that one or more will conflict or cause problems with business operations.
  3. Restrictive security layers can cause pushback among users. For example, they may use the same credentials for multiple accounts. If email is used as the username for a company system and the same password is used for internal and external accounts, this makes a bad actor’s job easier.

These layered security challenges are arguably THE biggest problem in the cyber threat detection and mitigation space.  And, because attackers are well aware of these issues, they can relatively easily exploit the gaps they create.

Multi-Factor (NOT Multi-Layer) Authentication

Multi-factor authentication (MFA) requires that users prove they are who they say they are before granting them access to digital resources. MFA requires two or more factors for authentication. The factors can be a combination of two or more of the following: 1. Knowledge – Something you know, 2. Possession – Something you have, or 3. Inherence – Something you are.

From Microsoft to CISA, all the way up to the White House – most experts agree that MFA should be a requirement for any organization. The Federal Trade Commission (FTC), for example, requires that any institution handling financial data, be required to deploy MFA. A 2021 Executive Order from President Biden outlined requirements for strong security for Federal contractors. …

But is all MFA more secure? The answer is NO. In fact, MFA is only as secure as the factors chosen.

When Layers are Just “Band-Aids”, They Don’t Work

Adding layers to MFA can sometimes mean ADDED risk! Here’s an example: Password plus one-time passcode (OTP). Or how about three factors? Password, plus OTP, plus push notification. The problem here is that all those factors are weak. Even the longest, most complicated string of characters can be shared, phished, or guessed. Cybercrime has become too sophisticated for these methods, as evidenced by repeated cyber-attacks. Using a password manager with a master password? What if that master password is compromised? Then, that bad actor has access to multiple resources.

The password, or any “knowledge factor” … any Human Readable Credential (HRC) is inherently risky for security and should be considered obsolete. Passwords and usernames are frustrating, forgettable, shareable, and Phishable. When they sit at the base of your security posture – just adding another layer merely adds a layer of inconvenience, worsening user experience. The most common approach is to send an SMS code, which can potentially be intercepted by bad actors.

The National Institute of Standards and Technology (NIST) cautions against this approach

Google reported that 1 in 5 phishing kits collect phone data in order to intercept these codes. And according to Google, less than 10 percent of its users even bothered to turn on 2FA. The other 90 percent are protected only by passwords.

The Question We Should Be Asking About Passwords

If we need another factor for authentication on top of one that has long been deemed unsecure, why are we using the first factor at all? Any information that can be entered into a form field by one person could also potentially be obtained and entered by a hacker.

The Good news is, we don’t need the password or HRC, and neither do we need complicated or disparate layers for security.

Un-LayerCake MFA

At TraitWare, we’ve eliminated the need for the #1 risk factor behind 81% of cyber-attacks – the password. In fact, with TraitWare there’s no need for any shareable or Phishable secret for login.

TraitWare is not a layered approach to security. Passwordless MFA is not an add-on. It’s inherent in the solution. This means 1. It’s more secure because it’s Always On for all your users, and because you can’t Phish the password if it doesn’t exist! 2. It is not only easy to use, but it also actually simplifies login. Once your biometric is registered to the secure TraitWare app via the mobile device you already carry, the MFA is just there – invisible to the user. Nothing to type in, nothing to remember (or forget).

What’s more, TraitWare is quick and easy to deploy and will save on costs. Thinking of cyber insurance? TraitWare’s solution can also help lower insurance premiums.

If you’re curious about Passwordless, Phishing-Resistant MFA+SSO to simplify and secure your company login, please reach out any time.