What's next for multi-factor authentication (MFA)?

Around 70% of successful data breaches originate from stolen credentials or phishing attacks, demonstrating how weak access security offers cybercriminals an easy route into corporate networks. Multi-factor authentication (MFA) plays a key role in the defense against cyber attacks. Critical to any organization’s identity and access management (IAM) strategy, MFA makes it much more challenging for attackers to use stolen credentials to access corporate networks.

With the average data breach costing $4.45m in 2023, the extra security that MFA solutions offer is mission-critical. Despite that, Microsoft estimates that only 28% of users have any MFA during their login processes.

In this blog, we’ll explore the current status — and what the future of MFA will bring.

MFA current status and future trends

Despite its importance as a key defense against identity attacks, MFA’s uptake has been relatively slow. Budgets are tight, IT teams are pulled in different directions, and buy-in can be hard to get from the c-suite and end-users alike.

Even so, increasingly costly attacks and stricter regulations are driving more and more organizations to implement MFA. As a technology, MFA has also evolved, shedding its clumsy image with modern, low-friction options like apps, tokens or push notifications.

Modern, more lightweight MFA methods also make it easier for IT teams to extend MFA protection across all user sessions, which most experts generally agree is optimal for security.

Expect MFA adoption to accelerate

As MFA adoption picks up steam, the global MFA market is poised for explosive growth, and is set to double its value by 2027.

A few pervasive myths around MFA implementation still hold back many organizations, but this is changing. A few common objections include:

• Some organizations may consider MFA too complicated to deploy

• Some might not want an MFA solution to change their current processes

• Others might consider MFA too expensive

While some of these concerns are understandable, some are simply based on an outdated understanding of MFA. Modern MFA solutions are, across the board, much easier to use and implement. Organizations also now have more options to choose from, increasing their ability to handpick an MFA solution that really fits their unique environment and needs.

As for price, the price of implementing MFA is dwarfed by the cost of a data breach, and a good MFA solution will integrate seamlessly with your existing environment.

Regulatory requirements will increasingly drive MFA adoption

For many organizations and industries, MFA is, or soon will be, a security requirement. Various bodies and compliance standards now recommend or mandate the use of MFA to secure user accounts.

Some current examples of MFA and two-factor authentication (2FA) compliance needs include:

• The White House now mandates 2FA for any user access to federal information systems.

• The New York Department of Financial Services (NYDFS) mandates MFA for financial institutions.

• PCI DSS 4.0 will require MFA for all access to online payment transaction data from 2025.

• The updated Federal Trade Commission (FTC) Safeguards require organizations across virtually every area of commerce to implement MFA for user account with access to customer data.

As sensitive data becomes increasingly attractive for cybercriminals, expect to see more regulations such as GDPR and HIPAA, require more robust security measures like MFA.

The next frontier for Multi-Factor Authentication: protecting all users

MFA is a critical step in mitigating common cybersecurity risks, and key for anyone looking to enhance their access management.

What’s next for MFA? Over the next few years, expect to see more changes in how MFA is applied.

Ensuring secure logins across all users

Alex Weinert, vice president of identity security at Microsoft, views driving more multifactor authentication usage as, “the most important thing we can do for the ecosystem.” He continues, “Our strong position is that all user sessions should be multifactor authentication protected.”

It’s not only privileged user accounts that pose a danger to your system. Regular users, too, can give bad actors access to important resources. MFA is an effective way to protect all types of users from unauthorized access.

The simple truth is that any user account protected solely by a password presents a risk to your organization. The key to successful MFA implementation is to implement a zero-trust policy — protecting all access points, regardless of the user’s level of privilege.

Of course, you need to balance security with productivity. You might want to require admins to complete MFA on every login. A standard user might need to authenticate less frequently. With UserLock, you can use granular controls and contextual access management to provide security with a seamless user experience.

Best practices for implementing MFA in your organization

Following best practices when implementing any MFA solution will help you optimize security. Some examples of MFA best practices include:

• Monitor your system for suspicious patterns: IT departments need real-time monitoring that tracks user activity and detects unusual behavior. UserLock enables organizations to identify potential threats and take prompt action to prevent harm.

• Regularly review and update MFA policies to match security needs: Your users, systems, and security needs will change. To ensure your MFA solution offers the right protection, regularly check that your MFA policies are suitable for your current requirements.

• Use contextual controls to avoid disrupting end-users: Context-aware access controls allow or deny login attempts based on factors such as the user’s location, device, and time of day. UserLock’s contextual access management helps prevent unauthorized access and reduce the risk of future threats.

• Deploy MFA methods that suit your users: MFA methods include the use of hardware tokens, authentication apps, and push notification mobile apps. Deploying the authentication method that best suits your system is paramount. If your organization needs MFA for remote work, offline access, or single sign-on (SSO), pick an MFA solution that delivers the features you need.

• Report on user activity and access: During deployment and ongoing management, keep a report of your MFA implementation. UserLock’s compliance reporting capabilities enable organizations to track and report on user activity and access to meet regulatory requirements. This helps to ensure compliance and reduce the risk of future threats.

Remember that system security is not a one-off task — it’s an ongoing effort to protect against existing and emerging threats. The challenge for anyone tasked with implementing MFA will be achieving a balance between securing data while remaining user-friendly.

Secure vs. less secure MFA methods

Generally, MFA methods verify something the user has, is, or knows. For this reason, it’s extremely challenging for an attacker to complete the second verification step, even when they know a user’s password.

It’s essential to use secure MFA methods that align with your organization’s security needs.

Do all MFA methods offer the same level of security?

While they’re all better than passwords alone, some MFA methods offer much more protection than others. More secure MFA methods, such as hardware tokens and keys, generate unique codes or security keys for each login attempt. As the user physically possesses these methods, they are difficult to duplicate or compromise.

On the other hand, less secure MFA methods, like smartphone SMS-based verification or email passcodes, can be easily guessed or intercepted.

For many users, push notifications offer a happy medium: a nearly frictionless experience, with high security.

The growing role of adaptive MFA

Predictive user modeling and threat detection

As in almost every field, artificial intelligence (AI) has improved MFA by enabling predictive user modeling and threat detection. This approach involves machine learning algorithms analyzing user behavior patterns to identify deviations and flag them as potential threats.

AI-powered threat detection can help create a smoother user experience. It helps organizations detect and respond to security threats in real-time without damaging the user experience. However, analytics are already well established within many MFA solutions. More MFA solutions will be using their insights to further enhance factors like contextual access management.

Challenges and considerations for AI in MFA

AI risks and ethics are concerns across every industry. The use of AI in MFA brings the usual challenges and considerations, including concerns about privacy and potential algorithmic bias. Organizations must ensure that data protection policies are in place, algorithms are transparent, and resources are adequate. Any legal and regulatory needs must also be implemented.