Implementing strong authentication across your business
Strong authentication is hugely important, but implementing any regime at scale is not without its challenges


Strong authentication doesn’t always go down well with end users. They tut when asked to wait for a multi-factor authentication (MFA) code sent to their smartphone, and then again when having to enter the code. They tut once more when they enter an incorrect password or input the wrong letters from the safe word. The whole process can seem like a barrier.
Spare a thought for the IT teams who have to implement strong authentication across multiple devices and operating systems, though. It’s not a walk in the park for them, either. To enable a smooth implementation, IT teams must find the line of least resistance and minimise the pain for both themselves and end-users across an organisation.
Why is strong authentication so complex?
IT teams working with strong authentication methods face a number of challenges. In technology, nothing stands still, and the devices, software and systems people use change on a regular basis. We hear often about how teams can struggle to cater for legacy IT while also supporting the latest systems. This can create headaches in authentication as much as anywhere else.
It isn’t just about implementing the best possible security measures regardless of other factors. “Security must be balanced against privacy requirements, scalability across complex technology stacks, and critically balanced against user experience,” says security expert Will Dixon. “The most significant headache for security teams is balancing the business’s requirement to reduce as much friction as possible with their digital services and channel.” Dixon is a former director at the World Economic Forum (WEF), where he headed the Centre for Cybersecurity. He has also been strategic lead for various national security and cyber security programmes in the UK government, and was previously global head of intelligence at Barclays Bank.
It must also be balanced against cost and practicality. Dixon says another potential security option, passwordless authentication using hardware security keys, is not without its own issues. “Distributing these to remote workers is not feasible,” he believes. “This is despite the rise in remote and hybrid working being one of the biggest drivers for the wider use of stronger authentication.”
Why do businesses need strong authentication?
There is no getting away from the fact that top-quality authentication is a necessity – not an add-on. A high proportion of cyber attacks are due to weak passwords, with weak authentication the single biggest cause for a breach in any enterprise. Strong authentication can stop the widest range and largest number of enterprise attacks, including credential stuffing and phishing.
“If organisations don’t take action, it basically runs the risk of their systems remaining exposed to compromise by attackers that manage to obtain passwords or similar credentials,” explains Steven Furnell, IEEE senior member and professor of cyber security at the University of Nottingham.
With strong authentication protecting some, those without it may find themselves increasingly exposed, as the opportunities for infiltration they provide are tested by more and more cyber criminals. As Furnell puts it: “As more organisations adopt stronger approaches, those who remain with standard methods are arguably at greater risk within a reducing pool of viable targets.”
How to successfully implement strong authentication across your business
Implementation without alienation
It’s really important for users of strong authentication to understand why it’s needed and why they are asked to do certain things in order to log on. This is especially important when moving from single passwords to strong MFA. Furnell tells IT Pro that the move “will clearly change the way that people meet the system at the front door, and it will certainly be a support headache if they are not prepared for it and then start seeking help en masse”.
The key is education, great support and, where necessary, hand-holding before strong authentication is implemented and during the implementation, so that people understand the new system and why it’s needed. Furnell notes “part of the challenge will often be that steps need to be followed on multiple devices, and help will need to be available to support each context”.
Simplifying implementation without compromising security
One key action tech teams can take to ease the path to strong authentication is financial rather than immediately practical. They should start viewing security not as a cost centre but as a business enabler that creates value. For Dixon, this approach will empower security and IT teams to be at the heart of delivering the customer journey so they can work towards the principle of interoperability. Ultimately, they’ll aim to reduce friction on a customer’s journey with the business.
When that first psychological step is taken at a management level, it becomes easier to normalise all new products supporting strong authentication from day one. Moreover, older technology, which will never support it, can be retired and replaced, and the technology that could support it – but doesn’t currently – can be upgraded.
Meanwhile, tech teams can set a few rules and guidelines for themselves to make sure that implementation remains as painless as possible on an ongoing basis. For example, they can make the user experience (UX) as easy as possible and work hard to keep it consistent across different devices and platforms, so that using it becomes a matter of muscle memory rather than a hurdle. They can also consistently reiterate the reasons it is important, and the value it brings rather than the cost it creates.

Sandra Vogel is a freelance journalist with decades of experience in long-form and explainer content, research papers, case studies, white papers, blogs, books, and hardware reviews. She has contributed to ZDNet, national newspapers and many of the best known technology web sites.
At ITPro, Sandra has contributed articles on artificial intelligence (AI), measures that can be taken to cope with inflation, the telecoms industry, risk management, and C-suite strategies. In the past, Sandra also contributed handset reviews for ITPro and has written for the brand for more than 13 years in total.