I remember seeing a comedian do a bit about “why do brand marketers use words like ‘New and Improved’ on products?” The punch line boiled down to: the only thing “new and improved” is the way you’re talking about the product and maybe a feature you bolted on to the old one you’re imploring us to replace.
These days I feel the same about the over-use of “next-gen” on just about every tech product, advancement and feature. Especially with all-things-AI. And even closer to home, especially with identity and access management solutions. It seems as though you can’t go anywhere without running into a “next-gen” solution!
Before diving into what next-gen MFA is, it’s important to understand what it isn’t. Next-gen MFA is often confused with:
- Just Adding More Factors: Simply adding more authentication factors (e.g., requiring a password, a TOTP code, and a biometric scan) is not necessarily next-gen MFA. It might improve security, but it doesn't address the core concepts of context, adaptiveness, and phishing resistance.
- Any New Authentication Method: The introduction of a new authentication method (e.g., push notifications) doesn't automatically make it next-gen MFA. It needs to be integrated into a risk-based, contextual framework.
- MFA for Everything: While MFA should be widely deployed, simply requiring MFA for every single application, regardless of risk, can be counterproductive and lead to user fatigue. Next-gen MFA allows for a more nuanced approach.
What Next-Gen MFA Should Mean
I can’t control what other cyber defense solution manufacturers consider to be “Next-Gen,” but I can affect what it means at SOFTwarfare.
True next-gen MFA moves beyond the limitations of traditional multi-factor authentication. For SOFTwarfare, this means:
Integrated, Continuous Contextual and Adaptive Authentication:
Instead of just asking for a second factor every time, our approach is to analyze the context of the login attempt. This includes:
- User Behavior: Has this user logged in from this location/device before? Is their typing speed or mouse movement unusual?
- Device Posture: Is the device up-to-date with security patches? Is it jailbroken/rooted? Does it have malware?
- Location/Network: Is the login attempt coming from a known and trusted location? Is the network suspicious?
- Time of Day/Day of Week: Is this login attempt happening at an unusual time for this user?
- Risk Score: Based on all these factors, a risk score is calculated. High-risk logins might require stronger authentication (e.g., passwordless or phishing-resistant authenticators), while low-risk logins might require no additional factors at all (frictionless authentication).
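To make the risk-scoring idea above concrete, here is a small policy engine (an added example, not SOFTwarfare’s product code) that turns the context signals listed above into a score and an authentication tier. The weights, the two thresholds and the three sample logins are illustrative assumptions.

```python
from dataclasses import dataclass
# Illustrative weights/thresholds (assumptions, not SOFTwarfare's values).

@dataclass(frozen=True)
class LoginContext:
    known_device: bool        # user has signed in from this device before
    device_patched: bool      # device posture: security patches current
    device_rooted: bool       # device posture: jailbroken/rooted
    trusted_location: bool    # location the user normally signs in from
    suspicious_network: bool  # e.g. anonymizing proxy or flagged network
    usual_hour: bool          # attempt falls inside this user's normal hours

# signal -> (value that counts as risky, risk added when it is)
WEIGHTS = {
    "known_device": (False, 30),
    "device_patched": (False, 10),
    "device_rooted": (True, 40),
    "trusted_location": (False, 25),
    "suspicious_network": (True, 30),
    "usual_hour": (False, 15),
}

def risk_score(ctx: LoginContext) -> int:
    """Sum the weights of every signal in its risky state, capped at 100."""
    score = sum(w for name, (risky, w) in WEIGHTS.items()
                if getattr(ctx, name) == risky)
    return min(score, 100)

def required_assurance(score: int) -> str:
    """Map the score to the authentication tier the login must satisfy."""
    if score < 20:
        return "frictionless"            # low risk: no additional factor
    if score < 60:
        return "platform_authenticator"  # step-up: Windows Hello / Touch ID
    return "fido2_security_key"          # high risk: phishing-resistant key

def evaluate(ctx: LoginContext) -> tuple[int, str]:
    score = risk_score(ctx)
    return score, required_assurance(score)

# Constructed sample logins.
ROUTINE = LoginContext(True, True, False, True, False, True)
TRAVEL_NEW_LAPTOP = LoginContext(False, True, False, False, False, True)
ROOTED_VIA_PROXY = LoginContext(True, False, True, True, True, False)

if __name__ == "__main__":
    for name, ctx in {"routine": ROUTINE, "travel": TRAVEL_NEW_LAPTOP,
                      "rooted_proxy": ROOTED_VIA_PROXY}.items():
        print(name, evaluate(ctx))
```

The routine login scores 0 and is frictionless, the new laptop abroad steps up to a platform authenticator, and the rooted device on a suspicious network is held to a phishing-resistant key.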
Phishing-Resistant Authentication: Next-gen MFA prioritizes methods that are highly resistant to phishing attacks. This often means moving beyond OTPs (one-time passwords) delivered via SMS or email that can be intercepted. Instead, it emphasizes:
- Hardware Security Keys (FIDO2): These are physical devices that cryptographically sign the login request, with the signature bound to the legitimate site’s origin, so a response captured by a lookalike site cannot be replayed against the real one; this is what makes them virtually impossible to phish.
- Platform Authenticators (e.g., Windows Hello, Touch ID): These leverage the built-in security of the user's device.
- Certificate-based Authentication: Using digital certificates to verify the user's identity.
Enhanced User Experience: While security is paramount, next-gen MFA aims to minimize friction for the user. This means:
- Frictionless Authentication: For low-risk logins, the user might not be prompted for any additional factors.
- Step-up Authentication: Only requiring additional factors when the risk level warrants it.
- Choice of Authenticators: Allowing users to choose from a range of authentication methods that suit their needs.
Centralized Management and Orchestration: Our secured, integrated platform as a service provides a centralized capability for managing authentication policies, integrating with various applications and services, and providing detailed reporting and analytics.
When I was in the Army, I had the privilege of leading Information Operations campaigns across the globe. One of my constant mantras was that Words Matter. Next-gen MFA is a paradigm shift in how we think about authentication. It's not just about adding more factors; it's about adding intelligence to the authentication process. It's about understanding the context of each login attempt and dynamically adjusting the level of security required. It's about prioritizing phishing-resistant methods and minimizing user friction.
If a solution claims to be "next-gen" MFA, make sure it delivers on these core principles. Otherwise you might just be getting the same, tired cereal in a shiny new wrapper.