Hi. Welcome, everyone. I'm Martin Kuppinger, I'm Principal Analyst at KuppingerCole Analysts. And I'm here with Anders Askåsen of Okta. And we will talk today about lessons we can take from the financial services industry on compliance and MFA. And we will talk about this in a specific context, which is DORA and NIS, I'll talk about this in a minute, but first, welcome Anders.
Thank you so much, Martin. Thank you for having me.
Okay. I talked about a title and it's about MFA, it's about what is needed in MFA and strong authentication for compliance reasons, and we are talking about DORA, the Digital Operational Resilience Act, which is upcoming, which will be relevant for the financial services industry and which will be relevant, I think, from next year on. And about NIS2, so our EU critical infrastructure cybersecurity regulation. And so Anders, when you look at these regulations, why do we need to talk about MFA in that context?
Well, first of all, with these two regulations, banks, as we know, have always had a certain level of maturity. They have been pressured from credit card providers, from customers, from regulators, etc. So they have a good solid security resilience already. But many banks don't necessarily have the appropriate MFA, and that's something that is being addressed by the European Union through SCA and PSD2 as well. So there's room for improvement there.
Yeah, and that's also what I would have brought up. In the finance industry, we had PSD2, so the Payment Services Directive, the revised one, that's where the number two comes from, a couple of years ago, which introduced SCA, the strong customer authentication piece, and sort of raised the bar in that space. So when you were saying there is something, there is experience, and I think without any doubt there is experience, but you also say this may not be good enough anymore. Why?
Exactly. So, I mean, if we look at that from a couple of different angles, MFA is not a silver bullet to solve all authentication problems. It is a good mechanism to step up the authentication and have higher assurance, but it's just that higher assurance that is critical for the banks to achieve. And that forces them into reviewing their current investments and their current infrastructure and making sure that they actually comply with this and they can avoid things like MFA fatigue, which we've seen big corporations being subject to: you get a notification and you get it over and over and over again until you accidentally click approve. And that's a problem. And there are several mechanisms to get around this. But you also need to take into account the contextual aspect around where a transaction occurs, how it occurs, what time zone, what IP address, etc. So all these aspects, it's important to weigh in. And when it comes to MFA solutions, if you're using a traditional SMS with an OTP, or not even an OTP, that is subject to some problems; you can still intercept that SMS, you can use that to hack.
Yeah. So what you're saying is, there are two aspects. The one is, we need really good MFA, really strong MFA, and as we all know, over time some of the methods which have been established become outdated, are perceived as being not secure enough anymore, like [...] SMS, for instance, which is surely not the number one approach anymore. It's not the gold standard anymore. And on the other hand, what you are saying is, there's the context, all the stuff around the authentication. So authentication is just a piece of it. But what we need to understand is: is this really Martin, can that be Martin? If he was in Germany five minutes ago and right now he is in whichever other country, and are these the usual, common transactions Martin is doing? So what you're saying in the end is, we need stronger MFA and we need context. So what could stronger MFA be?
So you need that type of intelligence behind it to evaluate the actual risk score. And if there's a transaction that you, Martin, are taking, is that a normal transaction for you or is there something that would necessarily raise the risk level of that transaction? If it's a €50 transaction that you do once a month? Well, then maybe it's fine. But if it's all of a sudden €50,000, well, maybe that raises the bar and raises some flags and, you know, there's everything in between. And you need to be able to intelligently assess that risk and act accordingly and maybe step up the authentication at appropriate times when doing these transactions.
What banks frequently do nowadays is sort of request, for instance, that you first manually raise your limit for a transaction before you can perform that higher value transaction. So today we want to look at what others can learn, what lessons others can learn. And so on the one hand there is DORA, which is banks, and this affects a lot of aspects well beyond the authentication. On the other hand, there's NIS2, and NIS2 affects a very wide range of organizations. So not only enterprises but also governmental organizations, etc. So what can they concretely learn from financial services?
So like we said in the beginning, the financial services sector has pioneered a lot of these initiatives and they've been subject to a lot of regulatory requirements. Now, what can we learn when it comes to NIS2? NIS2 applies to, as you say, Martin, a much wider set of organizations that are classified as critical infrastructure or critical service providers, and that includes everything from, like, waste management companies to banks. And there are lessons to be learned from the banks here. MFA, for example, is a strong requirement coming down with NIS2 to be able to maintain a certain cyber hygiene. But if you make MFA voluntary, studies have shown that only 68% will actually implement and use it, which is a very low number. So you need to make sure that it's enforced, and it's enforced based on this intelligence that we just talked about: if there's a transaction or an action that you're doing, that you actually step up the authentication.
So what you're saying is, we have the technology for a strong MFA. We also have the technology for easily using a range of different authentication mechanisms. So it's not that we say we opt only for that one; we are very flexible, very versatile on that, and we have the ability to use the context and analyze the context to understand what the concrete risks of an authentication or transaction are. And at the end, the message I would translate is: all this is available, all this is proven. It's proven in the financial industry, it is ready to use. So if you're an organization that falls under the scope of NIS2, and these are really many organizations, more or less every manufacturing organization, I think, above 250 employees or something like that, is in that. So it's really a lot of organizations; the technology is there, make use of it.
But there are three dimensions of cybersecurity, right? The technology is available, it's on the market, you can procure it, you can implement it and you can have a good safety net when it comes to stepped-up, higher assurance authentication. But it's also the processes in place and the awareness, the people, the people dimension: people need to be trained. They need to make sure that they understand how to catch these MFA fatigue attacks, for example, and be able to report that back to IT operations. And the same goes for processes as well, where you can define this.
Yeah, but I think that's again something where technology in some way plays into our hands. So when I look at modern authentication, then we have a lot of approaches which are more and more going passwordless,
- Absolutely.
- which build on the ability to store sensitive information, to store secrets in a secure element on the hardware, to have a user to device binding and then finally do what I think is one of the more important things, not balancing security and convenience, so one going up, the other down, but combining security and convenience.
Yeah. And that's also something that we need to take into account when we're looking at these initiatives, the convenience aspects, because when you do introduce additional factors, the second factor, even a third factor, you're introducing a hassle for the end user and that's where you increase the friction and you make it difficult for the user. So there's always a balance when you're trying to enforce this type of technologies.
But we have the technology. That's what I see, you know, taking Okta, you have a vast list of different authenticators
- Absolutely.
- you are supporting. So I can give a choice. I can give even the individual a choice, because most of us are using multiple devices and we may use different things with different devices, what is most convenient, but yet secure enough. And I think this is a huge advantage I think we have gained over the past few years, that we are way more flexible in achieving a convenient way of multi-factor authentication. And maybe this is also a very important takeaway for everyone, that you must not dictate which type of authentication to use but give choices. Maybe this is also even a lesson for the finance industry to learn, because when I look at most online banking approaches, they are still not open in the way you authenticate.
You're absolutely right. It is about reducing that friction, but having the safety net in place. You mentioned something about storing information, and we all remember the days when GDPR got introduced and there was a big reporting mechanism around it. The same applies to NIS2 and DORA, but it's different authorities, typically, to which this information, if there is a breach, needs to be reported. And that's also something that needs to be taken into account. So having a platform like Okta's, for example, where you can quickly and easily gather this information and provide that to the authorities or auditors is also crucial. And that's another lesson that we can take from the financial sector.
Yeah, and we all know that the time organizations have to report on breaches is very short. So you need to be prepared and you need to have a plan and you need to have the technology and the processes in place, because otherwise you will just fail that requirement of reporting in a very short period of time to remain compliant. Also, that's something I would definitely take as a point. And yes, I think there's a lot you can learn from the financial services industry. But what I also would add is, it's also important to say: look at the technical opportunities today, because as I've already said, there's more than most of the financial services have implemented. So there is technology, so to speak, that is already ahead of the common, typical financial services authentication approach. And financial services also prove: yes, we can do a secure MFA and it works for people.
Oh, absolutely. You're spot on there, Martin, when you describe this. It's definitely something, in the light of NIS2, and in the light of what's happening when a much larger set of organizations are being regulated to stand up to a better cyber resilience, to be able to look at these lessons and learn from them, because it is important. It is absolutely important.
So to close up, if you would need to give sort of one important piece of advice to everyone in the context of this conversation, what would be your main advice?
So my main advice is really to look at security from three angles, and that's the people, processes and technology. The technology, as we've discussed, it's available. There are state-of-the-art solutions that have built-in intelligence to pick this up. But you need to make sure that your staff is trained, that your users are trained, whether they're consumers or workforce, and that you have the necessary processes in place. If something happens, and you need to assume that something will happen, how do you deal with that in the most urgent and prompt way? And having all those bits and pieces in place will guarantee that you will be able to be compliant and can avoid big fines from regulators.
Thank you, Anders, for all that information you've provided to all the people listening to this talk. Maybe one more piece of advice: look at NIS2, look at DORA now, and not when it's already too late. You need to prepare now for these regulations so that you really can find the right solution for you.
And on that note, Martin, one lesson learned from when India introduced something similar to 3-D Secure: overnight, 25% of business disappeared because they were not prepared. So you're absolutely spot on. Thank you so much for having me, Martin.
Thank you.