So again, as I just said, if you look at any of the zero trust information, what you see is lots of statements about MFA and multifactor authentication: multifactor authentication is this, and MFA is a really important thing. But what does it really mean from the perspective of implementing a strong network and really being able to be sure, you know, who's on the network? So I want to kind of compare the concept of strong authentication with multifactor authentication. So to really start out with then, you know, what exactly is strong authentication? It's interesting.
I was at the Identiverse conference this year and this topic kept coming up. Everybody kept talking about how you need strong authentication, but there's not really a definition anywhere of strong authentication. So one of the documents, at least here in the US, that is looked at fairly heavily is the document published by the National Institute of Standards and Technology on digital identity guidelines. And they define three assurance levels for authenticators, where they define AAL1 as single factor. AAL2 is kind of that multifactor authentication.
And then AAL3 is where you start doing things like hardware-based cryptographic authenticators using public key technology and smart cards. But one of the things I find really interesting about this document is that nowhere in the document does it actually use the term strong authentication. It just defines these different capabilities. It has a lot of technological jargon about what constitutes these different factors, but it doesn't help with trying to figure out what exactly strong authentication is.
So I then kind of, you know, as all people do, went to look on the web to say, hey, what is strong authentication on the web? And what I found was a really interesting set of discussion slides about passwords, again, not talking about strong authentication. But way back in 2009, there were a lot of discussion articles about how you needed to have a better password. You know, that your six-digit password that you'd been using for years just wasn't secure enough anymore.
And then as we kind of move forward in history a little bit, there was stronger language about how your password maybe wasn't good enough by itself. I found it interesting as we move forward: oh, passwords are going to be ending, they're just too easy to hack, they're not secure enough. And then as late as 2019, there was a lot of discussion about how passwords are broken. So it seems like, if I'm trying to figure out what strong authentication is, that perhaps passwords are not strong authentication. So then I went and said, well, what do I see in my personal daily life?
These are all login screens from sites that I access on a regular basis. One of the things I found that was common across all of these sites is that every one of them is asking me for a password. So on the one hand, we have a lot of security experts saying passwords are not strong authentication, and we all need to do strong authentication. But then on the other hand, I have all of these systems that I access on a regular basis that are saying, I'm going to accept a password as authentication for you to be able to access your information on my site.
And I'm guessing the rest of you pretty much experience this in your life as well, that all of the sites that you go to really want you to establish a password. One of the things I also find interesting about most of these sites is that I often forget my password, and most of them will then say, oh, well, we're going to give you a way to recover your password. It doesn't cost us a lot of money. So perhaps they registered my cell phone, or perhaps they asked me to remember the answer to a security question.
So they have additional authentication mechanisms, but each of those mechanisms I then use to reestablish a new password. So I'm still essentially basing my authentication on passwords, passwords that are broken and not secure and easily hacked. So why is this? Why do I still see passwords everywhere, even though it's been 10 years since security experts started saying stop using passwords, you need a better approach to authentication?
Well, I think there are a lot of reasons why passwords are still out there. One, they were there already. So why change? It's kind of working, nobody's hacked me yet, and I'm just going to keep doing it. I think there's a second reason. Everybody complains about passwords, and they talk about how they can't remember passwords, and there are whole ecosystems established to protect and manage passwords. But on the other hand, they work: users know how to use a password. The third reason why passwords persist is that they work. They work with my iPad. They work with my desktop.
They even work over a telephone call. In some cases I can use a four-digit PIN and type it in to let my electric company know that I'm really me. So they have a lot of usability. And then that whole reset: it's pretty easy to reset a password. I can use knowledge-based authentication. I can use a text to a cell phone. I can use many different mechanisms that are relatively inexpensive to automatically reset a password without having to bring a human into the picture. And then finally, they're pretty simple. Most systems support putting in passwords.
I don't have to do anything complicated. I don't need to set up a lot of different mechanisms. I don't need to work with a bunch of different vendors in order to make passwords work. So the bottom line is passwords are cheap and easy. And I think that's really why, in spite of the fact that everybody says, not everybody, but many security, most security experts will say that passwords are not good enough, because they're cheap and easy, passwords haven't gone away and seem unlikely to be going away anytime soon. So let's get back to that concept of multifactor authentication.
So what is it about multi-factor authentication, and why do we not see it more ubiquitously than we should? So I think the first reason is MFA isn't cheap. Implementing that second factor is often not something that's stored within the system itself. You have to go with a third-party vendor, or you have to pay essentially transaction costs in order to leverage that second factor. I think another reason that passwords still persist is that MFA
isn't easy. The user now, instead of just having to remember a password and storing that password, maybe with a password manager, has to be able to access that second factor, however that's being implemented. So it increases the issues for the users and makes their experience much less seamless. And from many perspectives, providing a seamless interface to the users is a very important piece of providing authentication. So the other issue that I think sometimes people look at is to say, well, people did MFA and they got hacked
anyway. Just a couple of examples. I don't know if you all still remember, in 2011, Comodo was a PKI provider. It's supposed to be the strongest form of authentication, but it turned out they used passwords to authenticate to the CA. I think they ended up going out of business as a result. In 2015, the IRS's Get Transcript application was hacked because people were able to authenticate as the user they were pretending to be and issue themselves a new password. In 2017, there was a really interesting situation where people redirected those SMS text messages that go to your phone.
They actually drained a bunch of people's bank accounts as a result. And then very recently the FBI has actually published demonstrated methods, from different hacking conferences, of how to hack MFA. So clearly MFA all by itself is not the magic bullet of strong authentication. On the other hand, there are some other aspects of MFA that I think are important. So one is that it is getting easier, because mobile devices are so frequent. It's very easy to have somebody use their mobile device to support that second factor.
My phone can remember a lot of really complicated things, and as long as I don't have to remember them but just have to be in possession of the phone, that actually makes it an easy user experience. And there have been studies that show today people will realize they've lost their phone faster than they realize they've lost their wallet. So phones are probably a pretty secure factor when it comes to multifactor authentication. MFA definitely is more secure, although I did show some examples of how MFA has been hacked.
It is more expensive to implement those hacks than it is to implement hacks on passwords. In addition, password attacks on one system allow the hacker to create a dictionary of passwords, and then they can try that same password on other systems, and MFA can really kind of stop that particular type of attack from happening. So they're clearly more secure than just regular passwords, but I want to talk a little bit about when MFA is probably more appropriate, because they do still tend to have a cost impact on your enterprise.
So think about when you need to use MFA: IT accounts, functional privileged accounts, employees and business partners. So do a risk assessment and determine where it matters. And zero trust is a really important piece of that. As you look at your data, what is the data that needs stronger protection, that perhaps has a higher cost associated with it? And what types of data perhaps aren't quite so critical, where ease of use and inexpensive implementation may be stronger factors?
One other piece to that is obviously you really need to make sure you're locking down any concept of privilege escalation, because if the user can get in with a password and then go sideways across your network to access some of those more privileged resources, that's definitely a no-no. So back to the original question of what is strong authentication: I think that's actually the wrong question to be asking. The better question that should be asked is, what is strong enough authentication?
So ideally, strong enough authentication would mean that the cost of hacking that authentication is greater than the value of the resources that can be obtained as a result. And this is a really interesting point, because in most cases organizations tend to think about the value of their resources to themselves, and how much they are worth to them if they were perhaps to lose them or have them be wrong. But there are examples where the value of the resource to a hacker was greater.
I didn't find the link, unfortunately, but there was a story a number of years ago of a hacking group that hacked a taxi driver system in New York City, which maintained things like where people are picking up taxis and how often and at what time, so that the taxi system could use this to try to have their taxis positioned in the right place to be the company that got the fare. What the hackers did is they collected that information and compared it with other geographical information to figure out who was taking taxis to visit perhaps other people they shouldn't have been visiting, in this case.
The value of that resource was more to the hacker, and they were willing to invest more money into attacking the system than the system owners thought they would. Now, that ideal is rarely implementable, partly because costs are very difficult to obtain, but partly because, as an organization, you need to make sure you're not spending all of your available funds just on security. So the reality is that strong enough authentication really means that you've balanced what the cost of a successful attack is versus what the cost to mitigate that attack is,
looking at things like reputation, as well as the actual cost of, say, losing access to a very important piece of data. And it's important to think about cost in more terms than just dollars. Reputation: it's interesting, with a lot of companies that have suffered a major hack, the reputation tends to recover over time, but that can be expensive in the short term. I think the more important piece of this is, in some cases, are the users going to come back, or are the users going to go to the competition?
So it's really important to think about what strong enough authentication is for the specific set of data that you've identified as part of your zero trust analysis. So getting back to that zero trust piece, how does this authentication connect with zero trust?
I think the biggest area really is in the data management area of zero trust. That first step towards implementing a zero trust architecture, in every article and every system that I've read, is really understanding what your high-value resources are, and how can you make risk-based decisions if you haven't yet identified what those resources are and what the value is, so that when you look at things like cost-benefit analysis, you have the data to make that decision. Obviously, a second area
that I think is very important from a zero trust perspective, and looking at strong enough authentication, is the endpoint piece. And in my mind, this is a really important element that zero trust brings into the security equation, which is that authenticating your endpoints and making sure that you understand what the risk of the endpoint is, is a part of your authentication factor. So if I have an endpoint that is managed internal to my network, I, as an organization, completely control what's loaded on that system.
I have a different risk factor than if that endpoint is a public library, or even somebody's cell phone that they've downloaded whatever the latest cool-looking game is onto. And you have to make assumptions that that endpoint is potentially compromised. So integrating the endpoints and understanding how to manage those endpoints as part of the risk decision is a really key factor. And then, of course, there is the identity management piece of zero trust.
And one of the points that I think often gets lost in the multifactor authentication discussion is that the technology used to authenticate your users is only one piece of the identity management puzzle. Identity proofing is also important. I have seen instances where the authenticator that I'm using to get in is multifactor, but the process for resetting my authentication is single factor. So I'm not necessarily getting all the benefits of that multifactor authentication action
if all I need to do to reset it is, you know, a single-factor hack: an email, and I can give myself a new multifactor authenticator set. So it's really important to look at the whole process, not just the specific technology at the end of the game.
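The talk's closing point about single-factor reset flows, together with its earlier "strong enough for this data" risk-assessment step, as an added example that is not part of the talk or of KuppingerCole's material: a small Python audit that scores every path to a usable credential on the coarse AAL1/2/3 scale the speaker summarises from the NIST guidelines and reports the weakest one. The factor catalogue, the sample accounts and the required level are constructed assumptions.

```python
"""Effective assurance of an account is bounded by its weakest path to a
usable credential, reset and recovery flows included. Added example, not
from the talk; factor catalogue and sample accounts are constructed, and
the AAL scale is the coarse one the talk summarises from the NIST guidelines:
single factor = 1, two factor types = 2, two types incl. hardware crypto = 3."""

# Constructed: which kind of factor each method proves. An e-mail link or
# SMS code only proves possession of a mailbox or number, so alone it is AAL1.
FACTOR_TYPE = {
    "password": "knowledge", "security_question": "knowledge",
    "email_link": "possession", "sms_otp": "possession", "totp_app": "possession",
    "fido2_hardware_key": "hardware_crypto", "smart_card": "hardware_crypto",
}


def path_aal(factors):
    """Coarse AAL of one path, from the distinct factor types it requires."""
    types = {FACTOR_TYPE[f] for f in factors}
    if len(types) < 2:
        return 1
    return 3 if "hardware_crypto" in types else 2


def effective_aal(paths):
    """paths: each way of ending up with a working credential (login,
    reset, recovery...) -> factors demanded. Returns (lowest AAL, path name)."""
    weakest = min(paths, key=lambda name: path_aal(paths[name]))
    return path_aal(paths[weakest]), weakest


def audit(paths, required_aal):
    """The 'strong enough' test: does the weakest path still meet the level
    the risk assessment of the protected data demands?"""
    level, weakest = effective_aal(paths)
    return {"effective_aal": level, "weakest_path": weakest,
            "strong_enough": level >= required_aal}


# Constructed samples: MFA at login with a one-click e-mail reset (the
# situation the talk describes), and the same account with a two-factor reset.
MFA_WITH_WEAK_RESET = {"login": ["password", "totp_app"], "reset": ["email_link"]}
MFA_WITH_MFA_RESET = {"login": ["password", "totp_app"],
                      "reset": ["email_link", "security_question"]}

if __name__ == "__main__":
    print("weak reset :", audit(MFA_WITH_WEAK_RESET, required_aal=2))
    print("fixed reset:", audit(MFA_WITH_MFA_RESET, required_aal=2))
```

Run against a real account, the audit would take every self-service reset, recovery and help-desk path as an entry in `paths`, since each one ends in a credential the attacker can use at the primary login.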