
Multi-factor authentication (MFA)—or the use of more than one identifying factor when someone requests access to secure resources—is critical to thwarting credentials-related attacks, complying with cybersecurity regulations, and keeping resources safe. By requiring an additional authentication factor (or factors) beyond a simple username/password combination, MFA creates another hurdle for would-be attackers attempting to gain access. MFA has been extremely effective since its wide adoption over the last couple of decades; in one study, it proved successful in keeping more than 99.99% of accounts secure.

MFA’s effectiveness in stopping attacks constantly inspires attackers to devise increasingly complex tactics and create new avenues of attack that will circumvent an organization’s defenses. The good news is that MFA is also constantly adapting to meet emerging challenges. In this post, we’ll look at the MFA trends we’re seeing on the horizon, including the challenges that MFA will have to account for, new MFA methods, and the considerations that organizations will need to weigh when evaluating MFA innovations.

5 Key trends shaping the future of MFA

1. Adaptive authentication

Adaptive authentication evolved from traditional MFA as a way of increasing security without increasing the burden on users. It’s an advanced form of MFA that dynamically responds to someone presenting credentials for access, based on the level of risk associated with the access attempt. For example, if you’re logging in on your usual device from your usual location, adaptive MFA will recognize this and grant access without requiring an additional authentication factor.

But if you’re logging in from an unrecognized device in an unfamiliar location, or using a different browser or network than usual, adaptive MFA may prompt you to provide an additional authentication factor. Sometimes this additional factor is referred to as “step-up authentication,” as the system’s authentication requirements increase in real time along with the risk. As threats continue to evolve, we expect more organizations to deploy adaptive authentication to ensure that their security is keeping pace with threats.

Adaptive MFA provides stronger security than static authentication methods and policies. By dynamically adapting to threats in real time, adaptive MFA can detect and block sophisticated attacks such as credential stuffing and phishing, and it can reduce the MFA fatigue attackers exploit when they bombard users with authentication prompts until one is approved for a malicious log-in attempt. In addition to improving security, adaptive authentication also enhances the user experience by reducing the number of verification prompts users must deal with.

2. Context-aware authentication

Context-aware authentication is a component of adaptive authentication that can also be expected to become a mainstay of MFA. Not unlike adaptive authentication, context-aware authentication analyzes various data points to make authentication decisions, including:

  • Device type: Is the login coming from a known device?
  • Location: Is the user logging in from a known location?
  • IP address: Is the IP associated with a VPN?
  • Time of access: Is the login happening at an unusual time?
  • Behavior: Does the typing speed or mouse movement reflect usual behavior?

While both context-aware and adaptive authentication analyze login information, there’s one big difference that sets the two apart: Context-aware authentication checks and reports on login conditions but doesn’t necessarily adjust security dynamically based on the context it detects—leaving it instead to a human response to act on the information. Adaptive authentication, on the other hand, is a real-time, AI-driven capability that can change authentication and make risk adjustments in the moment, including blocking high-risk logins automatically.
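An added example (not RSA's code) of the two layers just described: a context-aware function that evaluates the five listed signals and only reports them, and an adaptive policy that acts on the resulting score in real time with allow, step-up or block. The user profile, the signal weights, the thresholds and the prompt-rate cap are assumed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed baseline profile for one user (assumed values).
KNOWN_PROFILE = {
    "devices": {"dev-laptop-01"},
    "countries": {"US"},
    "corp_networks": [ip_network("10.0.0.0/8")],
    "work_hours": range(7, 20),   # local hours when logins are expected
    "typing_cps": (4.0, 8.0),     # usual typing speed, characters per second
}

# Assumed weights per signal and thresholds for the adaptive policy.
WEIGHTS = {"unknown_device": 40, "unknown_location": 30, "offnet_or_vpn": 15,
           "unusual_time": 10, "unusual_behavior": 20}
STEP_UP_AT, BLOCK_AT, MAX_PROMPTS_PER_10MIN = 20, 60, 3

@dataclass
class LoginContext:
    device_id: str
    country: str
    source_ip: str
    hour: int            # local hour of the attempt, 0-23
    typing_cps: float    # typing speed observed during the attempt
    ip_is_vpn: bool = False

def context_report(ctx: LoginContext, profile=KNOWN_PROFILE) -> dict:
    """Context-aware layer: evaluate each signal and report it; takes no action."""
    lo, hi = profile["typing_cps"]
    on_corp_net = any(ip_address(ctx.source_ip) in n for n in profile["corp_networks"])
    return {
        "unknown_device": ctx.device_id not in profile["devices"],
        "unknown_location": ctx.country not in profile["countries"],
        "offnet_or_vpn": ctx.ip_is_vpn or not on_corp_net,
        "unusual_time": ctx.hour not in profile["work_hours"],
        "unusual_behavior": not (lo <= ctx.typing_cps <= hi),
    }

def risk_score(signals: dict) -> int:
    """Sum the weights of the signals that were raised."""
    return sum(WEIGHTS[name] for name, raised in signals.items() if raised)

def adaptive_decision(ctx: LoginContext, prompts_last_10min: int = 0,
                      profile=KNOWN_PROFILE) -> str:
    """Adaptive layer: act on the score in real time -> 'allow', 'step_up' or 'block'."""
    score = risk_score(context_report(ctx, profile))
    # A burst of prompts in a short window is the MFA-fatigue pattern: stop prompting.
    if prompts_last_10min >= MAX_PROMPTS_PER_10MIN or score >= BLOCK_AT:
        return "block"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"
```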

3. Passwordless authentication

Hard for users to remember and easy for attackers to guess, passwords have become a weak link in authentication, especially with the number of resources requiring secure access skyrocketing. Passwordless authentication addresses this dilemma by verifying identities without relying on passwords; passwordless authentication processes use a broad range of non-password-based factors, including tried-and-true hardware tokens, generated one-time passcodes (OTPs), and app-based actions such as push-to-approve. The more passwordless options, the greater the opportunity for enterprises to tailor passwordless environments to their specific needs or to specific user groups.

Passwordless authentication is evolving in sophistication and effectiveness. One trend we see influencing the evolution of MFA is more organizations using passwordless methods to improve user experiences. For example, watch for enterprises to increasingly move towards passwordless logins via biometrics as a means of better securing internal systems, fighting phishing, and maturing their Zero Trust posture.

Passkeys provide another path to improving enterprise security via passwordless authentication methods. Once primarily associated with the consumer experience, they’re increasingly part of MFA’s future, particularly in enterprise use. The key to organizations successfully deploying passkeys is leveraging solutions suitable for enterprise use and maximizing security.

To that end, organizations should typically use device-bound passkeys rather than passkeys that are freely synced across multiple devices.

4. Decentralized identity (DID)

The combination of decentralized identity (DID) and blockchain technology is set to influence MFA’s evolution. In a DID environment, users own and control their identity themselves rather than relying on a centralized authority, such as a database or large tech platform. For example, instead of logging into a resource using an organizational account, a user can add verified credentials to a decentralized wallet, using the blockchain as a tamper-proof ledger for authentication records.

A DID + blockchain approach has the potential to improve MFA in a number of ways. By eliminating the presence of a central authority that controls authentication data, it reduces the risk of data breaches. It also supports passwordless authentication, by verifying identity through blockchain-stored cryptographic keys. And because it uses securely stored private keys for authentication, it can render phishing attacks useless.

5. Emerging technologies in MFA

Several emerging technologies have tremendous potential to impact MFA—both for better and for worse. On the positive side, AI is helping enable proactive, adaptive, and automated threat detection; as cyber threats evolve, AI-driven systems will hold the key to real-time threat defense. There’s another side to that coin, though: cyber attackers can also use AI to create new and more powerful threat mechanisms. Notably, however, the vast majority of cybersecurity professionals in a recent RSA survey (80%) reported that they expect AI to do more to empower cybersecurity than to abet cybercriminals over the next several years.

The use of IoT and connected devices as MFA factors also presents both potential benefits and potential threats to authentication. IoT devices have a key part to play in enabling proximity-based authentication (think smartwatches unlocking laptops); context-aware access (where IoT sensors verify users based on location and other factors); and zero-touch authentication, in which devices automatically recognize authorized users. At the same time, though, by virtue of its interconnectedness with multiple devices and resources, IoT can also open more paths for introducing authentication risk.

One area of emerging technologies that is unambiguously a potential problem for MFA is quantum computing, which poses a serious threat to the encryption techniques that secure MFA systems. Fortunately, however, there have been no verified uses of quantum computing to break encryption or MFA. And, given that quantum computing requires more resources than are currently available, the technology is still in its infancy—and any risks it poses to MFA or encryption are still purely theoretical. NIST has said that 2048-bit keys should continue to offer sufficient protection through at least 2030, and most modern web browsers can support 4096-bit keys should the need arise.

Moreover, work is well underway to make MFA quantum-resistant, including steps NIST is taking to standardize quantum-resistant algorithms on which quantum-safe MFA protocols can be built. The agency has released new post-quantum FIPS cryptography standards (FIPS 203, FIPS 204, and FIPS 205). Organizations should review this guidance and begin implementing it today.

Start future-proofing your MFA program now

How will you make sure your authentication capabilities are up to the challenges MFA faces today—and the new risks evolving to bypass it?

Your defense starts with simply being aware of and staying on top of those trends—and continues with taking the right steps to stay ahead of them. That means adopting MFA advances like adaptive authentication, moving to passwordless authentication, and exploring emerging MFA-related technologies to understand the benefits they may bring and the risks they could pose. As always, RSA is here to help.
