Multi-factor Authentication MUST become a de-facto standard on corporate systems

Anyone who has an Apple product will know that Apple takes security seriously, and that they make it seamless from a user point of view. There’s no having to set up devices that are trusted; Apple seems to know the ones you use, and helps you when needed.

A change of password on a MacBook Pro flashes up a message on your iPad or your iPhone for your approval. The chances of someone getting direct access to two of your devices at the same time, without being detected (and being able to get into them before you disable them), are thus very low. I appreciate that you have to have more than one Apple device for this to happen, but it’s possibly a core reason that people trust Apple for security. They have set up a strong ecosystem of trust, and make it easy for the user.

Often, on an Apple device, there’s no need for virus scanners or IDS systems, as iOS keeps strong control over the applications it allows to run, and has a good trust model. Users thus feel safe.

Google, too, has done a great job here: you register your devices, and whenever there’s a change of your password on Google — which needs to be safe, as many of your passwords are stored there, along with your search history — an out-of-band authentication message appears on your device for you to approve. The great thing is that it flashes up on your phone, so you don’t have to go looking for it. There’s no entering of digits or fumbling around for SMS messages; you just press the button, and that’s it, and the web page automatically moves on. These are two computers working together, and the user sees the interaction in real time.
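To make the out-of-band flow concrete, here is an added example (my own sketch, not Apple’s or Google’s actual protocol) of the server-side logic: a password change requested on one device stays parked until a previously enrolled second device returns an approval bound to that exact request. The device identifiers, shared keys, 120-second window and message layout are all assumptions for the demo.

```python
# Added example (not from the post): a minimal model of the out-of-band approval
# flow described above. A password change on one device stays pending until a
# registered second device returns a signed approval. Device keys, users and the
# message format are all constructed for the demo; real products differ.
import hmac, hashlib, secrets, time

PENDING_TTL = 120  # seconds a push approval stays valid (assumed value)

class AccountService:
    def __init__(self):
        self.devices = {}    # device_id -> shared key (set at enrolment)
        self.pending = {}    # request_id -> pending change
        self.password = {}   # user -> password hash

    def enrol_device(self, device_id):
        key = secrets.token_bytes(32)
        self.devices[device_id] = key
        return key  # handed to the device once, at enrolment

    def request_change(self, user, new_hash, now=None):
        """First factor done; park the change and build the push payload."""
        rid, nonce = secrets.token_hex(8), secrets.token_hex(16)
        self.pending[rid] = dict(user=user, new_hash=new_hash, nonce=nonce,
                                 expires=(now or time.time()) + PENDING_TTL)
        return dict(request_id=rid, nonce=nonce, user=user, action="password change")

    def finalize(self, request_id, device_id, decision, tag, now=None):
        """Apply the change only on a fresh, correctly signed 'approve'."""
        req = self.pending.pop(request_id, None)   # single use: any outcome consumes it
        key = self.devices.get(device_id)
        if req is None or key is None:
            return "unknown request or device"
        if (now or time.time()) > req["expires"]:
            return "expired"
        expected = sign_decision(key, request_id, req["nonce"], decision)
        if not hmac.compare_digest(expected, tag):
            return "bad signature"
        if decision != "approve":
            return "denied by user"
        self.password[req["user"]] = req["new_hash"]
        return "changed"

def sign_decision(key, request_id, nonce, decision):
    """Device side: bind the user's choice to this exact request and nonce."""
    msg = f"{request_id}|{nonce}|{decision}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()
```

Because the tag covers the request id, nonce and decision, a captured approval cannot be replayed for a later request, and a request that was never approved within the window simply lapses.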

So this week I’ve been trying out Microsoft Authenticator, and, while it’s not as good as the Apple and Google offerings, it is a massive step forward for Microsoft-focused applications. I can now register it to be used with a range of, and then have it trigger actions when I log in or reset passwords.

What I liked is that, on my phone, the login to my email system checked my irises before it allowed me to access my email. I also needed my fingerprint to gain access to my phone, so the whole process just felt more secure than using a static username and password. Every so often, too, it challenges me for my biometric footprint before allowing access to my email.

Overall, I feel supported by some companies and the steps they are taking to move away from passwords, and I love it when GitHub prompts me to resync my account, or when I get instant messages about any changes to my account on my mobile device. Like it or not, your mobile device is one of the best authenticators of you that you have, so look after it.

Conclusions

Microsoft have been slow on this, but are now catching up. I appreciate that they are not in the privileged position of Apple or Google, but they really need to continue their development of the Authenticator product, and make it easier to use and to control. For now, it feels very much like a Version 1.0 product (I do appreciate that the current version is 6.2.8 — but it has not really been properly integrated up to now). Microsoft has the opportunity — hopefully — to scale across Apple, Android, and other systems, and hopefully create an authenticator that provides a single point of contact.

For now, we need multi-factor authentication as a de-facto standard on all our corporate systems, and out-of-band authentication of account changes.

For my own country … why doesn’t the UK government require that every organisation over a certain size must have multi-factor authentication for its login and email systems?