Hacking is a contest of opportunities. Security is a contest of probabilities. The stakes for both are high. Bad actors keep an eye out for flaws in a system or a human weakness to burrow into. Each data request has the potential to be a mask, a deception wherein an identity has been compromised. Even tech giants like Microsoft have experienced data breaches resulting from conventional authentication methods. In this battle of odds, IAM security relies upon perimeters built around each individual identity. Multi-factor authentication (MFA) swings those odds heavily into the favor of the defenders.
For travel agencies and hospitality services, verifying the identities of customers is critical. Without sufficient checks, tight travel plans and expensive accommodations can be snatched away. If an issue arises, your customers become acutely aware of any delays or shortcomings in your response. A customer who might have looked to your services for years to come instead spreads word of their bad experience. Conversely, a customer who enjoys a frictionless and secure digital experience are more likely to develop brand loyalty and even advocacy.
The travel and hospitality industry is not the only sector which has observed considerable benefits from adopting MFA. Industries ranging from healthcare to finance have leveraged multi-factor authentication to great effect. Banking security, confidential patient information, and even self-service password recovery are protected by multiple layers of authentication. As the feature becomes a staple of secure identity and access management, transport and guest enterprises cannot afford to lag. However, recognizing the need and addressing it are worlds apart.
Are you contemplating where to start on your own multi-factor authentication rollout? Do you know what assets need to be provisioned or evaluated? Education is your first step towards successful multi-factor authentication rollout. Memorize these 5 critical multi-factor authentications directives and execute them. Doing so saves you time, prevents costly reworks, and avoids frustrating your end-users.
1. Your Multi-factor Authentication Server
A dedicated central repository, providing a single source of truth, forms the foundation of your MFA. Without a reliable and well-ordered server, the different facets of identity quickly become muddled. The last thing you want is for devices to be associated with the wrong credit card. Or, worse still, for personal info to be unsecured. As such, implementing a solid multi-factor authentication server (preferably backed by a solid identity governance and access platform) is key.
The MFA server is the “brain” that drives all policy decisions and functionality. Think of it as the airline you choose to ride on your journey to the multi-factor authentication finish line. You don’t want to choose an airline that will tear apart mid-flight. Instead, you want one that provides a comfortable experience and gets you where you’re going. The solution must be flexible enough to process meaningful identity data, such as location, time of use, and password veracity.
This “brain” should have broad out-of-the-box integrations to various common endpoints. This maximizes use of its capabilities in all facets of your identity and access management landscape. The multi-factor authentication server should be accessible to your on-premises and cloud applications, services, and servers. For example, a cloud-only check-in app may need to interface with an on-sight TSA program. A central MFA server alleviates any potential difficulties of fitting these pieces together. However, your choice must be informed by an expert IAM opinion.
2. Your Multi-factor Authentication Clients
Multi-factor authentication clients are the various devices end users interact with using the MFA server for proper authentication vetting. A capable server supports myriad client devices and identification techniques. These devices include desktops, laptops, tablets, mobile phones, grid cards, smart cards, RFID cards, key fobs, hard tokens, soft tokens, and biometric readers. The ID techniques range from simple password checks to cutting edge biometrics.
Mobile phones are becoming a very popular option for multi-factor authentication. Smartphones are not only ubiquitous but also support many of the identification techniques that normally require deployment of additional hardware. This is especially true for one-time password (OTP) & biometric options. Be sure to confirm support for all the client devices that are most common during your rollout. This minimizes your challenges with leveraging your MFA server before you make your selection. After all, it would be a shame for clients to try to check in your front desk only to find that your system does not support Android. Do not neglect your customer identity and access management solution.
Also, make sure to select the right identification techniques based on your user populations and factor in the deployment time and cost. Authentication methods such as password-complexity requirements are simple to implement but can cause friction. More complicated yet effective methods, such as biometrics and single sign-on (SSO), are more difficult to implement on your own. Your best option, but most challenging to institute, is an adaptive multi-factor authentication platform. Adaptive MFA scales authentication requirements in response to carefully tuned criteria. However, that kind of platform is both difficult to design and implement. In such cases, a managed identity service provider may be needed for an effective implementation.
3. VPN and SSO Integration
Remote access is typically the first use case out-of-the-gate for MFA integration. Most companies already have a VPN (virtual private network) gateway in place. Your choice of VPN is your “stake in the ground” decision for making your MFA server decision. Ideally you would pick your MFA server first to maximize your capabilities. You should also consider implementing a cloud infrastructure and entitlements managements (CIEM) platform. Due to the remote nature of your server, it is only responsible to set up a security perimeter for it.
You may be fortunate enough to be at an inflection point. This is where your current technology is due for an upgrade or replacement. As such, it makes sense to re-prioritize your VPN selection based on your MFA selection. Going with a capable MFA server yields the benefit of a wide range of out-of-the-box integrations with popular VPN platforms. VPN service providers such as Nord, Express, and Palo Alto are easy to set up. However, secure integration with your full identity fabric requires some tinkering to maximize your results. Additionally, you should couple your MFA to a proper SSO. So long as special care is taken to ensure that your SSO does not compromise the security of your MFA, it can work wonders for user experience.
Consider a hypothetical (yet common) situation wherein an airline traveler needs to quickly retrieve their ticket information. Having to sign in first on the airport’s website, then onto their airline’s profile, and yet again for individual passengers creates friction. It is frustrating and potentially slow enough to make them miss their flight. Single sign-on (SSO) remediates this issue. The combination of adaptive MFA and SSO is the baseline of modern cybersecurity. Each contributes to security while also easing friction for users and synergizes well with PIM. However, this marriage requires a crucial link: a privileged access management (PAM) solution. Without a suitable PAM overseeing your identity fabric, your platform lacks the comprehensive analytics necessary for reactive identity authentication.
4. Application Access Management Integration
Identities are not the only facet of your enterprise which play a part in your multi-factor authentication solution. Application access management integration is a crucial integration point for MFA. Having an access management solution in place is a best practice for managing access to applications, especially web applications. Application-focused access management do not only serve to link disparate applications into a single platform. They also aid in the onboarding of new applications, ensuring that security standards are maintained, and processes do not conflict with each other.
Integrating your MFA solution with an access management solution provides an efficient mechanism for providing MFA capabilities at the individual application level. Since access management solutions form the authentication and authorization backbone for internal and external applications, this essentially extends your MFA capability to internal and external users in an efficient manner. Access management is of such profound importance that there is something to be said for prioritizing it even over a multi-factor authentication rollout.
Because access management forms the ground-level of IAM, it makes sense to establish it first and then add on MFA afterwards. Of course, this assumes that your enterprise does not already have an active access management system. However, if that is the case, it carries its own set of challenges. Your existing system must first be checked for security gaps and then for potential vulnerabilities that could arise from MFA integration. An IAM audit should be performed to assess the full scope and needs of your identity platform.
Acing Your Multi-Factor Authentication Rollout
Taking these 5 considerations into account when you are looking at your MFA solution will lead to a much less bumpy road for your end users. IT admins can rest easier, knowing that the identities under their stewardship are that much more secure. Meanwhile, customers enjoy fewer pain points and less friction in their experience with their travel and hospitality service providers.
The result will be a consistent MFA end user experience for your users across the enterprise and a sound technical approach to solving the most common MFA use cases.