Multi-factor authentication (MFA) requires users to present two or more verification factors before gaining access to a website or application, so a stolen username and password alone is not enough for an account takeover. Phishing-resistant MFA goes a step further: the second factor is one that a fake login page cannot capture and replay. With compromised credentials behind roughly 90% of breaches, MFA is table stakes at this point.
That is why you are seeing such a shift in the regulatory landscape. PCI DSS 4.0 requires MFA for everyone, everywhere in the cardholder data environment from April. NIS2 lists MFA or continuous authentication among its mandatory measures from October. The US federal government's zero trust guidance mandates phishing-resistant MFA for agencies. SOC 2 and ISO 27001 auditors expect it. The list goes on.
The big one for BPOs is PCI DSS 4.0. As David Buerckner, CISO at ProbeCX, one of Australia's leading BPOs, said recently on a podcast focused on BPO security and compliance, you primarily need to focus on whichever set of rules is the most stringent. For BPOs that is PCI DSS 4.0, which now says you need MFA for everyone, everywhere: not just your employees at home but everyone in the contact center, too. This is a big change, as most BPOs don't use MFA in their secure facilities. Those that do either use phones, breaking their clean-desk policies, or use desktop authenticators and give up shared desktops / floating desks.
Phishing-resistant MFA is crucial for BPOs because they handle sensitive customer and credit card data for their clients, most of whom are Fortune 500 companies. A customer data breach can lead to substantial financial losses and reputational damage. The average cost of a breach is $9.4m, and examples abound of BPO breaches costing 5-10x that amount, like in this article from Nearshore Americas. Phishing-resistant MFA makes it much harder for cybercriminals to get into BPO systems by requiring proof of identity through a factor that cannot be captured and replayed the way a password or a one-time code can.
Traditional MFA is far too easy to get past. You think you're secure, and you're simply not. Google's security research team found that SMS codes stopped only 76% of targeted attacks and phone-based on-device prompts 90%, meaning a targeted attacker succeeds 24% and 10% of the time respectively. Considering the average company gets targeted 5 times per year, and BPOs are one of the most targeted groups, you are basically asking to be breached unless you get serious.
There are three common options for phishing-resistant MFA, but only two that BPOs can seriously consider. Below I lay out the pros and cons of each to help BPOs decide which fits their security posture:
- Hard tokens - Physical devices that generate authentication codes
- Behavioral solutions - Services that use machine learning to analyze how you type or move the mouse to allow/deny access
- Phone-based solutions - phishing-resistant options exist (passkeys / FIDO2 on the handset) but fall foul of clean desk policies
Hard Tokens
Hard tokens are physical devices, separate from the workstation, that authenticate the user. They are among the most secure forms of multi-factor authentication (MFA) because the secret lives on the token rather than on the workstation the user types on, where malware could read it. One distinction matters within this category: a token that displays a one-time code (OTP) is still phishable, because the user can be talked into typing the code into a fake page that relays it to the real site within the same time window. The phishing-resistant kind is a FIDO2/WebAuthn security key, which signs a challenge bound to the site's origin and never gives the user a code to type.
The main advantages of using hard tokens for MFA include:
- Very secure: the credential never leaves the token, so workstation malware cannot copy it, and with a FIDO2 key the origin binding defeats phishing outright.
- Nothing is stored on the workstation, so there is no software credential for an attacker to exfiltrate.
- Hard to clone, so credential stuffing and other automated attacks fail without the physical device.
- PCI & Clean Desk Compliant - hard tokens meet both PCI and clean desk policy requirements
However, hard tokens also have some downsides for BPOs:
- More expensive than software solutions: a physical device must be purchased for each user, replacement costs are high (loss, breakage and replacement rates above 5% per month are regularly seen in the BPO industry), and the devices are normally depreciated over a 3-year period.
- Users misplace or lose the devices, which disrupts access until a replacement is issued, often hours of downtime.
- Logistics and taxes are involved with purchasing, configuring, and shipping devices.
Overall, hard tokens offer excellent security with minimal vulnerabilities, but can be burdensome for users and expensive to deploy and manage particularly for BPOs.
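To make concrete why an OTP-displaying token is still phishable while an origin-bound key is not, here is an added example. It is not code from the original post and not any vendor's product: it implements RFC 4226/6238 one-time passwords on the Python standard library and a deliberately simplified WebAuthn-style assertion. The authenticator's signature is stood in for by an HMAC over a device secret that the relying party also holds; a real FIDO2 authenticator signs with a private key and the relying party verifies with the registered public key, but the origin check that defeats a relay is the same. The names RP_ID, bank.example and evil.example are assumptions for illustration.

```python
import hashlib
import hmac
import json
import secrets
import struct


# --- OTP tokens (RFC 4226 HOTP / RFC 6238 TOTP) ---------------------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then the RFC 4226
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def otp_site_accepts(seed: bytes, submitted_code: str, now: int) -> bool:
    """All the real site can check is that the code matches the seed for the
    current time step; it has no way to know where the user typed it."""
    return hmac.compare_digest(submitted_code, totp(seed, now))


def otp_phishing_relay(seed: bytes, now: int) -> bool:
    """The victim reads the code off a hard token and types it into a fake
    login page; the attacker forwards it to the real site within the same
    30-second step. Returns True when the real site lets the attacker in."""
    code_typed_into_fake_page = totp(seed, now)  # the victim's own token output
    return otp_site_accepts(seed, code_typed_into_fake_page, now)


# --- origin-bound authenticator (WebAuthn-style, simplified) ----------------

RP_ID = "bank.example"                 # assumed relying-party identifier
RP_ORIGIN = "https://bank.example"     # the only origin the RP will accept


def authenticator_sign(device_key: bytes, rp_id: str, client_data: bytes) -> bytes:
    """Stand-in for the authenticator's signature over
    rpIdHash || SHA-256(clientDataJSON). A real key signs with an asymmetric
    private key; HMAC is used here only so the example needs no extra library."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    signed = rp_id_hash + hashlib.sha256(client_data).digest()
    return hmac.new(device_key, signed, hashlib.sha256).digest()


def browser_assert(device_key: bytes, page_origin: str, challenge: str):
    """The browser, not the user, builds clientDataJSON and stamps in the origin
    of the page that requested the assertion. The user cannot edit it, so a
    fake page cannot claim to be bank.example."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True).encode()
    return client_data, authenticator_sign(device_key, RP_ID, client_data)


def rp_verify(device_key: bytes, issued_challenge: str,
              client_data: bytes, signature: bytes) -> bool:
    """Relying-party checks: right ceremony type, our own fresh challenge,
    our own origin, and a valid signature over the client data."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != issued_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:   # the check that defeats a relay/proxy
        return False
    expected = authenticator_sign(device_key, RP_ID, client_data)
    return hmac.compare_digest(expected, signature)


def webauthn_login(device_key: bytes, page_origin: str) -> bool:
    """One login ceremony: the RP issues a random challenge, the browser at
    `page_origin` obtains an assertion, the RP verifies it."""
    challenge = secrets.token_urlsafe(32)
    client_data, signature = browser_assert(device_key, page_origin, challenge)
    return rp_verify(device_key, challenge, client_data, signature)


if __name__ == "__main__":
    seed = b"12345678901234567890"          # RFC 6238 test seed
    print("HOTP(counter=0):", hotp(seed, 0))                  # 755224
    print("TOTP(t=59, 8 digits):", totp(seed, 59, digits=8))  # 94287082
    print("OTP relayed via fake page accepted:", otp_phishing_relay(seed, 1_700_000_000))
    key = secrets.token_bytes(32)
    print("WebAuthn from bank.example:", webauthn_login(key, RP_ORIGIN))
    print("WebAuthn relayed from evil.example:", webauthn_login(key, "https://evil.example"))
```

The OTP relay succeeds because the code carries no information about where it was entered; the WebAuthn relay fails because the origin is baked into the signed data by the browser. In practice a real browser would refuse the request from evil.example even earlier, since bank.example is not a valid RP ID for that page, so the attacker never gets an assertion to forward.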
Behavioral Authentication
Behavioral authentication (note: this is what Twosense does) is a form of multi-factor authentication (MFA) that verifies a user's identity from unique aspects of their behavior, such as how they type or move their mouse. It analyzes the user's natural patterns of interaction to build a profile and then flags deviations from that profile as suspicious.
Behavioral MFA provides continuous, persistent authentication by constantly monitoring how someone interacts with their device. Even if credentials are compromised, a fraudster using them still has to reproduce the user's distinct behavior, which is exactly what the model is built to detect.
- Continuous & automatic - two big gaps in traditional MFA are that users hate it, because it adds extra steps and friction (Jeff Schilling's white paper with MIT covers this well), and that it only happens 5-6 times a day rather than continuously,
- Frictionless - one of the big challenges with adding security is that it usually makes the user experience worse. Behavioral MFA makes it possible to be more secure while improving the user experience,
- Software only - being software only without relying on a phone has big advantages for BPOs, especially paying only for what you use instead of buying hardware for the peak number of users you will have in a year,
- PCI & Clean Desk Compliant
There are also things to check when evaluating behavioral vendors:
- Continuous learning - some approaches have a very limited learning or enrollment period for a user's behavior (e.g. "re-type this paragraph") that does not cover all the ways a single user can behave, so the profile quickly becomes unreliable over time. Make sure the vendor keeps learning the user's behavior after enrollment.
- Behavior as a factor - many implementations provide an additional layer of security but cannot operate as a stand-alone MFA factor, and so won't satisfy compliance or client requirements.
- Enterprise support - many behavioral solutions are not designed for the enterprise IDAM use case.
- Agent enrollment - deployment and enrollment can be completely passive, but some products are not, and need agent education, training and cajoling ("please enroll and go through this flow").
Behavioral authentication allows for highly secure passive authentication that requires no effort from users beyond their normal device interactions.
Compared to traditional methods, behavioral authentication removes the need to carry additional tokens, wait for SMS codes, or remember PINs. It authenticates users completely in the background, providing a frictionless user experience. And because there is no code or token for an attacker to talk the user out of, it removes that class of social engineering along with the fraud risk and cost that follow from it.
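The behavioral approach described above, together with the continuous-learning caveat from the list, as an added toy example. This is not the original post's code and not Twosense's model; the features, threshold and update rule are assumptions chosen for illustration, and the keystroke data is constructed inline. It builds a profile from keystroke timings (dwell: how long a key is held; flight: the gap between one key's release and the next key's press), scores a new session by its mean absolute z-score against the profile, and optionally moves the profile toward each accepted session so that gradual, legitimate drift in the user's typing does not lock them out.

```python
import random
from statistics import mean, pstdev

FEATURES = ("dwell_mean", "dwell_sd", "flight_mean", "flight_sd")


def session_features(events):
    """events: list of (key, press_ms, release_ms) in typing order.
    dwell = how long a key is held; flight = gap from one key's release to
    the next key's press. Returns per-session summary statistics in ms."""
    dwell = [rel - press for _, press, rel in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return {"dwell_mean": mean(dwell), "dwell_sd": pstdev(dwell),
            "flight_mean": mean(flight), "flight_sd": pstdev(flight)}


def enroll(sessions, sd_floor=1.0):
    """Profile = per-feature (mean, spread) across the enrollment sessions.
    sd_floor stops a near-constant feature from producing huge z-scores."""
    feats = [session_features(s) for s in sessions]
    return {f: (mean(x[f] for x in feats),
                max(pstdev(x[f] for x in feats), sd_floor))
            for f in FEATURES}


def deviation(profile, session):
    """Scaled-Manhattan style score: mean absolute z-score over the features."""
    x = session_features(session)
    return mean(abs(x[f] - mu) / sd for f, (mu, sd) in profile.items())


def verify(profile, session, threshold=3.5, learn_rate=0.0):
    """Return (accepted, score). With learn_rate > 0, an accepted session
    nudges the profile means toward itself (exponential moving average);
    rejected sessions never touch the profile."""
    score = deviation(profile, session)
    accepted = score <= threshold
    if accepted and learn_rate > 0:
        x = session_features(session)
        for f, (mu, sd) in profile.items():
            profile[f] = ((1 - learn_rate) * mu + learn_rate * x[f], sd)
    return accepted, score


def synth_session(rng, dwell_mu, flight_mu, dwell_sd=12, flight_sd=30, n=40):
    """Constructed keystroke timings for one typing session (not real data)."""
    events, t = [], 0.0
    for i in range(n):
        press = t
        rel = press + max(20.0, rng.gauss(dwell_mu, dwell_sd))
        events.append((f"k{i}", press, rel))
        t = rel + max(10.0, rng.gauss(flight_mu, flight_sd))
    return events


def demo():
    """Enroll a user, test a genuine session and an impostor with the same
    password but different hands, then let the user speed up over 30 sessions
    and compare a frozen profile with one that keeps learning."""
    rng = random.Random(7)
    profile = enroll([synth_session(rng, 95, 140) for _ in range(10)])
    genuine = verify(dict(profile), synth_session(rng, 95, 140))[0]
    impostor = verify(dict(profile), synth_session(rng, 60, 220))[0]
    static, adaptive = dict(profile), dict(profile)
    static_ok = adaptive_ok = True
    for i in range(1, 31):
        s = synth_session(rng, 95 - 40 * i / 30, 140 - 40 * i / 30)
        static_ok = verify(static, s)[0]
        adaptive_ok = adaptive_ok and verify(adaptive, s, learn_rate=0.5)[0]
    return {"genuine": genuine, "impostor": impostor,
            "static_last": static_ok, "adaptive_all": adaptive_ok}


if __name__ == "__main__":
    print(demo())
```

The adaptive mode is also where the security caveat lives: an attacker who gets one session accepted can start walking the profile toward their own behavior. That is why the update only runs on accepted sessions, why the learning rate should be bounded, and why a production system would keep an out-of-band record of the enrollment baseline rather than overwriting it.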
Phone Based Solutions
Phone-based solutions are the most common you will see. Everyone has a phone, so it makes things easy, except when you don't have your phone or can't use it. That is the problem BPOs face with clean desk policies, client pressure and fraud concerns. You do see phones used in some cases, such as at home, but normally with options that leave a lot to be desired from a security standpoint: personal phones with authenticator apps. Phishing-resistant phone options exist and are recommended over the authenticator apps.
- Ubiquitous - Most people already have a phone
- Convenient - Users don't have to carry around another device just for MFA. Their phone is likely already with them at all times.
- Included - Mobile MFA is fairly commoditized and will usually be included at no charge in another license.
- Familiar - most users have experience with mobile-based 2FA and don't require training
The problems for BPOs:
- Phones are not allowed in a contact center, as they don't meet clean desk policies
- Phones are normally BYOD, so the business has no way to ensure they are not compromised
- If a phone is used, the burden often falls on the BPO to subsidize the cost of the phone or purchase a new one
Phones provide a convenient and ubiquitously available option for MFA that users already have on hand. However, for BPOs you quickly run into problems with clean desk policies, fraud risk and client pushback.
As we have seen, there are only really two options for phishing-resistant MFA when securing BPO access. Each has its own pros and cons.
Hard tokens provide strong security, but can be inconvenient and costly. Behavior & AI-powered solutions like Twosense are emerging as a way to get both security and convenience.
A very interesting trend I am also seeing is combining behavior-based solutions with desktop or browser-based authenticators to meet the security and compliance requirements. On their own, those authenticators don't meet PCI compliance and come with several operational limitations (no floating desks / shared endpoints), but together the two are interesting.
When selecting an MFA approach, it is important to weigh factors like:
- Security level needed - is a high-assurance hardware token necessary for your use case?
- Costs per user - what will the total cost be, not just the headline number?
- User experience - will employees be frustrated with tokens, or appreciate convenience?
- Implementation difficulty - the only thing worse than an expensive solution is an unsuccessful solution.
- Recovery options - what happens when a device is lost, and how long the user is locked out.
I look forward to hearing your thoughts and anything you may agree or disagree with. If you want to speak further, just let me know. And before I go, a quick plug for the new BPO page we launched at Twosense - https://www.twosense.ai/bpo