By Nelson Santini, BSI
To be clear; were it not for friction, we would have some serious problems trying to get moving or stopping. So yes; some (µ) friction is “ok”.
When it comes to cybersecurity, Multifactor Authentication (MFA) and the use of biometrics, one of the latest marketing buzzwords is “frictionless”. The obsessive overuse of this word in marketing advertisements would have you think that until recently, authenticating identity for digital access required a mortal sacrifice of some sort.
The truth of the matter is that the pendulum of MFA authentication difficulty was swinging so hard in the opposite direction, that we were just one attack away from “Get Smart” level security in order to log in to your corporate PC. (You saw the door sequence, didn’t you?)
· A thumb-print scan or 4-digit code to open your personal gym locker – sounds legit.
· Four people validating a series of nuclear attack orders with secret codes in “cookies”, kept in multiple nested safes to which no-one person would have full access at any time – sounds legit too.
Somewhere between the extremes, and depending on what or who is being protected, lives the practical level of “friction” and security that supports the case-appropriate MFA to support the “zero trust” standards.
I’m all for frictionless MFA authentication. I’m all for an experience that is seamless for the user, reducing the challenge authentication time.
I’m not for WD40 level frictionless when it comes to protecting higher value digital assets.
The good news – we can have our cake, and eat it too.
Some modern MFA technologies live squarely in the zone where the level of friction can be made commensurate to the risk and support the mission, without compromising its security.
Today we have:
Thumbprint scanners to open doors and start auto engines.
4 “character” pins that can’t be shared or stolen by human or BOT.
Facial and gait scan technology that lets you fly past TSA security.
“Gesture” or “drawing” based passwords impossible to forge in practice.
Credentials that are linked to the user’s state of mind.
That said –
Would you want a drunk driver behind the wheel of a car?
Would you not want your doctor to be paying perfect attention when documenting your medical diagnosis?
Would you not want to make sure body doubles are not “posing” for the other?
Friction to me is not an issue of convenience, but one of certainty; of “time to think”. MFA friction should be commensurate to the risk it aims to manage, and should support the mission to protect our digital and physical domain, without compromising security.
"Frictionless" sounds cool; but when it comes down to MFA, some friction is always better.