Fresh Take: Our Five Key Takeaways from the 2023 Gartner® Identity & Access Management Summit in Texas

Last month, I had the opportunity to attend the Gartner Identity & Access Management Summit at the Gaylord Texan Hotel and Convention Center in Grapevine, Texas. I sat in on Gartner VP Ant Allan’s presentation titled “Go Passwordless Whenever You Can, Wherever You Can.”His presentation got me thinking about multi-factor authentication (MFA) as it relates to going passwordless, and I wanted to share five main points with you that I felt were important about this topic:

  1. MFA is a given. In today’s day and age – and with cybercrime like phishing and ransomware attacks on the rise – MFA has become a basic hygiene requirement for any organization. However, the focus now is not why MFA is needed, it’s how to best implement it. In my mind, security executives must consider the user experience and make it as simple as possible. Passwordless MFA provides the optimal experience because it removes the burden from users having to remember a new complex password every 90 days. Not to mention, it’s a more secure form of MFA because it eliminates unsafe password management practices and thus, reduces the number of potential attack vectors.
  2. Not all MFA is equal. As MFA becomes widely used, threat actors continuously look at ways to break through it. Methods such as SIM swapping and push bombing are increasingly being used to bypass traditional MFA. Security professionals should look to implement phishing-resistant MFA, which means utilizing FIDO2 (e.g., passkeys), certificate-based authentication (CBA) and public key infrastructure (PKI). The U.S. government, including DHS, NIST and CISA – plus the White House OMB – are now urging organizations to adopt phishing-resistant MFA to further mitigate cyber risks.
  3. Prioritize MFA implementations for the “broadest impact”– Organizations should take a pragmatic approach to implementing MFA because not all use cases are equal. The most critical of these will depend on an organization’s business and processes. For most, login to their workstation and to their cloud-based business applications is a must, but for others, it may be virtual desktops or shared workstations with many users performing mission-critical operations in these environments. To be future proof, select a solution that can address the most use cases and adapt to the changes that your ecosystem will inevitably go through over time.
  4. Investigate a hybrid approach to MFA. In my opinion, to implement phishing-resistant MFA across many use cases, organizations need both a passkey and CBA. Additionally, those implementing it will need to offer a choice in terms of an authenticator, whether it’s a YubiKey, a phone, or an embedded solution such as Windows Hello for Business. Unfortunately, there is no “silver bullet” solution for phishing-resistant MFA.
  5. Credential enrollment and account recovery (CEAR) is critical. If an organization doesn’t pay proper attention to CEAR, it can very quickly become a weak point of an MFA approach. In the presentation slides, one of Allan’s recommendations said to “implement well-designed credential enrollment and account recovery procedures.” I also believe these are two key components of MFA that can be leveraged for an attack. For example, if enrollment is based on a weak credential, an organization can put the entire MFA infrastructure at risk. And, if the process is too painful for the end user, there is risk of facing pushback from its user population and significant delays in adoption. Account recovery should be secure and convenient – and not rely on temporary passwords, knowledge-based authentication or rely on help desks, which are costly. Self-service options are essential to help circumvent additional risks.

All these points regarding MFA are important to consider. I agree that organizations should be getting rid of passwords whenever and wherever they can and utilizing a hybrid approach to employ the best tools such as CBA, PKI, passkeys and FIDO2. Security professionals need to make sure the proper CEAR procedures are in place. And ultimately, MFA should be incorporated in the areas that will make the biggest impact on the business. When it comes to MFA, security executives need to be purposeful and implement strategies that reduce the most risk.GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.