Paul Trulove On The Future Of Identity Security, And How The Industry Can Encourage Widespread MFA Adoption

For the past few years, many identity experts have dreamed of a “passwordless future”, in which users no longer have to enter their username and password in order to log into an account; they would simply scan their fingerprint or connect their hardware authenticator to their device. But some experts believe that passwordless is just one step on the journey to the true future of identity security. A journey where user authentication becomes a means of detecting and blocking threats before they enter the network. 

“Passwordless is just a change in the authentication paradigm. So many users struggle with usernames and passwords and trying to remember all of those various credentials, that passwordless is kind of the easy part of the journey,” says Paul Trulove, CEO of SecureAuth. “I think the really important part is not just eliminating passwords, but using authentication and access to fundamentally change the risk profile for an organization.”

Paul has over 15 years of experience in the identity space, having previously held management, marketing, and strategy roles at other cybersecurity companies, including SailPoint Technologies. In his current role, Paul is leading SecureAuth through its latest stages of growth—including the launch of Arculix, their frictionless authentication platform.

In an exclusive interview with Expert Insights at RSAC 2023, Paul discusses some of the main pain points businesses are facing when it comes to user authentication, what the identity industry needs to do to encourage more widespread MFA adoption, and what the future of identity security looks like.

You can listen to our full conversation with Paul on the Expert Insights Podcast. 

The Challenge: MFA Causes Friction

Before we can discuss the future of identity security, we need to address the state of authentication as it stands now. 82% of all data breaches involve a human element, such as phishing or the use of stolen credentials. If an attacker manages to steal a user’s login details via phishing, or even crack them using brute force, they can access that user’s account—and all the corporate data stored in that account—without anyone knowing. From a compromised account, attackers can steal data or carry out further social engineering attacks, climbing further up the chain to try and gain access to critical business systems. 

Multi-factor authentication (MFA) can help prevent account compromise by requiring a user to verify their identity in two or more ways before they’re granted access to an account, application, or system. They can do this with something they know, like a password; something they have, like a smartcard or authentication token; or something they are, i.e., their biometrics. Some methods of authentication are stronger than others—it’s harder to scan someone’s retina without them knowing than to crack a four-digit PIN, for example—but two methods are almost always better than one. 

Despite this, the adoption rate of multi-factor authentication is still relatively low (around 22%, according to Microsoft). The first reason for this, says Paul, is that some companies are still at the start of their identity security journey. 

“For a lot of organizations, they’re still very early in their overall IAM journey, and so they just haven’t reached the point at which MFA has become a requirement for various reasons,” he says. “So, they haven’t implemented it, but I think that’s going to change really rapidly over the course of the next seven years.”

The second reason why MFA hasn’t been implimented is that many businesses struggle to overcome the friction that its introduction would cause. 

“Think about the number of times that, as a consumer—as an employee of a business—you authenticate into something on a daily basis, and the amount of friction that it causes in many cases with different username and password combinations.”

“Now moving more to the second-factor or multi-factor authentication, what we hear from people—whether they are consumers or whether they are employees—is that there’s a lot of friction. Over the last 20 years, what has happened is, as the enterprise workforce and our personal lives have become more digital, people have kind of forced security as a paradigm over convenience. 

“Especially in the enterprise. We regularly hear from organizations: ‘What we’re trying to do is make our employees work experience better by reducing friction.’”

“I was having breakfast with a gentleman today […] and he was talking about how much he hated their interface because, right at the point that he’s trying to do something important, he gets stopped. And he was describing a situation where he was trying to access something on his laptop, it prompted for an MFA, but he was on a plane, and he hadn’t spent the $20 on the Wi-Fi package. So he had to stop what he was doing to connect to the Wi-Fi on both devices […] because that’s the way that this organization has set it up.”

The Solution: Continuous, Frictionless Authentication

In order to mitigate the friction created by so many MFA products, some identity security providers have shifted the way that they approach user authentication to focus on providing a seamless authentication experience. These solutions are often referred to as “continuous” or “risk-based” authentication, and usually involve analyzing the context of each login attempt for anomalous behavior, and “stepping up” authentication as needed.

“By leveraging an analytics engine like we have in Arculix, we can make a lot of the decisions around what level of assurance is required in order to allow someone to authenticate with as little friction as possible,” explains Paul. “We have to make that decision dynamically, in real time. If you’ve tried to build static rules to implement that, you end up having to put a lot more friction into it, which is what you’re seeing today. 

“If you can make that decision dynamically, based on real-time information that has been collected both before the authentication event, and also you are actively monitoring things after the person gets authorized, then, all of a sudden, you can make more intelligent decisions on whether there really is risk present.”

“Multi-factor authentication just means I’m going to use multiple pieces of data or interaction models in order to allow somebody to authenticate. So, I can do multi factor authentication invisibly to the user by checking where they are, whether they’re accessing an application that is part of their normal access profile. And if all of those things are true, I can let them go through the authentication without ever prompting for a second factor directly […] but I can also—because I’m looking at it dynamically—determine whether the level of risk is high. If I have low assurance that this person is who they say they are, then I can throw up the more gating factors to try to avoid a situation where a malicious person is attempting to gain access.”

This shift is pivotal in the challenge of encouraging more widespread MFA adoption, says Paul. But in order for more vendors to start producing frictionless authentication solutions, there needs to be an industry-wide discussion about adopting standards that will enable stronger and easier integrations between authentication tools and other third-party applications. 

“And one of the reasons that MFA is not rolled out as widely as people would expect it to be is because sometimes it is hard to integrate. And so, there’s cooperation that has to happen between vendors. Standards, I think, are going to have a lot to do with that.”

“Adopting standards allows for the industry at large to settle on an integration path and avoid a lot of the customization that tends to be one of the other challenges when you’re implementing IAM technologies. There tends to be a lot of customization that organizations want to have to try to replicate a past workflow or business process, where the right answer may be to actually evolve the business process so that you can implement the tool faster, and get more value out of it.”

The Future: Identity Threat Detection And Response 

With many technology providers encouraging their users to adopt passwordless FIDO authentication technologies, the identity industry does seem to be moving towards the “passwordless future” that so many identity security experts have dreamed of in years. But according to Paul, passwordless is just a “point on the journey” to continuous, frictionless authentication. 

“I think identity security is going to have to continue that rotation from what was originally a very operational-oriented technology stack—regardless of which part of identity you’re referencing—into becoming more of a real-time detection response,” explains Paul. 

“Identity management and access management is a perfect place in a digital transaction to take action—not waiting until something is detected on the back end that was malicious, and then trying to go put new controls in […] after the events have already happened.” 

“What we want to be able to do is detect when something bad is happening and begin to shut down access very quickly. And that’s where I think the journey beyond passwordless really gets exciting. Passwordless is just a change in the authentication paradigm. So many users struggle with usernames and passwords and trying to remember all of those various credentials, that passwordless is kind of the easy part of the journey. I think the really important part is not just eliminating passwords, but using authentication and access to fundamentally change the risk profile for an organization in terms of the wrong person getting access to critical resources.”

Listen On Spotify:

Listen On Apple Podcasts

About Expert Insights

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions. You can find all of our podcasts here.