Q&A: SecureAuth’s Chief Product Officer On The Importance Of Dynamic Workforce MFA
Expert Insights Interviews Brook Lovatt, Chief Product Officer, SecureAuth.
Brook Lovatt is the Chief Product Officer at leading Identity and Access Management (IAM) vendor SecureAuth. He defines SecureAuth’s product strategy and leads the teams responsible for building and managing the company’s market-leading solutions for workforce and customer Identity & Access Management experiences.
Brook joined SecureAuth following the company’s acquisition of Cloudentity, a leading CIAM provider, where he was CEO. Prior to Cloudentity, Brook co-founded Pragma Technology Group, led global service delivery for IBM Security’s Cloud Identity offering, and has served in leadership posts at Lighthouse Security Group, Oracle, and Encode.
Expert Insights recently reached out to the SecureAuth team to get Brook’s insights into the challenges in the MFA space today, his top recommendations for CISOs looking for an MFA solution, and his predictions for MFA trends in 2025.
What are the biggest challenges facing organizations in the multi-factor authentication space today, and how are threats evolving?
The biggest challenge we see organizations grappling with today is balancing an experience that is acceptable to the user population with a level of security that is acceptable to the business.
MFA approaches tend to vary widely between workforce and customer-facing solutions. When you’re dealing with the workforce, there is generally more control over the devices that the user is connecting from and/or has in their possession. When you’re dealing with end-users who are outside of your organization (whether they’re partners, distributors, retail customers or business users from your B2B customers) you don’t have that control.
In a workforce MFA scenario, businesses often fear that if the end user is inhibited by the requirements of a more secure authentication factor, their productivity will be affected. As a result, there’s often a fallback to standard password or less-secure MFA mechanisms such as email One-Time Password (OTP).
Threat actors look specifically for organizations that have implemented such fallbacks. While they generally cannot circumvent a properly implemented FIDO2 authentication method that’s device or URL bound, if they can fall back to OTP, the attacker can use a simple man-in-the-middle approach to gain access to accounts.
Similarly, for end users who are consumers, customers, or other users who are outside of the business, there’s this ever-present pressure to make the user experience as simple as possible. The reality is that account takeover attacks against end users are becoming ever more sophisticated and the risk to the business is very high, even though these users are not operating within the company. Reputational risk and loss of business from breaches directly affect business outcomes. Generally, the best practice is to ensure that consumer users leverage passkeys for access, but this requires that they have a passkey-enabled device or a fallback to a less-secure method.
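The origin binding described above is what separates FIDO2 from a relayable OTP. As an added example (not SecureAuth’s code), here are the relying-party checks on a WebAuthn assertion’s clientDataJSON and authenticatorData that tie a login to the genuine site; the RP ID, origin and challenge are constructed sample values, and the signature verification that follows these checks in a real verifier is omitted.

```python
"""Relying-party binding checks for a FIDO2/WebAuthn assertion (added example)."""
import base64
import hashlib
import json

RP_ID = "login.example.com"                    # constructed RP ID
EXPECTED_ORIGIN = "https://login.example.com"  # constructed: the only accepted origin


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_client_data(challenge: str, origin: str) -> str:
    """Constructed clientDataJSON, as the browser builds it for a get() ceremony."""
    payload = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return b64url_encode(json.dumps(payload).encode())


def make_authenticator_data(rp_id: str, user_verified: bool = True) -> bytes:
    """Constructed authenticatorData: rpIdHash (32) | flags (1) | signCount (4)."""
    flags = 0x01 | (0x04 if user_verified else 0)  # UP bit, optionally UV bit
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")


def verify_assertion_binding(client_data_b64: str, auth_data: bytes,
                             expected_challenge: str) -> tuple[bool, str]:
    """Return (ok, reason). A login proxied through a lookalike site fails the
    origin check because the browser fills in the origin it actually talked to,
    and the authenticator hashes the RP ID it was scoped to."""
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or cross-session)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not {EXPECTED_ORIGIN!r}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match RP ID"
    if not auth_data[32] & 0x01:
        return False, "user-present flag not set"
    return True, "ok"
```

An email OTP verifier has no equivalent of the origin or rpIdHash fields, so a code typed into a proxy page is indistinguishable from one typed into the real one.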
How does the SecureAuth platform help teams address these challenges, and how do you differentiate the platform in this competitive space?
SecureAuth provides industry-leading MFA technology (including both standards-based MFA such as FIDO2 as well as proprietary mechanisms to meet more specific needs) that meets the highest standards of UX and security. Supporting more than 30 methods of authentication, we offer broad flexibility to meet any business’s requirements, but this alone is not enough to achieve the required balance of UX and security.
To meet that important balance goal, our solution will dynamically adjust authentication requirements based on user behavior and context. We do this via an AI/ML Risk Engine that dynamically generates Level-of-Assurance (LOA) scores for each user authentication and transactional authorization to ensure that user authentication friction is always as low as possible. When the LOA is high, users will not be interrupted. When LOA is low, users will need to fulfill MFA requirements that meet the security needs of the business.
What are your top recommendations for CISOs in the process of looking for a multi-factor authentication solution?
First and foremost, don’t configure unsafe “fallback” pathways that enable attackers to circumvent your security.
When evaluating MFA solutions, CISOs should consider:
- Security robustness: Leverage intelligent AI/ML risk technology to ensure that high-risk scenarios are always required to meet sufficient security standards. Opt for solutions offering adaptive authentication and support for phishing-resistant methods.
- User experience: Ensure the solution provides a seamless experience to encourage user adoption and mitigate the need for a fallback option.
- Integration capabilities: Verify compatibility with existing systems and applications to facilitate smooth deployment and lower TCO for the solution as authentication methods evolve and require updates.
- Scalability: Choose a platform that can grow with your organization’s needs.
- Regulatory compliance: Ensure the solution aligns with relevant data protection and privacy regulations.
What trends do you expect to see in the multi-factor authentication space in 2025?
New and innovative authentication mechanisms are being created constantly. I believe that as we enter 2025, all successful new methods will leverage available open standards such as FIDO2 to ensure that they are easily integrated into existing access management systems.
Among the successful solutions, I expect to see a unification of workforce authentication for physical building access and access to online systems, which will drive MFA for physical access alongside a reduction in the overall devices, credentials, and mechanisms that employees need to deal with.
I also expect to see increased movement to decentralized identity systems and open wallet implementations that will be powered by government agencies adopting open identity and authorization standards – consequently creating an increased need for users to leverage MFA to gain access to their wallets as well as to authorize the distribution of personal data (including zero-knowledge proofs of that personal data) from those wallets to vendors, employers, etc.
In your view, what should organizations’ top multi-factor authentication planning priorities for 2025 be?
Make sure that you’re set up to quickly and easily adopt new MFA technologies as they arise. The choices will become more vast and more powerful. It’s critical to have a flexible access management system in place that knows when and why to invoke these methods. This setup shouldn’t cost a lot of time and money to modify with each MFA change. Maintaining this flexibility will be essential to keep your business safe and competitive.
Further Reading:
- Learn more about SecureAuth.
- Read our guide to the Top 11 Multi-Factor Authentication Solutions.