Why Cyber Insurance is Driving Innovation in MFA Technology
Whether you are a cyber security professional or just someone who spends much of their day working, communicating, socialising, shopping or banking online, you will know how long we have been told about the dangers of using poor password practices. But the truth is that coming up with and remembering complex passwords is difficult. One recent study by NordPass suggests that we're each juggling up to 100 passwords across various sites and services and that number is increasing.
Verizon’s 2021 Data Breach Investigations Report confirms the precarity of passwords as a security measure: credentials are one of the most commonly compromised types of information and are involved in 61 percent of data breaches. Since simple passwords are easy to guess and password theft is relatively common, it is time to take a different look at how we authenticate ourselves and make it harder for criminals to break into our accounts.
Last year, Microsoft made a stand and Windows for the first time went passwordless for digital validation. But they stuck with single-factor authentication for Windows logins, simply repeating the mistakes of history. Windows 10 and 11 now allow you to set up completely passwordless authentication, using options like Microsoft’s biometric solution Hello, a hardware token, or an email with a one-time password (OTP).
The fact is that all of these single-factor processes have been compromised by cyber criminals and researchers, and the only strong solution to digital identity validation is multi-factor authentication (MFA). Microsoft and others could have truly solved the digital authentication problem by making MFA mandatory and easy to use in Windows. As it stands, it is still up to organisations to force users to pair a second form of identification, such as a push approval to your mobile phone that is sent over an encrypted channel.
Users tend to reuse the same password wherever they can, with 4 or 5 variations. This means that if a user’s credentials end up on the Dark Web for any reason, chances are the same password will work for other applications, such as your company’s cloud application. From this perspective, Salesforce recently made the use of MFA mandatory for users, since February 1st, and will be enforcing it throughout the year. They also made it clear that OTPs based on SMS, email, or phone calls won’t be accepted, due to their fragility.
Another force at play: cyber insurance
Well, it may come from the growing cyber insurance industry. The increasing popularity of cyber insurance will drive the uptake of strong MFA for remote access, as insurers demand better cyber defences to reduce soaring premiums. It’s a bit like putting in extra locks and an alarm system to reduce the cost of your home insurance.
The problem for cyber security insurers is that the pay-out costs to cover ransomware threats have increased dramatically. According to a report from S&P Global, cyber insurers’ loss ratio increased for the third consecutive year in 2020, by 25 points, to more than 72%. This caused premiums for stand-alone cyber insurance policies to rise 28.6% in 2020, to $1.62 billion. And for businesses, the financial damages associated with data breaches and cyberattacks have become increasingly severe. The average total cost of a data breach worldwide grew from $3.86 million in 2020 to $4.24 million this year, according to IBM’s 2021 Cost of a Data Breach Report.
So, the risk-averse cyber insurers are not just demanding higher premiums but also now actively scan and audit the security of clients before providing cover. Cyber liability insurance applications will often ask not only about MFA but also other factors like encryption, vulnerability management, and employee security awareness training.
Easy as 123
Cloud-based MFA cuts down on deployment and management effort, while a choice of authentication methods such as push notifications, one-time passwords, or QR codes sent to a mobile device provides both good security and a good user experience. And by using a mobile device’s ‘DNA’ it is possible to match the authorised user’s phone before granting access. This means that any attacker who tries to clone a user’s device to access protected systems would be blocked.
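To make the device-matching idea concrete, here is an added example (not code from the article or from any MFA vendor) of a push approval bound to an enrolled phone: the server issues a single-use, time-limited challenge, and only a response computed with the key enrolled for that device is accepted, so a replayed approval or one produced on a non-enrolled device is rejected. It assumes a per-device symmetric secret and HMAC-SHA256 as a stand-in for the asymmetric device key a real product would use; the class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time


class MfaServer:
    """Server side of a device-bound push approval (hypothetical, for illustration)."""

    def __init__(self):
        self.devices = {}   # user -> secret enrolled for that user's phone (assumption: one device per user)
        self.pending = {}   # nonce -> (user, issued_at); each challenge is single use

    def enroll(self, user):
        # Generated once at enrolment and delivered to the phone out of band (e.g. via a QR code).
        key = secrets.token_bytes(32)
        self.devices[user] = key
        return key

    def challenge(self, user, now=None):
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (user, time.time() if now is None else now)
        return nonce

    def approve(self, user, nonce, response, now=None, ttl=60):
        entry = self.pending.pop(nonce, None)       # pop: a second use of the same nonce fails
        if entry is None or entry[0] != user:
            return False
        issued_user, issued_at = entry
        if (time.time() if now is None else now) - issued_at > ttl:
            return False                            # stale approval
        expected = hmac.new(self.devices[user], f"{user}:{nonce}".encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time comparison


def phone_sign(device_key, user, nonce):
    """What the enrolled phone computes when the user taps 'Approve'."""
    return hmac.new(device_key, f"{user}:{nonce}".encode(), hashlib.sha256).digest()


def demo():
    """Walk through the cases and return the outcomes for inspection."""
    srv = MfaServer()
    key = srv.enroll("alice")
    other_key = secrets.token_bytes(32)             # constructed: a device that was never enrolled
    n1 = srv.challenge("alice", now=1000)
    good = srv.approve("alice", n1, phone_sign(key, "alice", n1), now=1010)
    replay = srv.approve("alice", n1, phone_sign(key, "alice", n1), now=1011)
    n2 = srv.challenge("alice", now=1000)
    wrong_device = srv.approve("alice", n2, phone_sign(other_key, "alice", n2), now=1010)
    n3 = srv.challenge("alice", now=1000)
    expired = srv.approve("alice", n3, phone_sign(key, "alice", n3), now=1100)
    return {"good": good, "replay": replay, "wrong_device": wrong_device, "expired": expired}
```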
So, it looks as if the insurers may succeed where the tech and cyber security industry has failed. In 2022 and beyond, if you don’t have the proper defences and protections in place, including MFA, you may not get the cyber insurance you need at the price you would like.