Oracle Corporation

10/10/2024 | Press release | Distributed by Public on 10/10/2024 06:45

MFA everywhere: Tailored strategies for securing diverse industries

In the current, evolving threat landscape, securing access to enterprise digital assets is more critical than ever. Existing and new global regulations mandate the uptake of multifactor authentication (MFA) as the recommended technology to combat these threats. MFA is a powerful defense as it places multiple locks on the door of digital assets, but a one-size-fits-all approach isn't sufficient for the varied business needs of different industries. From higher education to banking and healthcare to manufacturing and retail, each sector requires a tailored MFA strategy that balances security with usability. In this blog post, we explore how to tailor MFA to fit specific industry requirements, encouraging robust protection without compromising efficiency.
Figure 1: MFA uptake journey (security developments from SSO to MFA to zero login)
MFA best practices
The MFA approach must enforce strong security principles, while keeping the authentication process efficient and user-friendly. To maintain balance, consider the following primary best practices:
Assess risk levels: Match MFA factors to the sensitivity of the resource. Use stronger factors for high-risk access to digital assets.
Minimize friction: Choose MFA methods that are convenient for users.
Provide flexibility: Offer multiple authentication options, allowing users to select the method that suits their preference and circumstances.
Use adaptive authentication: Implement context-aware MFA that adjusts to contextual signals and steps up automatically, enforcing stricter measures only when anomalies are detected.
Regularly update policies: Continuously evaluate and refine MFA policies as threats evolve, providing robust security without hindering user experience.
Figure 2: Implement MFA everywhere with zero code changes (areas covered: existing web apps, thick client apps, cloud services, mobile apps, and others)
Although the best practices for MFA are generally applicable, each industry has unique business needs shaped by its operations, regulatory requirements, and risk profile. For example, financial services demand rigorous security to protect sensitive financial data, healthcare must comply with the Health Insurance Portability and Accountability Act (HIPAA) to safeguard patient information, and higher education adheres to the Family Educational Rights and Privacy Act (FERPA) to secure academic records.
(Image: Standards for information security)
Retailers prioritize a frictionless user experience to prevent cart abandonment, while government agencies focus on securing classified information and critical infrastructure. Organizations also weigh particular MFA solutions differently because of cost and the level of risk assurance they need. For example, in education, mobile device-based verification such as push notifications and SMS one-time passwords offers a more cost-effective form of MFA than specialized hardware-dependent methods.
However, government organizations that face inherently high risk might place a high value on smart cards, biometric scanners, and hardware-dependent MFA. These distinct requirements drive the need for industry-specific MFA solutions that address tailored security challenges and compliance requirements.
In Omdia's 2024 Decision Maker Survey, enterprise IT decision makers were asked, "Which passwordless authentication technologies are you using or planning to use?" Don Tait, senior analyst at Omdia, reveals the following answers:
"It was found that technological priorities for passwordless authentication tend to vary notably among verticals. For example, the most popular responses within the government sector were OTP tokens (60% of respondents), biometrics (40%) and behavioral patterns (40%). Whilst for the retail and e-commerce industries, biometrics (67%) and OTP tokens (67%) were the most popular authentication technology mentioned. For critical infrastructure such as energy, strong authentication is required and technologies such as biometrics (50%), smart cards (50%) and tokens (50%) were the most popular which were mentioned by respondents."
Based on our customer and partner feedback, we present our tailored MFA best practices for each industry vertical. These suggestions aim to enhance security while maintaining usability, tailored to each industry's unique challenges and operational requirements.
Government: A government employee accessing a remote desktop or classified database might use a smart card and fingerprint, while internal communication tools might require only a password and a one-time password (OTP). As a best practice, implement stronger MFA measures, such as hardware tokens and biometrics, for systems handling classified or sensitive information. Use adaptive authentication for lower-risk tasks, such as email and noncritical databases, and trigger stricter checks only for unusual activity.
Retail: A customer logging into an online store from a new location might need to verify their identity with an OTP, while repeat customers using familiar devices can log in with only a password. To reduce cart abandonment, focus on user-friendly MFA for customers, such as a password and OTP delivered by SMS or email. Use adaptive MFA to detect unusual shopping patterns or logins from new devices, prompting additional verification when necessary.
Healthcare: A doctor accessing patient records might use biometric verification and a hardware token, while patients accessing their test results use an email-based OTP and password. As a best practice, enforce strict MFA measures for access to electronic health records (EHRs), using biometrics, such as a fingerprint or facial recognition, and hardware tokens for healthcare providers. For patient portals, offer flexible options like password and SMS OTP to maintain security without compromising ease of access.
Education: A student accessing a learning management system might only need a password, while a finance administrator must authenticate using a password and fingerprint to process payments. As a best practice, use adaptive MFA for students and staff to access learning platforms. For administrative staff handling sensitive data, such as payroll or student records, enforce stronger MFA methods like password and push notification or biometrics.
Energy: An engineer accessing a power grid remotely uses a combination of a password, smart card, and geolocation verification to ensure that they're within a designated area. As a best practice, protect critical infrastructure with strong MFA, such as smart cards, hardware tokens, or biometrics, especially for remote access to operational technology (OT) systems. Use geolocation-based MFA for field workers, restricting access to critical systems based on physical location.
Telecom: A customer service representative accessing sensitive billing information may authenticate using biometrics, while a customer updating their account information uses a password and an SMS OTP. For administrative access to customer accounts, use adaptive MFA that escalates based on risk (e.g., unusual login locations). Use biometrics or smart tokens for staff accessing sensitive data, while customers can authenticate with a password and OTP for account management.
Transportation: An airline employee accessing a flight control system might use facial recognition and a smart card, while a field technician logging into the transportation network from an unexpected location receives an extra OTP challenge. As a best practice, implement location-based MFA for on-site systems, such as at airports or transport hubs, and biometric MFA for staff accessing critical systems. Use adaptive MFA for field workers accessing operational data, prompting further verification when logging in from new devices or unfamiliar locations.
Banking: A bank teller accessing customer accounts might use a smart card and biometric verification, while customers making large or international transfers might need to verify with an OTP or a mobile app push notification. As a best practice, deploy high-assurance MFA like hardware tokens, smart cards, and biometrics for employees accessing core systems, such as transaction processing and risk management. For customers, use a combination of adaptive MFA, based on transaction size or access device, and convenient verification methods like SMS OTP or push notifications.
Financial services: A financial advisor logging into a trading platform might authenticate using a password and facial recognition, while a client managing their investment portfolio uses a password and a push notification on their phone. As a best practice, employ strong MFA, such as biometrics and hardware tokens, for advisors or brokers handling sensitive client data and executing trades. Use adaptive authentication for clients, escalating to higher security factors for high-value transactions or access from unusual devices and locations.
Manufacturing: An engineer accessing a factory's operational technology (OT) system might authenticate using a smart card and a fingerprint scan, while a contractor trying to access the same system remotely is restricted based on geolocation and must complete additional OTP verification. Use possession-based MFA, such as smart cards and hardware tokens, and biometrics to secure access to OT systems and sensitive data like intellectual property. For field workers and contractors, use geolocation-based MFA to grant remote access only from authorized physical locations.
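The adaptive step-up pattern that recurs across these verticals (a baseline assurance level set by resource sensitivity, one level of step-up when the device, location, or transaction amount is anomalous, and a hard geofence for critical systems such as OT) can be written as a small policy function. This is an added illustration, not Oracle's code or any product's policy syntax; the sensitivity tiers, factor names, and the 10,000 high-value threshold are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
# Constructed threshold: transfers at or above this amount count as high value.
HIGH_VALUE_THRESHOLD = 10_000.0

# Assurance levels and the factor sets that satisfy them (hypothetical mapping).
BASE_LEVEL = {"low": 1, "medium": 2, "high": 3}
FACTORS_FOR_LEVEL = {
    1: ("password",),
    2: ("password", "otp"),
    3: ("password", "smart_card", "biometric"),
}

@dataclass(frozen=True)
class AccessContext:
    sensitivity: str                 # classification of the requested resource
    known_device: bool               # device previously enrolled for this user
    in_allowed_location: bool        # geolocation within the user's designated area
    transaction_amount: float = 0.0  # 0 for non-financial actions

@dataclass(frozen=True)
class Decision:
    allow: bool
    factors: tuple[str, ...]    # factors the user must complete, in order
    anomalies: tuple[str, ...]  # signals that drove any step-up (for audit logs)

def decide(ctx: AccessContext) -> Decision:
    """Map resource sensitivity plus context anomalies to a required factor set."""
    if ctx.sensitivity not in BASE_LEVEL:
        raise ValueError(f"unknown sensitivity: {ctx.sensitivity!r}")
    anomalies = []
    if not ctx.known_device:
        anomalies.append("new_device")
    if not ctx.in_allowed_location:
        anomalies.append("unusual_location")
    if ctx.transaction_amount >= HIGH_VALUE_THRESHOLD:
        anomalies.append("high_value_transaction")
    # Critical systems are geofenced: out of area, refuse rather than step up.
    if ctx.sensitivity == "high" and not ctx.in_allowed_location:
        return Decision(False, (), tuple(anomalies))
    # Step up exactly one level when any anomaly is present, capped at level 3,
    # so clean, familiar sessions keep the lowest friction the tier permits.
    level = min(3, BASE_LEVEL[ctx.sensitivity] + (1 if anomalies else 0))
    return Decision(True, FACTORS_FOR_LEVEL[level], tuple(anomalies))

if __name__ == "__main__":  # retail customer, large transfer, remote OT access
    print(decide(AccessContext("low", True, True)))
    print(decide(AccessContext("low", False, True, 25_000.0)))
    print(decide(AccessContext("high", True, False)))
```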
How Oracle can help
Tailoring MFA to the specific demands of each industry is essential for balancing robust protection with user convenience and business continuity. Oracle Access Management helps customers achieve this goal with robust MFA that extends to any user connecting from any device, anywhere. Enhanced with microservices, Oracle Access Management delivers risk-aware MFA and now offers device-level SSO and MFA with the Oracle Universal Authenticator microservice. Oracle Access Management is available to deploy as an image in Oracle Cloud Infrastructure (OCI) or in on-premises data centers. With this service, organizations gain the flexibility to control access for existing enterprise platforms and to support their migration to the cloud. Oracle Access Management is also recognized as a 2024 Gartner Peer Insights™ Customers' Choice for Access Management.
You can also use MFA to secure your OCI tenancy with OCI Identity and Access Management (IAM). In fact, every new cloud tenancy on OCI IAM is created with MFA enabled by default for cloud administrators. You can also secure your Fusion Cloud Applications by enforcing MFA for all Fusion Cloud users from the Oracle Cloud Console.
Conclusion
The implementation of MFA must be thoughtfully adapted to the distinct needs of each industry. A one-size-fits-all approach can lead to potential security gaps, increased user friction, and inefficiencies. By understanding the unique requirements and challenges of different sectors, organizations can deploy MFA solutions that not only enhance security but also support achieving compliance and operational effectiveness.