Hello and welcome, everyone. My name is Phil Hayes and I'm one of our presales managers here at One Identity. I'd like to thank you guys for joining. So today, we'll do a quick review and level set on what MFA is. We'll explore its evolution, discuss its importance, and why OneLogin is an ideal choice.
So I'm sure MFA is a concept we are all very familiar with. In its simplest definition, MFA simply adds an extra layer of protection to our digital lives. It's like having a double lock system where you need more than just a password to access something. In describing how it works, we'll use one-time passwords, or OTP, as our example since it's so commonly used, and I'm sure we've all used it at one point in our lives.
So when logging in using OTP, we get a unique code that is generated and sent to a user's device via SMS, email, or an app that they have on their phone. They can take this code and enter it along with their credentials to authenticate, and they can simply move on and access whatever it is they were trying to access. One thing to note with OTPs is that they are time-limited, which ensures a higher level of security, as they become invalid after a single use, or if they try to use them outside the specific time frame.
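As an added illustration of the two properties just described (time-limited and single-use), and not code from the webinar or from OneLogin, here is a small time-based OTP (RFC 6238 TOTP over RFC 4226 HOTP, HMAC-SHA1, 30-second steps) generator and verifier. The verifier accepts one step of clock drift on either side and records each consumed time step per user so that a code that has already been used is rejected even while its time window is still open. The user name, secret, and drift window are assumed values for the example; the secret is the ASCII test key from RFC 6238.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time divided by the step."""
    return hotp(secret, now // step, digits)

class OtpVerifier:
    """Server side: checks a submitted code against a drift window and refuses replays."""

    def __init__(self, secrets: dict, step: int = 30, drift: int = 1):
        self.secrets = secrets      # user -> shared secret (would live in a secret store)
        self.step = step
        self.drift = drift          # how many steps of clock skew to tolerate on each side
        self.used = {}              # user -> set of time-step counters already consumed

    def verify(self, user: str, code: str, now: int) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        counter = now // self.step
        consumed = self.used.setdefault(user, set())
        for c in range(counter - self.drift, counter + self.drift + 1):
            # constant-time comparison so the check does not leak how many digits matched
            if hmac.compare_digest(hotp(secret, c), code):
                if c in consumed:
                    return False        # valid code, but already used: treat as replay
                consumed.add(c)
                return True
        return False                    # wrong code, or outside the accepted time window

# Constructed sample data: the RFC 6238 test secret and an assumed user name.
SECRET = b"12345678901234567890"
verifier = OtpVerifier({"alice": SECRET})

if __name__ == "__main__":
    t = 59                                        # Unix time from the RFC test vector table
    code = totp(SECRET, t)
    print("code at t=59:", code)                  # 287082 (low six digits of RFC vector 94287082)
    print("first use:", verifier.verify("alice", code, t))
    print("replay:", verifier.verify("alice", code, t))
    print("an hour later:", verifier.verify("alice", code, t + 3600))
```

The drift window is a trade-off: every extra step accepted on each side widens the interval during which a phished or shoulder-surfed code still works, which is why the replay set matters even with a narrow window.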
And there are three main types of MFA methods that I'm sure we're all familiar with. Something you know: this could be a password, or a PIN, or security questions. Obviously, these are things you have to commit to memory.
And then something you have, such as a token, or a smartphone, or a smart card. These are things that you possess. And then something you are. This could be biometric data or behavioral data. These are things that define you as a person.
And now let's look into the evolution of MFA. In the beginning, authentication was about something you know, which we know from earlier can be just a username and password. However, there's a massive problem with passwords in that they're hard to remember. And we've developed the worst habits, such as credential reuse. And studies have shown that 59% of people use the same or similar password for multiple accounts.
So it's no wonder that humans have become such a prime target for the bad guys. And what this means is that if an account or one set of credentials is breached, hackers could potentially gain access to other accounts with that same credential.
And to combat the problem with passwords, authentication systems added the notion of something you have as that secondary factor. This means users could use their phone, a smart card, or a personal device as that secondary authentication factor, and this was really the dawn of MFA. However, there was still a problem with using something you have, like a phone or a laptop. And that's that they can be lost, or worse, stolen. In fact, this happens all the time. Studies have shown that a laptop gets stolen every 53 seconds and over 70 million smartphones are lost each year.
So in order to combat the problem of lost and stolen devices, new technology was introduced to allow MFA to add verification of who you are. This includes using that biometric data we talked about earlier, like fingerprint scanning, facial and iris scans for MFA. And while biometrics are certainly more secure than something you have, like a phone or a laptop, they can still be hacked. A good example is neural networks. They've been designed to enable master prints, which can be used to hack fingerprint recognition software.
And all of this, the problems with these methods, is what has led us into today's cutting edge of MFA, which is context-based. In other words, this is how you're authenticating. This is commonly known as adaptive MFA, or adaptive authentication, which combines what you know, what you have, and who you are with how you're logging in. And what this does is ease the burden on users by using that context data.
You can start using things like where you're logging in from, what day it is, the time of day, what city or country you're logging in from, the device you're using. We can use all this context to determine risk, and we can use that risk to determine when to prompt MFA. So for low risk or no risk, we can choose to have no MFA prompt. We can simply allow them to proceed with a passwordless experience. Or if there is a high-risk login, we could prompt for MFA using one of the factors that are optimal for your user base.
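To make the risk-driven prompt decision concrete, here is an added example of an adaptive-authentication policy evaluator. It is not OneLogin's engine or any code from the webinar; the signals (device, country, hour, weekday), their weights, the thresholds, and the sample user profile and login contexts are all constructed assumptions for illustration. It scores a login attempt against what is normal for that user, returns a decision of allow (no prompt), mfa (step up), or deny, along with the reasons, and enrolls a device as known once it has passed a step-up.

```python
from dataclasses import dataclass, field

@dataclass
class LoginContext:
    """Signals observed at login time (constructed fields; a real system has many more)."""
    user: str
    device_id: str
    country: str
    hour_utc: int      # 0..23
    weekday: int       # 0 = Monday ... 6 = Sunday

@dataclass
class UserProfile:
    """What is 'normal' for this user, learned from past successful logins."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    work_hours: range = range(7, 20)

# Assumed weights: the stronger a signal is as an account-takeover indicator, the more it adds.
WEIGHTS = {
    "unknown device": 40,
    "unusual country": 35,
    "outside working hours": 15,
    "weekend": 10,
}
ALLOW_BELOW = 20   # below this: no MFA prompt
DENY_AT = 90       # at or above this: refuse outright and alert

def risk_score(ctx: LoginContext, profile: UserProfile):
    """Add up the weights of every anomalous signal and return (score, reasons)."""
    reasons = []
    if ctx.device_id not in profile.known_devices:
        reasons.append("unknown device")
    if ctx.country not in profile.usual_countries:
        reasons.append("unusual country")
    if ctx.hour_utc not in profile.work_hours:
        reasons.append("outside working hours")
    if ctx.weekday >= 5:
        reasons.append("weekend")
    return sum(WEIGHTS[r] for r in reasons), reasons

def decide(ctx: LoginContext, profile: UserProfile):
    """Map the score onto the policy outcome the webinar describes: no prompt, step up, or block."""
    score, reasons = risk_score(ctx, profile)
    if score >= DENY_AT:
        return "deny", score, reasons
    if score >= ALLOW_BELOW:
        return "mfa", score, reasons
    return "allow", score, reasons

def on_mfa_success(ctx: LoginContext, profile: UserProfile) -> None:
    """After a successful step-up, trust the device so the next login from it is low risk."""
    profile.known_devices.add(ctx.device_id)

# Constructed sample profile and login attempts for an assumed user.
alice = UserProfile(known_devices={"laptop-1"}, usual_countries={"US"})
usual = LoginContext("alice", "laptop-1", "US", hour_utc=10, weekday=1)
new_phone = LoginContext("alice", "phone-9", "US", hour_utc=14, weekday=2)
suspicious = LoginContext("alice", "vm-77", "RU", hour_utc=3, weekday=6)

if __name__ == "__main__":
    for ctx in (usual, new_phone, suspicious):
        print(ctx.device_id, ctx.country, decide(ctx, alice))
    on_mfa_success(new_phone, alice)            # user passed the step-up on the new phone
    print("phone-9 after enrollment:", decide(new_phone, alice))
```

The weights and thresholds are the policy knobs: tightening ALLOW_BELOW to 0 turns this into "always prompt on any anomaly", while the deny band exists so that a login that trips every signal at once never gets the chance to phish a one-time code out of the user.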
Next, we'll move on and discuss some of the importance of MFA. Before I do, I really want to stress that implementing MFA is essential for organizations looking to bolster their cyber defenses. And this is primarily due to the alarming frequency of credential theft and web application breaches caused by these compromised credentials. You certainly need MFA to safeguard against the tidal wave of cyber threats that organizations are continually faced with on a daily basis.
And just to build on this, I thought these were some interesting metrics that should reinforce why MFA should matter now. The average cost of a data breach in 2022 was $4.35 million. 80% of web application breaches were caused by compromised credentials, and, even more concerning, credential theft attacks have increased by 55%.
So I don't know. I don't think I need to keep emphasizing the importance here of having an MFA solution. But now that we understand how important it is, I think it's good to look at some of the dangers it protects us against. Things like phishing, spear phishing, keyloggers, credential stuffing, brute force and reverse brute force attacks, man-in-the-middle. I'm not going to go into dep