Listen: Next in Tech | Episode 35: Multifactor authentication needs and hesitations

The need for more modern authentication techniques has never been more pressing and multi-factor authentication (MFA) is a key building block of zero trust approaches. Tom Gersic, VP of customer success at Salesforce, and Garrett Bekker from the 451 security team join host Eric Hanselman to talk about what’s needed. The threat landscape demands MFA, but users can be hesitant. It doesn’t have to be this way. For further insights, register to listen to Garrett’s fireside chat at the 451Nexus conference: https://www.spglobal.com/451Nexus

Transcript provided by Kensho.


Eric Hanselman

Welcome to Next in Tech, an S&P Global Market Intelligence Podcast where the world of Emerging Tech lives. I'm your host, Eric Hanselman, Principal Research Analyst for the 451 Research arm of S&P Global Market Intelligence.

And today, we'll be discussing the transition to more modern authentication and technologies and some aspects of rollout with Tom Gersic, the VP of Customer Success at Salesforce; and Garrett Bekker, Principal Research Analyst with 451 Research. Welcome to the podcast to both of you.

Tom Gersic

Thanks, Eric. I'm really happy to be here today.

Garrett Bekker

Likewise, thanks, Eric. Thanks for having us.

Eric Hanselman

We've got a really interesting topic that, I think, if we look at a lot of the broad concerns in security, has always been a more problematic shift, although one that is all that much more important today with a lot of the shift in the attacker community and work from home and a lot of these things that are making authentication a more complex task.

Tom, you've been working at Salesforce with the technologies to put some of this in place. It'd be great to hear your experiences, your thoughts and some of your goals in making this transition.

Tom Gersic

Yes, absolutely. Thank you, Eric. MFA is such an important aspect of security today. It's something that is really the easiest and most effective way to secure user access to really any system. We believe this is so strongly at Salesforce, in fact, we've actually made MFA a requirement for all of our customers on all of our products.

The reason for this is we just really think that it's extremely important to make sure that we are helping our customers and partnering with our customers to protect against things like phishing attacks, credential stuffing attacks and other ways in which especially a hybrid workforce, people who are working from home, people who are going in to the office or working from home, are being targeted.

We're just seeing overall across the industry, such an increase in the number of attacks that we believe it's really important that we help our customers to secure their access to Salesforce systems against those types of things.

Eric Hanselman

And credential compromise is the new black. And that's one of the unfortunate realities that we've been facing in this day and age.

Garrett Bekker

Great point to bring up there, Eric. In fact, there's been a lot of mileage out of the Verizon Data Breach Investigations Report in recent years. I forget what the most recent data is, but something around, I think, 81% of breaches are actually due to somehow compromised or lost or stolen credentials. In fact, I think that number might have actually gone up in the most recent DBIR. But yes, to your point, I mean, I think it's fairly low-hanging fruit that MFA could certainly help to address that fact.

Eric Hanselman

Well, low-hanging fruit maybe, but it's something in which there's been a lot of traditional resistance to moving to multifactor. A lot of user perception, and we can debate whether or not that's perception, confusion, misunderstanding, that this makes their lives more complex. And that's something, if you think about the Salesforce user community, to push that forward, that's going to take some work and some convincing.

Garrett Bekker

For sure. We've done a fair amount of survey work in the past few years. As you know, we have a service called Voice of the Enterprise, or VotE for short. And we survey several hundred senior-level IT decision-makers around various topics. And one of the things we've done pretty consistently in the last few years is we ask what the deployment status is of various security technologies, from firewalls to e-mail security, and probably 25 different ones.

And what we find pretty consistently is, not surprisingly, the ones at the top of the list are the fairly common things, as I mentioned, firewalls and e-mail security and endpoint security and SIEM tools, et cetera, often in excess of 90% deployment in the enterprise.

When we look at MFA, however, it's not such a happy picture. Up until the pandemic hit, it was hovering around 50%, 51%, 52% enterprise adoption levels. And that's not even enterprise-wide. That just means that somewhere in the organization, somebody is using MFA.

We got a little bit of a boost due to the pandemic with all the work from home going on. That's come up to 61%, but it's still way below other security technologies. And to your point, there's a number of reasons for that, but one of which has been a poor user experience alongside other factors like cost and complexity and things like that.

Tom Gersic

Yes. I think the user experience is really important. And I think that one of the things we really want to consider is that while there is an additional step at login, the additional security offered by having MFA in place really allows that end user, that worker to be able to do so much more while off of a secure facility or off of a secure network.

And I think that's a really important thing to consider: yes, while it does add that additional step, it really enables a better level of security to do more than you could do in the past. From a remote setting, from a work-from-home setting, from working at Starbucks, from working at who knows where, because you're able to then verify that the end users are who they purport to be when they're logging into our system.

In an older scenario, you might have said, okay, I'm just going to verify that people logging into the system are in this building and on this network. And as long as that's true, then they are able to access all systems.

But when you don't have that, you have to be sure that you have a good way to secure things even when you're off network. So there's a user experience aspect, but I think in some ways, it actually improves the user experience because it enables that remote workforce.

Eric Hanselman

Well, you make a really good point, which is that when we were all sitting in known places, we were able to presume a certain amount of context. We knew location because we knew that was the only place you could actually be when you could get to this stuff.

Now, location, device, device status and health, all these other pieces are up for grabs because we're operating in an environment where there are simply many more variables in that working environment for end users.

Garrett Bekker

Yes. I think that brings up a topic that, you know, is near and dear to my heart, where I bring up the whole concept of zero trust. But to your point, Eric, now, if you look at the movement to cloud and work from home and mobility, the old network-based model that was largely predicated on assuming you're in a certain location has kind of gone out the window, right?

And I would argue that in the zero trust paradigm that seems to be emerging to take its place, arguably, it really can't get off the ground without identity, and in order to establish identity, you really need MFA. So my view, at least, I don't know if Tom has a view on that, but zero trust initiatives can't really get off the ground if we can't get MFA right.

Tom Gersic

I think that's true. I think MFA is a building block, and it's an enabler and the low-hanging fruit of really making a major difference to access security, to user security, in a way that enables so much more. And it's not the be-all and end-all of security either, because there are other things to consider. But it is a really important building block to it.

Eric Hanselman

So Tom, what has been your experience in terms of the rollout? How did you go about it? And what has been the overall experience in that process?

Tom Gersic

That's a great question. We've made a number of announcements this year about MFA and requiring it for our customers. And that's been met by all sorts of feedback. In some cases, customers have been really excited about it. I've talked to a number of our customers where their security team was telling them the same thing, and that's exactly what they told us that we know we need to make these improvements.

These are things that we're already working on. And it's something that makes a ton of sense. We have others that have really come to us with some particular challenges. And I think it's really helped us to understand and work through some specific use cases. A really good example of that is call centers. A call center being an area where you do have a secure location.

In many cases, it's a secure location where phones are not allowed, so you don't have the ability to have an authenticator-type app. And you also likely have virtualized systems that don't have USB devices. So you can't use something like a YubiKey.

And for those scenarios, we've really had to work with our customers to understand how they're accessing Salesforce, how they're securing those user accounts and helping them -- helping guide them to meet the requirement that we have out there in a way that works for them. And that's been a really good experience for the way in which we're working with [indiscernible].

Eric Hanselman

Well, it's a situation in which you've been able to buy back a certain amount of context because you do know where they are. And if you can make that fit into a multifactor context, again, you've covered sufficient bases to be able to manage that risk.

Tom Gersic

Yes, that's exactly it. I think where we can verify that a user is on a specific device, a specific network, and we're doing that in a secure fashion, that's something that we're able to consider as a secure login as well.

When we have users that are leaving a secure location and need to be able to access a system securely from the road or from home, those are the areas in which we're really focusing on helping our customers better understand and better plan for secure access with MFA.

Garrett Bekker

That also brings up an interesting point, too, I was thinking. I've said this and written about this years ago: there's essentially no single authenticator to rule them all. I think MFA is very much a horses-for-courses kind of game. And there are a variety of different ways you can implement it.

And as Tom mentioned, with different use cases, my view, at least, is that there may be certain types of authenticators that lend themselves better to certain use cases and some that don't work so well on other use cases. For example, Google got a lot of attention a few years back when they mandated MFA across their employee base as well.

And they claim to have gotten phishing attacks down to about zero. They were using hardware-based keys, which was one way to go. And there's certainly some advantages to hardware-based keys, but there are also some drawbacks as well. So -- anyway, just food for thought. I don't know, Tom, if you had any thoughts on some of the different form factors that are there.

Tom Gersic

Yes, there's a lot. And I think that's a really important aspect of it. It's making sure that we have options available for customers with all sorts of different use cases. Salesforce provides an authenticator app. That works really well. It has a lot of really unique features like the GPS-based location authentication, where you don't actually have an extra step if you are typically working from the same location.

But we also make sure that we have a lot of other form factors that are available for customers that are either logging in directly to our systems or using an IdP, an SSO-based system where they have additions available to them. The one thing that we do make sure of, 100% across the board, is you can do MFA on every single one of our products and you can do it for free.

Eric Hanselman

While we're talking about form factors, I know we had a chance to discuss a little bit beforehand. You're making the point that there are some of the interchange mechanisms that are less secure, but nonetheless seem to get an awful lot of use in various applications.

Tom Gersic

You mean -- you're referring to like an SMS- or e-mail-based form factor?

Eric Hanselman

Exactly.

Tom Gersic

Yes, absolutely.

Eric Hanselman

These are things that, while they're in common use, come with a set of risks.

Tom Gersic

Yes, absolutely. We see a lot of people using e-mail or SMS as a form factor for MFA, and they do have risks. If you are using an SSO system and you're logging into all of your apps with the exact same username and password, then your e-mail has the exact same username and password as your Salesforce login, and has the exact same username and password as everything else that you have. So e-mail-based MFA has a lot of risks to it because it doesn't really segment the login from the MFA mechanism. And SMS has its own challenges as well.

There are a lot of attacks that have been pretty well publicized over the years with SIM cloning attacks and things like that. So we recommend against them, and we really try to steer our customers towards a much more -- a strong factor of MFA, like an authenticator app or hardware device.

Garrett Bekker

SMS-based, I believe, has been deprecated by NIST as well. So following those guidelines is important; that's certainly something to pay attention to.

Eric Hanselman

Well, essentially, what you've done, if you're using those mechanisms, is you're not using a separate factor, because you don't have enough distance from the potential risks of compromise from all of the other factors that you're trying to pull into place. So -- yes, something interesting to keep in mind in terms of implementation.

Garrett Bekker

Yes, certainly. I think in general, we sometimes tend to forget what multifactor actually means, right? It's about having more than one, ideally more than two, factors, right? Something you are, something you have, something you know. And I would argue there may be a few others, like something you are or something you do.

But point taken, there's perhaps not enough separation between some of the factors in SMS. But I also think, broadly, there's -- at least historically, there's been a little bit of an inverse relationship or a curve, so to speak, between ease of use and the security level of an authentication form factor. And that essentially forced firms to choose where they wanted to be on that curve.

I mean, either you are willing to accept a little less security for more convenience or you'd basically accept less convenience for a higher level of security. And I think to some extent, that's still true, but hopefully some new initiatives around passwordless MFA and adaptive and contextual authentication, to some extent, are helping to overcome that.

Eric Hanselman

Well, and actually, I should hop in here with one particular note. You're going to be hosting a fireside chat about multifactor authentication at 451 Nexus that's coming up the 19th of October. And at which, Salesforce is going to be speaking.

Garrett Bekker

Exactly. We do have that coming up, and my guest will be Ian Glazer from Salesforce. I've known Ian for many years. And we will be going into more detail on MFA overall and MFA adoption, some of the challenges that we've laid out today, and I think just a broader view of MFA throughout the industry and also Salesforce's role within that. So please keep an eye out for that; it should be an interesting discussion.

Eric Hanselman

Well, I guess my hope is that we've come through to an area in which really multifactor is now the commonsense approach for just about everything. And yet, we still get certain hesitations. And I wonder the extent to which it's still that long-standing user perception that we've got to get people over, and some of those factors that come into play around misperceptions about MFA, especially in light of the substantial security benefits that it delivers.

Tom Gersic

What I've been seeing is that in a lot of cases, we're hearing from people that they understand that this is an important security mechanism, but it takes time to roll out. And there is a user perception issue that I think can be overcome with good change management and good materials as you roll out to a workforce.

I think that overall, what we're -- more what we're hearing is that it's less about a pushback around using MFA at all and more of the amount of time and the amount of effort it takes to roll out into a more secure system. So with that, there comes a cost to whatever the form factor is.

If a company isn't supplying mobile devices to their workforce and some jurisdictions can't require personal devices to be used for work in any respect, then an authenticator app, while free, still carries a cost of having another device that a company would have to purchase.

And the same thing is true of a hardware token. So in some cases, we're seeing people use soft tokens in order to overcome that. But in other cases, it's really more of a time -- more of a planning period of how to move forward over the future budgeting cycles for how to roll this out.

Garrett Bekker

I think those barriers and those perceptions, actually, you could divide them into two camps, really. There's the enterprise side of things, where firms thinking about rolling out MFA are thinking about costs, thinking about distribution. They have to think about how MFA is going to integrate with certain apps and what if it doesn't work with certain applications, et cetera.

And then on the user side, for the users, typically they're worried about friction, right? Is MFA just one more thing that they need to -- one more hoop that they need to jump through to get that e-mail sent or, if they're a consumer, to get that order placed, right?

And so I think that's part of the problem. I also think there's a little bit of a perception that, hey, this isn't really my problem. Why should I care if this is a phishing attack? It's not really my problem. I'm not going to have to clean it up. So I think to some extent, requiring this of all your users, I think, somewhat removes that barrier.

But I also think some of those frictions can be upfront, right? Like whether it involves getting your token, getting it set up, getting the registration. But once that's actually set up and going, on a go-forward basis, it can actually be simpler sometimes than using something like a password.

Eric Hanselman

Well, you both made a set of what I think are particularly important points around this, which is that, again, like a lot of the transformative processes we're going through, this comes down to the people aspect of ensuring that you're able to identify what the value is, help users through this process and make this really something that has benefits for them as they move forward.

We know what the benefits are, but the trick is ensuring that those end users understand what those benefits are as well. Again, particularly in light of today's security landscape.

Tom Gersic

I think that's a really great point, that it's important that end users understand the reasons for MFA. And I think that -- as you think about how to roll out MFA within an organization, making sure people understand the reason why is a really important part of it. It's not there to make your life more difficult.

It's there to enable a secure workforce, and it's there to enable the ability to reduce the risk of losing access to really important information. And it's no secret that companies all over the world are getting hacked way more frequently than they used to, and it's something that we really want to make sure that we're doing everything we can to reduce those attacks.

Garrett Bekker

Yes. I think for me, it's just -- again, it comes back to the importance of user experience. And if you go back to the earlier comments I made about the different security technologies having higher levels of deployment, I think part of that is, for a lot of them, they're completely transparent to the user.

Back in the day, years ago, I used to sell firewalls, and it was easy. We'd come in on Friday night and spend the weekend setting up the firewall rules. And when employees would come in on Monday morning, they were none the wiser that anything had changed, for the most part. It's pretty much similar with SIEM tools and endpoint security to some extent.

And one of the challenges, again, with MFA is it's front and center. Employees are acutely aware that they've been asked to do MFA if it's not done right. So again, to me, that brings it back to the importance of user experience, because if you introduce more friction, it's just -- it's going to be a painful experience.

Eric Hanselman

Well, and it sounds like we've got a slate of technologies that can actually help that happen. I want to thank both of you for all of your perspectives on what is a very important topic in terms of securing our environment. So thank you very much for being on the podcast.

Tom Gersic

Thank you, Eric. Thank you for having me on and thanks, Garrett, too.

Garrett Bekker

Thank you, Tom. Thank you, Eric. This was a lot of fun, and it's a topic that I'm very passionate about and looking forward to chatting with Ian at our -- at our Nexus event.

Eric Hanselman

October 19, we hope that our audience will be there. And with that, that is it for this episode of Next In Tech. Thank you very much for staying with us and hope you will join us for our next episode where we'll be talking about a range of different technology topics because there is always something Next In Tech.

No content (including ratings, credit-related analyses and data, valuations, model, software or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor's Financial Services LLC or its affiliates (collectively, S&P).