Corona Virus and 2FA Fatigue?

As more people opt or are forced to work remotely, we’re going to learn a lot about our assumptions, policies, and technical controls surrounding the intersection of remote access and identity management. Already in social media I’m seeing rumblings of session expiration times, with users forced to pull out their phones to reauthenticate… well, that and VPN license limits and costs, but that’s a separate class of users. From the business users, there’s talk of finding ways to keeping network connections alive to avoid the timeouts.

Here’s where the temptation is strong for the security and admin folks to turn on one another in escalating one-upmanship. Hopefully some innovation comes out of it all.

In the meantime, some key areas of focus for you:

  • Assess: What users need access to what resources? From where and when? What is the impact if that resource is compromised? Do your policies and technical controls reflect that? Too loose? Too draconian?
  • Communicate: Ordinary users may not be aware of the business risks and even legal requirements that lead to these inconveniences. Power users may believe they know better. Make sure everyone is informed about why it is this way and make sure everyone is aware that there may be penalties for violations. Tailor the message as necessary. Just as importantly, listen: Pay attention to user experience, incorporate feedback, and periodically revisit your decisions.
  • Innovate: Identity and Access Management (IdAM) is non-trivial. It’s technically complicated, particularly when mixing web access, wired & wireless network access, server access, corporate-owned & BOYD assets, etc. One size rarely fits all. Policy engines that allow or restrict access from this type of device at this location to that asset in that environment between those hours are still rare items, and having all of your different types of devices and services honor those policy engine decisions is another can of worms. Policy engines that make the experience more seamless often do so at the expense of privacy, keeping tabs of your state and the state of your devices — knowing your physical location, your frequent IP addresses, your device IDs, your times of access, and so forth — and using that information to make decisions. Are you okay with that? In the end, decide how we can all do better. Push industry in that direction.

We’ll see where it all leads soon enough!