MFA Was Never Enough

2017 saw the launch of our bottom-up redesign of the authentication capability within Access Management. Our previous functionality focused on linear authentication chains. While this provided considerable power and maturity, we knew many customers wanted more. We started analysing the market, working with key customers and analysts, back at the start of 2016. We took a root-and-branch approach and released our intelligent authentication trees feature later in 2017. The premise was simple: MFA was not enough, and we saw a common pattern where customers wanted 8, 10 or 15 different “factors” or signals in their user login journeys. Adaptability and agility were now as important as security.

Security + User Experience = Intelligent Authentication

Intelligent Authentication provides a rich digital canvas, where login workflows can be created and managed intuitively. A collection of authentication components forms a “tree” with lots of different permutations and “branches” that dynamically respond to the user and context being processed.
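A minimal sketch of such a tree, as an added example that is not ForgeRock's code or API: each node inspects the login context and returns an outcome label, and the wiring from outcome to next node is plain data, so a factor can be swapped without touching the other nodes. All node names, outcome labels and context fields are hypothetical, and the sample contexts are constructed.

```python
# Added illustration: node names, outcomes and context fields are hypothetical.
SUCCESS, FAILURE = "SUCCESS", "FAILURE"

def flag(field):
    """Build a node that reports whether a boolean signal in the context is set."""
    return lambda ctx: "true" if ctx.get(field) else "false"

def bot_check(ctx):
    # Threat signal: a constructed score in [0, 1] from a bot-detection service.
    return "machine" if ctx.get("bot_score", 0.0) >= 0.8 else "human"

def device(ctx):
    return "known" if ctx.get("device_id") in ctx.get("known_devices", ()) else "unknown"

def mfa_choice(ctx):
    # User choice: the outcome is whatever second factor the user prefers.
    return ctx.get("preferred_mfa", "otp")

NODES = {
    "bot_check": bot_check, "password": flag("password_ok"), "device": device,
    "mfa_choice": mfa_choice, "push": flag("push_approved"), "otp": flag("otp_ok"),
}

# Wiring is data: each outcome names the next node or a terminal state.
TREE = {
    "bot_check": {"human": "password", "machine": FAILURE},
    "password": {"true": "device", "false": FAILURE},
    "device": {"known": SUCCESS, "unknown": "mfa_choice"},
    "mfa_choice": {"push": "push", "otp": "otp"},
    "push": {"true": SUCCESS, "false": FAILURE},
    "otp": {"true": SUCCESS, "false": FAILURE},
}

def evaluate(tree, nodes, ctx, start="bot_check", max_steps=32):
    """Walk the tree; return (result, path). Unwired outcomes and loops fail closed."""
    current, path = start, []
    for _ in range(max_steps):
        if current in (SUCCESS, FAILURE):
            return current, path
        outcome = nodes[current](ctx)
        path.append((current, outcome))
        current = tree[current].get(outcome, FAILURE)
    return FAILURE, path

if __name__ == "__main__":
    ctx = {"password_ok": True, "device_id": "d-2", "known_devices": {"d-1"},
           "preferred_mfa": "push", "push_approved": True}  # constructed sample
    print(evaluate(TREE, NODES, ctx))
```

The returned path doubles as an audit trail of which signals were evaluated for a given login.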

But not all signals or “nodes” are purely related to security. The end user consuming a service or application is a critical stakeholder in how it should be designed and operated. Signup and signin features need to be unnoticeable. To quote Coco Chanel: “Dress shabbily and they remember the dress; dress impeccably and they remember the woman.” Deliver a poor end user login process and you immediately create a barrier to the service or application you are trying to build trust with.

5 Steps to be “Authenti-great”

But what were the problems we were trying to solve? Every ForgeRock customer uses authentication. Every (OK, nearly every) web service out there requires authentication of some sort - even anonymous authentication is not really anonymous. So what is intelligent authentication fixing?

  • Improved end user choice - as an end user I want much more control over how I am identified - which device I use, which MFA option I want to use and when and so on.  Can that be done dynamically and responsively?

  • Improved device analysis - as both an end user and a security administrator I want to provide flexible login journeys that vary based on the device being used - a mobile login experience should differ from a laptop one. An Android experience may vary compared to iOS with Face ID, for example.

  • Improved threat detection - both end users and service owners want trust - trust is built on security and a key component is being able to integrate malware and botnet detection systems.  Can this be done as a business as usual configuration exercise? Can actors be identified as human or machine? As trusted or untrusted humans?

  • Improved insight - as login is such a critical component of an app or service, how can user and device insight be used to increase personalisation or create adaptive experiences? Can you articulate, for example, how many users in EMEA log in via Android or Chrome v66? Or, do abandoned shopping carts correlate to the login process taking more than 2 seconds?

  • Improve agility - whatever biometric or MFA is chosen today, tomorrow something new will come along. How can CISOs plan and allow business as usual changes to the authentication landscape? Tight coupling and binding of authentication modalities is expensive and increases vendor dependencies and rigidity.

A new array of use cases, stakeholders and decision makers are now involved in the login design process.




What Next?

Start to understand not only your authentication requirements today, but roadmap future requirements - both for your end user community and for your applications.

The Intelligent Authentication video series will help you to understand how intelligent authentication can accelerate end user integration, improve security posture and allow for a future-proofed digital canvas that application and service owners can build upon.


Who Is Simon Moffatt?

Who’s Simon? Simon is a technical product dude here at ForgeRock. He has 16 years working in the identity game at companies like Oracle, Sun Microsystems, and Vaau. At ForgeRock, he helps to design new products - specifically in the Access Management space. Not only is he ambidextrous, but he can design with both hands...oh wait.
