SSO/MFA, Managed Security Services

Does MFA Need a Re-think for Zero Trust Network Access?

Companies are adopting zero trust as an effective security approach in today’s cloud-first world, but the architecture remains a major challenge for many organizations.

And while multi-factor authentication is central to implementing an effective zero trust architecture, it's not a silver bullet that can do it all. Here's why.

What is Zero Trust?

First, here's a deeper dive into the definition of zero trust. CrowdStrike, a cloud security specialist, has a good take: “A security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized and continuously validated for security configuration and posture before being granted or keeping access to applications and data.”

“Trust but verify” is now commonly used to describe zero trust. Interestingly, the phrase has a political background stretching back nearly 50 years. "Trust but verify" is a rhyming Russian proverb, famously used by President Ronald Reagan in the 1980s when discussing U.S. relationships with the Soviet Union. The tech industry has embraced it for zero trust technology.

In other words, zero trust assumes that every request for access is a potential threat and it requires organizations to continuously monitor and validate that a user and their device has the correct privileges and attributes.

It’s a policy and framework that will become more customized in 2024, said Almog Apirion, chief executive and co-founder of Cyolo, an Israeli secure access specialist.

“To address mounting pressure from the federal government to bolster zero trust defenses, organizations will transition from compliance-centric security to customized, asset-focused zero trust strategies,” Apirion said. “In 2024, we can expect organizations to prioritize crafting zero trust strategies that align with their specific objectives and risks.”

MFA Can't Do It Alone

Along those lines, the authentication system multi-factor authentication (MFA) is central to zero trust architecture in that it reinforces the principle that trust is not automatically given to any user or device. It’s widely believed to be highly secure when it provides many identification factors.

Now, however, some security experts believe MFA needs a rethink. As such, MFA is “no longer the silver bullet for authentication woes,” said Mike Wilson, founder and chief technology officer at Enzoic, a Boulder, Colorado-based security provider.

As he explained, “In 2024, I think we’ll see a collective recognition that MFA is no longer a security fail-safe. We’ve seen instances of infostealers being used to bypass MFA, and this will only intensify as enterprises continue the mass migration to MFA. There will also be further erosion of SMS-based MFA something that is still ubiquitous throughout consumer authentication as a 'better than nothing' approach despite being rejected by cybersecurity pros for years.

“Push-notification-based MFA, long considered a secure option, is now being undermined as well. These MFA weaknesses will converge in 2024, forcing the cybersecurity community to adopt a more modern, layered approach to authentication.”

MFA Market Forecasts

So, with zero trust trending up and traditional MFA perhaps under a review, where does the MFA market stand, according to analysts? In a word, it's a bullish market.

In its latest market sizing report, ResearchandMarkets pegs the sector to more than double from $15.2 billion in 2023 to $34.8 billion by 2028 at a compound annual growth rate (CAGR) of 18%.

The MFA market is “propelled” by key factors framing its “growth trajectory,” including the rising number of market breaches, sophisticated cyberattacks and the lack of skilled cybersecurity professionals to hamper market growth, the researcher said.

While ResearchandMarkets does not segment the market by the number of factors as other researchers do. For example, 360ResearchandReports takes a more conservative outlook as it considers MFA by two, three, four and five factors. The market watcher estimates MFA will grow by a CAGR of 10.4% in 2028, progressing from $12.2 billion in 2022 to $22.1 billion in 2028.

On the other hand, Allied Market Research expects the MFA market, which it valued at $10.3 billion in 2020, to quadruple to $40 billion by 2030 at a CAGR of 18%.

Of note, none of these three reports mentions zero trust as a factor in MFA’s growth. Rather, the reports rely on the proliferation of cyberattacks and emerging technologies, such as artificial intelligence (AI), face and fingerprint recognition and other factors to catapult the sector forward.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.