Akamai Pushes Phish-Proof Multi-Factor Authentication


    Akamai Technologies launched Akamai MFA, which the vendor says is a phish-proof product that lets enterprises quickly deploy FIDO2 multi-factor authentication (MFA) without hardware security keys. Instead, the MFA product uses a smartphone app.

    More enterprises don’t use MFA that requires a physical security token because “it’s too heavy of a process for users to get behind,” said Tony Lauro, director of security technology and strategy at Akamai. “Users don’t want to carry a security token, and they may not always have their [hardware security] keys when they go to authenticate an app. So we said: what is a security token, a physical key, that everybody has in their possession and that they always have on them? Their mobile phone.”

    MFA is important because it mitigates the risk of an attacker taking over an employee’s account, and FIDO2 is the industry standard for delivering secure MFA. MFA approaches that do not use FIDO2 can be easily manipulated by attackers using phishing or man-in-the-middle attacks.

    “If you were to Google MFA bypass, there’s a few hundred YouTube videos that show people how to bypass MFA,” Lauro said. “And it’s my opinion that once something gets to a YouTube tutorial level, it’s easy enough for anyone to copy. Existing MFA, and I don’t want this to sound too flagrant, but it amounts to security theater, in the sense that for someone to bypass the technology it’s either a technical hack or a process.”

    Last year’s high-profile Twitter hack “was a little bit of both,” he said.

    Akamai’s solution to this problem is a low-friction approach to authentication, and it doesn’t get more low-friction than a user’s mobile phone.

    Akamai MFA, which is available now, is deployed on the Akamai Intelligent Edge Platform and can be activated and managed centrally via Enterprise Center. The service integrates with identity providers including Microsoft Azure AD, Okta, and Akamai’s own Enterprise Application Access. Additional integrations are supported for Secure Shell (SSH) and Windows Login use cases.

    Free Tier for Page Integrity Manager

    In addition to its phish-proof MFA, Akamai also recently made available a free tier for its client-side edge security service called Page Integrity Manager. This service focuses on the client side of applications (in browsers), where end users submit and access personally identifiable information (PII) needed for payments and account access, and protects against Magecart and other web skimming attacks.

    Akamai’s Page Integrity Manager monitors client-side activity and alerts on suspicious activity. The company says the product protects over 1.7 billion page views every month and analyzes more than 3.5 billion script executions every day. It alerts companies to about 40 million suspicious and malicious end-user interactions that are seen every week.

    Offering a free tier lets companies “sample this technology to help raise visibility into what the problem set currently is, and how we can help,” Lauro said. It provides real-time alerting and risk scores for suspicious activity, along with single-button mitigation, for free.

    Once customers gain visibility into the attempted script attacks, they can upgrade to a paid version that includes Akamai’s additional security services.


