WHAT IS MULTI-FACTOR AUTHENTICATION?

It’s an all-too-common occurrence: a bad actor has managed to get their hands on employee login information and is now seeking access to a corporate network, along with all of the sensitive information it contains. Thankfully, the bad actor runs into an issue. Because they’re using an unrecognized device, they are asked to confirm their identity via multi-factor authentication (MFA), often by providing a code sent to a mobile device or using biometrics through an authentication application.

In short, MFA can help prevent those who have wrongfully obtained login information from gaining access to an organization’s network. While it was initially slow to catch on, it's now considered a building block of cybersecurity, both on an individual and organizational level, and has become widely adopted. MFA is so widely accepted, in fact, that the National Cybersecurity Alliance has named MFA as one of its four key behaviors of focus for National Cybersecurity Awareness Month (NCAM).

Like other types of security solutions, though, MFA should never be considered a “set it and forget it” solution. For MFA to provide an effective layer of security, organizations must follow best practices.

HOW CAN MULTI-FACTOR AUTHENTICATION FALL SHORT?

MFA won’t necessarily look the same for every organization, but MFA processes can fall victim to a lot of the same threats: phishing and social engineering. Motivated hackers could try to intercept an authentication code through a fake website via a man-in-the-middle attack, for example; or they could try to intercept a session cookie in what is known as a pass-the-cookie attack.

Attackers can take aggressive approaches to bypass MFA. If an attacker were to target an employee whose organization uses SMS authentication, for example, the attacker could gain control of the employee’s phone number associated with the authentication process through a SIM swap scam. Alternatively, a hacker could employ a technique known as MFA fatigue—an attack in which the target’s device is bombarded with nonstop MFA notifications by the attacker until they confirm their identity, therefore granting the attacker access.

5 MULTI-FACTOR AUTHENTICATION BEST PRACTICES

1. CHOOSE A TRANSPARENT AND HONEST VENDOR

The successful implementation of MFA begins long before your organization’s employees begin using it or even learning how to use it. Organizations must first ensure that the MFA vendors they’re considering are honest and transparent about their products. Does a potential vendor make any bold claims, like having a “silver bullet” or “unhackable” solution? Do they specify what kind of encryption and cryptography their products use? Even if your security leaders don’t run into any red flags, will the product be easy to deploy across the entire organization and scale as it grows? These are all important questions to ask before choosing an MFA solution.

2. EDUCATE AND SUPPORT EMPLOYEES

Both before and during the deployment of your organization’s MFA solution, it’s incredibly important to bring your employees up to speed on what MFA is (assuming your organization has never had a solution in place before), how it helps to protect your organization’s critical assets, and why employees should feel the need to use it. Consider holding thorough training sessions that serve as an introduction to MFA, go into detail about why some factors are considered more secure than others, teach employees how to avoid phishing and social engineering attacks, and show what using an MFA solution will look like in practice. This will help to ensure employee buy-in before and during its rollout.

3. DEPLOY MFA ACROSS THE ENTIRE ORGANIZATION

Implementing MFA across your entire organization, rather than in silos, is considered more secure and helps to reduce your organization’s attack surface. This is particularly applicable to organizations with large remote workforces, whose employees are accessing servers and handling sensitive data from outside the corporate network.

4. PRIORITIZE EASE OF USE

At this point in your organization’s MFA implementation, your security leaders may have already chosen a solution, know to apply the solution to every area of the business, and perhaps have even begun the process of educating employees. But before rolling out your MFA solution, it’s important to configure it properly while prioritizing ease of use for your employees.

When an MFA system is difficult for employees to use, several issues can emerge including MFA fatigue, MFA workaround, overworked IT staff, and a general lack of buy-in across the organization. Ultimately, if an MFA solution is too difficult or troublesome for employees to use, it can lead to more problems than solutions.

There will almost inevitably be an adjustment period for employees when MFA is first rolled out, but employees’ initial frustrations can be alleviated by ensuring your MFA solution is configured to be user-friendly. This can be accomplished by pairing MFA with a single sign-on (SSO) application, for example, so as to deter burnout associated with having to sign into several applications separately. Employees should also be given choices as to what factors they can use, whether that means using biometrics to confirm their identity, a code received through SMS or an authentication app, or a physical security key, among other factors.

5. CONSIDER EMPLOYING ATTACK-RESISTANT FACTORS

Ease of use should be a big priority in the implementation of MFA across your organization, but it should never come at the expense of security. While employees should be given the option to choose between different authentication factors, they should also be knowledgeable about the security differences between factors. For example, employees should understand the risks associated with SMS authentication, and specifically, the chance of falling victim to a SIM swap scam. And when security leaders are considering which factors to allow employees to choose from, a good question to ask is, “which employees need good enough, better, and best security?”

Employees should be encouraged to use attack-resistant factors. FIDO authentication, which uses public-private key cryptography, for example, has been dubbed by the Cybersecurity and Infrastructure Security Agency (CISA) as the gold standard and most secure form of MFA.