Multi-factor authentication (MFA) is an essential part of your security setup. It gives much stronger assurance that a user is who they claim to be when logging into their digital accounts, by requiring at least two independent proofs of identity before access is granted.
With a surge in the number of people choosing to work a hybrid or at-home model, maintaining secure accounts is becoming more important than ever. How can account security be maintained when users can log in from their work desktop, their home laptop, or their cell phone? MFA gives an added layer of certainty that only valid users can access important accounts. This helps protect your organization against credential-based threats such as phishing, credential stuffing and brute-force attacks, although, as discussed below, not every factor resists phishing equally well.
There are a lot of different MFA solutions on the market today, so it can be tricky to work out which one is best for your business. As part of your selection process, you may want to demo a few solutions to see how they work. This is a great opportunity to ask the vendor any questions you might have about their product.
Now, we will explore six questions to ask when looking for an MFA solution.
What Are The Different Authentication Factors Offered?
An authentication factor is a way of proving identity. It can be something you know (knowledge), something you have (possession), or something you are (inherence). We would recommend a solution that offers several factors in each category, so that users have a range of ways to verify their identity and admins can select the ones that fit the way your organization works. Note that two factors of the same type (for example, a password plus a security question) are not true multi-factor authentication.
Knowledge
This is a piece of information known only to users who have access to the account. Most commonly this is a password or passcode, but sometimes a "security question" is required to gain access. This type of knowledge is "static" because it has a predetermined answer.
The problem with static passwords and security questions is that they can be easy to guess, or bought in databases of historical password breaches on the dark web. Common security questions ask for your mother's maiden name, your first school or the name of your pet; these are all things people post on social media, so they are easy to uncover with a little research.
"Dynamic" knowledge-based authentication (KBA) uses continually changing information, making it more relevant and harder to guess. You might be asked about a recent transaction or trip, for example. Because the correct answer changes over time, a leaked answer quickly loses its value to an attacker. This method is commonly used when authenticating transactions, though it remains a knowledge factor and is weaker than a possession or inherence factor.
Possession
OTP
The most common possession factors are one-time passcodes (OTPs) sent via email or SMS. You will usually have to enter this passcode into a web browser or app before you are allowed into the account. This factor relies on the security of your mailbox or phone number as the means of verification: being able to read the message is taken as proof that you are the correct user. Be aware that these are the weakest possession factors. SMS codes can be captured through SIM-swap fraud or telecom-network attacks, email codes through a compromised mailbox, and both can be phished, since the user types the code into whatever page asked for it. NIST SP 800-63B classifies SMS delivery as a "restricted" authenticator, so treat SMS and email OTPs as a fallback rather than the primary method.
Software Token
Alternatively, if you have an authenticator app, it can generate a time-based one-time passcode (TOTP). Nothing is sent to the phone: at enrollment the app and the server share a secret (usually delivered as a QR code), and both derive the current code from that secret and the current time, so a code is valid only for one time step (typically 30 seconds). Some apps instead send a push notification that the user can simply tap to approve. Because users are already familiar with this type of authentication, it can be rolled out seamlessly. Push approval does have a known failure mode: attackers who hold a stolen password can flood the user with prompts until one is accepted by mistake ("push fatigue" or "MFA bombing"). If a vendor offers push notifications, ask whether admins can rate-limit requests and lock the account after a set number of denied or unanswered prompts, and whether the prompt requires the user to enter a number shown on the login screen, since both measures help prevent this kind of MFA bypass.
Hardware Token
Requiring the account owner to present a physical device alongside a second factor is one of the most secure methods of authentication, since an attacker is unlikely to obtain both the knowledge and the hardware. A debit or credit card is a familiar example: you can only spend money when you use the physical card and enter the (knowledge-based) PIN. Vendors like Yubico and HID offer specialized security keys with near-field communication (NFC) and anti-tampering features.
Security keys commonly implement the open FIDO standards (the original U2F and its successor, FIDO2/WebAuthn), which are very robust and effective protocols. The key holds a private key that never leaves the device; the service stores only the matching public key, and each login is a signature over a fresh challenge that is bound to the website's origin. Because there is no shared secret to steal and a signature for one site is useless on another, this design resists phishing, password theft and replay attacks in a way that typed codes do not.
Inherence
An inherence factor is something that is inherently "you". With smartphones having face recognition and fingerprint scanners, biometric authentication is more accessible than it has ever been. Beyond face and fingerprint, some companies have developed behavioral biometric tools. TypingDNA, for example, monitors the way you type (micro-traits, frequency and typing interval) to verify your identity. An inherence factor is hard for a remote attacker to impersonate, but it comes with two caveats: a biometric cannot be changed if its template is leaked, and on a phone the biometric usually just unlocks a key stored on the device, so the phone itself is the real possession factor. Use biometrics alongside another factor rather than on their own.
What Devices Can Be Used To Authenticate Identity?
The answer to this question will correlate with the way your organization operates. There are a number of dedicated hardware solutions that provide a high level of security but can be expensive and unnecessary for the level of security that your organization requires. Equally, you might want a security card that has a high level of security and can be used as physical identification for your premises too.
One of the most common authentication devices is the cell phone that your users already own. Users can easily register a cell phone by scanning a QR code – this ensures that including MFA in your security set up is frictionless and doesn’t affect employee productivity.
Alternatively, you may want to set up hardware keys as a secure means of verifying identity. A hardware token is a physical object (like a key, memory stick, or smart card) that can be used to authenticate identity. Some hardware keys can connect via Bluetooth or NFC (near-field communication) to streamline authentication. You can use a passcode or fingerprint scanner in conjunction with a hardware key.
Depending on the level of security you need, hardware OTP tokens can be used. These devices display an authentication code that is continually refreshed. Because the code is generated on the token and never travels over a network, it cannot be intercepted in transit the way an SMS or email code can, though the user still types it in, so it remains vulnerable to a convincing phishing page.
With possession factors, you should consider what a user will be able to have with them when they need to get into their account. Manufacturing or particularly secure environments might not allow users to have their cell phones with them, so an SMS-based OTP or authenticator app wouldn't help there, whereas a hardware token or security key would.
What Happens If Users Lose Their MFA Devices?
With so much emphasis placed on OTPs and hardware security keys, it's important to understand how an MFA provider handles a lost device. You want to ensure that the account is kept safe, whilst still allowing the user to regain access through another verification method. Because MFA does not depend on any one type of authenticator, a well-designed deployment can adapt to different users' ways of working.
If a user loses their device, the account administrator should be able to deactivate that device so that nobody else can use it to gain access, and should be able to enroll a replacement easily. In the meantime, the user should be able to fall back to an alternative factor. For example, if the user loses their cell phone, they might use an email OTP to verify their identity and log in. Keep in mind that an account is only as strong as its weakest enrolled factor, so a recovery path should be at least as hard to abuse as the primary login, and recovery events should be logged and reviewed.
Many MFA providers offer backup codes to recover account access. It is important to manage how these codes are stored and used: each code should work only once, the service should store only a hash of each code (as it would with a password), and anyone holding a plaintext copy can use it to get in. Equally, if a user keeps them on their cell phone and then loses that phone, they have no way of using the recovery codes; they should be kept somewhere separate from the device they are meant to replace.
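The following is an added example, not code from the original article or from any MFA vendor, showing how a service can issue backup codes and store them safely: the codes are generated from a CSPRNG with an alphabet that avoids confusable characters, only a salted PBKDF2 hash of each code is retained, and redeeming a code consumes it so it can never be reused. The class and method names, the code format and the iteration count are choices made for this example.

```python
import hashlib
import hmac
import secrets

# Alphabet without 0/O, 1/l/I so codes can be read back from paper reliably.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
PBKDF2_ITERATIONS = 100_000  # example value; tune to your latency budget


def normalize(code: str) -> bytes:
    """Accept user input with any case, spaces or dashes."""
    return "".join(ch for ch in code.lower() if ch in ALPHABET).encode()


class BackupCodeStore:
    """Server-side record for one user: salted hashes only, each single-use."""

    def __init__(self) -> None:
        self._entries: list[tuple[bytes, bytes]] = []  # (salt, pbkdf2 hash)

    @staticmethod
    def _hash(code: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code, salt, PBKDF2_ITERATIONS)

    def issue(self, count: int = 10, length: int = 10) -> list[str]:
        """Generate fresh codes, replacing any unused ones; return plaintext once."""
        self._entries = []
        plaintext: list[str] = []
        for _ in range(count):
            raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
            salt = secrets.token_bytes(16)
            self._entries.append((salt, self._hash(raw.encode(), salt)))
            plaintext.append(f"{raw[:5]}-{raw[5:]}")  # shown to the user exactly once
        return plaintext

    def redeem(self, code: str) -> bool:
        """Consume a code if it matches an unused entry; False otherwise."""
        candidate = normalize(code)
        for index, (salt, stored) in enumerate(self._entries):
            if hmac.compare_digest(self._hash(candidate, salt), stored):
                del self._entries[index]  # single use: remove the matched entry
                return True
        return False

    def remaining(self) -> int:
        return len(self._entries)


if __name__ == "__main__":
    store = BackupCodeStore()
    codes = store.issue()
    print("issued:", codes)
    print("redeem once:", store.redeem(codes[0]))
    print("replay:", store.redeem(codes[0]))
    print("remaining:", store.remaining())
```

Rate-limit `redeem` per account just as you would password attempts, and warn the user when only a few codes remain, since a user with zero codes and a lost phone is back to a manual reset through your helpdesk.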
What Integrations Are Offered?
Most online accounts offer the opportunity to enable MFA, with many taking a risk-based approach – MFA is required when registering, using a new device, or changing account settings. Setting this up is usually as simple as ticking a box in the account settings panel. From there, users have to link the account with an authenticator app – LastPass, Authy and Microsoft Authenticator are all popular options. These apps are a convenient way to access TOTPs for all your accounts, in one place.
Most MFA providers have worked to ensure that integration with common accounts is easy. Microsoft 365, Box, Evernote, DropBox, Slack, Salesforce, and Google Workspace are some of the most common workplace accounts that have MFA features ready to go. MFA is not limited to online accounts though. MFA can be used to authenticate access to VPNs and other software programs, too.
It’s important that your chosen solution integrates easily with all of the common apps that your users are signing into on a daily basis. This will make the solution easier to deploy, as well as reduce friction in the login process for your end users.
Is Adaptive Authentication Available?
We would recommend using adaptive authentication to streamline your login process, whilst ensuring your accounts are secure. Adaptive authentication understands your user’s normal behavior, and can step up security protocols if any behaviour is suspicious.
Adaptive authentication is a means of balancing security risk with usability by deciding when it is appropriate to require MFA. Some high-security organizations might require MFA every time an account is accessed, but this does not have to be the default. Rather than setting a fixed frequency of authentication, adaptive authentication pulls in contextual signals to make an informed decision.
By monitoring when and where a user usually accesses an account, the software can build up a picture of usual habits. If there is a login attempt that does not sit within this pattern, the attempt can be flagged, and a further authentication factor can be required.
For example, if an account is usually accessed in Pasadena between 9:00 – 18:00, a login attempt at 5:13 from Berlin would be flagged as suspicious. Rather than blocking the account – this could still be a valid login attempt – adaptive authentication will require a further verification factor to be passed, before allowing access.
Other contextual warning signs include the use of a new device, the sensitivity of the resource being accessed, a login from a network or location that would have required impossible travel since the last one, and use of an outdated OS. As users continue to use their accounts, the behavioral baseline gets more accurate and specific, so genuinely anomalous behavior stands out more clearly while routine logins are challenged less often.
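To show what such a decision looks like in practice, here is an added example (not the article's own, nor any vendor's risk engine) of a small rule-based scorer that turns the signals above into an allow or step-up decision. The baseline (a user who normally works from the Los Angeles area on a known laptop during office hours), the signal weights, the threshold and the 1000 km/h impossible-travel limit are all constructed assumptions for the example; the previous-login data would come from your authentication logs.

```python
import math
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Baseline:
    """What the system has learned about a user's normal logins (constructed)."""
    usual_countries: set[str]
    work_hours: tuple[int, int]          # local time, inclusive start, exclusive end
    known_devices: set[str]
    last_login_utc: datetime
    last_login_latlon: tuple[float, float]


@dataclass
class Attempt:
    """Context of the login currently being evaluated."""
    country: str
    local_hour: int
    device_id: str
    os_supported: bool
    at_utc: datetime
    latlon: tuple[float, float]


@dataclass
class Decision:
    action: str                              # "allow" or "step_up"
    score: int
    reasons: list[str] = field(default_factory=list)


# Example weights and threshold; tune these against your own false-positive rate.
WEIGHTS = {"unusual_location": 30, "off_hours": 15, "new_device": 25,
           "outdated_os": 10, "impossible_travel": 50}
STEP_UP_THRESHOLD = 25
MAX_PLAUSIBLE_KMH = 1000.0   # roughly airliner speed


def haversine_km(a: tuple[float, float], b: tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def travel_speed_kmh(base: Baseline, attempt: Attempt) -> float:
    hours = (attempt.at_utc - base.last_login_utc).total_seconds() / 3600
    if hours <= 0:
        return float("inf")
    return haversine_km(base.last_login_latlon, attempt.latlon) / hours


def assess(base: Baseline, attempt: Attempt) -> Decision:
    reasons = []
    if attempt.country not in base.usual_countries:
        reasons.append("unusual_location")
    if not (base.work_hours[0] <= attempt.local_hour < base.work_hours[1]):
        reasons.append("off_hours")
    if attempt.device_id not in base.known_devices:
        reasons.append("new_device")
    if not attempt.os_supported:
        reasons.append("outdated_os")
    if travel_speed_kmh(base, attempt) > MAX_PLAUSIBLE_KMH:
        reasons.append("impossible_travel")
    score = sum(WEIGHTS[r] for r in reasons)
    # Step up rather than block: an anomaly may still be the legitimate user.
    return Decision("step_up" if score >= STEP_UP_THRESHOLD else "allow", score, reasons)


# Constructed baseline: last login from Pasadena at 18:00 local (01:00 UTC next day).
PASADENA = (34.15, -118.14)
BERLIN = (52.52, 13.40)
USER = Baseline({"US"}, (9, 18), {"laptop-7f3a"},
                datetime(2024, 5, 2, 1, 0, tzinfo=timezone.utc), PASADENA)

if __name__ == "__main__":
    routine = Attempt("US", 10, "laptop-7f3a", True,
                      datetime(2024, 5, 2, 17, 0, tzinfo=timezone.utc), PASADENA)
    odd = Attempt("DE", 5, "phone-unknown", True,
                  datetime(2024, 5, 2, 3, 13, tzinfo=timezone.utc), BERLIN)
    print(assess(USER, routine))
    print(assess(USER, odd))
```

The Berlin attempt in the example trips four signals at once, including impossible travel (about 9,300 km in just over two hours), so it is stepped up; the routine Pasadena login from the known laptop during office hours passes with no challenge at all. In a real deployment the reasons list is worth writing to your SIEM alongside the outcome, because a step-up that the user then fails is a strong indicator of a compromised password.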
How Is The MFA Solution Costed?
Some services offer a subscription model, based on the number of active users, while other services charge per authentication. Depending on the number of users your businesses has and the regularity of the authentication, one option may prove more cost-effective than another.
Subscription models offer multiple plans depending on the level of service and features required. These typically range from $3 per user per month to $9 per user per month. The more expensive plans usually offer features that improve your security posture, such as device vulnerability analysis and greater control over which devices can be used (e.g., whether a wearable counts as a valid authenticator). With cost-per-authentication plans, costs are usually a couple of cents per authentication.
It is worth considering how often your employees will need to login, to work out which pricing structure suits the way you work. Frequency of authentication can be configured by admins, to ensure that users do not have to use MFA more than necessary, whilst ensuring accounts are kept secure.
For instance, do you want your employees using MFA every time they log in to their account? Is that once a day, each morning and afternoon, or do they only need to verify their identity weekly? Should they only authenticate if other contextual factors suggest there is something suspicious going on?
When thinking about the cost of an MFA solution, it is important to consider training time. While MFA solutions are easy to implement and use, taking the time to ensure your users understand how the system works improves your security posture. Rather than relying on MFA alone to keep accounts safe, users will understand that an unexpected push notification means someone else has their password and should be denied and reported, and that a phishing email asking them to share a code with someone claiming to be "from IT" is exactly the attack MFA is meant to stop. You might choose to use a formal training session, or one run by your own IT team.
For more about Security Awareness Training (SAT), read our article here.
Summary
There is a wealth of vendors offering MFA solutions to improve your account security. It’s critical that you consider your business’ specific needs when comparing solutions, and research different products to find the one that best fits your requirements.
MFA is an essential part of your security set up. If you need help finding the right vendor for your needs, take a look at our list of The Top Multi-Factor MFA Solutions For Business.