“Don’t put all your eggs in one basket” is a good life lesson, and one that absolutely applies to information security. The best way to protect networks and devices from harm is to have multiple layers of security in place, rather than relying on a single solution. But with the rise of cloud applications, even data that is stored across multiple cloud and on-prem locations has just one access point that must be secured: our digital accounts.
We all know how frustrating it can be to manage digital accounts and passwords. Managing hundreds of passwords is never easy, especially when every password needs to be unique and complex; too often, this makes them impossible to remember. Accounts are also increasingly targeted by cybercriminals. Account takeover attacks rose by 20% last year, with cybercriminals developing more sophisticated ways to compromise passwords and hack accounts.
So, what’s the takeaway? If all your eggs are in one basket, secure that basket. The best way for businesses to secure their user accounts is with multi-factor authentication (MFA), a security standard that requires users to verify their identity via two (or more) methods of authentication before they can gain access to accounts.
Many digital services offer multi-factor authentication for accounts as standard, which users can turn on themselves. There is also a range of third-party solutions (both paid and free) which organizations can implement to enforce multi-factor authentication across corporate accounts and devices. The best of these solutions include configurable policies, remote controls, and customizable reports for admins to help manage and secure access for all employees and users, whether they are working in an office or remotely at home.
In this article, we’ll talk through why multi-factor authentication is important, and our top tips for evaluating and choosing an MFA solution.
Why Does Your Organization Need Multi-Factor Authentication?
First and foremost, MFA significantly reduces the risk of a breach. As we’ve covered, account takeover attacks are on the rise, and cybercriminals are investing a lot of effort in compromising corporate accounts through brute force password attacks, social engineering, and password theft. With an extra layer of account security in place, it becomes much, much harder for cybercriminals to compromise accounts and access corporate data.
Multi-factor authentication secures business accounts by enforcing additional authentication requirements, or factors, on top of the standard username and password; research indicates MFA can prevent over 99.9% of attacks that target user credentials. Multi-factor authentication typically includes the following factors:
- Knowledge: something the user knows, such as a password or a secret answer
- Possession: something the user has, such as a smartphone or a security token
- Inherence: something the user is, such as a fingerprint scan or facial recognition
It is often difficult for admins to know which users have access to which applications, and what security measures are in place to protect the data associated with those accounts. MFA ensures that critical security is in place across all corporate applications, and the best enterprise solutions include policy configuration options to ensure all applications have the right levels of authentication applied to them.
MFA can also help organizations meet compliance regulations, such as PCI-DSS. Data privacy policies are increasingly putting more pressure on organizations to secure customer data and employee access to that data. Multi-factor authentication can be an important way for organizations to meet these compliance needs, and its use is recommended by many organizations that advise on compliance for data protection regulations, such as GDPR.
How Should You Evaluate A Multi-Factor Authentication Solution?
So, we know how important MFA is to secure our digital accounts. But how can you find the right MFA solution for your organization?
There are a few ways you can implement MFA. Often, individual services allow you to enforce MFA across connected apps and services. Two popular examples of this can be seen within Microsoft Office 365 and Google Workspace, both of which allow admins to configure MFA for users.
There are also a number of “free” multi-factor authentication solutions that enable admins to enforce authentication standards as part of an open-source platform or service. While this may seem convenient, these services are often complex to configure and don’t provide the in-depth controls and policies that admins need to secure account access.
To evaluate an MFA solution, we’d recommend researching several solutions and implementing free trials or interactive demos of the solutions that best fit your use cases.
Recommended Solution: Duo Security
Our recommended solution for organizations considering multi-factor authentication is Duo. Duo is a multi-factor authentication solution that enables secure access to corporate applications using the principles of zero trust. Duo uses risk-based multi-factor authentication to secure application access, analyzing users’ login behavior based on adaptive risk factors and granular admin policies.
Duo enables seamless, easy configuration and management across all of your applications. The solution is simple to deploy and highly scalable, suitable for cloud, on-premises, and hybrid network environments. Duo also offers over 120 pre-built integrations, enabling it to secure access to all corporate accounts and services, including custom applications and device logins. You can read our full review of the Duo Access solution here.
What Should You Consider When Choosing An MFA Solution?
To help you get started finding the right multi-factor authentication for your organization, here are some tips to consider as you compare and evaluate different solutions.
1) User-Friendly Authentication
Ease of use is perhaps the single most important consideration when choosing an MFA solution. If your end users cannot easily access their corporate accounts, you’ll see major drops in productivity and a lot of support tickets, as people will turn to the IT department for help.
The best way to avoid this problem is to look for an MFA solution that offers a wide range of authentication options. The most common type of MFA that users will be familiar with is one-time passcodes (OTPs), but there are also many other methods of authentication available.
Users should be able to choose between getting push notifications sent to their smartphones via a mobile application or using U2F keys and biometric authentication such as facial recognition or a fingerprint scan.
It should also be very easy for users to create an account and choose their preferred MFA options. Modern, easy-to-use applications and intuitive user interfaces will go a long way. It’s also important that you make sure everyone in the organization knows the importance of MFA, and the security benefits it can offer.
Of course, it’s unavoidable that at some point or another, a user will become locked out of their accounts when using multi-factor authentication. If you’re using a smartphone for SMS codes for example, it can easily get lost or stolen, preventing a user from receiving verification codes. This can be a major annoyance for users and a headache for IT teams, especially with basic or free MFA solutions that don’t offer central admin controls.
MFA services like Duo mitigate this problem by allowing users to have two authentication devices in use at any given time: a primary device and a backup device. If one is stolen, the second can be used to ensure accounts can still be accessed. Your chosen solution should also enable admins to easily reset account access from the management console, so users can quickly regain access to their accounts if needed.
2) Look for Broad Coverage Of Authentication Use Cases
Considering which accounts and services you need to secure with multi-factor authentication is hugely important to finding the right solution. Do you need to secure just one application, or all of your users’ accounts? What about on-premises applications, or custom applications your organization has developed internally?
Our recommendation is to look for a solution that will allow you to easily enforce multi-factor authentication across all your users’ applications and services. While some free or bundled MFA solutions may provide protection for just a few applications and cover only a few use cases, it’s important that every account is protected, and even better when there is a central admin location to manage all connected applications and users.
The best MFA solutions provide authentication for a broad range of use cases and applications, so you don’t have to pick and choose which apps you want to secure and which to leave unprotected. Platforms like Duo allow admins to protect any system that requires users to log in. Duo even enables MFA when signing into local devices offline, for Windows and macOS.
You may also require security for custom applications, or a combination of cloud and on-premises applications, so it’s important to find a solution that handles these specific use cases. Of course, not every organization will require all these features, and basic MFA can provide adequate protection if you have only a small number of use cases and narrow security requirements. But largely, we recommend looking for a comprehensive solution that can fully secure all workplace users and applications.
3) Easy Deployment And User Onboarding
Deploying MFA will be a major step forward in protecting your organization against account takeover and data loss. But it’s critically important that the solution you choose can be easily deployed across all your corporate applications and services.
The deployment process for MFA can be complex with the wrong solution, with time-consuming configurations needed to onboard users across your different applications. This can be even more complex if your network environment comprises a mix of on-premises, cloud-based and custom applications. But there are some key features to look out for which make onboarding users much easier.
We recommend looking for solutions that allow users to self-enroll, which will save admins a lot of time when it comes to onboarding. End users should be able to set up their preferred methods of authentication and devices without admins having to deal with that level of granularity.
Many large organizations will also already have user directory services, such as Microsoft Azure Active Directory. We recommend looking for a solution that integrates with your directory for easier management and automatic user enrolment. Duo, for example, integrates with Active Directory services to automatically onboard all users, and automatically revokes access when users are removed from the original directory service.
You should also look for extensive documentation and support options to help you through the initial deployment process, as well as support for Active Directory syncs and user self-enrolment.
4) Check The Pre-Built Integrations Available
Integrations are extremely important when it comes to multi-factor authentication, and to identity services in general. Whichever solution you choose needs to integrate with a wide range of applications and services, both to authenticate your users’ access and to help you more easily manage your security stack.
First of all, it’s important to consider which pre-built integrations the solution supports. The best MFA providers offer pre-built integrations with hundreds of the most popular business applications, which allows you to more easily protect and manage MFA across the applications your users access on a daily basis.
However, it’s likely there will be some integrations you need which are not available off the shelf, such as custom applications your organization has developed, or more industry-specific applications.
For this reason, we recommend looking for a solution which supports custom integrations with applications and services. Duo supports generic integrations with any applications that use the LDAP, RADIUS or SAML standards, while also providing pre-built integrations with over 120 enterprise applications.
In addition, we recommend considering solutions that offer tight integrations with other security products. This ensures that you can more easily manage your security services, and means you have access to much more streamlined reporting and analytics. Look for integrations with other identity providers, as well as password managers, endpoint security solutions, and other business applications.
5) Admin Controls And Policies
One of the main benefits of implementing a multi-factor authentication solution is that it provides admins with far more control over access to corporate data and applications. This is also a key principle of zero trust, the security model in which user access is continuously verified and granted only on a need-to-have basis.
For this reason, the admin controls and policies available are hugely important when choosing an MFA solution. We recommend looking for a solution that allows you to configure policies at a per-application level, at a user and group level, and at a global level. Per-application and per-group policies allow you to enforce extra protections for certain applications which may be highly sensitive, or for groups of high-risk users, such as C-level executives.
Global policies can help ensure a baseline of access security is applied across the organization. Duo allows admins to configure policies that determine how unenrolled users are treated in the system, which devices, browsers and networks can access corporate accounts, and which factors can be used to verify identities.
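The three policy levels described above, as an added illustration (this is example code written for this article, not Duo’s or any vendor’s implementation). It assumes a precedence of group over application over global, where each level only overrides the settings it sets and inherits the rest; the policies and the user attributes are constructed sample data.

```python
"""Hypothetical MFA policy resolver: global baseline, per-application and
per-group policies merged with the assumed precedence group > app > global."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample policies. A level lists only the settings it overrides.
GLOBAL_POLICY = {
    "unenrolled": "enroll",            # enroll | allow | deny for users with no device
    "factors": {"push", "totp", "u2f", "sms"},
    "networks": None,                  # None = any source network is acceptable
    "managed_device": False,           # require an endpoint the organisation manages
}
APP_POLICIES = {
    "payroll": {"factors": {"push", "u2f"}, "managed_device": True},
}
GROUP_POLICIES = {
    "executives": {"factors": {"u2f"}, "unenrolled": "deny"},
    "contractors": {"networks": {"10.0.0.0/8"}},
}


@dataclass
class Attempt:
    user: str
    groups: tuple
    app: str
    enrolled: bool
    factor: Optional[str]
    source_ip: str
    managed_device: bool


def effective_policy(app, groups):
    """Merge global -> application -> group settings; later levels win."""
    policy = dict(GLOBAL_POLICY)
    policy.update(APP_POLICIES.get(app, {}))
    for group in groups:               # groups applied in listed order; last wins
        policy.update(GROUP_POLICIES.get(group, {}))
    return policy


def evaluate(attempt):
    """Return (decision, reason) for one login attempt under the merged policy."""
    p = effective_policy(attempt.app, attempt.groups)
    if not attempt.enrolled:
        return (p["unenrolled"], "user has no enrolled device")
    if p["networks"] is not None:
        ip = ipaddress.ip_address(attempt.source_ip)
        if not any(ip in ipaddress.ip_network(n) for n in p["networks"]):
            return ("deny", f"source {attempt.source_ip} is outside permitted networks")
    if p["managed_device"] and not attempt.managed_device:
        return ("deny", "unmanaged device")
    if attempt.factor not in p["factors"]:
        return ("deny", f"factor {attempt.factor!r} not permitted for {attempt.app}")
    return ("allow", "policy satisfied")
```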
We’d also recommend looking for a solution with high levels of documentation around policy configurations. Sometimes granular configurations can be overwhelming, so ensure that there are adequate support materials available to help you manage admin controls and policies. A modern, easy-to-use admin console is also very helpful in this regard, which you’ll be able to test at the trial/demo stage.
6) Reporting And Analytics
Another key benefit of MFA is that it gives you a much better oversight and understanding of your organization’s security landscape. This is not only beneficial for improving your security processes but can also demonstrate the security tools you have in place to protect account access for compliance and auditing purposes.
For this reason, the reporting and analytics available should be one of the top things you look for when considering the pros and cons of an MFA solution.
Reports should be easily accessible in the admin console. When trialing a solution, look for the amount of information shown, and the ability to easily generate, schedule and access reports. Reports should be easy to find and easy to export, allowing you to see all the information you need at a glance, as soon as you need it.
You’ll likely want to generate reports specific to your business needs, but we recommend looking for a solution which offers the baseline functionality of detailed overviews of how many users are deployed in the service, how many users have been locked out due to failing login attempts, any security events and detailed authentication logs.
The best authentication providers will also provide reports that detail when and where authentication attempts are taking place, with information about the devices and operating systems in use. This can be extremely helpful for detecting malicious logins and revoking access to unsecured or compromised devices.
Duo, for example, displays the device name, operating system and model, along with security warnings such as verification methods being disabled, all from the admin console dashboard.
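The kinds of review the reporting section above calls for (lock-outs after repeated failures, pushes a user rejected, and successful logins from a device not seen before), run over constructed authentication log lines. This is an added example, not any vendor’s export format or code: the JSON field names, threshold and sample events are all assumptions made for the example.

```python
"""Summarise MFA authentication logs for admin review.

Log lines are constructed JSON records; field names are assumed for this example."""
import json
from collections import Counter, defaultdict

LOCKOUT_THRESHOLD = 5   # assumed; in practice this mirrors the admin lock-out policy

# Constructed sample log, already in timestamp order.
SAMPLE_LOG = """
{"ts":"2024-03-04T08:01:10Z","user":"alice","app":"vpn","result":"success","factor":"push","ip":"203.0.113.5","device":"iPhone 13","os":"iOS 17"}
{"ts":"2024-03-04T08:05:44Z","user":"bob","app":"payroll","result":"failure","reason":"denied_by_user","factor":"push","ip":"198.51.100.7","device":"Pixel 7","os":"Android 14"}
{"ts":"2024-03-04T08:06:02Z","user":"bob","app":"payroll","result":"failure","reason":"denied_by_user","factor":"push","ip":"198.51.100.7","device":"Pixel 7","os":"Android 14"}
{"ts":"2024-03-04T08:07:15Z","user":"bob","app":"payroll","result":"failure","reason":"no_response","factor":"push","ip":"198.51.100.7","device":"Pixel 7","os":"Android 14"}
{"ts":"2024-03-04T08:08:30Z","user":"bob","app":"payroll","result":"failure","reason":"no_response","factor":"push","ip":"198.51.100.7","device":"Pixel 7","os":"Android 14"}
{"ts":"2024-03-04T08:09:41Z","user":"bob","app":"payroll","result":"failure","reason":"no_response","factor":"push","ip":"198.51.100.7","device":"Pixel 7","os":"Android 14"}
{"ts":"2024-03-04T09:12:03Z","user":"alice","app":"wiki","result":"success","factor":"totp","ip":"192.0.2.44","device":"Windows laptop","os":"Windows 11"}
{"ts":"2024-03-04T09:30:19Z","user":"carol","app":"vpn","result":"success","factor":"u2f","ip":"203.0.113.9","device":"ThinkPad X1","os":"Windows 11"}
""".strip()


def parse_log(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize(events):
    """Build the overview an admin would want: counts, lock-out candidates,
    users who rejected a push, and successes from a previously unseen device."""
    failures = Counter()
    reasons = Counter()
    push_denied = set()
    seen_devices = defaultdict(set)      # baseline built from this log only
    new_device_logins = []
    for e in events:
        if e["result"] == "failure":
            failures[e["user"]] += 1
            reasons[e.get("reason", "unknown")] += 1
            if e.get("reason") == "denied_by_user":
                push_denied.add(e["user"])   # user rejected a push they did not start
            continue
        fingerprint = (e["device"], e["os"])
        if seen_devices[e["user"]] and fingerprint not in seen_devices[e["user"]]:
            new_device_logins.append((e["user"], e["ts"], fingerprint, e["ip"]))
        seen_devices[e["user"]].add(fingerprint)
    return {
        "successes": sum(1 for e in events if e["result"] == "success"),
        "failures": sum(failures.values()),
        "failure_reasons": dict(reasons),
        "lockout_candidates": sorted(u for u, n in failures.items() if n >= LOCKOUT_THRESHOLD),
        "push_denials": sorted(push_denied),
        "new_device_logins": new_device_logins,
    }
```

A user who denies a push they did not initiate is a strong signal that their password is already known to someone else, so that list is worth reviewing before the lock-out list. In a real deployment the device baseline would come from a longer history rather than the same batch of events.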
7) Consider The Total Cost Of Ownership
Price will be a key consideration for any organization when choosing an MFA solution. But our key recommendation here is to consider the total cost of ownership, and not just the initial cost of set up.
To break this down, there are a number of “free” MFA providers that claim to cost nothing to set up. Services like Microsoft Authentication are included with some business plans, and so may seem like the most cost-effective option for deploying MFA.
However, it’s important to remember that these solutions will not provide many of the features discussed in this article, such as covering a broad range of MFA use cases, offering reports and analytics, integrations with custom applications or admin controls and policies. Some MFA vendors may also have lower onboarding costs but additional fees down the line, such as added costs for securing certain applications.
It’s also worth mentioning that some solutions may claim to be low-cost but actually require you to spend more money in terms of admin overhead or outside contractors. Weaker MFA solutions can take a lot of time to set up and manage, particularly when they don’t offer comprehensive support documentation online. Because of this, the setup and support costs are often much lower with an established, paid-for solution than with a “free” service.
We’d recommend looking for a solution with clear, per-user pricing models to avoid the problem of hidden fees. Look for an established, scalable solution that can help you minimize overhead costs in deployment and support.
Also, be prepared to trial a number of solutions. MFA will affect all of your users, so make sure you test the solution for user-friendliness, how well it meets your use cases, whether your users will adopt it as a new security tool, and whether it’s worth the cost.
MFA is a powerful tool that can vastly improve your organization’s access security. It addresses the “password problem” within account security, which puts your users and corporate data at risk, so finding the right solution is critically important for security teams.
But a successful MFA solution will be used by everyone in your organization, so it’s also important to find a solution that everyone can get on board with. By following these considerations, you can find a rounded, flexible service that will work for both admins and end users.
Expert Insights’ recommended MFA solution is Duo. Duo Security is a market-leading authentication and access management provider which offers several powerful security features, including multi-factor authentication with seamless end-user access and granular admin controls, alongside powerful reporting and customization.