Which is the right MFA solution?

We can all agree that if you want to protect your organization’s data, you will need to enforce multi-factor authentication (MFA) for your users. But the challenge to balance, implement, and train users to manage MFA effectively is a burden many organizations would rather not face.

Remote employees, online users, and external partners further contribute to the challenge by providing new avenues for cyberattacks and account takeovers. This is especially true if the user’s authentication method is weak. While it is everyone’s responsibility to protect company data assets, organizations cannot count on everyone to perform this due diligence all the time. 

This lack of due diligence begs the question, are there better ways to manage identity? The answer is yes and it is MFA.  But which MFA is right for you?

Let’s review some of the multi-factors and how unique attributes can be used to boost digital identity security and help you decide which MFA solution is right for your organization.

Knowledge factors. Known as “something you know” is knowledge-based authentication and typically a memorized secret / password or an answer to a secret question. It is the simplest and most ubiquitous form of authentication.

Possession factors. Known as “something you have” is a registered hardware device such as a security token or a mobile phone with a piece of software that may receive or generate a unique number via SMS or with a synchronization. 

Inherence factors. Known as “something you are” is used in biometric verification (i.e. Biological traits of the user). These factors include iris and retina scans, fingerprints, hand geometry, facial recognition, and forms of voice recognition.

In addition to these human specific factors there are several other factors that can be introduced at the time of authentication. These are helpful if not imperative for any non-human authentication like machine-to-machine logins. These factors contribute to an assessment of the authenticity of the login request but should never be the only deciding factor as they should prompt for additional credentials or step-up authentication such as location, time, and behavioral.

Location factors. Known less commonly as “somewhere you are” , the user is authenticating from a location and the system compares it to more common locations previously recorded to determine the authenticity of the login request. The location is typically detected using GPS or derived from the IP address of the machine or browser session.

Time factors. Known as “some time it is”, the current time either on the service or at the location of the login is assessed in reference to the location. For example, if a banking request is more commonly performed at 8 AM – 5 PM PST in New York, and then suddenly at 3 AM in Los Angeles, it’s flagged as suspicious because it doesn’t reflect previous access times. 

Behavioral factors. Known as “some behavior we are used to” includes assessing behavioral tendencies unique to a user from previously recorded behavior such as typing speed, finger pressure on the keypad, voice intonation, and swiping and mouse patterns. Behavioral biometrics has been around for many years and is being advanced each year as it’s usually considered less intrusive and more secure than physical biometrics.

So, what is the right MFA solution for your organization?

The right MFA solution is the one that balances the security needs of the organization, has 100% user adoption, creates the least amount of friction, and costs less than the data it protects or a potential breach it prevents.

So how do you compare the MFA technologies against your needs and ensure this technology is future proof?

1. First balance risk with your needs. Not all digital assets or systems need to be prompted for 2FA or MFA at every login. Don’t mistake this sentence for conveying that not every application requires MFA. They do. But evaluate as if every authentication request requires MFA. For example, do you need it for 3rd party SaaS apps like Slack or Monday.com after every logout? 
2. Forecast your anticipated growth. Will the MFA solution need to be easily accessible and usable for all employees or will vendors or contractors be required to use it while accessing your systems? Is the technology future proof and does it leverage current standards like U2F vs Fido2 W3C?
3. Simplify your objectives. Do you need a fingerprint and token? FaceID with retinal scanning? Usually, an app is much simpler for deployment and control, but always implement a mobile device policy to ensure your users use approved mobility devices and institute passwords on all their devices.  Many PC and MAC’s now have Fido2 W3C compatible faceID or touchID options. Passwords protect your VPN and monitor traffic. There are a number of ways to institute MFA without burdening the service desk or having the employee track a special card or token.
4. Choose readily available options that users are familiar with. Microsoft and Google provide simple push notification options that can be registered with your application or single sign-on service or directly with some IAM systems. The more common the MFA Solution, the easier it is to protect and administer. Usually, a trusted company will continuously improve its security and expand its support natively with popular online systems. If you have a mixed computing environment, choose a service that includes self-service and reset options or account lockout. If your IAM solution doesn’t already embed an MFA solution make sure that you use a service that has high availability on a trusted cloud service. Remember if they go down, you go down!
5. Choose MFA alternatives that aren’t bound to any one mobile device. Consider another MFA solution like using FaceID or a web-based service protected by CAPTCHA from other machine hacking devices to reduce the likelihood of impersonation.
6. Select an IAM solution that includes an MFA solution but doesn’t lock you in.

Choosing the right MFA is a matter of what makes the most sense for your business. If your IAM solution comes with an MFA service or “app”, constantly evaluate its ease of use and manageability. Balancing your user’s needs with your business risk will pay off in the long term. 

MFA will also make your GRC Officer sleep a whole lot better when used correctly.