Strong passwords are no longer strong enough for most businesses or even personal accounts containing sensitive information. If a password is your only line of defense, it becomes simple for a cybercriminal to gain access. They can gain access through keylogging, an employee slip-up, or the reuse of passwords. Multi-factor authentication (MFA) steps in to protect your information by requiring users to input a security code before accessing specific data or making changes to accounts or settings. With MFA, a password alone is not enough for a hacker to gain access. This gives you an extra level of protection from cybercriminals.
How Multi-Factor Authentication Works
As mentioned, multi-factor authentication involves inputting another security code before gaining access or making changes. This code replaces the username and password fields. There are a few options available, letting you choose the one that works best for your business. You can have the system send the security code to that person’s mobile phone via text message or to their email address. Alternatively, you can require multi-factor authentication via an application, such as Google Authenticator. This last option is sometimes considered the most secure due to the extra layer of security within the application. With your improved understanding of multi-factor authentication, it is time to take a look at its best practices.
Choose the Appropriate Technology
There are several technologies available for multi-factor authentication, and your policy should include whichever technology (or technologies) best meet your needs. One-Time Passwords (OTP) involves an authentication device that stores a shared seed. The authentication takes place by the system generating a single-use passcode that is based on the secret of the token.
Certificate-Based Authentication (CBA) uses both a public and a private encryption key. Each key is unique to the person possessing it and the authentication device. These devices can ensure non-repudiation and work for digital signatures.
Finally, context-based authentication relies on contextual information to figure out whether a user’s identity is accurate. It should complement other technologies but not necessarily stand alone.
Require Multi-Factor Authentication Everywhere
The absolute best practice when it comes to multi-factor authentication is to require it across the board for all users. At a minimum, you need to require it when accessing sensitive information or making changes to important settings. However, a piecemeal approach to MFA can leave you susceptible. What happens if you miss an important access point? Avoid that problem by requiring it for everything, including endpoints, privileged commands, servers, and on-premise and cloud resources and applications.
Or Opt for Context-Based Requirements
Some businesses do not want to deal with the hassle of having to use multi-factor authentication for every login or action. They see it as a waste of time and can frustrate employees. If this is the case, be very thorough when creating your list of instances when MFA is required. At a minimum, require MFA for the first login from a specific device and when accessing sensitive information or performing changes with far-reaching effects.
Supplement this with some context-based requirements that trigger an adaptive step-up methodology. In this situation, a user would be able to access their account from a familiar device without using multi-factor authentication. However, if the system noticed something unusual about the location, device settings, network, time of day, or day of the week, it would automatically step up the security requirements, enforcing MFA. This method can reduce user frustration from constantly having to log in with multi-factor authentication. It also saves wasted time while taking advantage of the extra security from MFA.
Make User Experience a Priority
When it comes to enforcing multi-factor authentication for your business security, make sure to prioritize the user experience. Employees will not adopt multi-factor authentication if the user experience is bad. The best way to prevent a poor user experience and encourage adoption is to offer multiple methods. Instead of limiting the MFA methods to just a smartphone app, let employees choose the method. Just some options include text messages, phone calls, security questions, emails, soft tokens, hardware tokens, and biometrics.
Combine It with Other Measures
To further enhance your multi-factor authentication solution, be sure to combine it with other related measures. For example, least privilege access will ensure that each employee can only access the information and applications needed to complete their jobs. The access can always be increased based on need, but this method reduces the risk due to shared accounts or compromised credentials. Single sign-on (SSO) prevents each new cloud application or service from needing multiple passwords. This provides a more streamlined and user-friendly experience that does not sacrifice security. Using SSO will eliminate the risk of employees reusing passwords that are weak and not stored securely.
Ensure Multi-Factor Authentication Is Practical
Ensure that your multi-factor authentication solution is interoperable with the current IT infrastructure. Otherwise, you will need to either scrap the MFA solution or do a complete system overhaul, either of which will waste time and effort.
You must also ensure that your solution complies with the standards like Open Authentication (OAuth) and Remote Authentication Dial-In User Service (RADIUS). OAuth is the open technology standard enabling various solutions to provide strong authentication for all users across all networks and devices. RADIUS is the networking protocol with centralized authentication, accounting management, and authorization for those who use a network service.
Take Time to Reevaluate Your Policy
Just like all of the security policies in place on your network, do not just create a multi-factor authentication policy and then leave it in place. The vulnerabilities associated with networks are always changing, with cybercriminals adapting to new technology to get ahead. Additionally, IT infrastructure constantly changes, as do the applications we use and even the mechanisms and solutions available for authentication. Because of this, you must regularly assess your MFA policy to ensure that it accounts for all known threats and uses the strongest multi-factor authentication methods currently available.