Multi-factor authentication (MFA) has become the standard for almost any workforce utilizing IT systems. It creates an extra layer of defence against malicious actors attempting to access corporate resources.

However, it is not something that can just be implemented and forgotten about; due consideration must be given to ensuring an organization’s MFA is as effective as possible, as malicious actors are still able to get around this requirement.

Aligning solutions with business needs

While it’s tempting to simply use what is available with your authentication provider or just use whatever system is the least disruptive and most time-efficient (while yes, we do want those things also), it is vital that the organization looks at their needs and chooses the most appropriate system.

Most MFA providers (and authentication providers that provide MFA) have options in what way MFA is provided.

• One-time passwords – delivered by token, SMS, or through an application.
• Hardware devices – security cards, badges, FOBs, etc.
• Biometrics – Retinal scans, fingerprint scans, facial scans, etc.
• Contextual security – Location data, network awareness, and even activity.

Often, successful MFA will combine these systems to increase their level of security further. Commonly, One-time passwords delivered via SMS or application are used alongside contextual security focusing on location data.

Network-wide implementation

At its base, MFA is meant to protect corporate data from malicious access. This means putting a lock on any access point to your secure network, usually endpoints and mobile devices.

Generally, it’s advised to perform an audit to see what devices can access your corporate network and then apply the MFA to all of these devices.

While this should be done for any remote device, this also includes on-premises devices – and the IT team should apply the same level of MFA security on each device.

User training

As is often the case with deployment-wide security implementations, user training is vital. MFA is only secure if the users use it safely; the issue is that with any kind of change, there will be frustration and initial pushback. This is where change management becomes an important and often not considered part of the journey when it comes to MFA. It is important to notify users before the integration of MFA occurs, along with clear reasoning as to why it will be beneficial, as users are more willing to follow protocol if they understand the reasoning. Usually, it is also helpful to provide a step-by-step guide on how to set up MFA and have a source of information for inevitable troubleshooting.

Contextual information

Touched on briefly earlier, contextual information is an extra piece of security that can enhance an MFA strategy. It takes pieces of information on the device in question and its environment and assesses this information against the current IT security policy.

For example, suppose an endpoint attempts to connect with the correct credentials and passes the token check. In that case, another number of checks can occur to ensure the device is in the correct location, the user is updated with the latest OS security patches, or the user is working within a secured environment.

Good MFA policy embraces this extra check of contextual information.

Conclusion

MFA is one of the most accessible and best ways to defend against credential theft and unauthorized access. However, there are ways to ensure it is done correctly and as effectively as possible. An audit of the business needs, as well as an audit of the access points to the corporate network, ensure the organization knows exactly what they need; further, training staff before and during implementation is vital.

Finally, the usage of contextual data will provide an extra layer of defence against unauthorized access or access from unwanted devices.