IT Admin Series: 02 MFA best practices

MFA, multi-factor authentication best practices for on-premises and remote workforces

MFA is not something that can simply be implemented and then forgotten about: an organization must give due consideration to making its MFA as effective as possible, because malicious actors are still able to get around this requirement.

While it’s tempting to simply use what your authentication provider offers, or whichever system is the least disruptive and most time-efficient (both desirable qualities in their own right), it is vital that the organization assesses its own needs and chooses the most appropriate system.

Most MFA providers (and authentication providers that include MFA) offer a choice of how the additional factor is provided:

  • One-time passwords – delivered by token, SMS, or through an application.
  • Hardware devices – security cards, badges, fobs, etc.
  • Biometrics – retinal scans, fingerprint scans, facial scans, etc.
  • Contextual security – location data, network awareness, and even user activity.

Often, a successful MFA deployment will combine these systems to raise the level of security further. Commonly, one-time passwords delivered via SMS or an application are used alongside contextual security that focuses on location data.

At its base, MFA is meant to protect corporate data from malicious access. This means putting a lock on any access point to your secure network, usually endpoints and mobile devices.

Generally, it’s advised to perform an audit to see what devices can access your corporate network and then apply the MFA to all of these devices.

This applies not only to remote devices but also to on-premises devices, and the IT team should apply the same level of MFA security to each of them.

As is often the case with deployment-wide security implementations, user training is vital. MFA is only secure if users use it safely; the issue is that any change brings frustration and initial pushback. This is where change management becomes an important, and often overlooked, part of the MFA journey. Notify users before the MFA rollout occurs, with clear reasoning as to why it will be beneficial, as users are more willing to follow protocol when they understand the reasoning. It is usually also helpful to provide a step-by-step guide to setting up MFA and a source of information for the inevitable troubleshooting.

As touched on briefly earlier, contextual information is an extra layer of security that can enhance an MFA strategy. It takes pieces of information about the device in question and its environment and assesses them against the current IT security policy.

For example, suppose an endpoint attempts to connect with the correct credentials and passes the token check. In that case, a number of further checks can occur to ensure that the device is in the correct location, that it is running the latest OS security patches, or that the user is working within a secured environment.

Good MFA policy embraces this extra check of contextual information.
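The contextual check described above is, in practice, a policy evaluation that runs only after both factors have succeeded. The following is an added example, not code from the article or from any specific identity provider, of such an evaluator: it takes the signals named in the text (location, patch level, secured environment, plus network awareness from the list earlier) and decides allow, allow-with-alert, or deny, returning the reasons so that the decision can be logged. The field names, policy values, and sample sign-in attempts are all constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class AuthContext:
    """What the authentication service knows about one sign-in attempt (constructed schema)."""
    user: str
    password_ok: bool           # first factor verified
    otp_ok: bool                # second factor (token / app code) verified
    country: str                # from geolocation of the client address
    on_corporate_network: bool  # network awareness signal
    last_os_patch: date         # reported by the endpoint management agent
    disk_encrypted: bool        # "secured environment" signal


@dataclass
class Policy:
    allowed_countries: frozenset[str]
    max_patch_age_days: int
    require_disk_encryption: bool
    alert_off_network: bool = True  # off-network sign-ins are allowed but flagged


def evaluate(ctx: AuthContext, policy: Policy, today: date) -> tuple[str, list[str]]:
    """Return (decision, reasons) where decision is ALLOW, ALLOW_ALERT or DENY.

    Context is only consulted once both factors have passed, mirroring the
    order described in the text: credentials, then token, then context.
    """
    if not (ctx.password_ok and ctx.otp_ok):
        return "DENY", ["primary credential or one-time code failed"]

    problems: list[str] = []
    if ctx.country not in policy.allowed_countries:
        problems.append(f"sign-in from disallowed country {ctx.country}")
    patch_age = (today - ctx.last_os_patch).days
    if patch_age > policy.max_patch_age_days:
        problems.append(f"OS patches are {patch_age} days old (max {policy.max_patch_age_days})")
    if policy.require_disk_encryption and not ctx.disk_encrypted:
        problems.append("endpoint disk is not encrypted")
    if problems:
        return "DENY", problems

    if policy.alert_off_network and not ctx.on_corporate_network:
        return "ALLOW_ALERT", ["sign-in from outside the corporate network: log for review"]
    return "ALLOW", []


# Constructed sample policy and a fixed "today" so the demo is reproducible.
TODAY = date(2024, 6, 1)
CORP_POLICY = Policy(
    allowed_countries=frozenset({"GB", "IE"}),
    max_patch_age_days=30,
    require_disk_encryption=True,
)


def sample_attempt(patch_age_days: int = 3, country: str = "GB", on_corporate_network: bool = True,
                   disk_encrypted: bool = True, otp_ok: bool = True) -> AuthContext:
    """Build a constructed sign-in attempt; defaults describe a fully compliant device."""
    return AuthContext(
        user="alice@example.invalid",
        password_ok=True,
        otp_ok=otp_ok,
        country=country,
        on_corporate_network=on_corporate_network,
        last_os_patch=TODAY - timedelta(days=patch_age_days),
        disk_encrypted=disk_encrypted,
    )


if __name__ == "__main__":
    for label, attempt in [
        ("compliant", sample_attempt()),
        ("stale patches", sample_attempt(patch_age_days=60)),
        ("remote worker", sample_attempt(on_corporate_network=False)),
        ("wrong country, no encryption", sample_attempt(country="XX", disk_encrypted=False)),
    ]:
        decision, reasons = evaluate(attempt, CORP_POLICY, TODAY)
        print(f"{label:30} -> {decision} {reasons}")
```

Two design points are worth noting. Every denial carries its reasons, because a contextual check that silently fails is indistinguishable to the help desk from a forgotten password and will generate exactly the pushback the change-management section warns about. And the off-network case is alerted rather than blocked, since remote workforces are a legitimate use of MFA; the policy object makes that choice explicit and reviewable rather than buried in code.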
