Authentication service outage or compromise? How to keep your business running
MFA authentication services underpin many of the systems running in businesses today. But what happens when that authentication service is down or no longer reliable? Planning for the potential pitfalls and challenges in authentication means that your organization won’t be caught off-guard when the worst happens!
Far from theoretical, a recent example was the Twitter SMS problems. Delayed and non-existent two-factor SMS messages meant that legitimate users and customers could not log in to their accounts. It was not always clear that the service was down: delayed messages suggested that the service was working, only in a degraded state, which added to the confusion.
Authentication service outages are often fleeting, but when they occur, they cause havoc with IT service desks. Part of the problem for service desks is that the tools they rely on to solve the problems may be inaccessible due to the outage. Adding to the challenge is the large volume of emails and calls from affected users.
Despite their best efforts, there is only so much a service desk can do other than record the tickets and check the status. The disruption that even a minimal authentication service outage brings is usually significant and challenging to manage.
With authentication services playing such a critical role in any organization, how does one mitigate the impact that an outage can have? There are a few options, and depending on the situation, some may be more palatable than others.
- Disable MFA entirely
- Replace the existing MFA solution
- Quickly switch between MFA solutions as needed
The option you pick depends on the problem at hand, and the options are not mutually exclusive. Proactively planning for an MFA authentication outage, technically and through procedures and training, will position your organization to handle most situations as they arise, saving time and money.
Resorting to disabling MFA may seem necessary in dire situations. With MFA turned off, your organization might fall out of some compliance regulations and/or cyber liability insurance requirements. It will also open your organization up to potential compromise. A malicious actor tracking the outage, especially one affecting a widely used authentication service, may see the removal of MFA as the crack in the protection they need to use a previously compromised weak password and grab a foothold before two-factor is re-enabled.
This response should be considered a last resort option, only to get individuals running if other options are no longer available.
Depending on the outage length, switching out the existing MFA for a new service may be feasible. But, as anyone who has set up MFA services knows, it’s not always trivial to make this switch. There is not only the cost to consider but also the re-enrollment of user devices and the configuration of the service itself. Because re-enrolling user devices is necessary, a considerable amount of time and support is needed to get all users back into the system.
In addition, not all systems may be compatible with the new authentication system. An organization may find that there are legacy systems that worked with the prior system, but not with the replacement.
The best solution is to use multiple MFA solutions and a flexible architecture that can toggle between the MFA services as necessary. A robust system would have fallbacks provided by differing authentication providers.
For example, if the standard authentication service fails (such as an authenticator app), you could fall back to two-factor SMS codes through a service such as Twilio. This way, even if one service is down, no re-enrollment is necessary, and users can get back to work quickly.
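As an added illustration of the toggling architecture described above (example code written for this article, not code from the original post or from Specops), the hypothetical failover chain below tries MFA providers in priority order, parks a provider that keeps failing for a cooldown period, and, when every provider is exhausted, raises an error for the service desk's break-glass procedure instead of letting the login through without MFA. The provider names, the `send` callbacks, the failure threshold and the cooldown are all assumptions.

```python
import time
from dataclasses import dataclass
from typing import Callable, List, Tuple
class ProviderDown(Exception): pass      # a send callback could not deliver a challenge
class AllProvidersDown(Exception): pass  # every provider is unavailable: escalate, never skip MFA

@dataclass
class MfaProvider:
    name: str
    send: Callable[[str], str]   # user -> challenge id, or raises ProviderDown
    failures: int = 0            # consecutive failures seen so far
    disabled_until: float = 0.0  # clock value until which the provider is skipped

class MfaFailover:
    def __init__(self, providers: List[MfaProvider], fail_threshold: int = 2,
                 cooldown_s: float = 300.0, clock: Callable[[], float] = time.monotonic):
        self.providers, self.fail_threshold = providers, fail_threshold  # priority order
        self.cooldown_s, self.clock = cooldown_s, clock   # clock is injectable for tests
        self.log: List[str] = []                           # audit trail of routing decisions

    def challenge(self, user: str) -> Tuple[str, str]:
        """Issue one MFA challenge; returns (provider name, challenge id)."""
        now = self.clock()
        for p in self.providers:
            if now < p.disabled_until:   # parked after repeated failures
                continue
            try:
                cid = p.send(user)
            except ProviderDown as err:
                p.failures += 1
                self.log.append(f"{p.name}: failed ({err})")
                if p.failures >= self.fail_threshold:
                    p.disabled_until = now + self.cooldown_s
                    self.log.append(f"{p.name}: disabled for {self.cooldown_s:.0f}s")
                continue
            p.failures = 0   # a success resets the counter
            self.log.append(f"{p.name}: challenge {cid} issued to {user}")
            return p.name, cid
        # Nothing could challenge the user: hand off to the break-glass procedure
        raise AllProvidersDown(f"no MFA provider could challenge {user}")
def demo() -> Tuple[str, str]:
    """Constructed scenario: the push provider is down, so SMS takes over."""
    def push_send(user: str) -> str:
        raise ProviderDown("push service timeout")   # constructed outage
    def sms_send(user: str) -> str:
        return f"sms-{user}-0001"                     # constructed challenge id
    chain = MfaFailover([MfaProvider("authenticator-app", push_send),
                         MfaProvider("sms-gateway", sms_send)])
    return chain.challenge("alice")   # -> ('sms-gateway', 'sms-alice-0001')
```

Because the provider chain is data, the same users keep their enrolled factors across a switch, and the `log` list gives the service desk a record of which provider handled each challenge during an outage.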
Downed authentication services can cause real damage, frustration, and cost that organizations need not bear if they plan properly. Using multiple MFA services with flexible usage allows an organization to adjust rapidly to an unexpected outage.
Specops Software offers a robust authentication system to ensure that the IT service desk can always verify the identity of callers, with more than 15 supported authentication services for MFA. The same authentication system is used in the self-service password reset solution to ensure that users can always manage or reset their password, even if the preferred authentication service fails. With multiple authentication options for the service desk and password resets, Specops keeps your business running even if an authentication service is unavailable.
For the complete list of supported authentication services for the service desk and self-service password resets, see Identity Services Overview.
(Last updated on January 30, 2023)