Choosing the right factors for your MFA implementation
(Last updated on February 5, 2021)
Passwords alone are not enough to secure business data. Organizations that are solely using passwords for authentication are putting their data at risk.
You can mitigate credential-based attacks with additional security factors during authentication. Whether that is two-factor authentication (2FA), or multi-factor authentication (MFA), anything more than just a password is a good start.
But, what factors should be a part of your “more-than-one-factor” authentication strategy?
In this blog, I want to take a high-level look at the factors that can play a role, highlighting the value of each from both a security and productivity standpoint.
In general, more is better. Too few factors, and authentication is in question. But if it’s too complex, it will negatively impact user productivity.
Something you know
- Passwords – Legacy standard for authentication. Also referred to as “Memorized Secrets” in the NIST 800-63b guidelines.
- Security Questions – Questions that only the credential owner will know the answer to can serve as an authenticator. The trick here is avoiding questions like “Mother’s maiden name?” but instead those whose answers cannot be found online, such as “What was your favorite toy as a child?”
Something you have
- Out-of-Band Verification – This method is widely implemented as verification codes via SMS, or phone calls to mobile devices. The challenge here is that mobile device SIM cards can be hacked to hijack this part of the authentication process.
- One-Time Passwords (OTP) – An authenticator app that provide a single-use passcode. These are usually more secure than an out-of-band solution, as the app is tied to a device which is synced with the server-side of the application.
- Smart Card – This can be virtual or physical, and is considered to be a cryptographic device. Physical devices require a reader, while virtual devices in Windows use a combination of an installed certificate and PIN.
Something you are
- Biometrics – Fingerprints, retina scans, and the such all fit into this category. Use of a physical biometric device or a fingerprint app can be used to meet the requirements of this form of authentication.
- Third-Party Authentication – This is where MFA gets interesting. There are a ton of third-parties that support providing authentication of a user. Microsoft, Google, Social Media sites, and others all offer up an ability to act as an external authentication factor. The catch here is you need to have the user provide these at onboarding.
Which authentication factors should you use?
The more factors that are required, the more disruptive it is to users. I’m a big fan of having varying requirements for different levels of risk within the organization – so the mailroom clerk can use a password or SMS verification code, but the CEO needs to use additional factors.
On a more technical note, the NIST guideline offers three authentication assurance levels (AALs), with each requiring more secure authentication methods. Those may assist in helping you define what’s needed from mailroom to CEO.
To balance the issue of user productivity and authentication security, you need to find a solution that provides flexible MFA. This will enable varying levels of authentication requirements, and allow them to be modified based on user feedback.
The most important part of the password and MFA discussion is doing something. Some form of 2FA or MFA is an absolute must today. There are a ton of authentication options so there’s no excuse to not implement MFA across your organization. Get started – your organization’s security will thank you.