How Much MFA is Too Much MFA?

BrandPost By Chris Carroll
Dec 15, 2016

The goal: Ensure optimum security and preserve user convenience


In today’s sophisticated IT world, relying on simple username and password authentication is no longer enough to ward off the growing volume and variety of cyberattacks. Because multi-factor authentication (MFA) requires multiple methods for identification, it’s one of the best ways to prevent unauthorized access to corporate data.

At the same time, however, MFA must be reasonably easy to use to ensure high acceptance—adding too many steps can limit widespread adoption. In order to make MFA as painless and easy to use as possible, and avoid “too much MFA,” organizations should choose from a selection of authentication methods. What follows is a list of considerations to keep in mind when implementing MFA.

Deploying MFA across the enterprise

To best secure resources and encourage user adoption of standardized authentication processes, organizations should implement MFA across the enterprise. In contrast, deploying MFA only for certain apps, users, or resources leaves your organization exposed. Implementing MFA across every user (end users and privileged users), and every IT resource (cloud and on-premises apps, VPNs, endpoints, and servers) effectively blocks cyberattacks at multiple points in the attack chain.

Leverage context for adaptive MFA

Organizations should use an adaptive, step-up MFA approach based on context, versus an “always on” approach. This allows authentication requests to leverage contextual information such as location, network, device settings, and time of day when confirming identity. Adaptive MFA also improves the user experience—rather than constantly asking for MFA credentials, the user is only asked to provide an additional authentication factor when necessary.
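A minimal risk-based policy evaluator of the kind the paragraph describes, added here as an illustration (it is not code from the original post or from any vendor product). Each contextual signal the post names (network, device, location, time of day, plus whether the account is privileged) contributes to a score, and the score decides between accepting the password alone, stepping up to a second factor, or refusing the attempt. The address ranges, thresholds, weights and user profiles are constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed corporate address ranges (assumption; 203.0.113.0/24 is RFC 5737 documentation space).
CORPORATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed thresholds: at or above STEP_UP_AT a second factor is required,
# at or above DENY_AT the attempt is refused without offering a second factor.
STEP_UP_AT = 20
DENY_AT = 70


@dataclass
class UserProfile:
    usual_countries: frozenset   # countries this user normally signs in from
    known_devices: frozenset     # device identifiers registered to this user
    privileged: bool = False     # privileged accounts always step up


@dataclass
class LoginContext:
    user: str
    source_ip: str
    country: str     # e.g. derived from IP geolocation
    device_id: str   # e.g. from a device certificate or enrolled agent
    login_at: str    # ISO 8601 timestamp with a UTC offset
    resource: str


def risk_score(ctx: LoginContext, profile: UserProfile):
    """Add up the contextual signals and return (score, reasons)."""
    score, reasons = 0, []
    ip = ipaddress.ip_address(ctx.source_ip)
    if not any(ip in net for net in CORPORATE_NETWORKS):
        score += 20
        reasons.append("off corporate network")
    if ctx.device_id not in profile.known_devices:
        score += 30
        reasons.append("unregistered device")
    if ctx.country not in profile.usual_countries:
        score += 30
        reasons.append("unusual country")
    when = datetime.fromisoformat(ctx.login_at)
    if when.tzinfo is None:
        raise ValueError("login_at must carry a UTC offset")
    hour = when.astimezone(timezone.utc).hour
    if hour < 6 or hour >= 22:
        score += 10
        reasons.append("outside business hours")
    if profile.privileged:
        score += 20
        reasons.append("privileged account")
    return score, reasons


def decide(ctx: LoginContext, profile: UserProfile):
    """Return ('allow' | 'step_up' | 'deny', score, reasons) for one login attempt."""
    score, reasons = risk_score(ctx, profile)
    if score >= DENY_AT:
        return "deny", score, reasons
    if score >= STEP_UP_AT:
        return "step_up", score, reasons
    return "allow", score, reasons


# Constructed sample profiles used by the demo below.
ALICE = UserProfile(usual_countries=frozenset({"US"}), known_devices=frozenset({"laptop-01"}))
ADMIN = UserProfile(usual_countries=frozenset({"US"}), known_devices=frozenset({"laptop-01"}),
                    privileged=True)


def demo():
    """Run a few constructed login attempts through the policy."""
    attempts = [
        (LoginContext("alice", "10.1.2.3", "US", "laptop-01", "2016-12-15T15:00:00+00:00", "crm"), ALICE),
        (LoginContext("alice", "198.51.100.7", "US", "laptop-01", "2016-12-15T15:00:00+00:00", "crm"), ALICE),
        (LoginContext("alice", "198.51.100.7", "DE", "tablet-99", "2016-12-15T02:00:00+00:00", "crm"), ALICE),
        (LoginContext("admin", "10.1.2.3", "US", "laptop-01", "2016-12-15T15:00:00+00:00", "vpn"), ADMIN),
    ]
    return [decide(ctx, profile) for ctx, profile in attempts]


if __name__ == "__main__":
    for verdict, score, reasons in demo():
        print(verdict, score, reasons)
```

The reasons list is what makes such a policy auditable: logging it alongside the verdict lets the security team see why a user was (or was not) prompted, and the same signals feed the periodic assessment the post recommends later.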

Opt for a standards-based approach

Compliance with standards such as Remote Authentication Dial-In User Service (RADIUS) and Open Authentication (OATH) helps ensure that your MFA solution can integrate and operate with your existing IT infrastructure.
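The OATH algorithms the paragraph refers to are published as HOTP (RFC 4226) and TOTP (RFC 6238), and the practical meaning of "standards-based" is that any conforming token and any conforming server produce the same codes. The following added example (not code from the post or from any vendor) implements both from the standard-library HMAC primitive and checks itself against the published RFC test vectors; the `TotpVerifier` class is the server-side part, which also tolerates a small clock drift window and refuses to accept a code twice. The secret used is the one from the RFC test vectors, not a production value.

```python
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HOTP per RFC 4226: HMAC over the big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1, t0: int = 0) -> str:
    """TOTP per RFC 6238: HOTP with the counter set to the current time step."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int((for_time - t0) // step), digits, algorithm)


class TotpVerifier:
    """Server-side check: accepts codes from neighbouring time steps (clock drift) and
    remembers the last accepted step per user so the same code cannot be replayed."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self._last_step = {}   # user -> last accepted time step (in-memory for the example)

    def accept(self, user: str, secret: bytes, code: str, now=None) -> bool:
        if now is None:
            now = time.time()
        current = int(now // self.step)
        for delta in range(-self.window, self.window + 1):
            candidate_step = current + delta
            # Reject any step at or before the last one already used by this user.
            if candidate_step <= self._last_step.get(user, -1):
                continue
            expected = hotp(secret, candidate_step, self.digits)
            if hmac.compare_digest(expected, code):
                self._last_step[user] = candidate_step
                return True
        return False


def rfc_self_check() -> bool:
    """Compare against the published RFC 4226 (HOTP) and RFC 6238 (TOTP, SHA-1) vectors."""
    hotp_ok = hotp(RFC_TEST_SECRET, 0) == "755224" and hotp(RFC_TEST_SECRET, 1) == "287082"
    totp_ok = (totp(RFC_TEST_SECRET, 59, digits=8) == "94287082"
               and totp(RFC_TEST_SECRET, 1111111109, digits=8) == "07081804"
               and totp(RFC_TEST_SECRET, 1234567890, digits=8) == "89005924")
    return hotp_ok and totp_ok


if __name__ == "__main__":
    print("RFC vectors match:", rfc_self_check())
    verifier = TotpVerifier()
    code = totp(RFC_TEST_SECRET)
    print("first use accepted:", verifier.accept("alice", RFC_TEST_SECRET, code))
    print("replay accepted:", verifier.accept("alice", RFC_TEST_SECRET, code))
```

A real deployment stores the last accepted step durably rather than in a dictionary, and keeps the drift window small: every extra step the server accepts multiplies the number of codes an attacker could guess at.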

Provide a choice of authentication factors

Because user experience is critical for a successful MFA implementation, organizations need to balance user convenience with adequate levels of security. A “one-size-fits-all” approach to authentication factors doesn’t allow organizations to implement a solution that suits the needs of different user populations. Today, there is a wide range of authentication methods available, including:

  • Hardware tokens
  • Soft tokens
  • SMS text messages
  • Automated phone calls
  • Automated emails
  • Security questions
  • Biometrics

Conduct periodic assessments

Last but not least, because security vulnerabilities and the threat landscape are constantly changing, organizations should conduct periodic MFA assessments. This helps ensure the chosen MFA technology meets the evolving needs of users and the organization.
