Making Multi-factor Authentication Easy to Use

BrandPost By Crystal Bedell
Jan 05, 2017

A user-friendly approach to MFA can boost security and increase adoption

istock 531249946
Credit: iStock/BeeBright

Compromised credentials are a common means of unauthorized access. Attackers use a legitimate username and password to obtain access to network resources and, if needed, escalate privileges in order to access valuable systems and data.

Multi-factor authentication (MFA) can help reduce the risk of compromised credentials—but unfortunately many organizations deploy MFA in silos, which still leaves them vulnerable to attack. To be effective, MFA must be deployed everywhere: across both end and privileged users, and across all enterprise resources—cloud and on-premises applications, VPNs, endpoints, server logins, and privilege escalation. At the same time, to ensure adoption, MFA must also be easy to use.

Make MFA Adapt, Not Your Users

Security and ease of use are often directly in conflict with each other. If a new security control requires users to make significant changes to their work processes, you can count on poor adoption. The number 1 way to improve MFA’s ease of use (and increase adoption) is to make it adapt to your users, not the other way around.

With adaptive MFA, context-based policies govern when MFA is needed. Users authenticate with a first factor, which is usually a password. The authentication process checks contextual information such as location, network device settings, and time of day to determine whether the user is who they claim to be. If the context doesn’t match the pre-defined policy, then the system requests a second authentication method.

Adaptive MFA improves the user experience while also improving security. Users are only asked to provide an additional authentication factor when necessary, in turn limiting the operational overhead associated with stronger security controls. If a user attempts to log in from the corporate network on a managed device, access may be granted with only a password. However, if a user attempts to log in from an unknown network on an unmanaged device, MFA can require a second form of authentication.

Give Users a Choice

A wide variety of authentication techniques are available, and for good reason—different user populations have different needs. Unfortunately, there is no one-size-fits-all authentication technique. To ensure MFA adoption, organizations need flexibility. An MFA solution should let users choose from a variety of authentication methods, including:

  • Hardware tokens – A small hardware device, such as a smart card or key fob, that generates a one-time passcode (OTP). Users must carry the hardware token, which can be lost (or stolen).
  • Soft tokens – A software-based token or application (such as a smartphone app) that generates an OTP. Organizations (and users) often prefer software tokens over hardware because they leverage a device the user already has, and the tokens themselves are easier and less expensive to distribute. Of course, smart phones can also be lost or stolen.
  • SMS/text message – The user receives an OTP via SMS or text message.
  • Phone call – The user receives a phone call via a registered phone number and provides the correct response to a voice prompt. A phone call, unlike an SMS or text message, does not require a smartphone.
  • Email – The user receives a link via email. Clicking on the link completes the authentication process.
  • Security questions – The user answers a pre-determined question. This approach is often used by financial services websites.
  • Biometric – The user provides a fingerprint or retina scan to authenticate their identity. This authentication factor offers more robust security (it is more difficult to compromise), but tends to be costlier to implement.

Integrate with Apps, VPN, endpoints, and PIM

Deploying an MFA solution that integrates with your existing IT infrastructure will also help improve security and facilitate adoption. This requires a standards-based approach. For example, an MFA solution that complies with Remote Authentication Dial-in User Service (RADIUS) can integrate with a VPN that also supports RADIUS, allowing IT to block unauthorized access.

Other standards to consider include Open Authentication (OATH), which delivers strong authentication of all users on all devices, across all networks. Thus, IT organizations can provide secure access to Windows PCs, Macs, and mobile devices with the same factors used across applications and devices. Support for standards such as SAML, WS-Fed, or OpenID Connect allow MFA integration with single sign-on (SSO) solutions. This integration protects access to both cloud and on-premises applications while ensuring that users can still enjoy the ease of use that comes with SSO.

Finally, organizations can strengthen least privilege access by configuring MFA on servers at both login and privilege escalation. This approach reduces the risk associated with shared accounts while allowing IT administrators to elevate their privileges—but only when needed.

All security controls must strike a balance between cost, ease of use, and protection, and MFA is no different. When applied in silos or pockets across different user environments and IT services, MFA can be inconvenient and unsustainable. Moreover, it leaves parts of the environment exposed.

A holistic, user-friendly approach to MFA combines adaptive MFA with federated identity and SSO to help protect credentials against compromise while incorporating additional authentication factors for high-risk/sensitive applications. When applied organization-wide, this approach helps reduce the risk of compromised credentials and protects valuable assets.

For more information, read our MFA guide here.