2018-10-23
In the spirit of National Cyber Security Awareness Month, I wanted to briefly touch on the MFA challenges I've seen and come across, and on what to look for when you search for an MFA solution for your organization. First, be sure to watch my video blog to learn what Multi-Factor Authentication is:
In my experience, the challenges that most organizations face with MFA tend to be:
- Complexity
- The Possession Factor
- Cost
If your organization is looking to implement MFA there are some things you need to look for:
- User Experience
- Security
- Futureproofing
MFA Challenges
Complexity
Each organization has a specific use case, and it can be easy or complex depending on the environment. There are still organizations out there running legacy systems that date back past the Windows XP era. Software compatibility would be a challenge there because it opens up a huge can of worms. Another complexity issue is relying on outside authenticator providers like Google Authenticator, Microsoft Authenticator, or RSA for the soft-token OTP (one-time password) factor. If you aren't setting up automatic updates for those soft-token apps, you may run into login issues.
The Possession Factor
With MFA, one of the factors required is "something the user has". The first thing that comes to mind is the physical hardware token that generates a one-time code each minute. You would need to attach it to your set of car keys or house keys, and it eventually becomes clunky and annoying. Since we are in the age of smartphones and apps, there are soft-token applications that can be used to meet that one-time password requirement. That one-time code would need to be entered after your password during authentication. You also have smart cards, which require a smart card reader, either built into your machine or as a USB smart card reader.
One of the challenges I see with the possession factor is deploying hardware or software tokens. If users are not issued a company phone, they might have an issue with installing the software-token app. Think about this: if they are already using their personal device to receive company email, then they can download the software-token app. The software-token app is just a number generator and it does not ask for personal information. There will also be instances where users don't have smartphones, so then you are going to have to purchase hardware tokens like a YubiKey or RSA token.
Outside of corporate use, everyone is already using their personal device for MFA when logging into their personal email, banks, social media sites, etc. Those services have been ramping up their security and recommending that their users improve security by using MFA, either with a soft token like Google Authenticator and/or SMS.
Cost
When you are trying to deploy MFA in your organization, cost is a challenge. Cloud-based identity management/security vendors license per user, app, MFA factor and support. If your organization wants to deploy hardware tokens, then you would need to price out the cost of those tokens. There are different flavors of tokens: some are USB tokens, and some are key fob tokens.
Some vendors offer appliances that can either be installed in your datacenter or run in the cloud. Depending on the vendor, you will require more than one appliance for high availability.
User Experience
User experience has always been part of my research criteria when I look for solutions. For MFA, you always want it to be easy for users to access their data while keeping it as secure as possible. The user experience begins when they register for MFA and continues through their normal access to applications.
Most solutions have the ability to integrate with the identity provider you use, such as Active Directory. Letting users keep their corporate username and password means they don't have to remember additional credentials for accessing applications. Single Sign-On (SSO) is another way of improving the user experience. SSO provides one password to access multiple applications in one place.
Another great example of user experience is to provide some type of self-service for the users. Users frequently forget passwords or lock themselves out of their accounts. The user would need to call the help desk to help them out, and it can take some time depending on the call wait or ticket queue. MFA solutions nowadays offer a number of self-service processes to help users get back to accessing their data as quickly as possible. Processes include SMS text verification, security questions, a voice call and sometimes a secondary form of contact (email address).
Finding a solution that makes the user experience as easy as possible will make you look like a rockstar to them!
Security
MFA is all about security and adding that additional layer. There are many types of security features to consider, and it all depends on what would fit best for your organization. Look for the following:
- Solid enforcement of strong passwords
- Ability to support modern authentication protocols
- Security policies for:
  - Per-application access
  - User/group sign-on
  - On/off network policies
  - Session lifetime
- Security reporting and visibility
When looking for MFA solutions, I came across vendors like Okta, Duo and Resilient Networks that offer a solid security foundation for MFA. All were really easy to set up and have granular control, but I did like how Resilient Networks has a drag-and-drop style of configuration when it comes to setting up policies.
Another thing to point out is the security reports. Having the ability to create and view reports of lockouts, MFA types, MFA access logs and even geo-tracking of where users are logging in from is good to have. To help out with deployment, some solutions offer a report of users who haven't registered for MFA. But look at it this way: if they haven't registered, then that means they didn't need access to those applications right away.
Futureproofing
The reason I think futureproofing is something to consider when looking for an MFA solution is because, to me, it means reducing costs and improving infrastructure design. When you go through the implementation phases you will find that most MFA solutions only require some type of low-resource agent to connect your infrastructure to the MFA solution. These agents usually reduce the complexity of your infrastructure because you can deploy them on a machine already running in your environment. Of the vendors I looked at, Okta, Duo and Resilient all have those agents, and deployment is really quick and simple. Depending on the size and complexity of the organization, you will find that your processes will require some tweaking. Those tweaks can either add more steps to the process or cut it down. So, if you can find a solution that shrinks your server footprint and reduces or improves on your normal processes, you are one step closer to finding your MFA solution.