Enabling multi-factor authentication (MFA) is one of the best steps you can take to protect your end users’ network access. The threat from poor login security is putting all companies at risk of a breach and non-compliance.
However, research shows that MFA solutions are not being widely adopted, most likely because they are thought to be costly, complex and time-consuming to manage. What’s more, a common misconception exists that a company needs to be a certain size in order to benefit from MFA.
Adopting an MFA solution should be a key security initiative for any company, regardless of size, and can be one of the easiest and simplest ways to keep accounts protected.
Whatever the size of your company, here are six key points to remember when preparing for a successful MFA deployment:
1. Securing logons significantly improves your security stance
- Authentication is at the core of (nearly) every type of attack
Whether accomplished using a remote session, via PowerShell, leveraging a mapping of a drive, or by logging on locally at a console, your network requires that a user authenticate themselves prior to being given any kind of access.
- It limits false positives
The dreaded part of any security solution is the potential for a storm of alerts that turn out to be false positives. With so many users logging on – and at just about any time of the day – it’s critical that IT have solutions in place that are certain about the attack potential, and that take action before the damage is done – not only when IT intervenes.
- It actually can stop an attack
Nearly every security solution on the market claims to stop attacks. Be careful here – does the solution just alert IT to a threat potential, or does it actually take action and stop the attack?
2. Don’t make MFA frustrating for IT departments
IT Departments will quickly dismiss MFA if it proves complex and time-consuming to set up and manage. A survey found that 62 percent of small to mid-sized organizations do not use MFA.
Our own research from 2015 also showed MFA solutions are not widely adopted, with (once again) 62 percent of respondents not using MFA to guard against compromised network credentials.
However, MFA security does not have to be frustrating:
- Focus on solutions that are easy to deploy across all users without the need for additional hardware or software such as tokens.
- Select a solution that works alongside your existing IT infrastructure (and its investment), that can be seamlessly installed without the need to go to each workstation to deploy it and without the need for complex or customized code.
- Most importantly, select an MFA solution that is easy to manage, allows administrators to react quickly to end-user problems, and can scale with your company.
3. MFA must balance user security and user productivity
An organization will not sanction MFA security controls if it believes they are impeding end-users. From a business point of view, security procedures are there to aid and protect the organization as a whole, not hinder the productivity of its employees, and ultimately the profitability of the business.
- Avoid prompting the user for MFA every time. Choose the circumstances and frequency for when MFA is required so that they balance security with user productivity.
- Make it easy and intuitive for the user. For example, hardware tokens or smartphone authenticator applications are highly secure, easy to use and work from anywhere (even offline).
- Be confident in offering more ‘non-MFA circumstances’ by relying on contextual access factors that are transparent to the user (location, time of day, and number of simultaneous connections...).
4. Educate and empower your users to support MFA
Outside of work, most people ignore the option of two-factor authentication. Less than 10 percent of Google accounts have two-factor authentication enabled, and only about 12 percent of Americans use password managers.
Perceptions about the real security merits of two-factor authentication remain, and when left to their own devices, users are probably okay with sacrificing their security for convenience!
But informed employees can act as an important and additional line of defense.
- Alerting end-users themselves when their own credentials are used (successfully or not) helps highlight their own careless user activity.
- Notifications with tailor-made messages and login alerts discourage employees who might be thinking of doing something malicious.
- Alerts empower users to take responsibility for their own trusted access, encouraging them to assess for themselves any suspicious login activity.
5. MFA is not just for privileged users
Sometimes, MFA is primarily seen as being used to protect the most privileged of accounts - Windows local administrator accounts, domain admin accounts, Active Directory service accounts, and anything that has rule over a major part of the network environment. It certainly augments IT’s ability to restrict and respond to privileged account use.
But the real value is realized when it’s used to protect any account with access to critical data, applications, and systems. For example, the user account for the head of Sales doesn’t seem particularly “privileged”, but it does have complete access to your customer database.
6. Get management commitment and buy-in
Using MFA can be one of those things that only the IT department cares about. We know that in many organizations, senior management don’t pay enough attention to the issue of IT security. In order that it be properly enforced from the top down, remind management how IT Security goes beyond keeping your company safe.
- Better security can help you build trust with your customers and supply chains
The perception of security is starting to become a big part in a customer’s decisions on what companies they choose to do business with. New deals can be won if you can demonstrate how seriously you take security.
- Better security can help you remain competitive
Today any business can quickly adopt a new technology to gain new capabilities, improve efficiency and/or reduce costs. But those without effective IT security solutions will have difficulty adopting new technologies and are likely to fall behind more nimble competitors. IT Security should be viewed as an enabler of business solutions, rather than as an unwelcome cost.