A guide to MFA prompt frequency: How often should you require MFA?

Every year, cybercriminals have more opportunities to exploit vulnerable user accounts and gain unauthorized access to corporate networks. Stolen or compromised credentials pose one of the largest financial threats to organizations, at around $4.5m per data breach. Compromised login credentials are the most common initial attack vector.

To protect key assets, organizations can (and should) implement multi-factor authentication (MFA). MFA adds an extra layer of protection to the login process by prompting users for additional verification before granting access. If a genuine user’s credentials fall into the hands of a threat actor, MFA will request further proof of identity — blocking many unauthorized access attempts.

But getting MFA right can be a challenge. You need to protect your systems from unauthorized logins without making life difficult for your end users.

In this blog, we will discuss practical strategies for optimizing MFA prompts — in other words, how to figure out how often you need to require MFA. By applying best practices, you can implement robust security controls and minimize frustration.

What are multi-factor authentication prompts & how do they work?

MFA requires users to provide additional verification beyond a password. When users log in with their credentials, the MFA system will ask them to provide further proof of identity. This adds protection to user accounts should a cybercriminal obtain the user’s credentials.

There are many different ways to requests additional verification. Generally, MFA methods fall under one of the following categories:

• Something the user knows: Such as a code or one-time password (OTP).

• Something the user possesses: Such as a mobile device authenticator app push notification, hardware token, or codes delivered via SMS.

• Something the user is: Such as biometrics (fingerprints, facial recognition, etc.)

By verifying the user’s identity in multiple ways, organizations can decrease the success rate of unauthorized access attempts.

How often should a user receive MFA prompts?

Optimizing MFA prompt frequency is essential for balancing security and usability. It’s easy to think that more frequent prompts improve protection, but that’s not always true. Frequent prompts (think, at every connection) can easily frustrate users, creating an ideal environment for MFA fatigue or brute force attacks, not to mention lower productivity.

MFA prompt frequency best practices

What’s the right frequency for your team? There’s no black and white answer, but try to define what sufficient access protection looks like for your team, while minimizing disruption.

Based on our work with thousands of clients, we’ve pulled together best practices to help you implement MFA well.

Balance security and convenience

To strike the right balance, businesses and organizations need to implement security measures that are effective and appropriate for their specific risks, while ensuring a convenient and efficient user experience. Too many prompts leave users frustrated, increasing abandoned login attempts, and mistakes.

Set different MFA prompt frequencies for different accounts or services

Any compromised user account is, of course, a huge security concern. While it’s important to implement MFA across all users, you can adjust the frequency of prompts to the risk level of the user, group or OU (organizational unit).

You might require additional verification on every login for administrator-level or privileged accounts, for example. Meanwhile, you could configure other policies for standard accounts or users with limited access to sensitive information.

Consider offering more than one authentication method

Research common MFA methods, and ensure that your MFA solution offers flexibility to let you choose more than one secure method.

For example, we often see admin-level accounts authenticate with hardware tokens or keys, while “average” end users authenticate with a push notification or authenticator app. Or, you might offer different options to remote or hybrid employees, using a hardware token in the office, and push notifications when they’re out of office (and may be prompted more frequently for MFA). It’s all about balance.

Review prompt frequency settings regularly

The risk levels of your accounts and services change over time. Likewise, changes in user behavior might mean your security settings are no longer adequate. By checking system logs, understanding usage patterns, and regularly reviewing prompt frequency settings, you can ensure that security measures remain up-to-date and effective.

Follow MFA prompt frequency guidance

Depending on your MFA provider, you may receive some support on system setup. When you onboard UserLock, you receive guidance on implementing MFA policies, including help with frequency, granular settings, and best practices.

Optimizing your prompt frequency setup

When optimizing your prompts, it can be helpful to regularly:

• Review your frequency settings to make sure they match your risk levels

• Check device settings to ensure users can only connect from permitted devices, reducing your potential attack surface

• Install any necessary software updates

Can MFA prompts be customized?

Most MFA solutions allow some level of customization around MFA prompts. The more granular the customization, the easier it will be for you to set up MFA for long-term success.

There are two ways to customize MFA prompts: how you set up the prompts and the text of the prompt itself.

Define who gets prompted, and when

You can enable MFA for any user, group or OU in your Domain for all logon, unlock and reconnections to interactive sessions.

The key to MFA is only prompting when needed.

With granular MFA, you have the choice to apply MFA by the type of operating system (Workstation or Server), the connection type (Local or Remote), and the frequency with which MFA is asked (at every connection, every N days). With UserLock, security teams can also tailor their MFA settings to require MFA by user, device, workstation, location, or country.

Customize the MFA prompt message

It’s also helpful to customize the text your end-users will see when they are prompted to complete MFA. UserLock allows you to completely personalize the MFA prompt your end users will see.

UserLock users can also enable an “Ask for help” button on the displayed dialogs to allow the end user to send e-mail (and consequently, applications compatible with e-mail such as Slack) and/or popup help requests to UserLock administrators responsible for implementing MFA.

The benefits of using MFA prompts properly

While it could seem like a small detail (any MFA is good MFA, right?), fine-tuning how you prompt for MFA can make a big impact on your end-users’ experience and, ultimately, security.

Improve overall security

Frustrated users are more likely to fall victim to an MFA bypass attack. Apply MFA enough to ensure secure connections, but not so often that your users view MFA as a nuisance to swat away at whatever cost. Hitting that balance can help significantly reduce the risk of unauthorized access.

Only get prompts when necessary

The key to MFA is only prompting when needed. With UserLock, security teams can tailor their MFA settings to require MFA by user, device, workstation, location, or country.

The challenge of deciding how often to prompt users for MFA

While MFA brings many benefits, there are also potential challenges.

Choose MFA providers that offer granularity

Granular settings allow administrators to tailor user prompting to their organization, achieving the delicate balance of security versus efficiency. Before implementing an MFA solution, check that it offers the granular controls you need.

Opt for easy-to-install solutions that integrate with your current system

Some MFA solutions may be tricky to install or require the integration of multiple systems. Choose an MFA solution that seamlessly integrates with your existing access management tools, such as Userlock’s integration with on-premises or hybrid Active Directory environments.

Check for compatibility issues upfront

Different applications have varying requirements for authentication protocols and data exchange formats. As a result, integrating MFA tools into existing systems may require compatibility testing and adjustments. Before deciding on an MFA solution, check that it is compatible with your existing environment.

Avoid user frustration

MFA prompt frequency and type should avoid frustrating end-users. Cybercriminals know that repeated requests lead to mistakes — hence the growing occurrence of MFA fatigue social engineering tactics. To provide a frictionless MFA experience for your users, avoid repetitive prompting and tweak settings where necessary.

T teams should customize MFA so that it doesn’t interrupt workflows. If a user might be offline, choose an MFA solution that gives offline access. Likewise, if employees work remotely, choose a platform that can verify users outside of the corporate network.

Calculate the real cost of implementation

Implementing MFA can be a costly process. But — when compared with the $4.45 million average cost of a data breach in the U.S. — this outlay often justifies itself.

Verify the reliability of external factors

MFA requires external factors to work correctly. Before deploying MFA in your organization, check that other factors — like connectivity, software, and device access — will allow your prompts to work efficiently. You should also check that any software or connections involved in the MFA process are secure before using them.

SSO: An alternative to prompting users for MFA

To reduce MFA request frequency further, single sign-on (SSO) is a technology that allows users to access multiple applications and services using a single set of login credentials. Once they have verified their identity once, users can access other services without repeated prompting. SSO can help reduce the frequency of verification, resulting in a more convenient user experience that maintains a high level of security.

UserLock SSO combines MFA with SSO to streamline the login process while ensuring secure user identity verification.