IS Decisions Blog

6 ways to prepare your business for multi-factor authentication

No matter the size of your company, focus on these six key points to prepare a smooth deployment of multi-factor authentication for Active Directory.

Published September 13, 2019

Enabling multi-factor authentication (MFA) for Active Directory (AD) is one of the best steps you can take to protect your end users' network access. The threat from poor login security is putting all companies at risk of a breach and non-compliance.

However, research shows that MFA solutions for Active Directory are not being widely adopted. Why? Most likely, because they are thought to prove costly, complex and time-consuming to manage. What’s more, it's a common misconception that a company needs to be a certain size in order to benefit from MFA.

Adopting an on-premise MFA solution should be a key security initiative for any company, regardless of size, and can be one of the easiest and simplest ways to keep accounts protected.

Whatever the size of your organization, here are the six key points to remember for a smooth, successful deployment of your MFA solution.

1. Secure logons significantly improve your security stance

Authentication is at the core of (nearly) every type of attack

Whether accomplished using a remote session, via PowerShell, by mapping a drive, or by logging on locally at a console, your network requires that a user authenticate themselves prior to being given any kind of access. MFA for Windows Server login, for example, adds an extra layer of security to verify that anyone trying to access your AD is in fact authorized to do so.

It limits false positives

The dreaded part of any security solution is the potential for a storm of alerts that turn out to be false positives. With so many users logging on, at just about any time of the day, it’s critical that IT have solutions in place that recognize the risk and take action before the damage is done, without the need for IT to intervene.

It actually can stop an attack

Nearly every security solution on the market says it stops attacks. Be careful here: does the solution just alert IT to a potential threat, or does it actually take action and stop the attack?

2. Don’t make MFA frustrating for IT departments

IT departments will quickly dismiss MFA if it proves complex and time-consuming to set up and manage. A survey found that 54% of small to mid-sized organizations do not use MFA.

Our own research from 2015 also showed MFA solutions are not widely adopted, with (once again) 62% of respondents not using MFA to guard against compromised network credentials.

However, MFA security does not have to be frustrating:

  • Focus on solutions that are easy to deploy across all users without the need for additional hardware or software such as tokens.

  • Select a solution that works alongside your existing IT infrastructure (and its investment), that can be seamlessly installed without the need to go to each workstation to deploy it and without the need for complex or customized code.

  • Most importantly, select an MFA solution that is easy to manage, allows administrators to react quickly to end-user problems, and can scale with your company.

3. Balance user security and user productivity

An organization will not sanction MFA security controls if it believes they are impeding end-users. From a business point of view, security procedures are there to aid and protect the organization as a whole, not hinder the productivity of its employees and, ultimately, the profitability of the business.

  • Avoid prompting the user for MFA every time. Choose the circumstances and frequency for when MFA is required so that they balance security with user productivity.

  • Make it easy and intuitive for the user. For example, hardware tokens or smartphone authenticator applications are highly secure, easy to use and work from anywhere (even offline).

  • Be confident in offering more "non-MFA circumstances" by relying on contextual access factors that are transparent to the user (location, time of day, and number of simultaneous connections...).
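
The contextual approach in the list above, sketched as a policy function. This is an added illustration, not code from the original article or from any MFA product; the thresholds, the trusted network range and all names are hypothetical and the sample logons are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Hypothetical policy values; tune them to your own environment.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]  # constructed office range
WORK_HOURS = range(7, 20)                      # 07:00 to 19:59 local time
MAX_SESSIONS = 2                               # open sessions that trigger a prompt
MFA_VALIDITY = timedelta(hours=12)             # how long a previous MFA is honoured

@dataclass
class Logon:
    user: str
    source_ip: str
    when: datetime
    open_sessions: int            # sessions the user already has open
    last_mfa: Optional[datetime]  # last successful MFA, None if never

def on_trusted_network(addr: str) -> bool:
    """Fail closed: an unparseable address is treated as untrusted."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETWORKS)

def mfa_reasons(logon: Logon) -> List[str]:
    """Reasons this logon must be challenged; an empty list means no prompt."""
    reasons = []
    if logon.last_mfa is None or logon.when - logon.last_mfa > MFA_VALIDITY:
        reasons.append("no recent MFA")
    if not on_trusted_network(logon.source_ip):
        reasons.append("untrusted network")
    if logon.when.hour not in WORK_HOURS:
        reasons.append("outside working hours")
    if logon.open_sessions >= MAX_SESSIONS:
        reasons.append("too many simultaneous sessions")
    return reasons

if __name__ == "__main__":
    morning = datetime(2019, 9, 13, 10, 0)
    samples = [  # constructed logon events
        Logon("alice", "10.1.2.3", morning, 0, morning - timedelta(hours=1)),
        Logon("alice", "203.0.113.7", datetime(2019, 9, 13, 23, 0), 2, morning),
    ]
    for s in samples:
        print(s.user, s.source_ip, mfa_reasons(s) or "no MFA prompt")
```

Returning the reasons rather than a bare yes/no lets the same function drive both the prompt and the audit log entry that explains why the user was challenged.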

4. Educate and empower your users to support MFA

Outside of work, most people ignore the option of two-factor authentication. Less than 10% of Google accounts have two-factor authentication enabled, and only about 12% of Americans use password managers.

Perceptions about the real security merits of two-factor authentication persist, and when left to their own devices, users are probably okay with sacrificing their security for convenience!

But informed employees can act as an important and additional line of defense.

  • Alerting end-users themselves when their own credentials are used (successfully or not) helps highlight their own careless user activity.

  • Notifications with tailor-made messages and login alerts discourage employees who might be thinking of doing something malicious.

  • Alerts empower users to take responsibility for their own trusted access, encouraging them to assess for themselves any suspicious login activity.

5. Don't apply MFA only for privileged users

Sometimes, IT sees Active Directory 2FA as a security measure that's only needed to protect privileged access: local administrator accounts, Windows domain administrator accounts, Active Directory service accounts, and anything that has rule over a major part of the network environment. It certainly augments IT’s ability to restrict and respond to privileged account use.

But the real value is realized when it’s used to protect any account with access to critical data, applications, and systems. For example, the user account for the head of Sales doesn’t seem particularly “privileged”, but it does have complete access to your customer database. The same goes for many customer support accounts.

6. Get management commitment and buy-in

MFA can be one of those things that only the IT department cares about. In many organizations, senior management doesn't pay enough attention to the issue of IT security. For the importance of MFA to be properly enforced from the top down, remind management of why they should care about IT security. Hint: It goes beyond keeping your company safe.

  • Better security can help you build trust with your customers and supply chains
    The perception of security is starting to become a big part in a customer’s decisions on what companies they choose to do business with. New deals can be won if you can demonstrate how seriously you take security.

  • Better security can help you remain competitive
    Today any business can quickly adopt a new technology to gain new capabilities, improve efficiency and/or reduce costs. But those without effective IT security solutions will have difficulty adopting new technologies and are likely to fall behind more nimble competitors. IT security should be viewed as an enabler of business solutions, rather than as an unwelcome cost.

MFA can be good for both security and business

A little planning goes a long way towards ensuring a smooth MFA deployment.

Before you even start looking at MFA solutions, try to map out what your goal is. Do you just need MFA to check a box? Do you want to prevent a breach? Both?

If you know the answers to those questions, you'll be able to identify, test, and evaluate solutions much faster. Then, follow these 6 tips to make your deployment run smoothly and successfully.
