IS Decisions Blog

6 steps to effectively deploy MFA

Follow these 6 steps to effectively deploy multi-factor authentication (MFA), no matter the size of your organization.

Updated May 24, 2024

Enabling multi-factor authentication (MFA) for Active Directory (AD) is one of the best steps you can take to protect your end-users' network access. The threat from poor login security puts every company at risk of a breach and of non-compliance. Here are 6 steps you can take to plan your MFA deployment.

MFA has a reputation of being expensive, complex and time-consuming to manage. What’s more, it's a common misconception that a company needs to be a certain size in order to benefit from MFA.

Adopting an on-premise MFA solution should be a key security initiative for any company, regardless of size, and can be one of the easiest and simplest ways to protect account access.

Whatever the size of your organization, here are the six steps to plan a smooth MFA deployment.

The value of MFA

The first step to a smooth MFA deployment is key: get the whole organization to buy into the value of MFA. Get management behind you, and communicate how securing logons significantly improves your security stance.

Here's a cheat-sheet for quickly communicating the value of MFA to management:

Authentication is at the core of (nearly) every type of attack

A user has to authenticate before gaining any kind of access to your network. And that's true whether the point of access is a remote session, PowerShell, a mapped drive, or a local logon. MFA for Windows Server login, for example, adds an extra layer of security to verify that the person trying to access your AD is authorized to do so.

It limits false positives

The dreaded part of any security solution is the potential for a storm of alerts that turn out to be false positives. With so many users logging on, at just about any time of the day, it's critical that IT have solutions in place that recognize the risk and take action before the damage is done, without the need for IT to intervene.

It actually can stop an attack

Nearly every security solution on the market claims to stop attacks. Be careful here: does the solution just alert IT to a potential threat, or does it actually take action and stop the attack?

1. Get management commitment and buy-in

MFA can be one of those things that only the IT department cares about. In many organizations, senior management doesn't pay enough attention to the issue of IT security. For the importance of MFA to be properly enforced from the top down, remind management of why they should care about IT security. Hint: It goes beyond keeping your company safe.

  • Better security can help you build trust with your customers and supply chains
    The perception of security is becoming a big part of a customer's decision about which companies they choose to do business with. New deals can be won if you can demonstrate how seriously you take security.

  • Better security can help you remain competitive
    Today any business can quickly adopt a new technology to gain new capabilities, improve efficiency and/or reduce costs. But those without effective IT security solutions will have difficulty adopting new technologies and are likely to fall behind more nimble competitors. IT security should be viewed as an enabler of business solutions, rather than as an unwelcome cost.

2. Don’t make MFA frustrating for IT

IT departments will quickly dismiss MFA if it proves complex and time-consuming to set up and manage. A survey found that 54% of small to mid-sized organizations do not use MFA.

Our own research from 2015 also showed MFA solutions are not widely adopted, with (once again) 62% of respondents not using MFA to guard against compromised network credentials.

However, MFA security does not have to be frustrating:

  • Focus on solutions that are easy to deploy across all users without the need for additional hardware or software such as tokens.

  • Select a solution that works alongside your existing IT infrastructure (and its investment), that can be seamlessly installed without the need to go to each workstation to deploy it and without the need for complex or customized code.

  • Most importantly, select an MFA solution that is easy to manage, allows administrators to react quickly to end-user problems, and can scale with your company.

3. Consider MFA policies that balance user productivity and security

An organization will not sanction MFA security controls if it believes they are impeding end-users. From a business point of view, security procedures are there to aid and protect the organization as a whole, not to hinder the productivity of its employees and, ultimately, the profitability of the business.

  • Avoid prompting the user for MFA every time. Choose the circumstances and frequency for when MFA is required that balances security with user productivity.

  • Make it easy and intuitive for the user. For example, hardware tokens or smartphone authenticator applications are highly secure, easy to use and work from anywhere (even offline).

  • Be confident in offering more "non-MFA circumstances" by relying on contextual access factors that are transparent to the user (location, time of day, number of simultaneous connections, and so on).
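The contextual policy described above, as an added example that is not the page's or UserLock's own code: a logon is allowed without an MFA prompt only when every transparent factor (source network, time of day, concurrent sessions, account type) is within policy. The trusted networks, business hours and session cap are constructed sample values.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed sample policy values (assumptions, not a product's defaults).
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.10.0/24")]
BUSINESS_HOURS = (time(7, 0), time(19, 0))
MAX_CONCURRENT_SESSIONS = 2


@dataclass
class LogonContext:
    username: str
    source_ip: str
    logon_time: time
    active_sessions: int        # sessions already open for this user
    privileged: bool = False    # domain admin / service account


def mfa_required(ctx: LogonContext) -> tuple[bool, list[str]]:
    """Return (require_mfa, reasons).

    The prompt is skipped only when no contextual factor deviates from
    policy; each deviation is recorded so the decision can be audited.
    """
    reasons: list[str] = []
    if ctx.privileged:
        reasons.append("privileged account: always prompt")
    if not any(ip_address(ctx.source_ip) in net for net in TRUSTED_NETWORKS):
        reasons.append(f"untrusted source {ctx.source_ip}")
    start, end = BUSINESS_HOURS
    if not (start <= ctx.logon_time <= end):
        reasons.append(f"outside business hours ({ctx.logon_time:%H:%M})")
    if ctx.active_sessions >= MAX_CONCURRENT_SESSIONS:
        reasons.append(f"{ctx.active_sessions} sessions already open")
    return (bool(reasons), reasons)


if __name__ == "__main__":
    # Office logon during the day: no prompt. Night logon from the
    # internet with sessions already open: prompt, with two reasons.
    print(mfa_required(LogonContext("alice", "10.1.2.3", time(9, 30), 0)))
    print(mfa_required(LogonContext("bob", "203.0.113.7", time(23, 5), 2)))
```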

4. Don't apply MFA only for privileged users

Sometimes, IT sees Active Directory 2FA as a security measure that's only needed to protect privileged access: local administrator accounts, Windows domain administrator accounts, Active Directory service accounts, and anything that has control over a major part of the network environment. It certainly augments IT's ability to restrict and respond to privileged account use.

But the real value is realized when it’s used to protect any account with access to critical data, applications, and systems. For example, the user account for the head of Sales doesn’t seem particularly “privileged”, but it does have complete access to your customer database. The same goes for many customer support accounts.

5. Check MFA compliance requirements

Many IT compliance standards require strong authentication controls. To name a few, there's NIST SP 800-53, the Health Insurance Portability and Accountability Act (HIPAA) MFA mandate, the Payment Card Industry Data Security Standard (PCI DSS), and the Sarbanes-Oxley Act (SOX).

Regulatory and cyber insurance requirements are often key drivers behind MFA adoption. If this is you, do make sure you understand in detail where auditors want to see MFA deployed. Then, configure your MFA policies accordingly.

And don't forget about maintaining compliance, which often requires documenting your MFA policies and proving enforcement. Be sure your MFA solution offers accurate auditing of Active Directory user logon activity and reporting on Windows Active Directory user logons and activity, including MFA events.

6. Plan for an MFA backup method

Make sure you have a plan B for lost or stolen hardware authentication keys and security tokens. If you're offering authenticator apps or push notifications, smartphones can of course get lost or stolen as well.

Make sure your users have an alternate way to authenticate. Ensure your MFA solution offers at least two MFA methods, and make sure users have access to MFA recovery codes as well.
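One way to implement the recovery codes mentioned above, as an added example that is not the page's or UserLock's own code: codes are generated from an unambiguous alphabet, shown to the user once, stored server-side only as salted PBKDF2 digests, and each one can be redeemed a single time. The code length, count and iteration count are assumptions.

```python
import hashlib
import hmac
import secrets

# No 0/O or 1/I, so codes survive being read out over the phone or typed.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
ITERATIONS = 100_000  # assumed work factor for PBKDF2-HMAC-SHA256


def _digest(code: str, salt: bytes) -> bytes:
    """Hash a code after normalising case, dashes and spaces."""
    normalized = code.replace("-", "").replace(" ", "").upper()
    return hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, ITERATIONS)


def generate_recovery_codes(count: int = 8, length: int = 10):
    """Return (plaintext codes to show the user once, server-side store).

    Only the salted digests and a used flag are kept; the plaintext list
    must not be persisted.
    """
    plaintext, store = [], []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        code = f"{raw[:5]}-{raw[5:]}"
        salt = secrets.token_bytes(16)
        plaintext.append(code)
        store.append({"salt": salt, "hash": _digest(code, salt), "used": False})
    return plaintext, store


def redeem_recovery_code(store: list, submitted: str) -> bool:
    """Consume one unused code; returns False for unknown or already-used codes.

    Every entry is hashed and compared with a constant-time comparison
    rather than stopping at the first match.
    """
    matched = None
    for entry in store:
        candidate = _digest(submitted, entry["salt"])
        if hmac.compare_digest(candidate, entry["hash"]) and not entry["used"]:
            matched = entry
    if matched is None:
        return False
    matched["used"] = True
    return True
```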

7. Educate your users about MFA

Outside of work, most people ignore the option of two-factor authentication. Less than 10% of Google accounts have two-factor authentication enabled, and only about 12% of Americans use password managers.

Doubts about the real security merits of two-factor authentication persist, and when left to their own devices, users are probably okay with sacrificing their security for convenience!

But informed employees can act as an important and additional line of defense.

  • Alerting end-users themselves when their own credentials are used (successfully or not) helps highlight their own careless activity.

  • Notifications with tailor-made messages and login alerts discourage employees who might be thinking of doing something malicious.

  • Alerts empower users to take responsibility for their own trusted access, encouraging them to assess for themselves any suspicious login activity.

MFA can be good for both security and business

A little planning goes a long way towards ensuring a smooth MFA deployment.

Before you even start looking at MFA solutions, try to map out what your goal is. Do you just need MFA to check a box? Do you want to prevent a breach? Both?

If you know the answers to those questions, you'll be able to identify, test, and evaluate solutions much faster. Then, follow these 6 steps to effectively deploy MFA.
