Best Practices for Multi-factor Authentication (MFA)
These days, it’s pretty clear that to protect systems and data, organizations need to go beyond traditional perimeter defenses. Because most modern cyber-criminals exploit user credentials to get a foot in the door, user identities have become the new perimeter. And leading organizations are turning to MFA to secure their complex, heterogeneous environments.
MFA mitigates password risk by requiring additional factors of authentication: something the user knows, has, and is. It’s not difficult to implement, but some up-front planning can further enhance security and save a lot of time and effort. MFA is one of the best ways to prevent unauthorized users from accessing corporate data. It is an integral part of Delinea Identity Services, and we recommend the following best practices for MFA:
Implement MFA across the enterprise
Deploying MFA in silos is the same as locking your front door and leaving your back door wide open. To minimize exposure to attack, you need to consider all access points within the organization, including the cloud. Too many companies are moving data and workloads to the cloud without implementing consistent security across cloud components. Don’t be one of them.
Server login and privilege elevation are common links in the cyber-attack chain, so MFA should be deployed for remote network access for distributed employees and business partners across all servers. And ensure you require MFA for users that want to execute privileged commands. This will significantly minimize the damage that can be done if cyber criminals do gain access to your network.
Implementing MFA across all end and privileged users, cloud and on-premise applications, VPN, server login, and privilege elevation helps protect against unauthorized access, data breaches, and password-based cyber-attacks.
Leverage context for Adaptive MFA
The main benefit of adaptive MFA is the improved user experience. Rather than an “always-on” approach that constantly asks the user for secondary credentials, use context to create an adaptive, step-up approach that only requires additional factors when necessary. Contextual information might include location, network, device settings, or time of day to help determine whether the user is who they claim to be.
For example, a user logging in via the corporate network on a managed device can be granted access with their password. A user logging in from an unknown network on an unmanaged device should be asked for additional authentication.
Provide a variety of authentication factors
User experience is critical for a successful MFA rollout, so you must balance user convenience with security. An inflexible, “one-size-fits-all” approach doesn’t suit the needs of different users. A range of authentication methods has emerged to provide organizations with an MFA solution that balances risk, usability, and cost. The latest is biometrics, which includes fingerprint, retina scans, and facial recognition. Other options include:
- Hardware tokens
- Soft tokens
- SMS/Text message
- Phone call
- Security questions
Opt for a standards-based approach
Standards help ensure that your MFA solution can operate within your existing IT infrastructure. For example, an MFA solution should comply with standards such as Remote Authentication Dial-in User Service (RADIUS) and Open Authentication (OATH). RADIUS is a networking protocol that provides centralized authentication, authorization, and accounting management for users who connect and use a network service. OATH is an open technology standard that enables solutions to deliver strong authentication of all users on all devices, across all networks.
Implement MFA in combination with complementary identity security tools
Mitigate password risk by combining MFA with other solutions such as single sign-on (SSO) and least privilege access. SSO eliminates the need for multiple passwords by authenticating users to all the apps and cloud services they’ve been given rights to. This eliminates the use of weak, re-used, and improperly stored passwords.
By implementing least privilege–providing users with the lowest level of privilege to perform their daily duties while enabling them to elevate their privilege when needed–businesses can reduce the risk associated with shared accounts as well as the risks associated with compromised credentials.
Regularly re-evaluate MFA
Security vulnerabilities and the threat landscape are constantly changing, as are IT infrastructures, authentication mechanisms, and the applications available to users.
Because of this dynamic environment, companies need to conduct regular assessments to ensure their MFA technology is continuing to meet the needs of users and the organization as a whole, and that it’s being applied appropriately.