The IT buzz has a new focus based on all of the increased cybersecurity risk that’s flooding small businesses: multi-factor authentication (MFA) or 2-factor authentication (2FA). They’re slightly different ways of naming the same security requirement that demands a user provide at least one extra verification factor during the sign-in process, such as receiving a PIN code then entering it.
MFA/2FA is now the industry’s standard response to the fact that poor passwords are responsible for the majority of data breaches. Especially since employers find it almost impossible to enforce good password hygiene since each one is typically set by the end user.
The only problem is that not all MFA implementations are equally effective. Some implementations can even be detrimental, providing little to no additional security and negatively affecting productivity.
Multi-Factor Authentication Works When It Works
To prevent virtual and real-world intruders from forcing their way into your organization, it’s not enough to install an additional lock on your front door if it can be unlocked with minimal effort. A lock like that would only annoy employees and provide a false sense of security.
Unfortunately, some of the most common multi-factor authentication policies in use today are not nearly as beneficial as they first seem.
Avoiding common implementation mistakes should be every organization’s top priority because the benefits of a well-implemented MFA plan are worth the effort. According to Microsoft, MFA can block over 99.9% of account compromise attacks when implemented correctly, making it one of the most cost-effective cybersecurity practices today.
The key word here is “well-implemented.” As we’ll soon explain organizations are sometimes so eager to install extra locks on their digital doors that they don’t even pause and consider how much security they add over existing controls.
When they experience a data breach, they can’t believe that all that time spent entering PIN codes, fiddling with hardware tokens, and taking fingerprint scans amounted to nothing. The bitter truth is that their MFA implementation was always going to fail for a few key reasons.
Implementing Multi-Factor Authentication the Right Way
Let’s take a closer at three of the most common reasons why an MFA implementation fails and explain what can be done to implement MFA the right way:
Lack of End-User Training
The whole point of MFA is that it requires the user to do more when proving that they are who they say they are. This means that MFA inherently places the additional burden on end-users, even in applications that they bounce in and out of multiple times a day.
Many organizations treat this as a simple login exercise, and they don’t consider the true impact to a user’s standard mode of operations. For some users, this “simple” addition can slow them down dramatically. And when training is given low priority or ignored completely, they’re more likely to become locked out of their accounts when traveling or working on a new computer.
Solution: Before you enable MFA, get employee buy-in by explaining the reasons for the extra steps during the sign-in process (real-world examples are excellent!). Demonstrate how MFA works in practice and provide plenty of documentation that employees can refer to as needed.
Partial Implementation
It doesn’t make much sense to go through the trouble of installing a deadbolt on your front door if you leave the window next to it unlocked. It might sound like an oversimplification, but that’s exactly what a company does when they enable MFA only for selected users and applications.
Cybercriminals are smart enough to pick the path of least resistance. They won’t waste their time trying to get into an MFA-enabled administrator account when they can get access to a heap of sensitive data by targeting regular employees and moving laterally across the network.
Solution: You must eventually enable MFA for all users because each user is a potential entry point in the eyes of cybercriminals. Of course, it makes sense to start with the low-hanging fruit, but you should always have a plan for wider deployment.
Text Messages Used as a Verification Factor
MFA verification factors may include something the user has (security token), something the user knows (PIN), or something the user is (biometrics). Each available factor is characterized by its security and convenience levels. The most secure factors, such as security tokens, also tend to be the most inconvenient, so more balanced factors are typically used which is why there verification options.
Codes send via text messages seem to provide a nice balance of security and convenience, but they actually don’t because they’re not as secure and we’d like to believe. Cybercriminals are able to intercept text messages containing authentication codes using readily available tools, trick phone network employees into transferring phone numbers to their SIM cards, or phish codes using tools like Modlishka.
Solution: Instead of codes sent via text messages, use authenticator apps like Microsoft Authenticator, Duo Security, or Google Authenticator. Since authenticator apps reveal the code only after they’re unlocked with a pattern, PIN, fingerprint, or retina scan, attackers can’t use them even when they have physical access to the mobile device.
Multi-Factor Authentication Made Easy
Nothing is fool proof, but by avoiding these three MFA implementation mistakes, you can greatly increase your chances of staying secure while you decrease the end-users frustrations and higher risks of a poorly implemented MFA.
After hundreds of small business implementations, we understand that MFA can be tricky and know how to implement it so that it delivers on its original promise. With our help, you’ll be able to protect all your sensitive resources from unauthorized authentication attempts without making your employees dread their work. Contact usand see how we can make multi-factor authentication easy for you.