Multi-factor Authentication (MFA) is a cybersecurity best practice and has become an industry standard for preventing unauthorized access: it strengthens access controls by further verifying the identity of any user trying to gain access. Ideally, this is done without introducing friction into the user's workflow. Which authentication options an MFA deployment offers should depend on the organization's specific security goals and policies and on the user's preference. Without options, though, issues appear quickly.
As Gartner, Inc. reported in their 2020 Authentication Market Guide, "one method does not fit all... mobile MFA methods (those using a mobile device) are impractical for up to 15% of employees and 50% of customers".
With that understanding, there are a few ways to implement MFA options that will not introduce friction, risk, or cost.
Implement MFA Across the Enterprise
When implementing MFA across the enterprise, a primary goal is to minimize exposure to cyberattacks. Every access point within the organization has the potential to create vulnerabilities, especially with the expansion of cloud-based access and remote users. Many companies are not consistent or complete in their approach to implementing MFA. This leaves areas wide open to attack by making it easier for attackers to pinpoint a specific vulnerable target and gain access. Specifically, server logins and privileged users are common targets in cloud-based attacks. Increasingly, due to COVID-19, more users are working remotely, meaning attackers have even more targets in users who are not required to use MFA for access.
With the multiple attack vectors, organizations need to consider expanding their deployments of multi-factor authentication.
Leverage Context for Adaptive Authentication
Reducing friction while strengthening security seems like a contradictory task. Having to use more than one method of authentication seems to ruin the user experience, right?
Incorrect. Adaptive Authentication can strike that balance between increased security and improved user experience. It does not take an "always-on" approach that requires the user to provide additional authentication factors on every login. Instead, it uses context to decide when the additional credentials are actually necessary. Context such as location, network, device settings, or time determines whether the user is required to present more or fewer authentication factors when logging in. For example, there is a higher risk for a user logging in at 3 AM on a Sunday morning from a guest network in the United States when that user doesn't typically log in on Sundays and resides in France.
Therefore, implementing Adaptive Authentication not only reduces friction for users but also scales the authentication demanded to the level of cyber risk.
Provide a Variety of Authentication Factors
To further reduce friction and improve user experience, MFA rollouts should include a large variety of authentication options. Having a "one-size fits all" approach will not work for different users. After all, many users may not be able to use phone-based authentication methods as stated above. A lack of flexibility negatively impacts the user experience, while a large variety of authentication options will give users the flexibility to choose what works best for them.
Although there are many options to choose from, one thing is clear: all MFA strategies should include some form of biometric authentication. Biometrics has been proven to be the only method for positively identifying the person rather than just a device. It also removes the burden on the user to remember to have their phone or token to log in. Many argue that biometrics is the most convenient and secure authentication method available today.
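To make the two preceding ideas concrete, here is a small step-up policy engine, added as an example and not code from the original article or any product it mentions. It scores a login attempt on the context signals named above (home country versus login country, trusted network, device familiarity, time of day, usual login days), maps the score to how many factors beyond the password to demand, and then picks those factors from what the user has actually enrolled, so a user with no phone-based method is still served. The weights, thresholds, factor rankings, network ranges and the three login scenarios are all constructed for illustration; a real deployment would tune them against its own telemetry.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Constructed sample data (hypothetical): address ranges treated as trusted.
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.10.0/24")]

# Hypothetical weights for each risk signal; tune against real login telemetry.
WEIGHT_FOREIGN_COUNTRY = 40
WEIGHT_UNKNOWN_DEVICE = 25
WEIGHT_OFF_HOURS = 15
WEIGHT_UNUSUAL_DAY = 10
WEIGHT_OUTSIDE_CORPORATE_NETWORK = 10

# Hypothetical assurance ranking of factor types (higher is stronger).
FACTOR_STRENGTH: Dict[str, int] = {
    "fido2_biometric": 3, "hardware_token": 3,
    "totp_app": 2, "push_app": 2, "sms_otp": 1,
}


@dataclass
class LoginContext:
    user: str
    home_country: str        # where the user normally resides
    country: str             # country geolocated from source_ip
    source_ip: str
    device_known: bool       # device fingerprint seen before for this user
    timestamp: datetime      # local time of the attempt
    enrolled: List[str]      # factor types the user can actually use
    usual_days: Set[int] = field(default_factory=lambda: {0, 1, 2, 3, 4})  # Mon..Fri


def is_corporate(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def score_login(ctx: LoginContext) -> Tuple[int, List[str]]:
    """Sum the weights of every risk signal present; return the score with
    the reasons so the step-up decision can be logged and audited."""
    score, reasons = 0, []
    if ctx.country != ctx.home_country:
        score += WEIGHT_FOREIGN_COUNTRY
        reasons.append(f"login from {ctx.country}, user resides in {ctx.home_country}")
    if not ctx.device_known:
        score += WEIGHT_UNKNOWN_DEVICE
        reasons.append("unrecognised device")
    if ctx.timestamp.hour < 6 or ctx.timestamp.hour >= 22:
        score += WEIGHT_OFF_HOURS
        reasons.append(f"off-hours login at {ctx.timestamp:%H:%M}")
    if ctx.timestamp.weekday() not in ctx.usual_days:
        score += WEIGHT_UNUSUAL_DAY
        reasons.append(f"user does not normally log in on {ctx.timestamp:%A}")
    if not is_corporate(ctx.source_ip):
        score += WEIGHT_OUTSIDE_CORPORATE_NETWORK
        reasons.append(f"{ctx.source_ip} is outside the corporate network")
    return score, reasons


def required_extra_factors(score: int) -> int:
    """Map a risk score to factors demanded beyond the password (hypothetical thresholds)."""
    if score < 20:
        return 0
    if score < 50:
        return 1
    return 2


def choose_factors(enrolled: List[str], needed: int) -> List[str]:
    """Offer the strongest `needed` factors the user has enrolled, so someone
    without a phone-based method is served by whatever they do have."""
    ranked = sorted(enrolled, key=lambda f: FACTOR_STRENGTH.get(f, 0), reverse=True)
    return ranked[:needed]


def decide(ctx: LoginContext) -> dict:
    score, reasons = score_login(ctx)
    needed = required_extra_factors(score)
    factors = choose_factors(ctx.enrolled, needed)
    return {
        "user": ctx.user, "score": score, "extra_factors": needed, "factors": factors,
        # Deny rather than silently lowering the bar when too few factors are enrolled.
        "allow": len(factors) == needed, "reasons": reasons,
    }


# Constructed scenarios (2021-03-07 is a Sunday, 2021-03-09 a Tuesday).
HIGH_RISK = LoginContext("alice", "FR", "US", "203.0.113.25", True,
                         datetime(2021, 3, 7, 3, 0), ["fido2_biometric", "totp_app"])
LOW_RISK = LoginContext("alice", "FR", "FR", "10.20.30.40", True,
                        datetime(2021, 3, 9, 10, 30), ["fido2_biometric", "totp_app"])
NO_PHONE = LoginContext("bob", "FR", "FR", "10.20.30.41", False,
                        datetime(2021, 3, 9, 10, 30), ["hardware_token"])

if __name__ == "__main__":
    for ctx in (HIGH_RISK, LOW_RISK, NO_PHONE):
        print(decide(ctx))
```

The article's own scenario (3 AM Sunday, guest network in the US, user resident in France) scores 75 here and is asked for two extra factors, while the same user from the office on a Tuesday morning scores 0 and gets through on the password alone. Keeping the reasons list in the decision is what makes the policy auditable when a user asks why they were challenged.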
It's Your Choice...
While there is pressure to choose an Identity and Access Management (IAM) solution that may seem 'obvious', it is better to understand how your IAM strategy affects your users, customers, and the digital experience for the company.
With that in mind, choosing an MFA solution that can reduce friction, risk, and cost is usually one of the first choices you'll make for your IAM strategy.
While MFA is not the only component of your IAM strategy, the wrong MFA solution and poor implementation can quickly limit its effectiveness. The best advice is, "don't overthink it, MFA is all about options". With unique requirements across your users and a dynamic environment that constantly changes, it is not about selecting a single method. MFA needs to be adjustable and able to accommodate your users. Without options, a solution can quickly constrain your ability to provide the ideal secure experience, resulting in frustrated users and a stressed-out IT team.