The human element is the weakest link in security. Attackers target users through a variety of social engineering and phishing tactics. To strengthen security for user accounts and prevent account takeover, multifactor authentication is key.
MFA improves security by adding other factors alongside passwords that users need to know, provide or be when logging in. MFA factors include one-time passwords sent through text, email or an authenticator app; tokens; biometrics; and behavioral analysis. By adding more than one factor to authentication, organizations reduce the potential damage caused by compromised passwords and accounts.
For those getting started, here are several tips for implementing MFA, covering vendor selection, authentication methods and how to roll out MFA with user support. These tips come from Marco Fanti, author of Implementing Multifactor Authentication and director of systems engineering at BehavioSec.
1. Choose a vendor
The first step for any organization is to select a vendor for its MFA deployment. Organizations are spoiled for choice with large enterprise vendors and specialized ones.
In Implementing Multifactor Authentication, Fanti recommended Microsoft Entra ID (formerly Azure Active Directory) as a strong option to protect employee, contractor and partner accounts, especially if the organization already uses Microsoft products. Entra ID provides identity and access management (IAM) capabilities, such as MFA, single sign-on (SSO), conditional access and continuous authentication. To strengthen security further, organizations could also adopt Cisco Duo as a secondary authentication factor.
Another option is IAM vendor Okta, which offers cloud-based employee and customer MFA products with Okta Workforce Identity and Okta Customer Identity, respectively. Okta provides phishing-resistant authentication, governance, lifecycle management and more. Organizations can add Okta to their custom apps to manage MFA and other authentication features.
Other IAM vendors Fanti pointed to include ForgeRock, Ping Identity and 1Kosmos.
Fanti highlighted these vendors specifically because they provide free trials for stakeholders to try each with test groups and decide which works best.
If organizations prefer an open source IAM product, consider Keycloak. The IAM tool includes many of the same features that vendor products do, such as MFA, SSO and federation. "I found that Keycloak provides the most support for all the different features an organization and I would want out of an IAM product," Fanti said.
2. Decide on MFA methods
Once organizations have selected an MFA vendor, they should determine MFA methods for employees, partners, customers and others.
MFA methods include the following:
- Time-based one-time codes, often sent via text or email.
- Authenticator applications on a user device.
- Hardware security keys.
- Biometrics, which can include facial or fingerprint recognition.
- Adaptive authentication, such as authenticating users via location or device usage.
Organizations should weigh the pros and cons of MFA methods based on how they affect security versus UX. For example, SMS is easy for users, but it isn't the most secure option available.
"SMS was a favorite method at one point because it was easy to implement. But it has a lot of issues that attackers can take advantage of," Fanti said. "For example, they used to be able to call their provider and say, 'I lost my phone; please change my number to this new SIM' and take over your number and trick SMS MFA."
Fanti recommended passkeys, which have become a hot topic in security. "I have high hopes for passkeys," he said, but he noted the approach has a learning curve. "Even with passkeys, if you share it with somebody, it could cause the user problems depending on the type of passkey used. It's not easy for a user to understand that or what a passkey is compared to a password since they sound similar."
3. Involve employees early and explain MFA benefits
Once an organization selects MFA methods, it's time to discuss these security updates with those affected, including employees and customers. While MFA isn't new, employees and customers might not understand what exactly it is, how it affects them and how they should handle it.
Fanti suggested organizations hire a technical writer who understands IAM and MFA processes and technology and can explain the importance of MFA to employees and stakeholders. Employees might not be technical enough to understand MFA at first, and this could help them.
A good communicator can explain what the organization is doing, why and how. They can also address how things will change and improve or how things could get worse before they get better, Fanti said.
User pushback is natural, but users must understand the benefits of MFA. For example, Fanti worked with financial organizations where some traders pushed back against MFA because it slowed down their ability to make or complete trades.
"But, on the other side, they're doing multimillion-dollar trades, and you need security to make sure it's the actual trader," he pointed out. Using a method such as continuous MFA can help counter this. It identifies users' normal browser and location and determines if someone has logged into a user's browser to impersonate them.
4. Prepare for user friction
MFA helps organizations improve their security and keep user accounts out of malicious hands, but it can also create friction and hinder UX by slowing down how quickly users can log in to accounts. Taking additional steps, such as checking an app or email for a code, can frustrate them.
Organizations should expect some initial pushback and complaints as users start using MFA. These complaints lessen as users adjust.
One option is to adopt MFA methods that don't require much effort from users. For example, biometrics are secure, and users are familiar with them in their daily lives, given many mobile devices have facial recognition capabilities. Plus, this approach also doesn't add much time to the login process.
Behavioral and continuous authentication also can work in an organization's favor. Both strengthen account security without changing how users interact with a device. BehavioSec uses behavioral biometrics internally and with its customers.
"In most cases, if we can guarantee -- or almost guarantee -- the user is who they claim to be, we may not require them to use traditional MFA when we don't need to," Fanti said. For example, the IAM system monitors where users normally log in to their accounts and notes if a login attempt occurs from somewhere different. "There may be friction at first, but users will adapt," he said. Additionally, vendors make processes and products less intrusive to UX as they advance.
5. Prepare for identity-based attacks
MFA is a powerful tool against password breaches and account takeover attacks. But malicious attackers have learned how to bypass some forms of MFA through social engineering.
To address this, organizations should train employees about the types of social engineering. "Stopping social engineering attacks is largely just making sure users are educated to detect and be wary about suspicious emails, links and more," Fanti said.
Organizations can also opt to only allow more secure MFA use and reduce some of the pressure placed on employees to be perfect.
"A company could use authenticators for MFA, such as Microsoft Authenticator. They put the location where someone is trying to log in from or require users to type in a random selection of digits to confirm they are the correct user," Fanti said.
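The number-matching style of authenticator prompt described in the quote above, as an added illustration (not code from the article, from Fanti or from any vendor product): the sign-in screen shows a random two-digit number and the push prompt shows the request's location, and the server accepts the login only if the user types the matching number into the app within the time limit. A blind "Approve" tap under a flood of prompts cannot satisfy it. Challenge storage, the location string and the attempt limit are assumptions for the demo.

```python
"""Illustrative number-matching push challenge (added example, not vendor code)."""
import hmac
import secrets
import time
from dataclasses import dataclass

@dataclass
class Challenge:
    user: str
    number: str            # two digits shown on the sign-in screen, e.g. "47"
    origin_location: str   # shown in the push prompt (assumed geolocation of the request)
    created: float
    attempts: int = 0
    used: bool = False

PENDING: dict = {}         # challenge_id -> Challenge; in-memory store for the demo
TTL_SECONDS = 60           # prompt expires after a minute
MAX_ATTEMPTS = 3           # wrong digits three times invalidates the prompt

def create_challenge(user, origin_location, now=None):
    """Server side: start a push prompt; returns (challenge_id, number to display)."""
    now = time.time() if now is None else now
    number = f"{secrets.randbelow(100):02d}"
    cid = secrets.token_urlsafe(16)
    PENDING[cid] = Challenge(user, number, origin_location, now)
    return cid, number

def verify_response(cid, typed_number, now=None):
    """Server side: accept only a matching, unexpired, unused response."""
    now = time.time() if now is None else now
    ch = PENDING.get(cid)
    if ch is None or ch.used:
        return False                       # unknown, already consumed or replayed
    if now - ch.created > TTL_SECONDS:
        PENDING.pop(cid, None)
        return False                       # expired: user must start a new sign-in
    ch.attempts += 1
    if not hmac.compare_digest(ch.number, str(typed_number).zfill(2)):
        if ch.attempts >= MAX_ATTEMPTS:
            PENDING.pop(cid, None)         # too many misses: discard the prompt
        return False                       # wrong digits never approve the login
    ch.used = True                         # single use
    return True

if __name__ == "__main__":
    cid, shown = create_challenge("alice", "Berlin, DE")
    print("screen shows", shown, "-> approved:", verify_response(cid, shown))
```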
Another option is to use continuous or behavioral authentication tools. "These monitor whether a user suddenly does something they normally wouldn't or try to log in from an unusual location," he said.
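The continuous or adaptive authentication idea that appears in sections 3, 4 and 5 above (checking whether a login matches the user's usual browser, location and habits, and only then deciding whether traditional MFA is needed) as a worked example added here; it is not code from the article, from Fanti or from BehavioSec. The login history, the device fingerprint field and the scoring thresholds are constructed assumptions.

```python
"""Illustrative risk-based step-up policy (added example, not vendor code)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class LoginEvent:
    user: str
    device_id: str   # stable browser/device fingerprint (assumed to exist)
    country: str     # from IP geolocation (assumed)
    hour: int        # local hour of day, 0-23

# Constructed history for one user: a known laptop and phone, one country, daytime logins.
HISTORY = [
    LoginEvent("alice", "laptop-1", "US", 9),
    LoginEvent("alice", "laptop-1", "US", 10),
    LoginEvent("alice", "laptop-1", "US", 14),
    LoginEvent("alice", "phone-1", "US", 18),
]

def risk_score(history, attempt):
    """One point per signal that does not match the user's established pattern."""
    known = [e for e in history if e.user == attempt.user]
    if not known:
        return 3                      # no baseline yet: treat as fully unknown
    score = 0
    if attempt.device_id not in {e.device_id for e in known}:
        score += 1                    # browser/device never seen for this user
    if attempt.country not in {e.country for e in known}:
        score += 1                    # login from a new location
    if all(abs(attempt.hour - h) > 3 for h in {e.hour for e in known}):
        score += 1                    # well outside the hours this user normally logs in
    return score

def decide(history, attempt):
    """Map the score to an action: silent allow, ordinary MFA, or strong factor plus alert."""
    score = risk_score(history, attempt)
    if score == 0:
        return "allow"                # everything matches: no extra friction
    if score == 1:
        return "step_up_mfa"          # one oddity: ask for the usual second factor
    return "step_up_strong_and_alert"  # several oddities: phishing-resistant factor and review

if __name__ == "__main__":
    print(decide(HISTORY, LoginEvent("alice", "laptop-1", "US", 11)))
    print(decide(HISTORY, LoginEvent("alice", "laptop-1", "DE", 11)))
    print(decide(HISTORY, LoginEvent("alice", "unknown-pc", "RU", 3)))
```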
"Still, education is what I'd recommend most," Fanti said. "Try to prevent successful MFA bypass attacks from happening and then try to mitigate them when they do happen."
Kyle Johnson is technology editor for TechTarget Security.