
Multi-Factor Authentication Best Practices

More and more companies have started implementing multi-factor authentication (MFA), a security control that requires users to provide at least two factors to prove their identity. There are three categories of factors:

  • Something you know (e.g., a username and password)
  • Something you have (e.g., a hardware token)
  • Something you are (e.g., a facial scan)

Almost every account you use already requires a username and password; with MFA you must also authenticate with a factor from one of the two remaining categories. Sometimes this may seem like a nuisance, but the benefit of MFA is straightforward – MFA makes stealing your information more difficult and less attractive for a cybercriminal.

As an organization, consider the following best practices for MFA, whether you are implementing MFA for the first time or have been using it for years.

1. Have A Plan – Map out budget and scope if you’re in the process of implementing MFA. Consider all systems where you want to utilize MFA and then decide on factors. The factors you choose will likely be based on whether the system is internal (for employees) or external (for customers). Think of all possible use cases (e.g., traveling employees), and find your balance between cost, user experience, and security.

2. Provide Flexibility – The authentication process doesn’t have to be the same every time, for every user. Consider a process that adapts to risk and context. As an example, if a request comes from a familiar device within your office’s network, then maybe you don’t require the second authentication factor. If a request comes during non-business hours from an unknown location, then enforce multiple factors of authentication.
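
One way to turn the risk-and-context idea above into a concrete policy is a small scoring function that looks at the signals the paragraph names (device familiarity, office network, business hours, location) and decides which factors the request must present. The code below is an added example written for this page, not code from the original post or from any product; the device inventory, office network range, business hours and score thresholds are constructed assumptions that an organization would replace with its own data and risk appetite.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time

# Constructed reference data standing in for an organization's real inventory
# and network plan (assumptions for this example, not values from the post).
KNOWN_DEVICES = {"alice": {"laptop-0001"}, "bob": {"desk-0042"}}
OFFICE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
HOME_COUNTRY = "US"
BUSINESS_HOURS = (time(8, 0), time(18, 0))   # local office hours, Monday to Friday


@dataclass(frozen=True)
class LoginContext:
    """Context of one authentication request, as collected by the login front end."""
    user: str
    device_id: str        # cookie or certificate-bound device identifier
    source_ip: str
    country: str          # geolocation of source_ip, resolved upstream (assumed available)
    when: datetime        # request time in the office's local timezone


def risk_score(ctx: LoginContext) -> int:
    """Sum the context signals; a higher score means less trust in the request."""
    score = 0
    if ctx.device_id not in KNOWN_DEVICES.get(ctx.user, set()):
        score += 2                                       # unfamiliar device
    ip = ipaddress.ip_address(ctx.source_ip)
    if not any(ip in net for net in OFFICE_NETWORKS):
        score += 1                                       # off the office network
    in_hours = BUSINESS_HOURS[0] <= ctx.when.time() < BUSINESS_HOURS[1]
    if ctx.when.weekday() >= 5 or not in_hours:
        score += 1                                       # outside business hours
    if ctx.country != HOME_COUNTRY:
        score += 2                                       # unexpected location
    return score


def required_factors(ctx: LoginContext) -> list[str]:
    """Map the score to the factors the request must present.

    The password is always required; the score only decides what is added on top.
    Thresholds are constructed for the example.
    """
    score = risk_score(ctx)
    if score == 0:
        return ["password"]                      # familiar device, in office, in hours
    if score <= 2:
        return ["password", "otp"]               # one additional factor
    return ["password", "hardware_token"]        # step up to a stronger second factor


if __name__ == "__main__":
    # Constructed request: known device, office network, Tuesday morning.
    ctx = LoginContext("alice", "laptop-0001", "10.20.5.7", "US",
                       datetime(2024, 3, 12, 10, 0))
    print(risk_score(ctx), required_factors(ctx))
```

The scores are deliberately asymmetric: an unknown device or an unexpected country each weigh more than being off-network or outside hours, so a single weak signal only adds a one-time password while a combination of strong signals steps the user up to a hardware token. Whether the score-zero path should really skip the second factor, as the paragraph's "maybe" suggests, is a decision each organization makes against its own risk tolerance; the structure stays the same if that branch is changed to always require two factors.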

3. Plan for Lost PINs and Passwords – Have protocols in place for when users forget or lose their authentication factors. Remember to avoid a recovery process that relies on the same (forgotten or lost) factor. Decide on the steps to be taken when hardware (e.g., a physical token) is lost, including ending active sessions and revoking access.
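
The lost-factor steps above (revoke the factor, end active sessions, and keep the lost factor out of the recovery path) can be modelled as a small identity store. The code below is an added example written for this page, not the post's own code or any directory product's API; the in-memory store, factor kinds and user records are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Factor:
    factor_id: str
    kind: str            # e.g. "hardware_token", "totp", "backup_codes" (constructed kinds)
    active: bool = True


@dataclass
class IdentityStore:
    """Minimal in-memory stand-in for an identity directory (constructed for the example)."""
    factors: dict = field(default_factory=dict)    # user -> {factor_id: Factor}
    sessions: dict = field(default_factory=dict)   # session_id -> user
    audit: list = field(default_factory=list)      # append-only event log

    def enroll(self, user: str, factor_id: str, kind: str) -> None:
        self.factors.setdefault(user, {})[factor_id] = Factor(factor_id, kind)

    def open_session(self, session_id: str, user: str) -> None:
        self.sessions[session_id] = user

    def report_lost(self, user: str, factor_id: str) -> list[str]:
        """Revoke the lost factor and end every active session of that user.

        Returns the ids of the sessions that were terminated, so the caller can
        notify the user or feed the event to monitoring.
        """
        factor = self.factors[user][factor_id]
        factor.active = False
        ended = sorted(sid for sid, owner in self.sessions.items() if owner == user)
        for sid in ended:
            del self.sessions[sid]
        self.audit.append(("factor_revoked", user, factor_id, factor.kind))
        self.audit.append(("sessions_ended", user, len(ended)))
        return ended

    def recovery_factors(self, user: str) -> list[str]:
        """Factors that may be used to re-establish the account.

        Only active factors qualify, and none of the same kind as a factor the
        user has reported lost: if the hardware token is gone, recovery must
        rest on a different kind of factor, not on another token prompt.
        """
        lost_kinds = {f.kind for f in self.factors[user].values() if not f.active}
        return sorted(f.factor_id for f in self.factors[user].values()
                      if f.active and f.kind not in lost_kinds)

    def can_recover_with(self, user: str, factor_id: str) -> bool:
        """Guard for the recovery flow: refuse any factor not in the allowed set."""
        return factor_id in self.recovery_factors(user)


if __name__ == "__main__":
    # Constructed scenario: alice loses her hardware token while logged in twice.
    store = IdentityStore()
    store.enroll("alice", "tok-1", "hardware_token")
    store.enroll("alice", "totp-1", "totp")
    store.enroll("alice", "codes-1", "backup_codes")
    store.open_session("s1", "alice")
    store.open_session("s2", "alice")
    print(store.report_lost("alice", "tok-1"))      # sessions ended
    print(store.recovery_factors("alice"))          # what recovery may use
```

The guard in `can_recover_with` is the piece that enforces the paragraph's rule: the recovery endpoint asks the store what is allowed rather than trusting whatever factor the user presents, so a revoked or same-kind factor cannot be used to regain access. Excluding by kind rather than by the single lost factor id is a stricter reading of the rule, adopted here as an assumption; an organization that issues users two hardware tokens might relax it to exclude only the lost id.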

4. Consider Existing System Compatibility and Compliance Regulations – Some software may require the MFA implementation to follow a particular standard, and certain industries may impose specific MFA requirements. Make sure you know whether this is the case for your software and industry.

5. Provide Options for Verification – A user may not always have access to their email, or they might not always be able to answer a phone call. It’s a more user-friendly experience if the user gets to choose their verification method (e.g., a one-time password delivered by email, text, or phone call).

6. If It Makes Sense, Implement SSO – Larger companies likely use a variety of software, each with its own credentials. Consider implementing single sign-on (SSO) to eliminate the multiple-credential problem, improve the user experience, and support an overall more secure environment.

7. Make Updates When Necessary – Completing the MFA rollout doesn’t mean the process is over. Stay up to date on new features and capabilities. It is also a good idea to collect and act on user feedback so that you can keep improving how MFA is used.

8. Keep Your Identity Directory Clean – Your identity directory service, the database that stores user information (e.g., usernames, passwords, etc.), should be updated frequently to ensure accuracy. This activity supports MFA and makes for an orderly environment.

With these MFA best practices in mind, the benefits of MFA can be better realized. You don’t have to compromise the user experience, data will be more secure, and you will be prepared for all of the scenarios the workplace may throw at you.


Sources:

https://www.okta.com/identity-101/why-mfa-is-everywhere/

https://www.spiceworks.com/it-security/identity-access-management/articles/what-is-multi-factor-authentication/#_004