Multi-Factor Authentication, or MFA for short, is an important technical control that can help protect accounts from being compromised by a malicious party as part of a greater layered security strategy. MFA can be done in a multitude of ways such as:
- Code Generation – A code generated on a physical token or authenticator application on your mobile device.
- Push Notification – A notification via your authenticator application to confirm your login attempt.
- SMS – A text message containing a time-sensitive code.
- Phone – A call that comes to your registered phone number that asks you to press a number to confirm your login attempt.
- Physical Device – A smart card or USB device you tap or plug into your device.
- Biometrics – Can be eye / retina scan, fingerprint, or facial recognition.
Each of these forms has its own pros and cons that you should weigh before implementing it in your environment.
If you have already implemented MFA, it’s good practice to revisit it annually so that you keep on top of attacker trends and changes in your organization, and adjust your approach accordingly.
Which MFA Form Should You Choose?
Which MFA form(s) you choose will depend on a multitude of factors, including your resources, existing company policy, and any regulatory requirements you may have to comply with. Many organizations end up with a mix of different MFA methods based on the information or applications a user has access to, and their obligations. So, what should you consider when weighing the different forms?
Among the phone-based MFA methods, code generation is, in our opinion, one of the most secure because it requires the user to interact with the authenticator app, and the code is generated on their own device. Push authentication can be spammed by a malicious actor, which can lead the user to accidentally or unintentionally approve the login request, as has happened in recent breaches. Phone-call and SMS-based methods can be breached through what is known as a “SIM swap” at the employee’s mobile provider.
If you do leverage a phone-based MFA that relies on employees’ personal devices, be sure to talk with your HR department to ensure there is language in the Employee Handbook or Employment agreement around requirements for having a phone.
For physical device-based MFA methods, it really comes down to compatibility, price, and ease of use for the user. The more secure forms are hardware security keys like Yubikey, or hardware tokens that generate a code on the device itself and are hard to duplicate. If you already invest in smart cards for physical access to locations, it may be beneficial to consider them as a factor for login. However, you’ll want to ensure that users still have to enter a password, to avoid the risk that someone could copy an individual’s smart card at a local hardware store and then gain access to their account.
When it comes to biometrics, while the technology has advanced over the years, it is not without its own risks. Biometrics such as Windows Hello are bound to the system they are registered on, which can help avoid complications with privacy laws around centrally storing biometric data, but makes them generally unsuitable for shared computing environments. If you do consider a centralized biometric system, be sure to consult legal counsel before investing in it to avoid a costly mistake.
Considerations When Enforcing MFA
When it comes to enforcing MFA and defining when a user is challenged with an MFA prompt, it’s important to balance the security needs of the organization while maintaining user experience.
One such way to maintain or even improve user experience is leveraging Single Sign-On (SSO). SSO allows you to leverage one authentication across multiple servers and applications through the use of an authentication token. This token will tell the target resource(s) that you’ve been authenticated. The target resource will then present the token to the SSO service, which will confirm it, and then you’ll have access to what you need. No additional credentials or additional MFA challenge needed.
To help avoid frequent MFA challenges for users, you can also consider a technology called Conditional Access. Conditional Access allows you to define a series of conditions under which a user will be challenged.
For example, users should generally only be challenged when it is necessary to verify their identity, such as on their first login of the day from a shared system, or when they log in from a new or unexpected location or an untrusted device, or begin showing irregular login activity. An untrusted device is one that is not enrolled in a device management tool; such a tool can ensure a device meets certain security standards, reducing the risk that it has been compromised or stolen.
If a user is logged in via their mobile phone, and it’s enrolled in Mobile Device Management (MDM) that is protected by PIN or biometrics, it is likely not worth putting the user through additional MFA challenges unless their credentials or device change.
Conditional Access can also be used to define a geographic fence that prevents attempted logins from areas where you don’t do business, limiting the potential for account compromise.
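The conditional access rules described above, written out as a small policy evaluator. This is an added example, not code from the original post or from any vendor’s Conditional Access product; the allowed countries, the failed-login threshold and window, and the order in which the rules are applied are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy values for illustration only; tune them to your environment.
ALLOWED_COUNTRIES = {"US", "CA"}          # the geographic fence
FAILED_LOGIN_THRESHOLD = 5                # assumed definition of "irregular activity"
FAILED_LOGIN_WINDOW = timedelta(minutes=15)

@dataclass
class LoginAttempt:
    user: str
    country: str
    device_id: str
    mdm_enrolled: bool      # enrolled in a device management tool => trusted device
    shared_system: bool     # e.g. a kiosk or lab machine used by many people
    timestamp: datetime

@dataclass
class UserHistory:
    known_countries: set = field(default_factory=set)
    last_mfa_on_shared: dict = field(default_factory=dict)  # device_id -> date of last MFA
    recent_failures: list = field(default_factory=list)     # timestamps of failed logins

def evaluate(attempt: LoginAttempt, history: UserHistory) -> tuple[str, str]:
    """Return ("block" | "challenge" | "allow", reason) for one login attempt."""
    # Geographic fence: refuse logins from places where the business does not operate.
    if attempt.country not in ALLOWED_COUNTRIES:
        return "block", "outside geographic fence"
    # Untrusted device: not enrolled in MDM, so its security posture is unknown.
    if not attempt.mdm_enrolled:
        return "challenge", "untrusted device"
    # New or unexpected location for this particular user.
    if attempt.country not in history.known_countries:
        return "challenge", "new location"
    # Irregular activity: too many failed logins inside the window.
    window_start = attempt.timestamp - FAILED_LOGIN_WINDOW
    failures = [t for t in history.recent_failures if t >= window_start]
    if len(failures) >= FAILED_LOGIN_THRESHOLD:
        return "challenge", "irregular login activity"
    # Shared system: challenge once per day per device, then let the session ride.
    if attempt.shared_system:
        last = history.last_mfa_on_shared.get(attempt.device_id)
        if last != attempt.timestamp.date():
            return "challenge", "first login of the day on shared system"
    return "allow", "trusted device, known location, no anomalies"
```

A managed phone that is PIN- or biometric-protected falls through every rule here and is allowed without a prompt, which is the behaviour the section recommends.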
In conclusion, there are many ways you can go about leveraging Multi-Factor Authentication in your environment, and you can enhance its potential through things like Conditional Access, Single Sign-On (SSO), and device management. Together, these will promote the adoption of MFA and reduce the likelihood that users will look for ways to circumvent it. Lastly, be sure to revisit your MFA practices annually to ensure they meet the needs of your users and the organization.
Featured photo from Pexels by Loren Castillo.