What Are the Best Practices for Implementing Multi-Factor Authentication?
Multi-factor authentication (MFA) is one of the best ways to reduce your risk of cloud account compromise. Microsoft, which sees more than 300 million fraudulent sign-in attempts per day against its cloud services, reports that accounts with MFA enabled are 99.9% less likely to be compromised than accounts protected by a password alone.
So why don’t more companies use it?
According to LastPass, roughly 57% of companies implement some form of MFA. That leaves a lot of companies that don’t. The various reasons for this include:
- Employees find it inconvenient
- It’s an extra expense
- It’s too complicated
Here are some of the important reasons to use MFA for improved cybersecurity and business continuity:
- Increased security
- Securing sensitive data
- Improving work-from-home security
- Modernizing the cloud account access process
- Data privacy compliance
- Preventing insider threats
- Combatting phishing
- Part of a zero-trust architecture
If you follow best practices when setting up multi-factor authentication, you can make the experience better for your staff, keep costs to a minimum, and simplify your login experience.
Implement MFA Company-wide
Deploying MFA in silos does you little good. If you use it for one department or team and not another, you greatly reduce the security benefit, because attackers simply go after the accounts you skipped.
It’s best to deploy MFA across the company: all users and all accounts, including administrator, shared and contractor accounts. This also simplifies the workflow, because employees aren’t following a different login procedure for different apps.
You can then protect all your cloud accounts with consistent security policies that use the same types of MFA factors.
Offer Different Types of MFA
There are different types of multi-factor authentication, and the right one depends on the value of a particular account and the risk its user faces. A “one size fits all” approach sacrifices either convenience or security, depending on the situation.
For example, for a user in the accounting department with a login to your online banking, a hardware security key (the most secure form of MFA) is warranted. For your marketing team logging into social media scheduling software, SMS-based MFA might be acceptable. Keep in mind that SMS codes can be intercepted through SIM swapping and relayed in real time by phishing kits, so reserve them for low-value accounts or as a fallback.
There are three main types of MFA to choose from, and any of them can be combined with the adaptive policies described below. They differ in how the second factor is delivered and proven:
- A one-time code sent by SMS (least secure, most convenient)
- A one-time code generated by, or a push prompt sent to, an authenticator app (mid-level security and convenience; a code can still be relayed by a phishing page that asks the user to type it)
- A hardware security key (FIDO2/WebAuthn) that answers a cryptographic challenge bound to the site’s origin instead of producing a code (most secure and phishing-resistant; also costs the most)
Use Adaptive MFA
A great way to balance user convenience with data security is to use adaptive techniques with your multi-factor authentication. For example, you might have a higher level of authentication required if the person is logging in from outside the city where your company resides.
You can also use contextual information such as the network, device state, or time of day. While this takes a little more time to set up, it increases convenience for employees by putting fewer barriers in front of sign-ins that match the profile of a legitimate user.
Examples of adaptive MFA include requiring an additional, stronger factor when someone logs in from an unknown IP address (a security question is still “something you know” and adds little), or relaxing one requirement when the person is signing in from a registered device on the corporate network. Location or network alone is a weak signal, so tie any relaxation to a device you have enrolled, not just an IP range.
Adaptive MFA gives you more power to refine access security by automating checks such as where a user is located and when they’re logging in (is it midnight on a Saturday?), and whether the distance from their last sign-in is physically possible in the time elapsed. For activity that is out of the norm, you can require additional authentication to ensure the person is an authorized user and not someone trying to break in with a stolen password.
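To make the adaptive rules above concrete, here is a small risk-scoring policy, added as an example and not taken from any product or from the original article. It scores a sign-in on network, country, device registration, time of day and impossible travel relative to the previous sign-in, then maps the score to a step-up decision: skip the prompt on an enrolled device, require any MFA, require a phishing-resistant factor, or block. The weights, thresholds, corporate address range, and the sample sign-ins (a user in Columbus followed by a sign-in from Bucharest an hour later) are all constructed assumptions; timestamps are assumed to be in the company’s local business timezone.

```python
import math
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class SignIn:
    user: str
    ip: str
    country: str
    lat: float
    lon: float
    device_id: str
    when: datetime  # assumed to be local business time


@dataclass
class Policy:
    home_country: str = "US"
    corporate_nets: tuple = ("10.0.0.0/8",)               # constructed on-prem range
    registered_devices: dict = field(default_factory=dict)  # user -> set of enrolled device ids
    business_hours: tuple = (6, 22)                         # [start, end) local hour
    max_plausible_kmh: float = 900.0                        # roughly airliner speed


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres, used for the impossible-travel check."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def required_step(score: int) -> str:
    if score == 0:
        return "remembered-device"    # device was enrolled after a full MFA sign-in; no prompt
    if score <= 2:
        return "any-mfa"              # app code, push, or security key
    if score <= 4:
        return "phishing-resistant"   # security key only
    return "block"                    # refuse the sign-in and alert


def assess(signin: SignIn, policy: Policy, previous: Optional[SignIn] = None) -> dict:
    """Score the context of one sign-in and decide how much authentication to demand."""
    score, reasons = 0, []
    if not any(ip_address(signin.ip) in ip_network(n) for n in policy.corporate_nets):
        score += 1; reasons.append("off-network")
    if signin.country != policy.home_country:
        score += 2; reasons.append("foreign-country")
    if signin.device_id not in policy.registered_devices.get(signin.user, set()):
        score += 2; reasons.append("unregistered-device")
    start, end = policy.business_hours
    if not start <= signin.when.hour < end:
        score += 1; reasons.append("off-hours")
    if previous is not None and previous.user == signin.user:
        hours = (signin.when - previous.when).total_seconds() / 3600
        km = haversine_km(previous.lat, previous.lon, signin.lat, signin.lon)
        if hours > 0 and km / hours > policy.max_plausible_kmh:
            score += 3; reasons.append("impossible-travel")
    return {"score": score, "reasons": reasons, "required": required_step(score)}


# Constructed sample data: one enrolled device for alice, then three sign-ins.
POLICY = Policy(registered_devices={"alice": {"dev-1"}})
OFFICE = SignIn("alice", "10.0.5.12", "US", 39.96, -82.99, "dev-1", datetime(2024, 3, 12, 10, 0))
NEW_LAPTOP = SignIn("alice", "203.0.113.7", "US", 40.00, -82.90, "unknown-laptop", datetime(2024, 3, 12, 14, 0))
BUCHAREST = SignIn("alice", "198.51.100.9", "RO", 44.43, 26.10, "dev-1", datetime(2024, 3, 12, 11, 0))


def demo() -> dict:
    return {
        "office": assess(OFFICE, POLICY),
        "new_laptop": assess(NEW_LAPTOP, POLICY, previous=OFFICE),
        "bucharest": assess(BUCHAREST, POLICY, previous=OFFICE),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:11} score={verdict['score']} required={verdict['required']} {verdict['reasons']}")
```

The office sign-in scores zero and skips the prompt; the unknown laptop off the corporate network scores 3 and must present a security key; the Bucharest sign-in an hour after Columbus trips the impossible-travel rule on top of the foreign-country and off-network signals and is blocked. Tune the weights to your own environment, and log the reasons with every decision so the SOC can see why a user was stepped up or blocked.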
Use MFA With a Single Sign-On (SSO) Solution
You can get over a big hurdle of user pushback on MFA by implementing it alongside a single sign-on (SSO) solution. SSO is a session and user authentication service that lets people sign in once and gain access to all connected accounts.
So, if an employee uses six different cloud applications daily, instead of logging in to each one and then receiving and entering an MFA code for each, they only have to do it once.
Once they’ve authenticated through the SSO provider, it signs them into each connected cloud account. MFA only protects the accounts that actually go through SSO, so connect every application you can and disable direct (non-SSO) sign-in to them where the application allows it.
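The following example, added here and not part of the original article, shows the trust relationship behind “sign in once”: the SSO provider issues a signed token after the user has completed MFA, and each connected application verifies the token and checks that it asserts a recent MFA event before granting access. The token is an HS256-signed JWT in the shape of an OpenID Connect ID token, using the `amr` claim (RFC 8176, value `"mfa"`) and `auth_time`; the issuer and audience names, the client secret, and the freshness window are assumptions for this example, and a production IdP would normally sign with an asymmetric key instead.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(client_secret: bytes, claims: dict) -> str:
    """IdP side: issue an HS256-signed JWT carrying the claims the SSO-connected app will trust."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(client_secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_id_token(client_secret: bytes, token: str, issuer: str, audience: str, now: int) -> dict:
    """App side: check signature first, then issuer, audience and expiry. Raises ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token pick its own algorithm (alg=none attacks)
        raise ValueError("unexpected alg")
    expected = hmac.new(client_secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def app_accepts(client_secret: bytes, token: str, issuer: str, audience: str,
                now: int, max_auth_age: int = 8 * 3600) -> bool:
    """Grant the SSO session only if the IdP asserts that MFA was completed recently enough."""
    try:
        claims = verify_id_token(client_secret, token, issuer, audience, now)
    except ValueError:
        return False
    methods = claims.get("amr", [])  # RFC 8176 authentication method references
    fresh = now - claims.get("auth_time", 0) <= max_auth_age
    return "mfa" in methods and fresh


# Constructed values for the example.
SECRET = b"shared-client-secret-for-example-only"
ISSUER = "https://sso.example.com"
AUDIENCE = "crm-app"
NOW = 1_700_000_000


def _claims(amr: list, auth_time: int) -> dict:
    return {"iss": ISSUER, "aud": AUDIENCE, "sub": "alice",
            "auth_time": auth_time, "exp": NOW + 3600, "amr": amr}


def demo() -> dict:
    with_mfa = mint_id_token(SECRET, _claims(["pwd", "mfa"], NOW - 60))
    password_only = mint_id_token(SECRET, _claims(["pwd"], NOW - 60))
    stale_mfa = mint_id_token(SECRET, _claims(["pwd", "mfa"], NOW - 10 * 3600))
    # An attacker swaps the password-only payload for the MFA payload; the signature no longer matches.
    h, _, s = password_only.split(".")
    tampered = ".".join([h, with_mfa.split(".")[1], s])
    return {
        "with_mfa": app_accepts(SECRET, with_mfa, ISSUER, AUDIENCE, NOW),
        "password_only": app_accepts(SECRET, password_only, ISSUER, AUDIENCE, NOW),
        "stale_mfa": app_accepts(SECRET, stale_mfa, ISSUER, AUDIENCE, NOW),
        "tampered": app_accepts(SECRET, tampered, ISSUER, AUDIENCE, NOW),
        "wrong_app": app_accepts(SECRET, with_mfa, ISSUER, "other-app", NOW),
    }


if __name__ == "__main__":
    print(demo())
```

The point for an MFA rollout is the `amr` check: an application that only verifies the signature would happily accept a session in which the IdP skipped MFA (for example, because the user fell into an exception group), so each connected app should insist on the MFA assertion rather than assume the IdP enforced it.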
Set Up MFA That Works for You and Your Employees
AhelioTech can help your Columbus area business set up multi-factor authentication to increase security and compliance without slowing down your staff.
Contact us today for a free quote. Call 614-333-0000 or reach out online.