In part 1 of our MFA 101 series, we talked about what multi-factor authentication is and many of the common terms and factor types. Now that we’ve covered the basics of multi-factor authentication, it’s important to consider the WHY. As in, what motivates an organization to implement multi-factor authentication?
While the obvious reason for multi-factor authentication is that it adds additional layers of security, what does this really mean? Each organization is different, and therefore, will have unique needs. While the right MFA solution should strike a balance between added security and user convenience, there’s no magic, one-size-fits-all solution that works for every organization.
Thus, it’s crucial that you thoroughly understand your organization’s motivations and needs for multi-factor authentication, as well as MFA’s challenges and benefits to ensure you select a solution that’s right for your organization.
Purpose, Needs, and Motivations for Multi-factor Authentication
There are typically three primary motivations for why people and organizations use MFA: security, compliance, and usability.
The strength of an authentication system depends on the number and independence of the factors it combines, and on how resistant each factor is to attacks such as phishing, replay, and credential theft. While every authentication method has strengths and weaknesses, a system that requires two or more different factor types (for example, something you know plus something you have) is considered stronger than one that relies on a single factor, because an attacker must compromise both.
Almost every organization has some level of local, state, and/or federal compliance to which they must adhere. Many of these regulations specify that organizations must utilize MFA under certain circumstances, like when accessing particular types of data or connecting from certain locations. There is pressure for organizations to maintain compliance in order to mitigate audit findings and avoid potential fines and other penalties.
The key need regarding usability revolves around the idea that “passwords are dead.” This commonly heard phrase has two core meanings. First, people have too many passwords for their devices and applications, personal and professional. Second, if you follow password best practices and make each one unique and complex, even most technical folks struggle to keep up. Password managers and IAM systems with single sign-on significantly reduce password-related headaches, but MFA opens the door to eliminating passwords altogether by securely authenticating users via other methods, which is a significant motivator on the usability front.
Multi-factor Authentication Benefits
The benefits of MFA align very closely with the motivations for having multi-factor authentication.
The primary benefit of multi-factor authentication is that it provides additional security by adding protection in layers. Each additional independent factor reduces the risk that a single stolen or guessed credential is enough for an intruder to reach critical systems and data.
A second benefit of multi-factor authentication is being able to satisfy the compliance requirements specific to your organization, which in turn mitigates audit findings and avoids potential fines.
Increase Flexibility and Productivity
And finally, removing the burden of passwords by replacing them with alternatives has the potential to increase productivity and deliver a better user experience because of the increased flexibility in factor types. In the right environment and situation, there may even be an opportunity to reduce operational costs.
Multi-factor Authentication Challenges
While there are well-known benefits for MFA, as with any technology, there will be potential challenges as well. Below we have listed common sticking points for MFA.
In most MFA implementations, passwords are still present. So, now in addition to having to manage the password, users have to manage an additional layer of security. But perhaps the biggest usability challenge is that your applications and systems often require different types of MFA. You may find yourself asking the question: How is this any better than having a different password for every application?
Cost is probably the number one challenge for multi-factor authentication, but it is not a unique one. Most new technology deployments incur a cost increase, at least initially. MFA brings potential cost increases for things like additional support, training, maintenance, SMS gateways or services, mobile app development, hardware and software tokens, and stipends for mobile phone expenses.
How do you blend MFA across local devices and cloud-based applications? Does logging in to your local device require MFA? What about your local email client or other locally installed applications?
Some physical authenticators require additional drivers, adding another dimension of complexity for deployment, support, and maintenance. This also requires ongoing compatibility checking as environments change.
Do you have a backup plan in place for your multi-factor solution? For example, what happens when a user loses his or her phone or hardware token? Is there a way for users to gain emergency access without falling back to a weaker factor, and is that recovery path itself protected and audited?
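One common answer to the lost-token problem is a set of single-use recovery codes issued at enrollment. The following is an added example, not code from the original article or from any particular MFA product, showing how such codes can be generated, stored as hashes rather than plaintext, accepted regardless of how the user types them, and consumed exactly once. The function names, the 8-byte code length, and the ten-codes-per-user default are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example: 8 random bytes per code (64 bits),
# shown to the user as four groups of four hex characters.
CODE_BYTES = 8
CODES_PER_USER = 10


def _normalise(code: str) -> str:
    """Accept the code however the user types it: drop separators, ignore case."""
    return "".join(ch for ch in code if ch.isalnum()).lower()


def _hash_code(code: str) -> str:
    # Plain SHA-256 is acceptable here only because each code is a 64-bit random
    # value chosen by the server, not a user-selected secret; for low-entropy
    # inputs a slow password hash (bcrypt, scrypt, Argon2) would be required.
    return hashlib.sha256(_normalise(code).encode("ascii")).hexdigest()


def generate_recovery_codes(count: int = CODES_PER_USER):
    """Return (plaintext codes, hashes). Show the plaintext once; persist only the hashes."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(CODE_BYTES)  # 16 hex characters
        codes.append("-".join(raw[i:i + 4] for i in range(0, len(raw), 4)))
    return codes, [_hash_code(c) for c in codes]


def redeem_recovery_code(stored_hashes: list, submitted: str) -> bool:
    """Consume one code. Returns True and removes it on success; False otherwise.

    stored_hashes is the list persisted for the user and is modified in place.
    """
    candidate = _hash_code(submitted)
    match = None
    # Compare against every stored hash in constant time rather than breaking
    # out early, so response time does not reveal which slot matched.
    for index, stored in enumerate(stored_hashes):
        if hmac.compare_digest(stored, candidate):
            match = index
    if match is None:
        return False
    del stored_hashes[match]  # single-use: the same code never works again
    return True


if __name__ == "__main__":
    plaintext, hashes = generate_recovery_codes()
    print("Show these once:", plaintext)
    print("Redeem:", redeem_recovery_code(hashes, plaintext[0]))  # True
    print("Replay:", redeem_recovery_code(hashes, plaintext[0]))  # False
    print("Remaining:", len(hashes))  # 9
```

This covers only the storage and redemption logic. A production recovery path also needs rate limiting on the endpoint, an audit log entry and user notification on every redemption, and a prompt to regenerate the set when only a few codes remain.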
Lack of Bandwidth
Technology roll-outs are time- and resource-draining. It can be difficult to balance an MFA implementation with existing priorities. MFA takes a significant amount of planning and training because it’s critical that you research and understand any related compliance requirements and then figure out which solutions best align not only to those requirements but also with your industry and user needs.
Keep in mind, some methods are stronger than others (see the Authenticator Assurance Levels, AAL1 through AAL3, in NIST SP 800-63B), and each method has its own security risks, such as SMS codes being exposed to SIM swapping and one-time codes being phishable. It is important to understand these risks and determine which methods provide the right level of security for your organization.
Finding the Right MFA Solution
By understanding what’s motivating your organization to implement multi-factor authentication, you will be better positioned to weigh the benefits and challenges of potential MFA options and to select a solution that best fits for your organization’s needs and requirements.
Remember, the right solution should help your organization improve security, meet compliance requirements, and even improve the productivity of your users, while minimizing challenges such as technical gaps, usability issues, and complexity. Our next installment of the MFA 101 series will cover six guiding principles to help your organization select a multi-factor authentication solution that fits the bill.