Nine Ways to Rethink MFA: Maximize the Value of Your Investment
Multi-factor authentication (MFA) is everywhere. But as with anything in the cybersecurity world, it’s crucial to implement technologies that actually work for your users and with your organization, and not just something that works for everyone else. MFA is now a vital piece of any workforce cybersecurity strategy due to its benefits when protecting against attacks and phishing. Adding MFA to systems that are accessed by the workforce is critical, but the true advantages become apparent when organizations deploy MFA technologies that:
- Provide flexibility
- Promote usable security
- Offer opportunities to derive additional benefits from their investment to address specific authentication requirements
Our current environment has supercharged existing trends that allow organizations to operate without boundaries. A Zero Trust approach is more important than ever to ensure IT resources are protected. Every change brings new lessons and opportunities to not only improve security practices in our organizations, but also maximize what we have, optimize the user experience and ensure that we are adapting to the new world of work.
Nine Questions to Ask Yourself When It Comes to Your Organization’s Multi-Factor Authentication Usage
You may have MFA deployed across your organization, but have you thought about how it could work better for you? Perhaps it’s time to re-evaluate your current solution, in which case, you should consider the following:
Providing secure multi-factor authentication without sacrificing the effortless experience users and admins expect is sometimes a balancing act, and user experience is often the part that gets sacrificed in the pursuit of high security. With the right products, it doesn’t have to be like that. One-size-fits-all approaches composed of just a handful of authenticators limit your options to what some vendors believe is needed. To appropriately address your risk and provide a delightful user experience, you want to use the right authenticator for each workflow.
1. Do your current workflows allow for flexibility in the types and combinations of authenticators?
Your organization contains many different kinds of identities, and each works in an environment that suits a different authentication method: remote, hybrid or contract workers, workers who need access to shared workstations, and so on. With changing requirements and business needs, it’s valuable to have flexibility in your authenticators. With MFA software such as DigitalPersona®, a wide range of authentication methods and combinations can be configured across your entire workforce using an intuitive interface:
- Choose between knowledge-, hardware- or software-based authenticators
- Then match them with the method that fits each use case: biometrics, cards, mobile devices or security keys.
2. Does unnecessary friction happen when using those authenticators?
Having separate MFA systems for different areas of your business creates friction and is inconvenient for both users and admins, who must constantly manage devices and solve password problems. Your users may also become frustrated when they are asked to authenticate repeatedly in situations where repeated authentication is not necessary. Instead, how about using a single credential for access to a diverse range of digital resources and physical workspaces?
- Create a zero-touch authentication experience with contactless cards or combine Bluetooth and face recognition authentication using DigitalPersona for a log-in experience that starts as soon as your employees sit at their desks
- With our MFA solutions, users have the convenience to only authenticate when they need to, reducing friction and wasted time
3. Do unfamiliar interfaces make it more difficult for your users to comply with MFA?
Achieving compliance is all about creating the easiest possible experience for your users; otherwise your security could be at risk. DigitalPersona helps make MFA seem invisible to your workforce with seamless Windows Logon integration and the ability to offer an intuitive self-service interface on both the desktop client and the DigitalPersona Self Service Portal.
For a cloud-based self-service portal, WorkforceID™ Digital Credential Manager provides an intuitive interface where users can independently reset PINs and manage their devices. The simplified workflows translate into fewer calls for support or administrator intervention when issuing, managing or using high-assurance credentials that support certificate-based authentication and FIDO.
Leverage Existing Infrastructure
Who wants to spend money? Leveraging existing infrastructure means that you can utilize existing servers to improve your security posture without incurring any significant performance impact.
4. Do you have existing infrastructure that you could be utilizing?
Existing systems that you are using to operate authentication services or that offer embedded support for FIDO-enabled and certificate-based authenticators are already compatible with HID’s Crescendo® smart cards and security keys, which run natively in Windows either through FIDO or PKI. You could also leverage a solution such as DigitalPersona to implement MFA in your environment without the need to set up new servers or add additional infrastructure. This way, you can enhance your security without incurring additional expenses for complex architecture.
5. Do you have existing technologies that might be going unused?
You may have investments that you don’t even realize could be contributing to your MFA security. Perhaps your workforce uses laptops with built-in contact and contactless security features, or fingerprint readers that may not be in active use at the moment. Use your existing technologies to help fortify your security through MFA software that can flexibly incorporate these methods as a second authentication factor.
6. Do you have multiple complex solutions that could be brought together to reduce costs?
Perhaps you currently have two or three one-time password (OTP) solutions across your organization. Having multiple solutions performing the same task adds unnecessary complexity and cost to your security strategy, not to mention creating a cumbersome user experience: multiple places to go for support, as well as duplicated payments and maintenance costs. Alternative solutions can not only provide a range of MFA choices across your whole organization, but, by doing so on a unified and centralized platform, also give you the power to manage every digital identity from a single system.
The Borderless Organization
Your network endpoints now can reside anywhere — the corner coffee shop, a resort town, an airport, a hotel — the possibilities are endless. Therefore, it is important to ensure your MFA system can fully support your dispersed workforce.
7. Does your MFA have capabilities that ensure your critical systems and resources are safe, regardless of where they are being accessed?
With remote workforces and less visibility of the users who may be accessing critical information, it is important that your MFA solution is able to recognize where users are and apply a level of assurance appropriate to the risk of the scenario. When there is increased risk of compromised log-ins, it’s essential to have MFA that utilizes step-up capabilities and additional security factors such as time of day, location, IP address and behavior, which can easily be accomplished by implementing software such as DigitalPersona.
8. Are you bridging the gap between your on-premises systems and user management to interact with services and applications that live outside of your organization?
As an organization, you have spent time identifying, vetting and creating digital identities for your employees. You issue these identities with employees' badges to enter the door, credentials to access their computers and a host of other applications. By knowing what to leverage, you can make your authenticators multi-purpose by bridging the physical and digital divide. The same high-assurance authentication device that securely logs you into your computer and other applications can allow you through the door.
Are you using federation through technologies such as OpenID® Connect, Security Assertion Markup Language (SAML) or WS-Federation? By using an identity federation protocol, you can maximize the use of the digital identity of your users by making it truly multi-purpose:
- These technologies can be configured to support MFA and can enforce an authentication workflow based on location, resulting in more stringent authentication when outside the corporate network
- An MFA solution like DigitalPersona with an identity provider (IdP) and support for multiple authenticators can be leveraged to provide users with the most convenient authentication workflow for their particular situation
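The step-up logic described under question 7 and in the federation bullets above, as an added illustration (not DigitalPersona's or any HID product's code): a risk score built from the contextual signals the text lists (corporate network vs. outside, geography, time of day, device history, failed-attempt behavior) decides which authenticators the user must present, and requires more stringent authentication outside the corporate network. The address ranges, working hours, weights, thresholds and authenticator names are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Assumed corporate address space and working hours (constructed for this example).
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("203.0.113.0/24")]
WORK_HOURS = range(7, 20)          # 07:00-19:59 local time
HOME_COUNTRY = "US"


@dataclass
class LoginContext:
    """Signals the identity provider sees when a user attempts to log in."""
    user: str
    source_ip: str
    login_time: datetime
    country: str                    # e.g. from IP geolocation
    known_device: bool              # device previously enrolled by this user
    failed_attempts_last_hour: int  # behavioral signal


def risk_score(ctx: LoginContext) -> int:
    """Add a weight for each contextual signal that deviates from the norm."""
    score = 0
    ip = ipaddress.ip_address(ctx.source_ip)
    if not any(ip in net for net in CORPORATE_NETS):
        score += 2                  # outside the corporate network
    if ctx.country != HOME_COUNTRY:
        score += 3                  # unexpected geography
    if ctx.login_time.hour not in WORK_HOURS:
        score += 1                  # outside normal hours
    if not ctx.known_device:
        score += 2                  # never-seen device
    if ctx.failed_attempts_last_hour >= 3:
        score += 3                  # looks like password guessing
    return score


def step_up_decision(ctx: LoginContext) -> tuple[str, list[str]]:
    """Map the score to a decision and the authenticators the user must present."""
    score = risk_score(ctx)
    if score == 0:
        return "allow", ["smart_card"]                  # on-site: one strong factor
    if score <= 3:
        return "allow", ["smart_card", "fingerprint"]
    if score <= 6:
        return "allow", ["smart_card", "fingerprint", "push_approval"]
    return "deny", []                                   # block and raise an alert
```

The weights are deliberately simple; in practice they would be tuned per organization and the decision logged so that denied and stepped-up logins can be reviewed.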
9. Does your approach to remote access combine technologies that simplify integration?
Proven technologies such as OAuth 2.0 and OpenID Connect, SAML 2.0, Remote Authentication Dial-In User Service (RADIUS) and WS-Federation allow you to use digital identities securely throughout your whole ecosystem.
- This includes on-premise applications such as Active Directory, as well as cloud-based services such as Office 365 and Salesforce — meaning you can easily weave them into your organization without heavy integration work
- An example of how you can add MFA to your RADIUS clients, such as VPN, is through a solution like WorkforceID Authentication
As shown in the example above, it is entirely possible to combine the best of both worlds: a trusted and reliable protocol like RADIUS with the convenience and availability of the cloud.
Taking your MFA to the next step in order to maximize your investment to work for your unique needs while still delivering a frictionless user experience does not need to be complicated. In fact, you might already have the components to reduce your risk and leverage your current resources without a lot of added complexity. We are with you in this journey and ready to help you chart your path. What do you say? Are you ready to maximize your MFA investments?
Darwin Rivera leads the Sales Engineering and Architecture team in the Americas for the IAM Workforce Authentication business line. He has over 25 years of experience in Information Technology operations, engineering, systems architecture, and cybersecurity and has supported military, federal and local government, financial services and health care organizations around the world. Darwin has been with HID Global for 11 years holding positions within HID Professional Services and Sales Engineering and Architecture. He also conducts research on how organizations can best balance information systems security risk management and compliance. His research has been presented at international conferences like the International Conference on Information Systems and the Workshop on Information Security and Privacy.