The combination of username and password is no longer enough to secure your data. This is why multi-factor authentication (MFA) is being adopted by a growing number of organizations and businesses.
The goal of MFA is to put three or more hurdles in front of cybercriminals to deter them from pursuing access to your network and, through it, your sensitive data.
It achieves this by requiring users to provide three or more pieces of evidence to verify that they are who they claim to be. These factors fall into one of four categories:
- Knowledge (something you know): PIN, username and password, security question
- Possession (something you have): token, USB key, magic link, or card
- Inherence (something you are): biometrics such as a fingerprint, voice, palm veins, iris/retina patterns, or behavior patterns
- Location (somewhere you are): physical location determined through GPS tracking
Mistakes and Risky Practices When It Comes to MFA Implementation
Deploying multi-factor authentication is not without its challenges. Between companies that are reluctant to adopt MFA for various reasons and companies that make mistakes in their implementation, it’s clear there is still some way to go before MFA is deployed as it should be.
Here are six mistakes that companies make in their MFA implementation.
1. Failing to make MFA mandatory
MFA shouldn’t be an optional process for end users; however, many organizations mistakenly treat it as an option rather than a must.
2. Limiting MFA deployment only for certain users and apps
When you deploy MFA only to those employees who handle critical or sensitive tasks, you are not effectively securing your entire organization. Unfortunately, this is a practice that many organizations are guilty of.
While your executives certainly have access to most, if not all, sensitive, operation-critical information, don’t overlook the fact that other employees also access some of this information in certain contexts. Depending on the nature of their tasks and how fluid their responsibilities are, some of them will need to reach critical data at some point.
MFA is also often limited not only to certain employees but also to certain apps. This selective implementation leaves attackers vulnerable points to exploit on their way to your sensitive data.
To optimize MFA, treat every employee and app as critical and opt for wholesale implementation.
3. Treating MFA as simply an extra security step
Deploying MFA as just one more step on top of your existing security controls only adds friction to the user experience. Authentication is supposed to become more convenient with MFA, so rather than throwing MFA onto the pile, evaluate your security controls and retire poor security practices so they don’t complicate things and end up increasing the risk to your company.
4. Authenticating with SMS Alone
Authentication via SMS code introduces several security issues. In particular, one-time codes delivered by text message expose your data to attacks such as mobile phishing (smishing) and SIM swapping, where the code is phished from the user or the messages are redirected to a device the attacker controls.
To mitigate the risk that comes with SMS codes, use an authenticator app.
5. Adopting a point-solution approach
Just as MFA should not be limited to the employees and apps deemed critical to your operations, it should also not be deployed to address a single problem (e.g., the entry point exploited in a breach). Doing so may plug a specific security gap, but only for the short term; soon your data will be exposed to the same threat as before.
6. Underestimating the impact of MFA on your business
A poor understanding of how MFA works is a major contributor to this mistake. Before deploying MFA, you should have a full grasp of the changes it brings as well as its benefits for users (both your employees and your customers).
Be sure to account for the following:
- Outright resistance to the change
- Ingrained habits that slow users’ adaptation to the change
- The need for an effective communication strategy to ensure that everyone understands what the change entails and how it will affect them individually
Taking MFA to the Next Level
Whether you have already implemented MFA or are just about to, make sure that you are getting multilayered security instead of wasting your effort and investment.
Reinforce MFA by pairing it with single sign-on (SSO) and going passwordless. By removing the password, the most vulnerable and inconvenient component of your authentication process, you make it that much harder for cybercriminals to get past the hurdles you’ve set in place.
Contact TraitWare to learn more about our enterprise-class passwordless MFA solution.