Multifactor authentication (MFA) is a must for enterprises to ensure data security in the face of both new attacks and persistent older ones that are constantly being fine-tuned by cybercriminals. It adds multiple layers of security to your login processes through multiple means of authentication, which fall into the following categories:
- Knowledge (something you know): PIN, username and password, security question
- Possession (something you have): token, USB key, magic link, or card
- Inherence (something you are): biometrics (e.g., fingerprint, voice, palm veins, complex iris/retina patterns, behavior patterns)
- Location (someplace you are): actual physical location determined through GPS tracking.
However, while MFA is intended to thwart cybercriminals attempting to gain access to your system, it can unintentionally do the same to users who should have access, because of the very same features that are supposed to keep your data safe.
The importance of making MFA easy for your IT team and your employees
When introducing any new or modified measure to upgrade your data security, there is one factor above all else that will be a challenge: user habits. You need to ensure your employees change their habits, and that will not happen if they struggle to understand the new measure being implemented.
Furthermore, if they’re having difficulties complying with changes, then they are likely to commit errors or overlook certain steps that may unintentionally give cybercriminals a vulnerable point of attack and your IT team an unnecessary headache.
So how do you make sure everyone in your organization transitions to MFA as painlessly as possible?
Deploying MFA into existing identity environments can be a challenge, especially since most environments today include both on-premises and cloud applications. Not only that, users are more likely to be mobile.
Facilitate deployment by choosing flexible options, such as on-premises or as-a-service delivery, as well as rich API support, to allow for seamless MFA integration into your existing user login experience. This will also create an easy migration path to MFA and other advanced authentication mechanisms, allowing the use of one solution to access on-premises and cloud applications on multiple mobile platforms.
Admittedly, MFA is a more complex authentication method, meaning it can still pose some issues concerning time and proper use. Prevent resistance by making the method simpler and easier to complete. A risk-based approach is one option. It verifies the user’s identity transparently and automatically requests additional authentication only when the risk warrants it.
To illustrate: a user who signs in on the same device and to the same applications from the same location every day is very likely to be who they say they are. That being the case, there’s no reason to have them undergo a more rigorous login process.
On the other hand, if someone is a highly mobile employee, such as someone from sales who’s out in the field most of the day or a buyer who travels to another country and attempts to log in from that location, then it makes sense to reconfirm the user’s identity. But even at this point, any additional authentication step has to be convenient to ensure compliance (e.g., push notifications, biometrics, or SMS).
Since MFA involves multiple factors, convenience can also mean allowing employees to choose the verification options that are easiest for them to perform.
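The risk-based approach described above can be sketched as a small policy engine. This is an added example, not TraitWare's code: the class names, weights, and threshold are hypothetical, and it assumes the primary factor has already been verified before `decide` is called.

```python
from dataclasses import dataclass, field

# Hypothetical weights and threshold; tune them to your own risk appetite.
WEIGHTS = {"device": 40, "country": 40, "app": 20}
STEP_UP_THRESHOLD = 40

@dataclass(frozen=True)
class LoginContext:
    user: str
    device_id: str
    country: str
    app: str

@dataclass
class Baseline:
    """Contexts this user has already completed authentication from."""
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    apps: set = field(default_factory=set)

class RiskEngine:
    def __init__(self):
        self.baselines = {}  # user -> Baseline

    def score(self, ctx):
        base = self.baselines.get(ctx.user)
        if base is None:
            return sum(WEIGHTS.values())  # no history: treat as highest risk
        risk = 0 if ctx.device_id in base.devices else WEIGHTS["device"]
        risk += 0 if ctx.country in base.countries else WEIGHTS["country"]
        risk += 0 if ctx.app in base.apps else WEIGHTS["app"]
        return risk

    def decide(self, ctx, enrolled_factors):
        risk = self.score(ctx)
        if risk < STEP_UP_THRESHOLD:
            return {"action": "allow", "risk": risk, "offer": []}
        if not enrolled_factors:
            # Fail closed: a risky sign-in with no second factor is refused.
            return {"action": "deny", "risk": risk, "offer": []}
        # Let the user pick whichever enrolled factor is easiest for them.
        return {"action": "step_up", "risk": risk, "offer": list(enrolled_factors)}

    def record_success(self, ctx):
        """Call only after authentication (including any step-up) succeeded."""
        base = self.baselines.setdefault(ctx.user, Baseline())
        base.devices.add(ctx.device_id)
        base.countries.add(ctx.country)
        base.apps.add(ctx.app)
```

Because `record_success` runs only after a completed authentication, a failed or abandoned attempt from a new country never becomes part of the user's familiar baseline.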
Lastly, use MFA with single sign-on. The latter is a convenient solution and can easily mitigate the complexity of multifactor authentication without weakening security.
Ease of MFA adoption doesn’t stop at user experience. It’s also just as crucial to keep MFA management straightforward. You want to avoid overburdening administrators with management of all the authentications available to users.
Ensure ease and convenience both for users and administrators by allowing for self-enrollment and other secure self-service options. Other capabilities designed for easy MFA management include out-of-the-box access-policy configuration options for an extensive range of applications and a single, centralized view into access management across both on-premises and cloud applications.
Passwordless multifactor authentication
Since passwords are vulnerable, why not just take them out of the equation altogether? Passwordless MFA means no longer saddling employees with the responsibility to come up with strong passwords and passphrases despite their tendency to use easy-to-remember words and combinations that are also easy to crack. It also removes the need for password managers and for IT to perform such tasks as password resets and hashing and salting passwords.
It’s time to embrace more complex authentication, but in a way that keeps out only the cybercriminals while making life easier for users and administrators alike.
Contact TraitWare today to learn more about how we do passwordless MFA.