Now that we’ve built a base knowledge of multi-factor authentication (MFA) and discussed the reasons why your organization might need and benefit from it, it’s time to talk about what to take into consideration when selecting and implementing an MFA solution.
Below, we’ve outlined six key guiding principles that will help you select a multi-factor authentication solution that meets your organization’s needs and helps you fully realize the benefits of MFA.
Recommendations & Guiding Principles for Selecting an MFA Solution
1. Understand Your Requirements
Ensure that you understand the technical and business needs of your organization and its users. For example, do you need multi-factor authentication for cloud apps, local apps, local devices, or some hybrid deployment? Solutions for local apps and devices typically look different than solutions for cloud-based environments. So it’s important to consider how you will be using MFA and make sure your solution will be able to accommodate your requirements.
2. Plan for Current and Future Needs
Don’t be too short-sighted when selecting a multi-factor authentication solution. Do your best to account for future growth. The MFA solution you select should not only be able to support your current needs, but should also include factors that will support your future needs.
3. Less Is More
You should deploy more than one MFA factor type, but don’t go overboard. For most situations, anything more than 2-3 factors is going to be too much to support and manage, while one factor would not provide enough flexibility. Additionally, if each application uses its own MFA method, then this can negatively impact usability, as you will run into many of the same challenges as with traditional passwords.
4. Choose Highly Available MFA Solutions
It is important that the MFA solution you choose is highly available, and this should be part of your buying criteria. Most organizations put significant resources into ensuring identity providers (IdPs) and core directory systems are highly available, but has your organization put the same amount of resources behind your MFA solution? After all, if your MFA solution goes down, it has the same impact as if your IdP or directory went down.
5. Investigate Alternatives to Phone-Based MFA Solutions
Many MFA deployments rely heavily on phone-based authentication methods, such as SMS, push authentication, or time-based one-time password (TOTP). However, what happens if a user doesn’t have his or her phone? It’s important to research alternatives to phone-based MFA solutions or to provide a backup authentication process, so your users aren’t dead in the water if they don’t have phone access.
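As an added illustration of the backup process described above (example code written for this article, not from any MFA product), the following verifies a phone-generated TOTP code with a small clock-skew window and, when the phone is unavailable, falls back to single-use backup codes that the server stores only as salted hashes. Function names, the 30-second step, and the backup-code format are this example’s own choices; the only fixed value is the public RFC 4226/6238 test-vector secret used for the self-check.

```python
import hashlib
import hmac
import secrets
import struct

# Shared secret from the RFC 4226 / RFC 6238 test vectors (public, for self-checks only).
RFC_TEST_SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (what the phone app computes)."""
    return hotp(secret, unix_time // step)

def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current 30 s step plus/minus `window` steps to absorb phone clock skew."""
    return any(hmac.compare_digest(hotp(secret, unix_time // 30 + d).encode(), code.encode())
               for d in range(-window, window + 1))

def _hash_code(salt: bytes, code: str) -> str:
    """Backup codes are never stored in clear text; normalise, salt and hash them."""
    return hashlib.sha256(salt + code.strip().lower().encode()).hexdigest()

def issue_backup_codes(count: int = 8):
    """Return (plain codes to show the user exactly once, server-side store of salted hashes)."""
    salt = secrets.token_bytes(16)
    plain = [secrets.token_hex(5) for _ in range(count)]  # 10 hex characters each
    store = {"salt": salt, "hashes": {_hash_code(salt, c) for c in plain}}
    return plain, store

def redeem_backup_code(store: dict, code: str) -> bool:
    """Single use: a matching hash is removed so the same code cannot be replayed later."""
    h = _hash_code(store["salt"], code)
    if h in store["hashes"]:
        store["hashes"].discard(h)
        return True
    return False

def second_factor(secret: bytes, store: dict, submitted: str, unix_time: int):
    """Fallback order for the second factor: live TOTP first, then a one-time backup code.
    Returns which path succeeded, or None to reject."""
    if verify_totp(secret, submitted, unix_time):
        return "totp"
    if redeem_backup_code(store, submitted):
        return "backup"
    return None
```

Each redeemed backup code is gone for good, so the user should be prompted to generate a fresh set (after re-authenticating) once the supply runs low.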
6. Multi-Factor Authentication vs. IAM Solution with MFA
In addition to the guiding principles outlined above, your organization also needs to decide whether a stand-alone multi-factor authentication solution will meet your requirements or if greater identity and access management (IAM) capabilities are needed.
Most MFA solutions are bolt-on solutions to an application or existing IAM system. However, this can create significant usability challenges, as well as increased support and management requirements because the bolt-on solution introduces a new management interface for users and support staff. Typically, users have to manage their regular account in one place and then go to another place to manage the MFA functions (which usually requires an additional password or PIN). The more factors you add, the more complex this gets, which increases support calls across the organization.
Ideally, you want an IAM solution that has great MFA capabilities built-in, so all the components are tightly integrated with a single user and management interface and no (or minimal) additional passwords/PINs.
Whether you are looking to add multi-factor authentication to an application, as a bolt-on to an existing IAM solution, or as part of a complete IAM implementation, it’s crucial that you take the time to understand the benefits and challenges associated with MFA, as well as your organization’s unique requirements.
Additionally, NIST Special Publication 800-63-3 Digital Identity Guidelines and the guidebook Assigning Risk Levels and Choosing Authentication Policies are both excellent resources in your quest to learn more about multi-factor authentication and choosing solutions that fit your needs.
By knowing your organization’s needs and following the guidelines and recommendations outlined above, your organization will be on the right track to selecting and successfully implementing the right solution.