It still is somewhat shocking to me that most businesses still aren’t taking Multi Factor Authentication seriously, and don’t mandate it for the employees and like I mentioned the other day for executives. Yet, I see articles like this one from Yubico that shows that people are making the effort in increasing spending by 75%. This is great, and I think if you work in any kind of business, MFA should be a required part of getting an account.
Yet, I think some people are so quick to jump to MFA/2FA that they don’t do the required amount of thought before rolling out the tool. Before I go any further, these are things you need to consider, and your business maybe willing to accept the risk of these discussion points, or another reason. This discussion should also not make you write off using MFA/2FA, just things that you need to plan for.
1. Text Message MFA is not secure
Microsoft pressed users to move away from text based MFA due to a lack of security among telephone networks. The text messages you get containing the business verification codes aren’t encrypted, so attackers can gain access to them fairly easily. I mention this, because it’s the most popular way to get codes, and there are many businesses that only offer this at the MFA method you can use. I have this for a couple of my accounts, and while it’s better than no MFA, it’s not as inherently secure as we might be lulled into believing. It’s better to use an authenticator like Microsoft or Googles (or any other third parties) or even a token based version.
2. Tokens have high cost to implement and maintain
So I said that text messages shouldn’t be your go to, so obviously tokens have been around forever, so that must be the better choice. So the problem with these for many companies is selling the upfront cost to the company, you’ll need to buy these for every user in your organization, which depending on size can be costly. Then you need to figure out the amount you’ll need to hold onto for when people loose them…and I do this with my own keys for personal accounts (and I later find them…the record was loosing one for 8 months). So in a business you’ll need to have some you can give people when they are lost.
Following on the lost thought process of lost, what are you processes when an employee forgets their token at home? We’ve all gotten half way (or all the way) to the office, and then realized that we forgot something that we needed, how will your MFA plan account for this? This can really hamper a persons productivity and may get your IT or Security unit blamed when a user can’t work.
So I touched on this, but it is something that needs to be called out on it’s own. So I explained earlier I had a security token (YubiKey), which I use for my own personal accounts. I used this key to secure an authenticator (double security…yea it was smart and dumb simultaneously) and then I lost that key for the better part of 8 months. I was locked out of using some of my accounts because I lost my security key. This doesn’t just apply to token based security, there are times where my phone was wiped and then realized that my rolling authenticator codes were on there (I’m forgetful if you don’t see a pattern). In both cases, I lost my MFA ability and needed to get into my accounts, and you need to plan for when a user has the same issues…”tough luck” isn’t going to cut it.
4. Overconfidence in two-factor authentication
There is always a part of information security that is psychological, anyone who has studied social engineering can attest. Users will behave less safely when they believe they are being kept safe by others means. Computer users who run anti-virus software are more likely to install risky software, as that should protect them if there is anything malicious. Yet, we as information technology worker, can tell you that only catches stuff that has been out there a while. Researchers have shown that this applies to the use of two-factor authentication, they observed that users who were required to employ a second factor (they used a fingerprint in their study) chose weaker numeric PINs than those who were not. So take that into account, If you believe that MFA is a fool-proof way to protect your user accounts, they may be more willing to login from an untrusted computer or more likely to risk linking a cloud or software from an unknown or unfamiliar publisher which can steal their data.
5. The more factors the better
One of the best things you can do is allow multiple factors, not a single option. This will give your users the largest chance to give themselves access to their account. For example, at one place I worked, I had the ability to choose how I was to MFA whether it was phone call, text, authenticator push (on multiple devices), token or even a rotating code. Now I had to set all of these up, and we didn’t mandate how many we needed to use, but I encouraged everyone I helped to set up as many as possible, to avoid lock out. Now were all of them the most secure? No! But the system allowed me to make the choice, I had text set up…but I never once needed it, but it was a safety net in-case I did.
6 Lock all other methods out
Once MFA is in place, make sure you use it everywhere and lock out any protocol or legacy system that lets you bypass MFA. This is probably the most difficult from some companies to implement, so you may not be able to shut off those systems that bypass, but figure out some other compensating controls that will allow you to secure your environment., because I’ve seen first hand, when malicious actors see MFA or any other security control, they will switch tactics and look for legacy ways to get in, without MFA.
Like most things, knowing the right areas to look before rolling out your tool and making it simple for the end users is key to make any security work. Too many security methods can be draconian, and people will either not follow them. Also MFA should be part of a well rounded security program and when paired correctly, can be a useful tool.
Anything I missed, let me know in the comments below.