The importance of Multi-Factor Authentication (MFA)

Overview

Multi-Factor Authentication (MFA) has become a standard in security as it adds an additional layer of defence against attacks targeting user’s passwords. With increasing computation power, it becomes more important to not only have strong passwords but also have additional authentication methods to add resilience in case such passwords are compromised.

Types of MFA

The three types of MFA:

• Something you know: This includes passwords, PINs, or security questions.
• Something you have: This involves physical devices like smartphones, security tokens, or smart cards.
• Something you are: This refers to biometric verification methods such as fingerprints, facial recognition, or iris scans.

MFA Fatigue

Despite the enhancements to security provided by implementing MFA, it can often create fatigue among users which can discourage adoption by businesses. Likewise, users that are frustrated with MFA notifications are more likely to click on malicious requests by attackers.

Additionally, businesses with large established infrastructure may face implementation difficulties when rolling out MFA across the whole domain. These may require additional monetary costs or workforce effort.

Therefore, MFA is not always adopted or takes time to adopt. However, the benefits of adopting MFA often outweighs the drawbacks.

Benefits of MFA

Whilst MFA is not a replacement for password complexity or other defence mechanisms, such as rate-limiting or temporary lockouts, it is still a beneficial addition to such defences.

The main benefit is that if all other defences fail and a password is compromised, then an attacker would still require the other authentication methods to gain access. Additionally, in such instances a user’s MFA method would notify them of an attempted login, thus making it easier to identify a password compromise.

Regarding implementation, it is often better to use established providers that can facilitate secure development and deployment of MFA. Whilst it is possible to develop a MFA implementation from scratch at a cheaper costs, the majority of MFA bypasses found in assessments were on custom implementation. This does not mean that established MFA providers are not prone to vulnerabilities, yet they tend to have been tested periodically leading to a stronger foundation.

Implementation considerations

The following points may be considered when implementing MFA:

• Assess security/business needs: Evaluate the specific security requirements and risks of your organization to determine the appropriate MFA methods. For example, it may be considered that MFA for standard users is optional to avoid customer dissatisfaction due to MFA fatigue, whilst administrative users are enforced with 2FA, and for very sensitive access data accounts could even require 3-factor authentication (3FA).
• Choose the right MFA solution: Select an MFA solution that integrates well with your existing systems and meets your security needs.
• User education and training: Educate employees about the importance of MFA and provide training on how to use it effectively. Additionally, consider how MFA tends to be used in phishing attacks.
• Pilot testing: Conduct a pilot test with a small group of users to identify potential issues and gather feedback.
• Gradual rollout: Implement MFA in phases, starting with high-risk areas or departments, and gradually expanding to the entire organization.
• User support: Provide robust support channels to assist users with any issues or questions during the rollout.
• Monitor and adjust: Continuously monitor the implementation process and make adjustments based on user feedback and security needs.
• Policy and compliance: Ensure that MFA policies align with regulatory requirements and industry standards.
• Backup and Recovery: Establish procedures for backup authentication methods in case users lose access to their primary MFA devices.
• Communication plan: Develop a clear communication plan to inform all stakeholders about the rollout process, timelines, and benefits.

Conclusion

Implementing MFA is a great addition to the security of any sized organisation. The benefits tend to outweigh the challenges of implementing MFA and for this reason has become a cyber security standard.