Multi-factor authentication will stop all hackers and attackers in their tracks! That is the hype behind this security method. Let’s be clear. There is no security silver bullet. No single method or technique is enough on its own. That said, multi-factor authentication is a significant advance over more straightforward approaches to authentication.
Whether you are considering multi-factor authentication or implementing it, make sure you are not making these mistakes. After all, you will only get the benefits of multi-factor authentication if you apply it properly.
Mistake 1: Ignoring multi-factor authentication completely
Failure starts with ignoring the security benefits of multi-factor authentication. With this mistake, you assume that traditional password management is enough to protect your organization. You might focus on best practices for passwords such as requiring password changes and insisting on complex passwords. These are all helpful techniques, but they are not enough.
How do you solve this mistake?
Start by educating yourself about the power of multi-factor authentication and how it works. At its most basic level, multi-factor authentication uses two or more forms of authentication. For example, we know of a government facility that uses the following multi-factor authentication method:
- Factor 1: A physical security card, specific to the user, must be inserted in the side of the laptop before the user can do anything else.
- Factor 2: After the user starts the laptop, the user is prompted by the smart card reader to enter the first password.
- Factor 3: Finally, the user is prompted to enter a Windows password.
That example shows how software and hardware components come together to secure an asset. For this all to work, your staff need to know what to do and why it matters. If you do not provide training and promotion for multi-factor authentication, you can expect disappointing results.
Mistake 2: Failing to mandate and promote multi-factor authentication for critical systems
“Build it, and they will come” might work with baseball, but not in multi-factor authentication. In fact, Google recently found that only 10% of their account holders had multi-factor authentication turned on. Of course, you probably don’t have millions and millions of accounts to manage like Google. Take the time to develop a program to mandate and promote multi-factor authentication.
If your organization is implementing multi-factor authentication for the first time, use these tips to make sure the implementation goes well:
- The tone from the top. If MFA is perceived as “an IT issue,” it will be difficult to get traction. Instead, make sure that you have support from senior management on why MFA is needed.
- Training sessions. If your implementation includes something novel like biometrics, training your staff is crucial. For example, your staff may have questions about how you will protect data like fingerprint patterns.
- Monitor implementation results. MFA is not a “set it and forget it” way to improve security. Set yourself a reminder to monitor the system on a monthly basis.
We are just getting started with the ways multi-factor authentication can go wrong. Keep reading to learn about two more mistakes.
Mistake 3: Falling behind industry requirements for multi-factor authentication
In some industries, there are specific expectations to meet in multi-factor authentication. It is not enough to come up with an approach that seems reasonable to you. For example, consider the PCI Data Security Standard (PCI DSS). If your business accepts credit cards, you need to know these requirements.
Specific expectations under PCI DSS:
- Recognize that remote access arrangements are higher risk and require multi-factor authentication (MFA) to be implemented in those situations.
- Avoid providing “hints” to users in multi-factor authentication. If you have three authentication factors, the whole process is pass or fail. Do not tell the user they passed factors 1 and 3 and failed factor 2. Providing hints for users also makes it easier for hackers to gain unauthorized access.
- Use two of three authentication factors: something you know (e.g., a password), something you possess (e.g., an access card or token), or something you are (e.g., a fingerprint scan).
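The “no hints” and “two of three categories” rules from the PCI list above, as an added Python example that is not from the original article: a leaky verifier that names the failed factor sits beside one that evaluates every factor and returns only pass or fail. The factor names, sample password and token code are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Sequence

# The three factor categories named in the PCI guidance above.
KNOW, HAVE, ARE = "knowledge", "possession", "inherence"

@dataclass(frozen=True)
class Factor:
    category: str
    check: Callable[[str], bool]  # verifies one submitted credential

def hash_password(password: str, salt: bytes) -> bytes:
    # The same work is done whether or not the password is right, so a
    # wrong knowledge factor costs the same time as a correct one.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_policy(factors: Sequence[Factor]) -> bool:
    # PCI-style rule: factors must come from at least two distinct categories.
    return len({f.category for f in factors}) >= 2

def leaky_verify(factors, submitted):
    """Anti-pattern from Mistake 3: stops at the first failure and names it."""
    for i, (factor, value) in enumerate(zip(factors, submitted), 1):
        if not factor.check(value):
            return False, f"factor {i} failed"
    return True, "ok"

def verify_all(factors: Sequence[Factor], submitted: Sequence[str]) -> bool:
    """Whole process is pass or fail: every factor is evaluated, one bit returned."""
    if not check_policy(factors) or len(submitted) != len(factors):
        return False
    # The comprehension runs every check before all() is applied, so there is
    # no short-circuit that would reveal which factor was wrong.
    results = [f.check(v) for f, v in zip(factors, submitted)]
    return all(results)

# Constructed enrolment data for the example (not real credentials).
SALT = b"constructed-demo-salt"
PW_HASH = hash_password("correct horse battery", SALT)
TOKEN_CODE = "492817"  # stands in for a code read from a hardware token

FACTORS = [
    Factor(KNOW, lambda v: hmac.compare_digest(hash_password(v, SALT), PW_HASH)),
    # Constant-time comparison: a near-miss takes as long as a total miss.
    Factor(HAVE, lambda v: hmac.compare_digest(TOKEN_CODE.encode(), v.encode())),
]
```

A caller of verify_all learns only True or False; leaky_verify shows the “factor 2 failed” style message the PCI guidance tells you not to return.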
What if your organization does not need to follow the PCI Data Security Standard? We suggest using these principles to inform your protection of sensitive information. That leaves one major mistake.
Mistake 4: Choosing the wrong technology to manage multi-factor authentication
Managing multi-factor authentication successfully is no easy task. The process does become easier if you have the right software in place. With the wrong software, users will experience slow authentication and other problems. Implementing multi-factor authentication is best seen as part of a broader effort to improve password management and control. Look for the following capabilities in potential solutions:
- Biometric Options. Early efforts at biometrics had a critical flaw: there was only one option. The best multi-factor authentication solutions will give you several options, such as voice, facial recognition, and fingerprint. That means users can still authenticate even if they have a cold.
- Easy integration into Windows. When you raise the bar on password management, you can expect to face more questions and support needs from your users. To address these issues, look for a solution that provides password reset using the Windows Ctrl-Alt-Del screen.
- Mobile Device Support. In the past, multi-factor authentication usually required users to have a dedicated token. It is easy to lose those or forget them at home. Make sure the password management solution you choose includes support for mobile devices.
The above capabilities are only a starting point. Your company probably has additional requirements to address before making a purchase. Read our tips on how to work with procurement as you develop your strategy.
Avoiding Mistakes or Pursuing Success?
As a starting point, avoiding these multi-factor authentication mistakes makes sense. However, it is not enough to improve your overall cybersecurity arrangement. Consider adding single sign-on software to the mix to make life easier for your users. Alternatively, read our identity management glossary so you can get up to speed on that technology. Each quarter and each year, continue investing in improving your cybersecurity so that you do not fall behind.