You’ve heard about the benefits of multi-factor authentication (MFA), and you’ve joined the party. Your organization has MFA in place. Is that implementation effective? That’s an important question to ask. Without an assessment, you’ll have no idea whether the program is delivering the results you expect or need.
Why You Need to Build the Discipline of Self-assessing IT Projects
As an individual, you need to cultivate self-awareness to avoid painful mistakes such as ignoring your weaknesses. Likewise, as a leader in an organization, self-assessment is valuable. Without it, it’ll be tough to determine whether you’re making progress in implementing your strategy. It’ll also be difficult to provide feedback to your managers and front-line employees. Finally, IT project self-assessment will help to discover problems before external auditors and consultants find them. It’s always preferable to know your department’s strengths and weaknesses in detail before somebody else points them out.
The Five-step Self-assessment Process for MFA Implementation
To collect the most useful data, we recommend completing this assessment within six months of the MFA rollout. Wait longer than that, and employees will have forgotten what the rollout was like, so their feedback loses value, and the rollout team will have moved on to other projects.
1. Review the MFA Business Case
Ask your staff to find the original business case you used to approve MFA implementation. With this document in hand, you can easily determine the benefits and costs you expected going into the project. It’s also helpful to review any limitations or assumptions you had in mind for the implementation. For example, you may have set the expectation that 25% of executives will use biometric authentication within 12 months of launching MFA.
2. Gather Feedback from MFA Users
Your next step is to get out of your office and talk to users. Find out how many of them have used MFA in the past month. If your organization made MFA mandatory, usage counts tell you nothing (everyone uses it), so shift the conversation to friction: how long it takes, where it fails, and what people do to work around it. You can use these discussion questions to spark conversations.
- How long does it take you to use MFA on your smartphone?
- Has MFA helped you to work during travel?
- Have you needed to contact the help desk for assistance with MFA?
You’re not looking for perfectly accurate data with these questions. Instead, you’re looking to broadly gauge adoption and to surface the friction points that the IT reports in the next step may not capture.
3. Review Reports from IT Security
To balance the views of your end users, you also need to check with the IT department responsible for managing identity and access management. Specifically, we recommend reviewing any reports that IT produces. Start with asking for information on the following topics:
- MFA system coverage: Discover what percentage of your systems are currently protected by MFA. Ask specifically about applications that authenticate outside your single sign-on or identity provider, such as legacy systems that accept a username and password directly, since that is where gaps usually hide. For those companies with many different systems, you might set targets to gradually cover more systems each year.
- MFA user coverage: Similar to the measure above, ask how many of your users are enrolled in multi-factor authentication. In particular, ask about coverage for administrators and other privileged accounts, managers, and executives, because those are the accounts an attacker gains the most from.
- MFA help desk requests: Inquire about how often your IT help desk receives requests related to MFA, such as lost or replaced phones, re-enrollment, rejected codes, and other login problems, and what share of all tickets they represent.
Besides reviewing the above data, meet with the IT managers to ask for their views. You want to hear the good, the bad, and the ugly. If they tell you that users are complaining about carrying and using dedicated MFA hardware tokens, take note. You can address that part of the employee experience with a FIDO2 solution that uses the platform authenticator already built into the user’s phone or laptop (its biometric sensor or PIN), which removes the separate device without giving up a phishing-resistant factor.
4. Measure MFA Usage and Gaps
No MFA implementation project is perfect or comprehensive at first. Given that reality, you need to assess those usage gaps. Here are some of the self-assessment questions to consider:
What are the most common complaints?
As you assess the MFA program, you’ll need to assess complaints. Keep in mind that some people will grumble and complain at any change because they don’t like disruption to their routines. On the other hand, complaints about specific technical problems (e.g., multiple login attempts are required before the login is accepted) are worth investigating.
Does the program impact workplace flexibility?
Many companies offer flexible work arrangements so that employees can work remotely as needed. With the right approach, MFA can play a role in supporting these programs by increasing the security protection of remote work. Unfortunately, some MFA implementations make remote login too difficult to be useful.
Have there been any security incidents related to authentication?
If accounts are being compromised despite the MFA implementation, that’s a warning sign to investigate rather than dismiss. For each incident, ask whether the compromised account was enrolled at all, whether the application involved actually enforced the second factor, and whether the factor itself was defeated (for example, a one-time code phished along with the password, or a push prompt approved by a tired user). You may have protected 90% of your systems, but attackers look for the remaining 10%, and that is where the risk exposure concentrates.
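The metrics in steps 3 and 4 (user coverage, system coverage, help desk load, and the gaps a sign-in log reveals) are easier to ask for when you know what the computation looks like. The following is an added example written for this article, not code from any identity provider; the directory export, sign-in log and ticket export are constructed sample data, and their field names and the `mfa` / `password_only` method labels are assumptions for the example rather than a real vendor schema.

```python
"""Added example: MFA coverage and gap metrics over constructed sample data.
All three inputs below are hand-written stand-ins; field names and the
'mfa' / 'password_only' labels are assumptions, not a real IdP schema."""

PRIVILEGED_ROLES = {"executive", "admin"}

# Constructed directory export: (username, role, mfa_enrolled)
USERS = [
    ("alice", "executive", True),
    ("bob", "executive", False),
    ("carol", "admin", True),
    ("dave", "admin", True),
    ("erin", "staff", True),
    ("frank", "staff", False),
    ("grace", "staff", False),
]

# Constructed identity-provider sign-in log: timestamp user app method outcome
SIGNIN_LOG = """\
2024-03-01T08:01:12Z alice mail mfa success
2024-03-01T08:05:40Z bob mail password_only success
2024-03-01T08:07:03Z carol vpn mfa success
2024-03-01T08:09:55Z dave legacy_erp password_only success
2024-03-01T08:11:20Z erin mail mfa failure
2024-03-01T08:11:41Z erin mail mfa success
2024-03-01T08:15:02Z frank vpn password_only failure
2024-03-01T08:20:17Z grace legacy_erp password_only success
2024-03-01T09:02:44Z alice vpn mfa success
"""

# Constructed help-desk export: (ticket_id, category, summary)
TICKETS = [
    ("T1", "mfa", "code rejected twice before login accepted"),
    ("T2", "password", "forgot password"),
    ("T3", "mfa", "new phone, needs re-enrollment"),
    ("T4", "hardware", "laptop will not boot"),
    ("T5", "mfa", "push prompt never arrives while travelling"),
]


def parse_signins(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, app, method, outcome = line.split()
            events.append({"ts": ts, "user": user, "app": app,
                           "method": method, "outcome": outcome})
    return events


def user_coverage(users):
    """Overall enrollment percentage plus privileged users still unenrolled."""
    enrolled = sum(1 for _, _, mfa in users if mfa)
    pct = round(100.0 * enrolled / len(users), 1)
    unenrolled_privileged = sorted(
        name for name, role, mfa in users
        if role in PRIVILEGED_ROLES and not mfa)
    return pct, unenrolled_privileged


def gap_report(events, users):
    """Separate the kinds of gap a sign-in log reveals.

    apps_without_mfa: an enrolled user got in with a password alone, so that
      application is not enforcing the second factor (a system gap).
    unenrolled_logins: users with no second factor who signed in (a user gap).
    mfa_retry_users: an MFA failure followed by success on the same app, the
      pattern behind 'it takes several attempts before it accepts me'.
    """
    enrolled = {name for name, _, mfa in users if mfa}
    apps_without_mfa, unenrolled_logins, retries = set(), set(), set()
    last_failed = set()  # (user, app) whose most recent MFA attempt failed
    for e in events:
        key = (e["user"], e["app"])
        if e["method"] == "mfa":
            if e["outcome"] == "failure":
                last_failed.add(key)
            elif key in last_failed:
                retries.add(e["user"])
                last_failed.discard(key)
        if e["outcome"] != "success":
            continue
        if e["method"] == "password_only":
            if e["user"] in enrolled:
                apps_without_mfa.add(e["app"])
            else:
                unenrolled_logins.add(e["user"])
    return {"apps_without_mfa": sorted(apps_without_mfa),
            "unenrolled_logins": sorted(unenrolled_logins),
            "mfa_retry_users": sorted(retries)}


def mfa_ticket_share(tickets):
    """Count of MFA-related tickets and their share of all tickets."""
    mfa = sum(1 for _, cat, _ in tickets if cat == "mfa")
    return mfa, round(100.0 * mfa / len(tickets), 1)


if __name__ == "__main__":
    evs = parse_signins(SIGNIN_LOG)
    print("user coverage:", user_coverage(USERS))
    print("gaps:", gap_report(evs, USERS))
    print("mfa tickets:", mfa_ticket_share(TICKETS))
```

On the sample data the report flags `legacy_erp` as an application that lets an enrolled administrator (dave) in on a password alone, which is the system-coverage gap step 3 asks about; bob, an unenrolled executive, shows up under both user coverage and unenrolled logins; and erin’s failure-then-success on mail is the kind of "multiple attempts" complaint step 4 says is worth investigating. The point of splitting the gaps this way is that the fixes differ: an unenforcing application needs a configuration or migration change, while an unenrolled user needs enrollment.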
5. Produce Recommendations for MFA Improvement
At this stage of the process, you’ll need to come up with a few recommendations on how to make the MFA implementation more effective. For instance, you might recommend setting a goal to protect 100% of privileged and executive-level accounts within six months, or to migrate the applications that still accept a password alone behind your identity provider. Alternatively, you might retire the use of dedicated MFA hardware tokens in favor of FIDO2 platform authenticators, so employees can use the biometric sensor or PIN on their own smartphones or laptops instead.
How Do You Keep Improving IT Security After Optimizing Your MFA Implementation?
Optimizing your IT security program is a never-ending process. We suggest viewing your overall program through the lens of people, process, and technology. Once you have MFA technology in place, you may want to turn to single sign-on to improve user convenience and to bring more applications under the same MFA policy. On the process front, you may need to refresh your employee password and phishing training. Finally, you may need to look at your people. Is your IT department keeping up with new security threats? If not, you may need to start hiring and offering more extensive professional development programs.