Deterred by issues such as cost and complexity, these firms are missing out on something that can significantly improve the robustness of their core IT infrastructure. It’s a situation that needs to change quickly.
Why the reluctance?
MFA usage involves the combination of a number of different factors to improve the sign-on or log-in processes used by an organisation’s staff.
Factors include something an individual knows (a password or phrase), something they have (a hardware token or mobile device) and something they are (a fingerprint or face). These are combined in different ways depending on the organisation’s security requirements and acceptance by users.
Reluctance to make use of MFA techniques comes down to two perceived issues: cost and friction.
Many small and mid-sized companies are deterred by the anticipated required investment and believe the money would be better allocated elsewhere.
Often, company managers think they will need to deploy and manage a new on-premise server to operate the MFA infrastructure and then distribute hardware-based tokens to all users. They see these costs continuing to mount as the tokens need to be replaced or reset over time.
From a user perspective, MFA may be viewed as an imposition that increases friction by complicating their log-on procedures. Having to hunt in a bag for a token and then type in strings of numbers to gain access to IT systems appears more trouble than it’s worth.
MFA has evolved
Thankfully, MFA has evolved to the point where these issues have been resolved. Rather than requiring an on-premise server, MFA services can be delivered using a cloud-based platform as a Software-as-a-Service (SaaS) deployment.
This removes the need for investment in on-premise hardware and reduces ongoing management and maintenance. Users can be added, removed and managed quickly and easily.
For users, rather than needing a dedicated hardware token, codes can be delivered via a mobile phone. This removes the need to carry an extra item and can streamline the process.
Push notifications can be sent by the MFA system to a user’s device. Instead of having to enter a six-digit number, the user can simply respond to the notification with one press on their phone’s screen.
Undertaking a deployment
When considering the deployment of an MFA platform, there are a number of points that organisations should consider. These include:
Different forms: Remember that any form of MFA is better than no MFA; however, recognise that not all forms are equal. Carefully assess what level of protection each one actually provides.
SMS security: MFA deployments that rely on one-time passwords delivered via SMS are inherently insecure. A man-in-the-middle attack can allow a cybercriminal to access the password and gain unauthorised entry to systems.
SIM swapping: Mobile devices can also be compromised if their SIMs are ported without the user’s knowledge. This could allow a criminal to establish access using another device in a different location.
Use the cloud: Cloud-based MFA platforms offer a cost-effective and easily managed option for small and mid-sized organisations. Consider their use rather than an on-premise alternative.
Push: Phone-based push notifications are the most secure option and allow users to respond with a single click. This removes the need to re-enter numbers generated by a token.
MFA and SSO: Consider combining an MFA deployment with the rollout of Single Sign-On (SSO) capabilities. This will further reduce complexity for users and make it more likely that they will support the new practices.
Take time to review the MFA platforms that are available on the market and determine which is the best fit for your organisation. It’s important to find a balance between having the best security and the lowest friction for users. In this way, MFA can provide strong security without being a daily annoyance.
Mark Sinclair, ANZ regional director, WatchGuard Technologies