We recently held a webinar on best practices to streamline security with multi-factor authentication (MFA). Our host, Todd Peterson, Principal Product Marketing Manager, was joined by speakers Eric Avigdor, Sr. Director of Product Management, and Dave Madrid, Sr. Technical Product Manager.
Does anyone love passwords?
The device and account owners who have to remember them? The help desk team who resets them all day long? Or the hackers sifting through stolen ones like an all-you-can-eat buffet?
The answer is a resounding “no” from everyone (except the hackers, of course). Passwords are a significant pain point for users and IT alike. They are hard to remember, easy to lose, obnoxious to reset, and a major security risk.
Is it any wonder an estimated 81% of hacking-related breaches are connected to stolen or weak passwords? With tactics such as keylogging, credential stuffing, phishing/smishing, password spray attacks, dumpster diving, and cyber extortion, it’s easy to see why hackers would prefer you continue to rely on passwords to keep you, well, unsafe.
In this article, we’ll recap JumpCloud’s resident experts’ — Todd Peterson, Principal Product Marketing Manager, and Dave Madrid, Senior Technical Product Manager — most useful tips for succeeding with multi-factor authentication (MFA).
A Better Way to MFA – Best Practices to Streamline Security
Multi-factor authentication, or MFA, is a security measure that requires more than one form of authentication to verify the user’s identity.
This could include:
- Something you know, such as a password
- Something you have, such as a security token, or
- Something you are, such as a fingerprint.
According to one Microsoft study, having MFA in place makes your resources 99.9% less likely to be breached by an external attacker. Those are pretty good odds!
MFA to the Rescue: But Which One?
Undoubtedly, MFA makes us safer, but the question remains: How can we deploy MFA in a manner that is both convenient and secure?
“This question is relevant both for folks who are yet to deploy MFA, and those that have, but that are returning to some of these dilemmas,” Eric said. “If we were to plot a graph depicting the security level and convenience of each authentication method, one would find that passwords are neither convenient nor secure. SMS/Email authentication, on the other hand, may be more convenient, but, as argued by NIST, has high security risks.”
One-time passwords (OTPs) are relatively secure but inconvenient for users. Push authentication, by contrast, is both convenient and secure because it relies on a cryptographic private key bound to the user’s device rather than on a code the user has to type. While on the subject of security versus convenience, it’s not uncommon for users of Windows Hello to confuse their login options with MFA.
“The challenge with Windows Hello starts with the definition of MFA,” Eric said. “MFA means that you’re authenticating your identity with multiple factors. Windows Hello, on the other hand, allows users to access devices by using information stored on the device itself.”
As mentioned earlier, MFA requires users to prove their identities via something they have (e.g., a token, phone, or smart card); something they know (e.g., a password or PIN); and possibly something they are (e.g., fingerprints, iris scans, or facial recognition).
While Windows Hello delivers a solid user experience, it doesn’t meet MFA criteria, either from a separation of security factors perspective or a compliance perspective. With that said, admins can deploy Windows Hello as part of an overarching MFA strategy by combining it with additional software.
Common Challenges with MFA
MFA can be difficult to deploy because there isn’t a one-size-fits-all solution. Different organizations have different needs that can be sorted into four categories:
1. Security Needs
An admin might not know which MFA factor is appropriate for the level of security their organization wants to achieve for a given resource. A user might respond by asking, “Can’t we just get the most secure factor for everything?”
The reality, however, is that different resources have different factors that are most relevant to protecting them, and the IT team of that organization needs to tailor the security level of an authentication form factor to the sensitivity of the resource being accessed.
2. User Experience Considerations
The second challenge is that of user experience. When companies want to deploy MFA, they must consider how they onboard their users (staff) and make it easy for them to use it throughout their tenure. These considerations include:
- How many factors the application can support
- Which factors the application can support
- How many different kinds of resources it can overlay MFA on
- What options exist to relax MFA requirements through conditional access policies
At the end of the day, you want to make MFA an easy, repeatable process. Without that, adoption remains low and end users will find ways around the burdens they perceive.
3. Work Environments
Organizations must ensure the factor they choose fits with their unique work environment. Admins must manage change so that users adopt MFA in a secure and healthy way.
“It would be great if users could use a corporate phone to use push authentication MFA and gain access to any IT resources,” Eric said. “But then, what happens when the users work in an environment where it is either unsafe or prohibited to use a phone, such as an oil rig, or a lab, or a call center. In that scenario, it’s best to consider a factor that does not involve a phone.”
4. Multiple Resources
Finally, even those familiar with setting up MFA run into roadblocks when implementing MFA across multiple resources. Suppose an organization had used an MFA service to secure access to its VPN and subsequently wants to implement it across other resources such as Microsoft 365, Salesforce, Wi-Fi, or even company devices.
Should they resort to having a long list of vendors that provide MFA for different resources? Or should they go for a solution which allows them to implement MFA for these resources from a single pane of glass?
The latter is obviously the most practical choice, and this is where JumpCloud’s open directory platform comes into play. Open platforms like JumpCloud allow admins to manage both identity lifecycle and access management without tool sprawl.
How Open Directories Streamline MFA
With JumpCloud, admins know their users, their roles, and where they are before allowing them to access sensitive data. This information helps admins determine which authentication factor to pair with a given resource.
Eric also highlighted that you should choose a platform that allows you to deploy different form factors for different users, whose needs differ. These authentication form factors could be OTPs, PINs, biometrics such as facial recognition, mobile apps, certificates, etc.
When deploying MFA, prioritize solutions that balance user experience and security. Going through MFA 20 times a day to get the resources you need is pretty crummy. Eric recommended utilizing conditional access (CA) alongside MFA.
For example, admins can target devices, applications, user groups, or RADIUS (generally or specifically) and require MFA for access to them.
“It’s best to use other CA policies to control access to resources; this includes device posture conditions such as FDE and OS/browser version. Other CA policies include targeting whether the user is trying to access the resource from a managed device or trusted network, the user’s risk score, or even their geo-velocity,” Dave said. “For example, have they logged in from San Francisco earlier today and then tried to access a resource from Singapore 10 minutes later?”
Recommendations For Implementing MFA
Here are a few nuggets shared by Eric and Dave on what to consider when deploying MFA:
Prioritize Key Resources and High-Risk Applications
Identify your crown jewels and critical resources. Look at your high-risk apps, both from a compliance and audit standpoint. That includes those that, if breached, may cause severe loss to the company in terms of intellectual property rights or competitive advantage.
Choose the Appropriate Authenticators for Each User
Give users options on which authentication factor they’d like to use. Take an inventory of your users, what type of users they are, and what factors secure your resource the most.
Complement MFA with Single Sign-On (SSO)
“When MFA is deployed correctly, it is an entry point into proving who a user is; and from that point on, access should be seamless and users should be signed on to many applications,” Eric said. “So the first entry level into that combination is really deploying multi-factor for many SaaS applications and allowing SSO in that single browser session between different SaaS applications. This will allow you to balance UX and still have security when you need it.”
With that said, SSO should never be used in place of MFA. Using SSO without MFA could even be dangerous: if a hacker obtains a user’s account details and gets into the company network, SSO without MFA would give them free rein until they need to log in again.
Balance User Experience and Security Requirements with Conditional Access
Dave suggested that admins could use CA to relax MFA requirements (if the request comes from a trusted device or a trusted network, and the resource is less risk-prone). Conversely, they could step up MFA based on the device and resource risk posture.
Centrally Manage MFA Across Users And Resources
Put the aforementioned tips into action behind a single pane-of-glass platform like JumpCloud. This makes management more straightforward and provides better insight into where you might have gaps in your MFA deployment.
Learn More About MFA Best Practices
MFA is an important security measure, and it doesn’t hurt to learn as much as you can about it. If you’re interested in learning more, you can also watch the recording of our webinar, A Better Way to MFA – Best Practices to Streamline Security, to get more tips on how to deploy MFA successfully.