![\"2D](\"\/wp-content\/uploads\/2016\/11\/MFA-illustration.jpg\")
<\/figure><\/div>\n\n\nMulti-Factor Authentication (MFA) is also referred to as two-factor authentication (2FA)<\/a>. It adds an additional layer of security to the sign-in process. The user is required to provide an additional form of identification to gain access.<\/p>\n\n\n\n
MFA requires two or more of the following methods for successful authentication:<\/p>\n\n\n\n
- \n
- Something you know<\/strong> – Password or passcode<\/li>\n\n\n\n
- Something you have<\/strong> – A device in your possession, like a phone or hardware key<\/a><\/li>\n\n\n\n
- Something you are<\/strong> – Biometrics<\/a> like a face or fingerprint scan<\/li>\n<\/ul>\n\n\n\n
What usually happens is the MFA requirement surfaces once a user logs in with their password. The system may send a code to their registered cell phone, require a code generated by an app like Google Authenticator, or from a Universal 2nd Factor key<\/a>. It may also require the user to scan their fingerprint or face should the device compatibility exist.<\/p>\n\n\n\n
What is Device-based MFA?<\/span><\/h2>\n\n\n\n
Device-based MFA requires the user to clear the secondary authentication requirement when logging into their device, either when it boots up or when the login occurs. In order to access the device, the user will need their login credentials in addition to the MFA code. <\/p>\n\n\n\n
This significantly reduces the risk of unauthorized access to the device, while adding a secondary, downstream impact on preventing unauthorized use to the IT resources an employee\u2019s device can access. Coupled with full disk encryption<\/a>, this process can dramatically step-up security on a device.<\/p>\n\n\n\n
Through modern, cloud-based solutions, device-based MFA is becoming much more straightforward; IT admins can implement MFA for Mac<\/a> and Windows devices, while some can even support MFA for Linux-based devices as well.<\/p>\n\n\n\n
What is Application-level MFA? <\/span><\/h2>\n\n\n\n
![\"application](\"\/wp-content\/uploads\/2016\/11\/Application-Level-MFA.jpg\")
<\/figure>\n\n\n\nApplication-level MFA is a more granular approach whereby the user is required to clear secondary authentication when seeking access to individual apps. While the underlying principle is the same as device-based MFA, it\u2019s a more frequent occurrence as users may have to go through the process every single time they login.<\/p>\n\n\n\n
This MFA method is great for a platform or device-agnostic environment, or ones that support BYOD policies<\/a> that allow employees to access IT resources via their personal devices. It\u2019s also a core method for conditional access capabilities<\/a>. <\/p>\n\n\n\n
What factors are the best for each MFA method?<\/span><\/h2>\n\n\n\n
Time-based One-Time Passwords (TOTPs) sent on the registered email or cell phone number work well as a secondary authentication factor for application-level or device-level MFA. When a login is detected, the system sends a TOTP MFA code<\/a> to the registered method and only grants access once the correct TOTP is entered by the user.<\/p>\n\n\n\n
Additionally, if push notifications are implemented via a mobile app like JumpCloud Protect<\/a>, another layer of security exists naturally thanks to the biometrics inherent in today\u2019s mobile phones (e.g. facial recognition login or fingerprint authentication).<\/p>\n\n\n\n
Things to keep in mind when deploying MFA for Devices and Applications<\/strong><\/h2>\n\n\n\n
1. Use MFA methods that work across Devices and Applications<\/h3>\n\n\n\n
It\u2019s important to be mindful of the end user\u2019s capabilities when deploying MFA for both Devices and Applications. A complex solution involving physical keys might be easily adaptable for the IT administrators in your organization but not for those in a customer support role, for example. MFA accessibility<\/a> is critical.<\/p>\n\n\n\n
2. Convenience for the end user is very important<\/h3>\n\n\n\n
It is very important to consider ease and convenience for the end user when deploying MFA. The biometric factor is a good choice as it\u2019s not only incredibly secure, but can be very easy to use. <\/p>\n\n\n\n
The end user simply has to place their finger on the scanner or use the device\u2019s camera to scan their face. Not only is the biometric hardware in devices more secure and faster than ever before, but this factor does not rely on any kind of digital communication (such as an email or SMS verification code). This means the possibility of it being compromised is even further reduced. <\/p>\n\n\n\n
Push notifications are increasingly becoming the MFA method of choice for applications as they have a number of inherent benefits to both security and ease of use. They\u2019re incredibly easy for the end user who only has to tap once on a notification from their smartphone (which they are rarely far from) to authenticate. <\/p>\n\n\n\n
Not only that, but often the user also has to enter their PIN or authenticate via fingerprint or facial recognition to complete the action (or they used that method to gain access to the smartphone), adding in an additional factor seamlessly to increase security. Because this method requires the user to be in possession of the device on which the notification is sent, it is virtually impossible for remote attackers to gain access.<\/p>\n\n\n\n
3. Take a more structured approach to your MFA deployment<\/h2>\n\n\n\n
Organizations that realize the benefits of MFA often rush to deploy it in one fell swoop. That can end up being counterproductive. The initial step before implementation must include user education to avoid pushback, confusion, or a painful rollback. <\/p>\n\n\n\n
\n\n![\"JumpCloud\"](\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/06\/Hyper-Secure-with-SSO-MFA-aspect-ratio-160-110.png\")
\n <\/div>\n \n\n The Fine Art of Making MFA Palatable <\/p>\n
\n In this webinar recording, learn tips & tricks for maximizing IT security while minimizing user pushback with DoorDash's System Administrator <\/p>\n <\/div>\n
\n Watch Now<\/a>\n <\/div>\n<\/div>\n\n\n\n\nFocus on deploying MFA on devices first as they’re the single most important access point to all of the organization’s IT resources, and users can become used to using a second factor with minimal disruption to their workflows. Overall security can be significantly improved by simply enabling MFA on devices. <\/p>\n\n\n\n
Applications that have the most sensitive data come next. Ensure enhanced protection by deploying MFA methods that are both highly secure and convenient for end users, such as push notifications Thereafter, any other app that may require an additional layer of security can be brought into the fold as well.<\/p>\n\n\n\n
A Comprehensive MFA Platform with JumpCloud<\/h2>\n\n\n\n
While IT admins generally recognize the fundamental benefits of multi-factor authentication, it can still be challenging to roll it out across the organization. The JumpCloud Directory Platform<\/a> reduces the friction typically associated with MFA rollouts and continued use, and enables admins to distribute access to all IT resources through a single, secure identity and layer MFA across devices, applications and more. Learn more about MFA benefits<\/a> and how JumpCloud makes multi-factor authentication a reality.<\/p>\n","protected":false},"excerpt":{"rendered":"