Multi-Factor Authentication Solution Requirements | OneLogin (2024)

Traditional password-based authentication relies only on a user’s login credentials (username and password) to grant access to an enterprise system. This “single-factor” method is neither secure nor reliable: attackers can steal or compromise passwords through phishing, credential stuffing, brute-force, dictionary, keylogger and Man-in-the-Middle (MitM) attacks, and then use them to gain unauthorized access to an authorized user’s account or device.

So how can you protect your organization from these attackers?

One of the best alternatives to password-based security is Multi-Factor Authentication (MFA).

MFA does not rely only on the user’s credentials for authentication. Instead, it asks the user to provide at least one more authentication factor to verify their identity. Only when the system can verify all the factors does it allow the user to access the system. Thus, MFA helps ensure that a user really is who they say they are. It also provides stronger, more reliable security against cyberthreats compared to password-only systems.

But there are many MFA solutions out there. How do you choose the right solution for your enterprise?

Use the list below to guide your research and investment.

#1. Authentication Methods

Most modern MFA systems require users to use authentication factors from at least two of three different categories:

  • Something the user “knows” (knowledge)
  • Something the user “has” (possession)
  • Something the user “is” (inherence)

Your MFA solution should not make it harder for users to access their corporate systems. For this, it’s essential that they can use the factors they’re already familiar with, whether these factors are knowledge-based, possession-based, or inherence-based.

Here are some authentication methods you can explore.

Push-based, native, mobile one-time password (OTP) authenticator

A push-based, native, mobile one-time password (OTP) authenticator system sends the user a text message with a numeric code that they must enter before they are granted access to the account or application.

PROS
An OTP is a “one and done” kind of authentication factor. Since it can only be used once, a threat actor cannot replay it after the user has already used it. This increases security and makes it harder for an adversary to break into private accounts. Plus, there’s no need to install any special software, and most users are already comfortable with text messaging, making it a convenient and user-friendly authentication mechanism.

CONS
The disadvantage of mobile-based OTP is that if the device is stolen, a bad actor can intercept the OTP to compromise accounts. The privacy and security of SMS messages is not guaranteed by mobile network operators, so threat actors can intercept them for malicious purposes. Moreover, they can also intercept OTP messages by installing malware on a user’s device, especially if the user is accessing the device over an open or unsecured network.

Offline time-based verification codes (TOTP)

Time-based verification codes (TOTP) are a type of OTP authentication in which a temporary passcode is generated using the current time of day as an input. This passcode expires after a set amount of time and cannot be reused, even if it is intercepted by an unauthorized user.

PROS

TOTP is fairly easy and cost-effective to implement and does not always require new hardware. All users need is an authentication app on their device.

CONS

Of course, the system is not perfect. If the user loses or misplaces their device, or if the device battery dies, they will not be able to receive the TOTP code. Also, the authentication app and the server share a secret key. If a bad actor manages to clone this key, they can generate new valid TOTP codes and compromise an authorized user’s account. Some TOTP systems lock users out if they make too many login attempts, say, because the code expires too quickly.

Hardware tokens

A hardware token is a small physical device that enables users to access a specific account or application. The Yubico YubiKey is one type of hardware token that provides strong authentication security for various apps and online services. This key-shaped fob plugs into the user’s device to complete authentication after the user has entered their password. Other types of hardware tokens include USB tokens, Bluetooth tokens, and smart cards.

PROS

Most tokens combine hardware-based authentication with public key cryptography, making them difficult to compromise. To break into a system, an adversary must physically steal the token, which is not always easy to do if the user is careful. Many hard tokens work even without an Internet connection, eliminating the possibility of Internet-based attacks.

Hardware tokens can prevent remote attacks, and are suitable if you need a high-security system that requires network isolation. Some also support password managers for added user convenience. Also, users can unlink the token from their accounts to prevent unauthorized use.

CONS

One possible drawback is that the token can be lost or stolen and must then be replaced, which increases costs for the organization. Also, if the token is used in a breach, the breach itself can be very severe if the user uses the same token to access multiple accounts.

Software tokens

A software token is a digital authentication key. It requires an app or software installed on a physical device, such as a smartphone. It sends a one-time-use authentication code to the device or may accept biometric data like fingerprint scans or facial recognition for authentication.

PROS

Like hard tokens, soft tokens also increase security and limit the possibility of unauthorized access. They are also easy to use, low-maintenance, and less expensive than hardware tokens. Many are even free to use.

CONS

However, a software token also has its disadvantages. For one, it is susceptible to remote cyberattacks since it relies on an Internet connection and software to work. If the connection is compromised, the token could be exposed as it is being stored or transmitted. But despite these drawbacks, soft tokens are still a big security upgrade over password-only systems.

Before choosing your MFA method, make sure to consider all the features, pros, and cons given above. Ideally, look for a system like OneLogin MFA that offers multiple authentication factors for enhanced flexibility, such as:

  • OTP
  • Email
  • SMS
  • Voice
  • WebAuthn for biometrics
  • Third-party options like Google Authenticator, Yubico, Duo Security, and RSA SecurID

#2. Enterprise Access

Your MFA solution should work seamlessly with all your network access systems. For instance, if you use Virtual Private Networks (VPN) to encrypt your data and provide remote users with a secure connection over the Internet, the solution should work with the VPN. It should also “harden” the VPN to prevent data breaches and ensure that only authorized users have access.

Similarly, if you use Secure Shell (SSH) to access remote Linux systems or Remote Desktop Protocol (RDP) to remotely connect to other computers, you should be able to use the MFA solution with these systems. Further, the solution should be able to prevent account hacking attacks on these systems.

Also check if your VPN solution integrates with Remote Authentication Dial-In User Service (RADIUS), and communicates directly with your MFA solution using standard RADIUS protocols.

Does the MFA solution support current (or future) network access systems?

  • VPN access
  • Wi-Fi access
  • SSH/RDP access
  • RADIUS integration

#3. Application Integration

If your organization has a Lightweight Directory Access Protocol (LDAP) directory, the MFA solution should integrate with it, either as a software agent installed on your local network, or through LDAP over SSL (LDAPS). Ideally, the solution should also offer tight integrations with other security products and identity solutions to help authenticate users and simplify network security management.

Also, look for a solution that supports custom integrations with applications and services, both on-premises and in the cloud. It should integrate with these apps via an API, without the need to rip and replace other solutions.

Does the MFA solution work with all business-critical apps?

  • Integration with cloud applications
  • Integration with on-premises applications
  • Integration with Human Resource Management Systems (HRMS)
  • Directory integration, such as Active Directory (AD) or LDAP
  • Integration with other identity solutions like password managers and endpoint security

#4. Flexible Authentication Policies

Deploy an MFA solution that allows you to configure granular policies at various levels: per-user, per-application, per-group, and also globally.

Application and group-level policies are important, because they allow you to configure specific protective policies for sensitive applications or high-risk users. With global policies, you can apply the desired security threshold or baseline across the enterprise.

Also check what kind of admin controls are available. The solution should help admins to better control access to corporate systems, applications, and data, particularly in a zero-trust security environment.

Does the MFA solution enable flexible and sophisticated authentication policies at a granular level?

  • Granular policies for different identities, apps, devices, browsers, communities, and contexts
  • Allows definition of which factors can be used to verify identities
  • Customizable authentication flow
  • Intuitive, user-friendly admin console
  • Risk-based flow
  • Includes documentation around policy configurations
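As an added example (not OneLogin code), the Python below shows how the four policy levels named above can be layered so that a global baseline is only ever tightened, never loosened, by group, application or per-user overrides. The factor strength ranking and the policy values are constructed for this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Assumed ranking of second-factor strength for this example (not from the page);
# a larger number is a stronger factor.
FACTOR_RANK = {"sms": 1, "totp": 2, "push": 2, "webauthn": 3}

@dataclass(frozen=True)
class Policy:
    allowed: FrozenSet[str]   # second factors this level permits
    min_rank: int             # weakest factor strength this level accepts
    reauth_minutes: int       # how long a completed MFA remains valid

def merge(base: Policy, override: Optional[Policy]) -> Policy:
    """Strictest wins: a more specific level can only tighten the baseline,
    never loosen it, so a lax per-user setting cannot undo a global rule."""
    if override is None:
        return base
    return Policy(
        allowed=base.allowed & override.allowed,
        min_rank=max(base.min_rank, override.min_rank),
        reauth_minutes=min(base.reauth_minutes, override.reauth_minutes),
    )

# Constructed policy set covering the four levels the page names.
GLOBAL_POLICY = Policy(frozenset({"sms", "totp", "push", "webauthn"}), 1, 12 * 60)
GROUP_POLICY = {"finance": Policy(frozenset({"totp", "push", "webauthn"}), 2, 8 * 60)}
APP_POLICY = {"payroll": Policy(frozenset({"totp", "webauthn"}), 2, 60)}
USER_POLICY = {"admin": Policy(frozenset({"webauthn"}), 3, 15)}
MEMBERSHIP = {"alice": ["finance"], "admin": ["finance"], "bob": []}

def effective_policy(user: str, app: str) -> Policy:
    """Global baseline, then group, application and per-user overrides."""
    policy = GLOBAL_POLICY
    for group in MEMBERSHIP.get(user, []):
        policy = merge(policy, GROUP_POLICY.get(group))
    policy = merge(policy, APP_POLICY.get(app))
    return merge(policy, USER_POLICY.get(user))

def acceptable_factors(user: str, app: str) -> List[str]:
    """Factors the user may present for this app under the merged policy."""
    p = effective_policy(user, app)
    return sorted(f for f in p.allowed if FACTOR_RANK[f] >= p.min_rank)
```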

#5. Open Standards Support

The MFA solution must support modern open standards for authorization and authentication. For instance, Security Assertion Markup Language (SAML) allows users to access multiple web applications using one set of login credentials. It can also be used to configure MFA between different devices. Choose a solution that works with SAML to provide an additional authentication measure for authorized users.

Similarly, the OAuth 2.0 (Open Authorization) standard provides an authorization process, so users can seamlessly move between services. It also protects the user’s login credentials. However, it regulates only user authorization, not authentication, so password-only systems are still vulnerable to cyberattacks. MFA adds one or more authentication factors to verify the user’s identity before granting access, and minimizes the threat of attacks.

Does the MFA solution support popular, modern standards for secure connections to web applications?

  • SAML
  • OpenID Connect
  • OAuth 2.0

#6. Developer Support

If your organization needs to closely integrate existing apps with MFA, the solution must provide the necessary developer tools, including Application Programming Interfaces (APIs) and Software Development Kits (SDKs).

Does the MFA solution provide developer tools to customize it, and integrate it with custom applications and third-party systems?

  • APIs for MFA registration and lifecycle management
  • SDKs for all major platforms and programming languages
  • Command line to enroll in MFA and process push notifications
  • Client libraries to customize the look-and-feel of the MFA page
  • Sandbox environment to safely test MFA in a non-production environment
  • Documentation, e.g., developer guides

#7. User Community Support

The MFA solution should be easy to use by all authorized users with minimal friction in their day-to-day work. This includes both internal users like employees (in-office and remote), and external users like third-party vendors, freelancers, suppliers, etc.

The solution should work well even if users have limitations, such as disabilities, lack of smart devices, or poor cellphone networks. They should be able to self-enroll in the system, and choose their preferred authentication options. Finally, it should be easy to onboard users with minimal resistance.

Does the MFA solution support all authorized users that access your systems and data?

  • Employees
  • IT administrators
  • Third-party vendors
  • Partners
  • Customers

Also, does it support all devices these users may be using?

  • Desktops
  • Laptops
  • Mobile devices
  • Onsite and remote devices
  • Bring Your Own Device (BYOD)

#8. Reporting

It’s crucial to look for an MFA solution with robust reporting and analytics capabilities. Reports will provide oversight of your security posture, and help you identify gaps and take steps to improve. Reports are also important for auditing, and to demonstrate compliance.

Does the MFA solution provide reports that enable you to enhance your security based on threat data and also meet compliance requirements?

  • Externalize authorization events to third-party SIEM solutions
  • Easily accessible from the admin console
  • Easy to schedule, generate, and export
  • Out-of-the-box and customizable reports
  • Detailed authentication logs and audit trails
  • Ability to effect system change based on authorization events
  • Real-time information about failed/malicious login attempts, security events, unsecured or compromised devices, etc.

#9. Advanced Requirements

Your MFA solution should satisfy all the basic requirements highlighted above. However, many solutions have all these features. To choose the best solution among them, it’s best to compare them based on the advanced requirements given below.

Behavioral Analytics

Does the MFA solution use behavioral analytics to adapt intelligently, requiring different authentication factors as the risk changes?

  • Familiarity signals
  • Attack signals
  • Anomalies (user behavior and context signals)
  • Continuous authentication

Device Trust

Does the solution consider the authentication device being used?

  • Device health, including OS version, tampering, lock state, encryption, browser plug-ins, and more
  • Device reputation
  • X.509-based certificates
  • Integration with mobile device management (MDM)

General Considerations

Select a solution that can scale to support your future needs, and make sure it is highly available. Also, when comparing prices, don’t be swayed by the low cost of initial setup or onboarding to finalize your choice. Instead, consider the total cost of ownership (TCO), which will change depending on custom integrations, admin controls, use cases, support costs, etc. Look for a solution that can help you minimize admin/overhead costs, and comes with a clear pricing model.
