Seven Best Practices for an Effective MFA Strategy

Attacks on authentication processes that aim to steal passwords and privileged credentials have increased significantly in volume and success over the last few years. Security researchers estimate that phishing attacks grew by over 600% during the height of the pandemic, while the annual Verizon Data Breach Investigations Report found that 61% of data breaches have a connection to compromised credentials.

This has led to widespread calls for stronger authentication. As a result, a White House Executive Order and subsequent guidance from the Office of Management and Budget (OMB) directs all federal agencies and contractors serving them to implement phishing-resistant multi-factor authentication (MFA) best practices as standard. 

7 MFA Best Practices for Secure Deployments

To overcome the rollout challenges described below while ensuring the highest level of authentication security and user buy-in, it is important to follow MFA best practices. These are some of the most important ones to consider ahead of your deployment.

1. Avoid Vulnerable MFA Factors

The first objective of MFA is to make authentication measurably harder to attack. Factors such as SMS one-time passwords (OTPs), emailed magic links, push-notification approvals and voice calls can each be bypassed, and attackers keep developing new techniques: an OTP typed into a look-alike site is simply relayed to the real one, and a push approval can be obtained by bombarding the user with prompts. For years, the National Institute of Standards and Technology (NIST) has recommended authenticators that are resistant to phishing and other credential-stealing attacks. This is now MFA best practice for everyone and includes removing passwords as a factor entirely where possible. Phishing-resistant MFA is built on public/private key cryptography: the private key never leaves the user's device, and each login signs a fresh challenge together with the origin the user is actually connected to, so a credential exercised on a look-alike site does not verify at the real one. That removes the shared secret that traditional MFA still depends on.

2. Educate and Support

Buy-in from users is key for a successful MFA rollout, and getting that buy-in starts even before the system is used. Keep your users updated on what the new MFA processes will be, why you are implementing them, the timing of rollout phases and what they entail. Users’ experience is key to gaining adoption, so make sure their first impressions are positive by organizing proper introductory education sessions and deploying extra resources, if necessary. 

3. Comply With Regulations

Data protection legislation, the government directives mentioned above, industry regulations and other requirements, such as those set by cyber liability insurers, all demand strong authentication and adherence to MFA best practices. This includes following standards such as NIST's guidance (the Cybersecurity Framework and the SP 800-63B Digital Identity Guidelines, which set the requirements for phishing-resistant authenticators) and the Fast Identity Online (FIDO) standards, the “gold standard” of phishing-resistant MFA. Violating regulations can result in significant fines and reputational damage, so a weak authentication system introduces considerable risk to your organization.

4. Separate Your MFA Processes from Identity Providers

Organizations often use multiple identity providers (IdPs), for example Okta for some applications and Azure AD for others. Many IdPs offer their own MFA, but it may not meet the bar of phishing-resistant authentication, and users end up learning several login methods, possibly with several authenticator apps. Decoupling authentication from the identity provider gives you more control over your MFA processes and a unified experience for your users. The decoupled layer then becomes the one thing every IdP trusts, so it must itself be phishing-resistant; otherwise you have only centralized a weak factor.

5. Don’t Neglect The Desktop

Organizations often focus on hardening the authentication process for systems and apps but leave desktop, workstation and server logins protected by nothing more than a password. An attacker who gets onto the desktop can often find sensitive data and valuable resources, and can ride the already-established sessions of directly connected apps and services without ever meeting the MFA prompt that guards them. MFA best practices dictate that authentication security begins with the very first login to the endpoint. The analyst firm KuppingerCole has published a white paper on the topic.

6. Provide Secure Offline Authentication

Remote and hybrid work mean that many users will need to authenticate in situations with poor or no internet connectivity. Your security is only as strong as its weakest link, so it is important that offline access does not fall back to a shared-secret model such as a cached password. A decentralized, device-stored PIN, for example, unlocks a key held on the device rather than being sent to or checked by a server, letting users securely identify themselves offline and reach the systems they need.

7. Provide for Varying Access Requirements and Preferences

Different users require different levels of access or security oversight, and some have constraints that rule out particular authentication methods. Contractors, executives, remote employees and employees who are not permitted to carry phones all log in to your networks differently, and the damage from a compromised account varies just as widely, so it is an MFA best practice to build in provisions that meet varying security and accessibility needs, for example hardware security keys for users who cannot use a phone.


Challenges to MFA Rollout

Unfortunately, many organizations are slow to make the change, despite the risk involved. Microsoft found that 99.9% of the 1.2 million Microsoft accounts compromised in early 2020 were not using MFA. Here are a few key challenges: 

Weak MFA: Not all MFA is created equal, and some of it is far easier to bypass. Any factor that is a shared secret (a password, a one-time password, a centrally stored biometric template) or a bare approval (a push notification) can be relayed or coaxed out of the user. SIM swapping, adversary-in-the-middle proxies that forward the user's OTP to the real site in real time, and MFA prompt bombing (push fatigue attacks) are all common techniques for getting past these controls. Experts estimate that 80–90% of MFA currently in use is phishable.
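The following Go program is an added illustration of why the public-key factor described under best practice 1 survives the adversary-in-the-middle relay listed above; it is not code from the original article or from HYPR. It models a stripped-down WebAuthn/FIDO2 assertion: the browser records the page origin in clientDataJSON and derives the RP ID hash from that same origin, the authenticator signs over both plus the server's challenge, and the relying party checks challenge, origin and RP ID hash before it even looks at the signature. The domain names (example.com as the real site, example.org as a stand-in for a phishing domain), the single-credential authenticator that signs for any RP ID, and the Login/Demo helpers are constructed for this example; a real authenticator would refuse even earlier, because its credential is scoped to example.com.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/url"
)

// Relying party (RP) the credential was registered with.
const rpID, rpOrigin = "example.com", "https://example.com"

// clientData carries the WebAuthn clientDataJSON fields that matter here.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the browser hands back to the RP: AuthData is sha256(rpID) || flags || signCount,
// Signature is ECDSA over signedDigest(); the same layout WebAuthn uses.
type assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// signedDigest is sha256(authData || sha256(clientDataJSON)).
func signedDigest(authData, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// browserGetAssertion mirrors navigator.credentials.get(): the RP ID comes from the origin the
// page is really on, and that origin is recorded in clientDataJSON; page script can override neither.
// Simplification: it signs for any RP ID; a real authenticator refuses, its credential being scoped to rpID.
func browserGetAssertion(key *ecdsa.PrivateKey, origin, challenge string) (*assertion, error) {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme != "https" {
		return nil, fmt.Errorf("WebAuthn requires an https origin, got %q", origin)
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin}) // plain strings: cannot fail
	rpIDHash := sha256.Sum256([]byte(u.Hostname()))
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 1) // flags = user present; signCount = 1
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedDigest(authData, cd))
	if err != nil {
		return nil, err
	}
	return &assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// verifyAssertion is the RP's server-side check. The origin and rpIdHash tests are what make the
// credential phishing-resistant: an assertion relayed from a look-alike site carries that site's values.
func verifyAssertion(a *assertion, challenge string, pub *ecdsa.PublicKey) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || subtle.ConstantTimeCompare([]byte(cd.Challenge), []byte(challenge)) != 1 {
		return fmt.Errorf("wrong ceremony type or challenge mismatch (stale or replayed)")
	}
	if cd.Origin != rpOrigin {
		return fmt.Errorf("origin mismatch: got %s, want %s", cd.Origin, rpOrigin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 37 || subtle.ConstantTimeCompare(a.AuthData[:32], want[:]) != 1 {
		return fmt.Errorf("rpIdHash mismatch: credential is scoped to a different site")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// Login runs one ceremony with the user's browser on pageOrigin; nil means the RP accepted it.
func Login(key *ecdsa.PrivateKey, pageOrigin string) error {
	raw := make([]byte, 32) // fresh challenge issued by the RP; a phishing proxy relays it unchanged
	if _, err := rand.Read(raw); err != nil {
		return err
	}
	c := fmt.Sprintf("%x", raw)
	a, err := browserGetAssertion(key, pageOrigin, c)
	if err != nil {
		return err
	}
	return verifyAssertion(a, c, &key.PublicKey)
}

// Demo enrolls one credential, then logs in from the real site and from the constructed look-alike.
func Demo() (legit, phished error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err
	}
	return Login(key, rpOrigin), Login(key, "https://example.org")
}

func main() { fmt.Println(Demo()) }
```

Run it with go run: the first verdict is nil and the second is the origin-mismatch error, even though the proxy forwarded the genuine challenge. The contrast with an OTP is the whole point: the same relay succeeds against a six-digit code because nothing in that code ties it to the site the user typed it into.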

Poor Buy-in: If the MFA process creates a poor user experience, the people you need to use it will get frustrated. They will opt out (if allowed) or seek workarounds and shortcuts, such as sharing factors or not locking a computer so they don't have to log back in when they return. Each workaround lowers your effective security and defeats the purpose of MFA. 

Disrupting Productivity: Rolling out MFA can increase login times compared to the standard username and password systems. The informing and training stage for the new process can also require significant hours across your organization. If you have multiple IdPs, employees may need to authenticate multiple times using different authenticators and methods. Additionally, depending on your MFA system, if users can’t log in, they may have to wait for IT or a help desk to guide them through the login or account recovery process.

Strain on Resources: From the initial planning and implementation stages to ongoing user support, an MFA system can be heavy on your security and IT teams’ resources. Again, multiple IdPs complicate matters even further from deployment through to monitoring and enforcement. Moreover, the more user-unfriendly the system, the more people will need help navigating it, which drains help desk resources.

HYPR Phishing-Resistant Passwordless MFA

Attacks on authentication processes are increasing and causing significant damage to organizations of all sizes. On top of that, data protection and cybersecurity regulations threaten fines and reputational damage for companies that suffer breaches. The obvious solution is to replace outdated password-based logins with secure, phishing-resistant MFA. Yet MFA deployment still faces considerable challenges and has been met with an inertia out of proportion to the risks.

To overcome these challenges and implement a system that will keep your company more protected, MFA best practices should be followed during any rollout. These can range from improving your support and providing offline verification to providing varying options and removing passwords from the system. 

To find out how HYPR’s Passwordless MFA solution can help you to meet all MFA best practices while also ensuring a smooth rollout and improved security, speak to one of our authentication security experts.
