Multi-factor authentication is not a silver bullet for all of your security problems. It is an excellent way to tighten access controls and make hacking more difficult. However, the details of your implementation matter! If you take the wrong approach, you will frustrate your end users and end up hurting your security.
The Security Consequences of Ignoring The User Experience
As an IT security professional, you want to reduce risk, protect customers and employees, and avoid the publicity of a security incident. Those are all worthwhile objectives. However, those aims need to be balanced against the user experience. If the employee experience is neglected in your MFA implementation, you will face more significant security problems and unacceptable productivity losses.
Let’s say you implement multi-factor authentication (MFA) with the sole concern of maximizing security. In that case, you require every user to use hardware tokens. You may require everyone to use biometric authentication as well. At first, you will benefit from increased security protection. Your end users will do what they can to adapt to the change.
However, those new security habits are likely to fall apart under stress. Before long, employees are going to ask for exemptions. They may start to use cloud services and tools outside of the company network solely for ease of use. As exceptions increase and more people look for workarounds for your security controls, you will face increased security risks. The worst part? These kinds of high-risk employee behaviors are challenging to detect.
The Better Way To Implement Multi-Factor Authentication
You can improve security without driving your users crazy. To get started, choose a few guiding principles for your approach to multi-factor authentication. We recommend using the following guidelines:
- Risk-Based Approach. Apply more security controls and resources to systems, data and users that generate higher risk exposure. For example, systems with customer records will generally need the highest level of security protection. In contrast, a system that holds copies of publicly available open-source software will need comparatively less security.
- Employee Experience. Recognize the need for employee productivity in your security. This means being mindful of how many security projects, apps and changes you implement each year. Further, question how new security tools and configurations will impact end-users.
- Training Support. In many organizations, support and training are limited to new projects and new hires. Instead, consider an ongoing training program that offers both formal programs (such as online training on hot topics like password best practices) and informal support. For example, develop a “frequently asked questions” document for your help desk so that they can help users more effectively.
- Ongoing Monitoring. No security practice is perfect, and aiming for perfection is foolish. Instead, recognize that you need to use continuous monitoring to detect gaps and make improvements. For example, you may find out that only 20% of managers have used MFA in the past year. That low adoption rate is worth investigating further. Note that monitoring must be regularly questioned for value. A report that nobody reads adds no value to the company.
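To make the risk-based principle concrete, here is an added illustration (not code from the original article or from any particular product) of an authentication policy that scales the required factor with risk exposure rather than prompting everyone the same way. The classification tiers, score weights, thresholds and the trusted-device window are constructed values for the example; a real deployment would tune them to its own systems.

```python
"""Risk-based MFA policy evaluator (added example; constructed values)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed data-classification tiers: higher means more risk exposure.
# Customer records sit at the top, as the article suggests; a mirror of
# public open-source software sits at the bottom.
CLASSIFICATION_RISK = {
    "public": 0,
    "internal": 1,
    "confidential": 2,
    "customer-records": 3,
}


@dataclass
class LoginContext:
    system_classification: str      # one of CLASSIFICATION_RISK's keys
    is_admin: bool                  # privileged role on the target system
    on_corporate_network: bool      # request originates from a managed network
    device_enrolled: bool           # device is known to the MDM/IdP
    last_strong_auth: Optional[datetime]  # when this device last passed MFA
    now: datetime


def risk_score(ctx: LoginContext) -> int:
    """Additive score: what is being accessed, by whom, from where and what."""
    score = CLASSIFICATION_RISK[ctx.system_classification]
    if ctx.is_admin:
        score += 2          # admin access to the same data carries more exposure
    if not ctx.on_corporate_network:
        score += 1
    if not ctx.device_enrolled:
        score += 1
    return score


def required_factor(ctx: LoginContext,
                    trusted_window: timedelta = timedelta(hours=12)) -> str:
    """Decide the authentication strength to demand for this login.

    Returns one of "password", "push-or-totp", "hardware-token".
    The trusted-device window implements the "scale back when and where
    MFA is required" idea: a device that recently completed MFA is not
    re-prompted for medium-risk access, but high-risk access always is.
    """
    score = risk_score(ctx)
    recently_verified = (
        ctx.last_strong_auth is not None
        and ctx.now - ctx.last_strong_auth <= trusted_window
    )
    if score >= 5:
        return "hardware-token"      # e.g. admin on customer records
    if score >= 2:
        return "password" if recently_verified else "push-or-totp"
    return "password"                # low-risk system, low-risk context


if __name__ == "__main__":
    now = datetime(2024, 3, 1, 9, 0)
    ctx = LoginContext("confidential", False, False, True, None, now)
    print(risk_score(ctx), required_factor(ctx))   # 3 push-or-totp
```

The point of the structure is that the prompt frequency follows the risk score: the public mirror never prompts, admins on customer records always get the strongest factor, and the middle tier is where a trusted-device window buys back user experience without loosening controls on the systems that matter most.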
Using these principles, assess your IT security program. If the multi-factor authentication implementation is failing to hit the mark on all four guidelines, identify whether the gaps are a problem.
Optimizing An Existing Multi-Factor Authentication Implementation
If you already have multi-factor authentication in place, there are still steps you can take to improve its performance. Before diving into the technical details, consider your IT security strategy first. If you have a full list of security projects on the schedule, you may not be able to pursue MFA improvements at this time. In that situation, you may need to focus on researching improvements and building a business case for MFA improvement next year.
If your strategy and management support improving access management with MFA, here are a few project ideas to discuss.
- MFA Training. Offer training so that employees know when and how to use MFA. For instance, you may offer a specialized session for your sales department because they may travel regularly.
- MFA Reporting. Without metrics and reports, you have no way of determining if your access management program is working. To inspire you with further ideas, check out our post on access management key performance indicators.
- MFA Enhancement With Hardware. You might pilot the use of hardware authentication tools or leverage smartphones as a second authentication tool.
- MFA Enhancement With Biometrics. While they pose some privacy concerns, biometrics are still an excellent tool to tighten security. If you are new to biometrics, get up to speed on biometric risks first.
- User Experience Optimization. Take a few minutes out of your day and sit down with your end users. Ask them about how they use MFA. If you hear about problems, delays and lost productivity, that tells you that you have scope to improve your MFA system. For example, consider scaling back when and where MFA use is required.
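The Ongoing Monitoring principle above and the MFA Reporting item in this list both come down to measuring adoption from authentication records. The following is an added example (not code from the article or from any identity product) that parses a constructed authentication log, computes per-group MFA adoption over a reporting window, and lists successful logins to high-risk systems that happened without MFA. The log format, group and system names, the high-risk list and the 80% threshold are all assumptions made for the example.

```python
"""MFA adoption report over a constructed authentication log (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: one event per line, key=value fields.
LOG_LINE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) group=(?P<group>\S+) "
    r"system=(?P<system>\S+) mfa=(?P<mfa>true|false) result=(?P<result>\S+)"
)

# Assumed risk-based list: systems whose access should always carry MFA.
HIGH_RISK_SYSTEMS = {"crm", "hr-payroll"}

# Constructed sample events. Managers: 1 of 5 used MFA in the window (20%).
SAMPLE_LOG = """\
2023-12-15T08:00:00Z user=carol group=managers system=crm mfa=true result=success
2024-02-01T09:12:03Z user=alice group=managers system=crm mfa=true result=success
2024-02-01T09:15:44Z user=bob group=managers system=crm mfa=false result=success
2024-02-02T10:01:10Z user=carol group=managers system=wiki mfa=false result=success
2024-02-02T11:30:00Z user=dave group=managers system=hr-payroll mfa=false result=success
2024-02-03T08:45:21Z user=erin group=managers system=wiki mfa=false result=success
2024-02-03T08:50:00Z user=erin group=managers system=crm mfa=true result=failure
2024-02-04T14:02:09Z user=frank group=engineering system=git mfa=true result=success
2024-02-04T14:05:33Z user=grace group=engineering system=git mfa=true result=success
2024-02-05T16:20:47Z user=heidi group=engineering system=wiki mfa=false result=success
this line is malformed and should be skipped
"""
REPORT_SINCE = datetime(2024, 1, 1)


def parse(text):
    """Turn log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["mfa"] = e["mfa"] == "true"
        events.append(e)
    return events


def adoption_by_group(events, since):
    """Share of active users per group with at least one successful MFA login
    since `since`. Failed attempts and events before the window are ignored."""
    active = defaultdict(set)
    with_mfa = defaultdict(set)
    for e in events:
        if e["result"] != "success" or e["ts"] < since:
            continue
        active[e["group"]].add(e["user"])
        if e["mfa"]:
            with_mfa[e["group"]].add(e["user"])
    return {g: len(with_mfa[g]) / len(active[g]) for g in active}


def groups_below(adoption, threshold=0.8):
    """Groups whose adoption rate is worth investigating further."""
    return sorted(g for g, rate in adoption.items() if rate < threshold)


def unprotected_high_risk_logins(events):
    """(user, system) pairs that reached a high-risk system without MFA."""
    return sorted({
        (e["user"], e["system"]) for e in events
        if e["result"] == "success" and not e["mfa"]
        and e["system"] in HIGH_RISK_SYSTEMS
    })


def run_report(text=SAMPLE_LOG, since=REPORT_SINCE):
    events = parse(text)
    adoption = adoption_by_group(events, since)
    return {
        "adoption": adoption,
        "low_adoption_groups": groups_below(adoption),
        "unprotected": unprotected_high_risk_logins(events),
    }


if __name__ == "__main__":
    for key, value in run_report().items():
        print(key, value)
```

Two design choices matter for a report that someone will actually read: the window filter, so last year's enrollment does not inflate this year's numbers, and the separate list of unprotected logins to high-risk systems, which turns a percentage into concrete follow-up items for the help desk or the system owner.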
Once you choose an MFA project, you may discover you need more resources. We’ve got you covered! Use our article “Build Your Business Case for Multi-Factor Authentication in 5 Steps” to win support for multi-factor authentication enhancements.
Next Steps To Improve Identity and Access Management
At a certain stage, you will have a near-perfect MFA implementation. In that situation, you will need to look for other opportunities to optimize access management. Rather than coming up with ideas in a vacuum, review your organization’s current state. Ask yourself if you have completed a full assessment of your applications and systems recently. This review process will almost certainly reveal access gaps.
You might have inactive users on one system. Elsewhere, you may detect an excessive number of users with administrative privileges. Each of these issues represents an opportunity to improve your IT security. It may feel like a lot of work now, but it is well worth the trouble. Remember — all it takes is one gap in the process, people or technology for your IT security to fail.