If you’re asking what multi-factor authentication (MFA) is, you have come to the right place. You’re about to learn the definition of this IT security concept, but that’s not all. You will also learn how to bring this critical idea to life in your organization.
What Is Multi-Factor Authentication: A Practical Definition
The simplest way to define multi-factor authentication is through contrast. The traditional approach to authentication — single-factor authentication — relied on a single piece of authentication information. For example, a user would be prompted to enter a password. Sure, they would have to enter a user name as well. However, the user name is usually public or semi-public information (e.g., the user name for Jane Smith might be JSmith, a fact that could be easily guessed). Therefore, it doesn’t make sense to put much emphasis on user names as an authentication factor.
By contrast, multi-factor authentication uses two or more factors to authenticate a user. From the user’s point of view, multi-factor authentication may take the following form. Jane Smith, the finance manager, wants to log into the enterprise resource planning (ERP) application to build a financial forecast. First, she is prompted to log in by entering a user name and password. Next, Jane will be asked to authenticate again by receiving a unique, one-time-use code to her phone. She then enters that one-time code and gains access to the system.
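The one-time code step in Jane's login above has three properties that make it a real second factor: the code is unpredictable, it expires, and it can be used only once. The following Python sketch is an added example (not Avatier's code) of a server-side store that enforces those properties; it assumes a five-minute lifetime and a three-guess limit, and leaves delivery to the phone out of scope.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300      # assumed policy: a code is valid for five minutes
MAX_ATTEMPTS = 3            # assumed policy: wrong guesses allowed before the code is voided


class OneTimeCodeStore:
    """Issues and verifies single-use numeric codes for a second factor.
    Delivery (SMS, app push) is out of scope; only the code lifecycle is modelled."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # user -> (code, expires_at, attempts_left)

    def issue(self, user):
        # Six digits from a CSPRNG; a new issue replaces any earlier pending code.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = (code, self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        return code              # handed to the delivery channel, never written to logs

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False         # nothing pending (never issued, already used, or voided)
        code, expires_at, attempts_left = entry
        if self._now() > expires_at:
            del self._pending[user]      # expired codes are discarded, not kept around
            return False
        if hmac.compare_digest(code, submitted):
            del self._pending[user]      # one-time use: success consumes the code
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[user]      # too many wrong guesses voids the code
        else:
            self._pending[user] = (code, expires_at, attempts_left)
        return False
```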
Beyond Sending One-Time Passcodes: Multi-Factor Authentication Options
Sending a text message to a user’s phone is a popular way to implement multi-factor authentication, but it is not the only method. For instance, some of your users may not own a smartphone, or they may have left their phone somewhere. In those situations, it is smart to give users other ways to authenticate themselves, such as answering additional security questions. With that approach, a user has to enter several types of information in order to prove they should have access.
There is a risk involved in relying exclusively on answers to security questions in multi-factor authentication. In essence, a resourceful hacker has a greater chance of guessing or otherwise obtaining that information than of obtaining a code sent to the user's phone. That’s why you may also want to provide biometric authentication. Biometrics involves using some kind of unique biological information specific to a person. Avatier supports three types of biometric authentication: facial recognition, voice identification and fingerprint scanning.
Resource: Did you know that biometric authentication technology has been used for decades? Find out more in our article: How Biometric Authentication Works.
Biometric Authentication Technology: A Powerful Option That Requires Thoughtful Oversight
Before you mandate multi-factor authentication for all users, there are some trade-offs to consider. First, you may have to obtain more hardware like fingerprint readers or equip everyone in the organization with smartphones. Second, biometric data is highly personal and requires highly robust IT security safeguards. Finally, some employees may be uncomfortable providing biometric data to their employers. Given these concerns, we suggest using biometric authentication as a secondary authentication factor for exceptionally high-risk situations like creating a privileged user account or senior executive access.
Five Ways To Make Your Multi-Factor Authentication Program Effective
Merely knowing the answer to what multi-factor authentication is isn’t enough to keep your organization’s information secure. You need to know specific techniques. That’s what you will learn in this section.
1. Multi-Factor Authentication: What Is Your System Coverage?
Every company takes a different approach to implementing multi-factor authentication. If you have dozens or hundreds of systems, the prospect of implementing it across the board may feel overwhelming. Therefore, it is reasonable to focus your implementation on high-risk systems first. After your initial multi-factor authentication rollout is complete, create a reminder to revisit your system coverage in six months. You may find there are new systems that have become mission-critical to your users. In that case, you will need to adjust your implementation to protect those users.
2. Multi-Factor Authentication: What Is Your User Coverage?
Similar to the point above, review what percentage of your users are protected through MFA. In most cases, it is advisable to set a goal of protecting 100% of user accounts through MFA processes.
3. Multi-Factor Authentication: Are You Using Risk Triggers?
Since MFA safeguards act as a speed bump for users, requiring them on every login attempt does not always make sense. Therefore, you may want to use risk triggers. For instance, if all of your employees are based in the United States, you may automatically trigger MFA whenever a user attempts to log in from a non-U.S. location. Also, you may set a rule to apply MFA safeguards to weekend login activity. In both of these scenarios, you are applying MFA protection in situations where access requests deserve greater scrutiny.
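The two triggers described above (a non-U.S. login location and weekend activity) can be expressed as a small policy function. The Python below is an added illustration, not Avatier's product code; it assumes the login country comes from a geo-IP lookup as an ISO 3166-1 alpha-2 code, that timestamps are already in the organization's local time, and it treats an unknown location as a trigger rather than waving it through.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

HOME_COUNTRIES = {"US"}   # assumed: all employees are based in the United States


@dataclass
class LoginAttempt:
    user: str
    country: Optional[str]   # alpha-2 code from geo-IP lookup, or None if lookup failed
    when: datetime           # assumed to be in the organization's local time


def risk_triggers(attempt: LoginAttempt) -> list:
    """Return the names of every risk trigger that fired for this attempt."""
    fired = []
    # Fail closed: a missing country is treated like a foreign one.
    if attempt.country is None:
        fired.append("unknown-location")
    elif attempt.country not in HOME_COUNTRIES:
        fired.append("foreign-location")
    # weekday(): Monday=0 ... Saturday=5, Sunday=6
    if attempt.when.weekday() >= 5:
        fired.append("weekend")
    return fired


def requires_mfa(attempt: LoginAttempt) -> bool:
    """MFA is demanded whenever at least one trigger fires; otherwise the
    password alone is accepted, which is the 'speed bump' trade-off."""
    return bool(risk_triggers(attempt))


def evaluate_batch(attempts):
    """Summarise decisions for an audit log: user -> (mfa required, triggers)."""
    return {a.user: (requires_mfa(a), risk_triggers(a)) for a in attempts}


# Constructed sample attempts (May 15, 2024 is a Wednesday; May 18 a Saturday).
SAMPLE = [
    LoginAttempt("jsmith", "US", datetime(2024, 5, 15, 10, 0)),
    LoginAttempt("bjones", "US", datetime(2024, 5, 18, 10, 0)),
    LoginAttempt("kchen", "DE", datetime(2024, 5, 15, 10, 0)),
    LoginAttempt("rpatel", None, datetime(2024, 5, 19, 10, 0)),
]
```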
4. Reviewing Multi-Factor Authentication User Training Materials
Have you recently made a substantial change to your multi-factor authentication program? For example, you may have added voice biometric authentication. Whenever you add or change capabilities, it makes sense to provide training to your users. At a minimum, provide a one-page training guide explaining how to use the new features and provide contact details for the help desk.
5. Monitoring Multi-Factor Authentication Through Reports and Metrics
In larger organizations, it is not feasible to directly ask each user about their experience with multi-factor authentication. Instead, use reports and metrics to evaluate your multi-factor authentication effectiveness. Measuring MFA effectiveness should be part of a broader monitoring process. For more guidance on monitoring, check out our article: Find Out if Your Access Management Program Is Successful with KPIs.
What’s Next After Your Multi-Factor Authentication Program Is A Success?
Now that your MFA program is working well, you may have additional capacity to take on different projects. We recommend looking into a single sign-on software solution next. In contrast to MFA, which does add some burden to users, single sign-on software saves users time.