![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi80s8ayhhyphenhyphenE2rOQ36VwrW6ywQEA8UonICKbU-U5BtxXddGcxqUuRB_wSFj99SjUZK5MNBih82h7Rqvwq37VdFerV_HF5nUWLxCsO6OgeLFzbJZHtVtyfldSkCLOD0oBpjOHcVEgbbHkZWCgHtcHhyphenhyphenBvkI1dGOsHPAZDNB8rP2DNJGRJo2-u3SJX7dqwVg/s728-rw-e365/attack.png)
Multifactor authentication (MFA) is the standard for securing business accounts, and adoption is rising across the industry. But while it is effective at keeping out bad actors, implementing an MFA solution can be a tangled mess of competing designs and ideas. For businesses and employees alike, the reality is that MFA sometimes feels more like a burden than a benefit.
Here are some reasons why MFA is not implemented more universally.
1. Companies treat MFA as a cost center
Corporate MFA is not free, and the costs add up over time. Third-party MFA solutions typically charge a per-user subscription. Even built-in options such as MFA in Microsoft 365 may incur additional fees depending on your Microsoft Entra license tier.
Add to that the cost of training employees to use MFA and the time it takes them to enroll. If MFA increases the number of help desk calls, support costs rise as well. These costs are far lower than the cost of a security breach ($4.88 million on average last year, according to IBM's 2024 Cost of a Data Breach Report), but businesses don't always see the connection clearly.
2. User experience is a persistent problem
No matter how you slice it, MFA adds steps. After entering a password, the user must complete another verification step, and that inevitably adds friction. Administrators have to balance risk against the MFA method used and how often users are prompted.
MFA and SSO together reduce the authentication burden: users authenticate once to reach multiple apps instead of logging in to each one individually, so MFA gets in the way of their work less often. Beyond SSO, choose an MFA platform with flexible policy settings to suit your end users. For example, access from an internal workstation need not require MFA as often as remote access over VPN, RDP, or other external connections.
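The policy logic described above (prompt less often on internal workstations, always on remote channels, and let an existing SSO session satisfy MFA for other apps) can be expressed as a small re-authentication age table. The following is an added example, not code from the original article or from any MFA vendor; the channel names, age limits, `AccessContext` fields and `mfa_decision` function are all illustrative assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple, Dict

# Hypothetical policy table (illustrative values, not any vendor's defaults):
# (channel, on_corp_network) -> how old the last MFA in the SSO session may be
# before the user is prompted again. timedelta(0) means "prompt every time".
MAX_MFA_AGE = {
    ("workstation", True): timedelta(hours=24),
    ("web", True): timedelta(hours=12),
    ("web", False): timedelta(hours=1),
    ("vpn", False): timedelta(0),
    ("rdp", False): timedelta(0),
}
# Sensitive apps (admin consoles, payroll) get a tighter step-up limit on any channel.
SENSITIVE_MAX_AGE = timedelta(minutes=15)


@dataclass
class AccessContext:
    user: str
    channel: str                   # "workstation", "web", "vpn", "rdp"
    on_corp_network: bool
    last_mfa_at: Optional[datetime]  # most recent MFA completed in this SSO session, if any
    app_tier: str = "standard"     # "standard" or "sensitive"


def mfa_decision(ctx: AccessContext, now: datetime) -> Tuple[bool, str]:
    """Return (prompt_for_mfa, reason).

    Unknown channel/network combinations fail closed (always prompt), so a new
    access path that nobody wrote a policy for does not silently skip MFA.
    """
    max_age = MAX_MFA_AGE.get((ctx.channel, ctx.on_corp_network), timedelta(0))
    if ctx.app_tier == "sensitive":
        max_age = min(max_age, SENSITIVE_MAX_AGE)
    if ctx.last_mfa_at is None:
        return True, "no MFA completed in the current SSO session"
    age = now - ctx.last_mfa_at
    if age > max_age:
        return True, f"last MFA was {age} ago; limit for {ctx.channel} is {max_age}"
    return False, "existing SSO session satisfies policy; no prompt"


def example_decisions() -> Dict[str, bool]:
    """Evaluate the policy for a few constructed access contexts; returns {label: prompt?}."""
    now = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    cases = {
        "workstation_internal_mfa_2h_ago":
            AccessContext("alice", "workstation", True, now - timedelta(hours=2)),
        "vpn_mfa_1min_ago":
            AccessContext("alice", "vpn", False, now - timedelta(minutes=1)),
        "web_internal_sensitive_mfa_30min_ago":
            AccessContext("bob", "web", True, now - timedelta(minutes=30), "sensitive"),
        "web_external_no_mfa_yet":
            AccessContext("carol", "web", False, None),
        "unknown_channel_fails_closed":
            AccessContext("dave", "kiosk", True, now - timedelta(minutes=1)),
    }
    return {label: mfa_decision(ctx, now)[0] for label, ctx in cases.items()}


if __name__ == "__main__":
    for label, prompt in example_decisions().items():
        print(f"{label:40s} prompt={prompt}")
```

The table is the part to argue over with your users: the `timedelta(0)` entries are what makes remote access always prompt, and the `dict.get` default is what keeps an unlisted channel from becoming an MFA-free path.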
3. Implementing MFA brings hidden pitfalls
Deploying MFA and training users is no small task. The first step is to build and manage a system that keeps things simple, from enrolling users to monitoring MFA activity.
Choose an MFA solution that works well with your organization's existing identity setup. Securing a combination of on-premises Active Directory (AD) and cloud infrastructure can mean managing multiple identities per user, which creates administrative overhead and opens hybrid identity security gaps.
Scalability is also a factor. Can the system keep up as your user base grows? If you rely on a third-party MFA service, what happens when it goes down?
Next is connectivity. Many MFA solutions assume users are always online. But what if they are offline or on an isolated network with limited connectivity? Consider how and where users log on, and evaluate whether you need to support local prompts that can verify users even when the device has no internet connection.
4. MFA alone isn’t enough
Certainly MFA increases security, but no MFA method is bulletproof. Each approach has weaknesses that attackers can exploit. For example, SMS-based MFA (deprecated) is vulnerable to SIM swap attacks, while push notifications can fall victim to MFA fatigue, in which an attacker who has already compromised the user's password bombards them with repeated login requests until they approve one.
More advanced attackers have tools to steal session cookies, allowing MFA to be bypassed entirely in some situations. SSO is useful but can make this worse: once an attacker gets past one MFA barrier, multiple applications may be within reach.
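MFA fatigue leaves a recognisable trace in authentication logs: a burst of push prompts to one user in a short window, then an approval. The following detection logic is an added example, not code from the original article or from any identity provider; the log format (`timestamp,user,event,source_ip`), the event names and the sample lines are constructed for illustration, and the threshold and window are assumptions to tune against your own prompt volume.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Tuple, Dict

# Constructed sample log (not from a real system): timestamp,user,event,source_ip.
# alice receives six pushes in about three minutes, denies most, then approves.
# bob gets one push and approves it normally.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z,alice,push_sent,203.0.113.7
2024-05-01T08:00:09Z,alice,push_denied,203.0.113.7
2024-05-01T08:00:35Z,alice,push_sent,203.0.113.7
2024-05-01T08:00:41Z,alice,push_denied,203.0.113.7
2024-05-01T08:01:10Z,alice,push_sent,203.0.113.7
2024-05-01T08:01:15Z,alice,push_timeout,203.0.113.7
2024-05-01T08:01:48Z,alice,push_sent,203.0.113.7
2024-05-01T08:01:55Z,alice,push_denied,203.0.113.7
2024-05-01T08:02:30Z,alice,push_sent,203.0.113.7
2024-05-01T08:02:36Z,alice,push_denied,203.0.113.7
2024-05-01T08:03:15Z,alice,push_sent,203.0.113.7
2024-05-01T08:03:40Z,alice,push_approved,203.0.113.7
2024-05-01T09:00:00Z,bob,push_sent,198.51.100.22
2024-05-01T09:00:12Z,bob,push_approved,198.51.100.22
"""

Event = Tuple[datetime, str, str, str]


def parse_events(text: str) -> List[Event]:
    """Parse the assumed CSV format into (timestamp, user, event, ip), sorted by time."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return sorted(events)  # tuples sort on the timestamp first


def detect_mfa_fatigue(events: List[Event], threshold: int = 5,
                       window: timedelta = timedelta(minutes=10)) -> List[Dict[str, object]]:
    """Flag users who receive >= threshold pushes within `window`, and any approval
    that arrives while such a burst is still inside the window (the dangerous case)."""
    recent: Dict[str, deque] = defaultdict(deque)  # user -> push_sent timestamps in window
    alerts: List[Dict[str, object]] = []
    for ts, user, event, ip in events:
        q = recent[user]
        while q and ts - q[0] > window:       # drop prompts that fell out of the window
            q.popleft()
        if event == "push_sent":
            q.append(ts)
            if len(q) == threshold:            # fire once when the burst crosses the line
                alerts.append({"user": user, "type": "push_burst", "at": ts.isoformat(),
                               "ip": ip, "pushes_in_window": len(q)})
        elif event == "push_approved" and len(q) >= threshold:
            alerts.append({"user": user, "type": "approval_after_burst", "at": ts.isoformat(),
                           "ip": ip, "pushes_in_window": len(q)})
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_events(SAMPLE_LOG)):
        print(alert)
```

An `approval_after_burst` alert is the one to page on: it is the moment the attacker's stolen password turns into a live session, and it is the signal that should trigger a session revocation and a call to the user rather than a ticket.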
MFA doesn’t have to be this difficult
The point is that MFA needs to be part of a broader strategy that includes monitoring and logging, so that suspicious authentication activity can be spotted and acted on. MFA is an important layer in protecting against unauthorized access, but deployment poses challenges. Plan for them. To implement MFA successfully, understand the costs, consider the user experience, and take a proactive approach to mitigating its limitations.