Multi-Factor Authentication as a Best Practice

Author: Jaime Garispe

What is it?

Even if you’ve never heard the term Multi-Factor Authentication (MFA) before, it’s very likely that you’ve experienced it. Have you ever tried to log in to your bank account from your work computer or cell phone and been prompted to enter a one-time password sent to you through text or email? That’s Multi-Factor Authentication (MFA).

Multi-Factor Authentication means that a user has to provide more than one method of authentication to verify their identity in order to log in or complete a transaction. Its goal is to add another layer of defense against hacking attacks and to make it more difficult for an unauthorized person to access the network.

Why use it?

Stolen passwords are the number one cause of data breaches according to Verizon’s 2015 Data Breach Investigations Report. Hackers sell stolen passwords on the Dark Web, and once they have gained access to a network, they can use techniques and tools like Pass-the-Hash and Mimikatz to compromise privileged accounts and passwords. Multi-Factor Authentication prevents many of these attacks because it requires the hacker to have more than just the stolen password.

Best Practices for Implementing MFA:

  1. Implement it Across the Board: MFA is most effective when it is applied everywhere, meaning cloud applications, on-premises applications, resources, servers, commands, etc.
  2. Use Analytics to Implement: While security is important, so too is the user experience. Prompting users for MFA on every login attempt is not likely to make you popular at the office. But you can leverage data and analytics to determine when a user should be prompted for MFA. For example, every user has a pattern of behavior, like logging in from their office computer in Costa Mesa, CA from 9 am to 5 pm and then perhaps accessing the network remotely from home in Anaheim, CA after 8 pm. You can then use MFA to challenge the user when a login request is received from Houston, Texas at 11 am, because it is outside of their normal pattern of activity.
  3. Utilize Single Sign-On in Addition to MFA: You can up your security game by implementing single sign-on alongside MFA because it will eliminate the need for multiple passwords.
  4. Monitor: Periodically check-in on your MFA policy to make sure that it is adapting to the changing needs of your organization.
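The analytics-driven step-up described in item 2, as an added example (not code from the original post or from any product it mentions): a per-user baseline of normal (location, hours) windows and a decision function that challenges for MFA only when a login falls outside that baseline. The username "alice" and the baseline data are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed baseline data for illustration; a real deployment would build
# these windows from login telemetry rather than hard-code them.
@dataclass(frozen=True)
class ActivityWindow:
    location: str     # city the user normally logs in from
    start_hour: int   # inclusive, 24-hour clock
    end_hour: int     # exclusive, 24-hour clock (24 = midnight)

@dataclass(frozen=True)
class LoginEvent:
    user: str
    location: str
    timestamp: datetime

# The pattern described in the text: office hours in Costa Mesa, evenings
# from home in Anaheim. Username "alice" is hypothetical.
BASELINES = {
    "alice": (
        ActivityWindow("Costa Mesa, CA", 9, 17),
        ActivityWindow("Anaheim, CA", 20, 24),
    ),
}

def matches_baseline(event: LoginEvent, windows) -> bool:
    """True if the login falls inside any known (location, time) window."""
    hour = event.timestamp.hour
    return any(
        w.location == event.location and w.start_hour <= hour < w.end_hour
        for w in windows
    )

def requires_mfa(event: LoginEvent) -> bool:
    """Step up to an MFA challenge when the login is outside the baseline.
    Users without a baseline are always challenged (fail closed)."""
    windows = BASELINES.get(event.user)
    if not windows:
        return True
    return not matches_baseline(event, windows)

def decide(user: str, location: str, when: str) -> str:
    """String-in, string-out wrapper: returns 'challenge' or 'allow'."""
    event = LoginEvent(user, location, datetime.fromisoformat(when))
    return "challenge" if requires_mfa(event) else "allow"

if __name__ == "__main__":
    print(decide("alice", "Houston, TX", "2024-03-04T11:00:00"))  # challenge
```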

See how Microsoft is managing user identity with its Enterprise Mobility Suite.