So Your Customer Requests Multi-Factor Authentication—Now What?
If you work for an IT company like a managed service provider (MSP) and your client has requested multi-factor authentication, you may be unsure of what to offer them, or even of what exactly they’re looking for. I’ve spoken with many IT professionals who are extremely knowledgeable about data and password security but are still unsure of what they should be looking for when choosing a multi-factor authentication system for their client.
What is Multi-Factor Authentication (MFA)?
If you work in the field of IT security, you probably already know this. But here’s a quick refresher:
In any multi-factor authentication system, up to three factors can be used to verify someone’s identity, and these factors have become standard in security guidelines. The three factors are:
- Knowledge—something you know
- Possession—something you have
- Inherence—something you are
Many businesses today still use single-factor authentication (users are only required to enter their password—something they know—in order to gain access to applications and systems). But multi-factor authentication, in which two or more factors are required to complete the authentication process, is becoming more popular and may soon become standard in the business world.
Options for multi-factor authentication
Knowledge factor: what you know
Passwords are an obvious choice for the knowledge factor, as they are the most commonly used. However, they’re also the most neglected by businesses and employers and the most easily “hacked” through phishing and other attacks. When using passwords as your knowledge factor, it’s important to stress to your client that password management best practices should be carefully followed, even when multi-factor authentication is in use. These best practices include creating strong passwords that include capitalized letters, numbers, and symbols, and changing passwords regularly. Other knowledge factor options include personal identification numbers (PINs) and patterns, in which users have to “swipe” a series of cells in a pre-determined order to authenticate.
Possession factor: what you have
The possession factor is perhaps the biggest “question mark” for those considering the best multi-factor authentication system for their business. Business owners want a secure option, but also one that is convenient for their employees and contractors. Smart cards and magnetic stripe cards are an option for some businesses (some laptops have smart card readers built in), but for others the accessibility issue with such cards is a drawback: not all equipment is compatible, and the cards may become damaged in heat or sunlight. Portable tokens, which display a one-time passcode, are another popular option. Many are so small and light they can be carried on a keychain. Smartphones have also come into play as an easy and effective possession factor for authentication. After downloading a secure mobile app, users can quickly obtain a one-time access code on their phones. This is becoming a leading choice among companies that are looking for a cost-effective multi-factor authentication option.
Inherence factor: what you are
The inherence factor is ever evolving with technology, but currently relies on biometrics—fingerprints, iris recognition, and voice recognition—to confirm the identity of the user before access is granted. The initial costs can deter many businesses from using this factor as part of their authentication process.
Questions to ask a potential multi-factor authentication vendor
When it comes to choosing multi-factor authentication software for your client, there’s a lot to consider. Do you want a full password management software solution? Or do you simply want a multi-factor authentication solution? Asking the right questions on your client’s behalf will prove to them that you’re a true professional who is looking out for their best interests. Before signing up with a vendor, ask about:
- Self-service portals: Are users able to easily manage their passwords and tokens? Is the application user-friendly? Businesses don’t want their employees constantly wasting time trying to navigate through a complicated token system or asking your IT team for help.
- Emergency overrides: Nothing says “nightmare” like an employee being locked out of the system when they need it the most. In the event of a token or password failure, would a high-ranking business admin be able to provide access if needed?
- Important integrations: Can the multi-factor authentication system be integrated with Active Directory in order to easily manage new users? Can it be integrated with and managed through platforms like System Center and Kaseya?
- Token costs: What are the fees involved for the “possession” factor? Is there token hardware (like a key fob display) that needs to be purchased? Does it expire? Can the expenses be planned into the budget, or are the costs inconsistent?
- What’s being protected: Which endpoints are protected by the multi-factor authentication? Are programs like Salesforce included? If the company has proprietary applications or programs, will those be protected?