
MFA Mistakes: 6 Ways to Screw Up Multifactor Authentication

Fearful of messing up its implementation, many enterprises are still holding out on MFA. Here's what they need to know.

Joan Goodchild, Contributing Writer

August 20, 2020



Multifactor authentication (MFA), which requires users to authenticate their identities with at least two factors in order to access an application, appears to be gaining ground in the enterprise. A survey of 47,000 organizations conducted by LastPass late last year found 57% of businesses around the world are currently using MFA, which was up 12% over the previous year. 

Statistics also make a compelling case for MFA's effectiveness. Earlier this year, Microsoft reported that 99.9% of the breached accounts it tracks didn't use MFA.

Still, many businesses are holding out on implementing MFA. Too many, according to Joe Diamond, vice president of product marketing at Okta.

"Is MFA well-used? The answer is, not to the extent that it should be," he says. 

Part of the issue may be that companies still have many challenges with using it and are making implementation mistakes. MFA also can be seen as a hassle, especially for end users. And if it isn't deployed correctly, it can be as ineffective as not having any MFA in place at all.

(Have you read "Biometrics in the Great Beyond"? A thumbprint may be a good authentication factor for the living, but are you prepared to access mission-critical data and devices after an employee's death?)

"There is a lot of work to be done to increase both the understanding and adoption of MFA," says Richard Bird, CCIO at Ping Identity.

What are some of the common missteps organizations make when they deploy MFA? Here are a half-dozen to watch out for if you're considering or using MFA for added security.


1. Allowing MFA to Be a Choice

If you're going to implement MFA, it should not be an opt-in process for end users. Ping Identity's Bird says the most common mistake he sees among customers is rolling it out as a choice or an option.

"When users are given choices without a clear, value-based explanation, they will choose either the method that feels the easiest or they will stay with the method they are already comfortable with," he says. "Security is not an option. Presenting it as one is problematic."

Takeaway: If you're going to implement MFA, make sure its use is mandatory.


2. Adding Friction with MFA

Using MFA as simply an extra step in security controls is a mistake, says Joseph Carson, chief security scientist and advisory CISO at Thycotic.

It is important to make authentication easier through MFA, not more difficult, he says. It should be used to reduce cyber fatigue, not add to it. 

"While there will be some level of friction when enforcing MFA, you can minimize this by layering contextual access policies on top of the second factor," Okta's Diamond adds.

Takeaway: Part of implementing MFA should be making authentication easier by removing existing poor practices.

"MFA is a combination of two out of the three categories: something you know, something you have, and something you are," Diamond says. "There are many different combinations of factors and context to think through, but ultimately the goal should be to pair the appropriate factor with the appropriate level of risk."


3. Implementing MFA Only for Select Users and Apps

Deploying MFA to just some employees who are deemed critical is a common oversight that Okta's Diamond often observes among organizations.

"We see organizations sometimes choose to deploy MFA just to executives because, in theory, executives have access to sensitive information," he says. "You also need to consider the other types of employees who have access to information that should not leave the confines of your organization."

Stephen Banda, senior manager of security solutions at Lookout, says it is also a mistake to secure only some apps, but not all, with MFA.

"We have also seen deployments where MFA is not applied to all apps that an organization uses," he says. "Again, MFA should be required for all apps because attackers can spot this vulnerability and seek to gain access with stolen credentials."

Takeaway: It's best to assume all employees and apps are critical. Enforce MFA for everyone and any app that contains sensitive data.


4. Relying on SMS Alone

Using text message to authenticate is better than nothing, but doing so has a number of security issues, says Lookout's Banda.

"There are two common attacks that take advantage of the SMS code authentication: mobile phishing and SIM swapping," he says.

Takeaway: Instead of relying on sending an authentication code via SMS, use an authenticator app. 

"This will help alleviate the risk associated with the SMS code method," Banda says.


5. Deploying a Point Solution for MFA

Okta's Diamond says he often sees businesses scramble to implement MFA after a breach or an audit to address issues with authentication in one certain area, but the tools they choose meet a very narrow use case.

"In the short term, these solutions seem great," he says. "However, it's eventually 'out of sight, out of mind,' and we see that the MFA solution is not properly maintained, ultimately leading to a decline in usage and once again exposing the business to the same breaches that the solution was once implemented to protect against."

Takeaway: MFA implementation is a holistic strategy and process. Implement MFA across the organization, and not in just one place.


6. Underestimating MFA's Impact on Business

Ping Identity's Bird says another common mistake is underestimating the impact of MFA on long-standing business processes and workflows. By nature, MFA means there will be significant changes that will impact users. These must be accounted for early in the planning process.

"Changes to process flows and new demands for changes in behavior will definitely lead to resistance to adoption," he says.

Takeaway: Consider how introducing MFA will change processes for each person and each team or division, and communicate those changes to users as early as possible, Okta's Diamond says. Fewer surprises will be appreciated.

"Utilize your IT teams to communicate MFA deployment so that users know what to expect -- and when they need to enroll into MFA," he adds.


About the Author

Joan Goodchild

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.
