Rolling out Multi-factor Authentication – Recommendations

The need to have Multi-Factor Authentication (MFA) implemented cannot be overemphasized. From leaked and phished accounts etc, there is a super-effective solution for protecting our accounts, therefore MFA is quite simple, and organizations are focusing more than ever on creating a better user experience.

MFA which is often referred to as two-factor authentication (2FA), is a security enhancement that adds a second layer of security which allows you to present two pieces of evidence (your credentials) when logging in to an account.

The goal is to implement the MFA on all IT systems and ensure everyone uses it.

Implementing MFA is most times, not a flawless procedure due to some challenges that you might face technically and otherwise. Here are some reasons to this impedements.

  • Some reasons may be the right MFA solution to choose.
  • Not all users (employee) will welcome this idea, prepare for it! I met a strong resistance when deploying MFA in one of my previous jobs.
  • While some will accept this idea due to security enhancement and protection of the IT Systems, some employees will never agree to have any Authenticator Application running on their personal devices. Prepare for this shock too 😉 The solution to this is to
    – Provide a company phone to these employees and have the Authenticator App installed for them.
    – Or have a desktop version of the Authenticator App installed on their workstation. This works but not seamless as the user will have to be with the device before he can access organisation resources remotely.

Prerequisites to rolling out MFA: Before planning a rollout, these important steps need to be considered.

  • Does the MFA support self-service password reset (SSPR)? This is very vital when a user forgets his/her password.
  • Decide on the technology to employ such as Azure AD because of its advanced functionalities or any other 3rd party MFA system.
  • With this in mind, you can decide if you will be protecting on-premise IT infrastructure alone or both on-premise and cloud (hybrid environment).
  • Also, are you going to have multiple MFA systems in the organization, because some applications have their own inbuilt MFA, in this way, you will have a different account for each application in the authenticator app. Or have an MFA Server deployed to handle all that in a unified manner.
  • Identify the core IT systems that MFA will be implemented on.
  • Identify the potential impact it will have in your environment (if a complaint arises in the future or issues arises from the implementation).
  • Lastly, know rolling out MFA is an organization-wide decision and as such everyone should be involved ranging from the IT security team, Human resources, stakeholders, etc., in this way everyone will be in the loop and if any issue arises in the future, it will be taken likely.
  • Provide documentation and support (guide) on how to set-up their MF-Authenticator app and usage of the app and communicate to them the essence of the setup (to protect their data and account etc).
  • Data of rollout should be communicated upfront via email etc.
  • Investigate applications that are not capable of utilizing MFA (due to its legacy and basic authentication mechanism configured. If this is the case, have them upgraded and updated in order to support modern authentication and MFA. These are the IT systems you want to protect. When this is currently not feasible, set firewall rules or policies to protect these applications and make access possible only via the corporate network or via VPN only.

What MFA options are recommended

  1. It is advisable to deploy MFA with less friction by using biometrics in devices or FIDO2 compliant factors such as Feitan or Yubico security keys. It is preferable (advisable) to use these solutions without overhead than using SMS.
  2. Phone-based authentication apps such as Google and Microsoft Authenticator are very good options to protect user accounts as they do not have to share this device with other users etc.,
  3. Also consider, frequent travelers when implementing MFA in your organization as they may travel to locations without roaming possibilities or connectivity issue. To resolve this issue, select the OATH verification code option.

Note: NIST is no longer recommending Two-factor Authentication using “Out-of-band authentication [SMS or voice] because of its vulnerability risk that SMS messages may be intercepted or redirected, or SIM swapped). This is the reason, Banks are changing from SMS based 2FA. The links below for further information.
https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html
https://www.theregister.co.uk/2016/12/06/2fa_missed_warning/
https://pages.nist.gov/800-63-3/sp800-63b.html
https://www.theregister.co.uk/2016/12/06/2fa_missed_warning/

Here are some reports on SIM Swap for further reasons why NIST no longer recommends this method of authentication.
https://www.theguardian.com/money/2015/sep/26/sim-swap-fraud-mobile-phone-vodafone-customer
https://www.dos.ny.gov/consumerprotection/scams/att-sim.html

Note: Using SMS as a 2FA is still far better than not using any MFA option. When you don’t use two-factor authentication, someone only needs your password to sign into your account. When you use two-factor authentication with SMS, someone will need to both acquire your password and gain access to your text messages to gain access to your account.

SMS is much more secure than nothing at all. As discussed above, using an Authenticator App such as Microsoft or Google Authenticator App is recommended. But when this is far fetched, and it is the only option left to you, please deploy it as it relatively better than not having a second layer of security at all.

Note: Never allow your application to trust your browser. In this way, when the device is compromised, access to these applications (resources) will not be possible.

Rolling out MFA
It is advisable to start off with the IT departments as proof of concept for the entire organization. (Implement this for some privilege users) as they are the highest-value target.
– Plan a pilot deployment after successfully testing with the IT department, you can continue rolling MFA on a bulk process across the organization without hampering the productivity of your colleagues.

Alternatives to MFA
The biometric option is an alternative to MFA using a fingerprint or facial sign-in option available via Windows Hello for Business. See the following link for more information https://techdirectarchive.com/2020/01/19/preparing-guild-to-deploying-windows-hello-for-business/
– Depending on your MFA solution you are deploying, include the mobile device management (MDM), so devices can be managed via MDM and conditional Access can be defined also as this will add an additional layer of security to your organisation.

It is worthy to note that Azure provides ways to protect your application by using condition access polities and Azure AD Identity Protection and when this triggers an additional two steps verification when risks are detected. When you do not have Azure AD to defines these criteria, kindly make MFA registration mandatory for everyone in the organization and part of the onboarding process for new employees.

Have a Support Plan in Place
In case of failed sign-ins and account lockouts, have a plan for lost devices. (Some MFA solutions have the ability to have these associated phone number changed or the Authenticator added).
– Also, have a messaging (ticketing) platform in place for reporting known MFA issues.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s