Andy Agarwal for MojoAuth

Posted on DEV Community • Originally published at mojoauth.com

9 Best Practices for Multi-factor Authentication (MFA)

Learn the most important multi-factor authentication best practices and the steps for rolling MFA out to your users effectively.

Relying on passwords alone for authentication is no longer sufficient; passwords are, in fact, one of the weakest links in security. Multi-factor authentication, implemented according to the best practices below, addresses this problem: widely cited industry figures credit it with blocking more than 90% of account-takeover attacks.

Research suggests that around 80% of data breaches involve weak, stolen, or reused passwords.

MFA addresses this because it blunts attacks that rely on common, stolen, or weak credentials: dictionary and brute-force attacks, replay of stolen credentials, and (depending on the factor chosen) phishing. Organizations that use password-based authentication can adopt MFA as their first step toward better security, and should follow the multi-factor authentication (MFA) best practices below while doing so.

What is Multi-factor Authentication?
Multi-factor authentication (MFA) is a security measure that requires users to present two or more independent factors when logging in to an application. It adds an extra layer of protection against unauthorized access: even if the password is compromised, the attacker still cannot satisfy the second factor.

The following image demonstrates a two-factor authentication workflow:

[Image: two-factor authentication flow chart]

Two-factor or multi-factor authentication uses a combination of two or more factors from the following list:

  • Something a user knows - a password or PIN
  • Something a user has - a token, smartphone, or device
  • Something a user is - biometric, a fingerprint, or facial recognition

Any combination of these factors can be used for multi-factor authentication:

[Image: MFA factor combinations]

By requiring multiple authentication factors, MFA verifies a user's identity more reliably and protects against unauthorized access.

9 Multi-Factor Authentication Best Practices

The following best practices for MFA help organizations select the best-fit multi-factor authentication solution and set the right expectations with their users.

  1. Choose an MFA Vendor
    When implementing MFA, the first decision an organization has to make is choosing the right vendor. Get answers to these questions:
  • Does the vendor provide built-in compliance adherence?
  • How does the vendor keep up with evolving threat vectors?
  • Can the vendor's MFA solution scale as your business grows?
  • How secure and reliable is the vendor's solution, and which factor types (including phishing-resistant ones) does it support?
  • How easy is it to implement and deploy the MFA solution across your organization?

These are crucial questions to answer before committing to an MFA solution. Explore the features offered by MFA vendors in more detail.

  2. Focus on Ease of Use
    Choosing the right MFA for your business means assessing the organization's needs, the type of data to be protected, and the complexity of the security requirements; don't forget to also consider the level of convenience your users need.

Users may suffer MFA fatigue, or try to work around MFA entirely, if the solution is hard to use. One way to ensure ease of use is to let them choose from several authentication factors. Note that "MFA fatigue" also names an attack in which a user is flooded with push prompts until one is approved, so ease of use should never mean a one-tap approval that shows no context about the login being approved.

  3. Utilize a Variety of Authentication Factors
    Consider all types of users when finalizing the authentication factors for your application. With a varied user base it is not a good idea to offer a single factor to everyone. For example, employees may not have access to mobile phones at work while dealers can easily use them; in that case SMS OTP can be a reasonable factor for dealers, while biometrics or hardware tokens are a better fit for employees.

In general, offering multiple authentication factors gives users the freedom to pick the option that is most convenient for them, which creates a better user experience.

Here are the most commonly used MFA factors:

  • Email Link
  • Email OTP
  • SMS OTP
  • Phone Call
  • Biometric
  • Hardware Tokens
  • OTP Applications or Soft Tokens
  • Push Notifications

Offering a variety of factors also lets users enrol more than one factor and later use whichever is convenient.

Tip: Make sure the password-recovery channel and the second-factor channel are not the same. For example, if you offer password recovery via an email link, do not also use an email link as the second factor.

Using the same source for both recovery and MFA reduces security to that single source, the email account in this case: whoever controls the mailbox can reset the password and then satisfy the second factor too.

  4. Educate Users on Multi-factor Authentication
    It sounds simple, but educating users is one of the most important MFA best practices. Most researchers consider the user the weakest link in the security chain, so no amount of configuration delivers better security if users do not use MFA correctly. Start educating users on the importance of multi-factor authentication during the planning phase, and continue after the rollout with guidance on how to use it properly.

In the initial phase, cover at least the following:

  • Why should the user care about adopting MFA?
  • What is the end goal of adopting MFA?

  5. Use Multi-factor Authentication Across the Organization
    Organizations must research the available MFA options and plan either in-house development or a provider that offers the features and benefits they need. Don't limit multi-factor authentication to specific user roles: every user should be required to use MFA for any account access across the organization, regardless of the sensitivity of the information. This ensures that no user account is left unprotected.

Protecting all user types is the ultimate goal; the rollout can cover one type at a time and gradually extend to all of them.

  6. Leverage Adaptive MFA
    In some scenarios, constantly asking users to complete MFA is frustrating. Adaptive (step-up) authentication is a better approach: it uses contextual information to decide whether to request another factor for a given login.

The context can be location, IP address, network, device, behaviour, or anything else the organization's requirements call for. This approach also helps protect accounts against brute-force attacks; for example, a rule can require another factor once the wrong password has been entered three times in a row.

  7. Combine MFA with SSO
    Single sign-on provides a great user experience, and combining multi-factor authentication with SSO delivers a smooth experience while strengthening security.

With SSO, users don't enter a password at the first step of each application's login; the identity provider authenticates them once with their existing account. The second step stays the same as for password authentication, i.e. a second factor such as an OTP, email link, token, or biometric. Because the SSO session now unlocks every connected application, enforce the MFA requirement at the identity provider rather than in individual applications.

  8. Consider the Attack Resistance of Each Factor
    Although MFA adds security, it can itself be attacked if implemented poorly. As a general MFA best practice, organizations need to ensure the MFA solution is configured securely and that users know how to use it effectively. Factors also differ markedly in resistance: SMS and email OTPs can be intercepted, or phished and relayed in real time, whereas origin-bound cryptographic factors such as FIDO2/WebAuthn security keys resist phishing. Organizations can therefore assign factors by role, deploying highly attack-resistant factors for privileged accounts and good-enough factors for less privileged user roles.
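The following added example (not MojoAuth's code) puts three of the practices above into one small policy function: the contextual step-up rules of practice 6 (including the three-failed-passwords trigger), the role-based factor strength of practice 8, and the tip from practice 3 that the recovery channel must not double as the second factor. The strength ranking, role minimums, freshness limit and factor names are assumptions chosen for illustration; tune them to your own threat model.

```python
"""Added example (not MojoAuth code): an authentication-policy function that
combines adaptive step-up, role-based factor strength and a recovery-channel
check. All rankings and thresholds are assumptions for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed ranking: higher = harder to phish or intercept. SMS and email codes can
# be intercepted or relayed by a phishing page; origin-bound FIDO2/WebAuthn and
# hardware tokens resist that.
FACTOR_STRENGTH = {
    "sms_otp": 1, "email_otp": 1, "email_link": 1, "phone_call": 1,
    "push": 2, "totp_app": 2,
    "hardware_token": 3, "webauthn": 3,
}
# Assumed minimum strength per role: privileged accounts get the strongest factors.
ROLE_MIN_STRENGTH = {"admin": 3, "employee": 2, "dealer": 1}
FAILED_PASSWORD_LIMIT = 3            # the page's example: step up after 3 wrong passwords
MFA_FRESHNESS_SECONDS = 12 * 3600    # assumed: low-risk users re-prompted at most twice a day

# Factors that share a delivery channel with a password-recovery method.
RECOVERY_OVERLAP = {
    "email": {"email_otp", "email_link"},
    "sms": {"sms_otp", "phone_call"},
}


@dataclass
class LoginContext:
    role: str
    known_device: bool
    known_location: bool
    failed_password_attempts: int = 0
    seconds_since_last_mfa: Optional[int] = None  # None: no second factor yet in this session


def validate_enrollment(role: str, factors: List[str], recovery_channel: str) -> List[str]:
    """Return the problems with a user's enrolled factors; an empty list means the set is acceptable."""
    problems = []
    minimum = ROLE_MIN_STRENGTH[role]
    if not any(FACTOR_STRENGTH.get(f, 0) >= minimum for f in factors):
        problems.append(f"role '{role}' needs a factor of strength >= {minimum}")
    overlap = RECOVERY_OVERLAP.get(recovery_channel, set()) & set(factors)
    if overlap:
        problems.append(f"{sorted(overlap)} share the '{recovery_channel}' recovery channel")
    return problems


def decide(ctx: LoginContext, chosen_factor: Optional[str] = None) -> Tuple[str, str]:
    """Return ("allow" | "step_up" | "deny", reason).

    "step_up": a second factor must be completed now.
    "allow":   the password suffices because the session already holds a fresh
               second factor and nothing in the context looks risky.
    "deny":    the factor the user wants to use is too weak for the role."""
    minimum = ROLE_MIN_STRENGTH[ctx.role]
    if chosen_factor is not None and FACTOR_STRENGTH.get(chosen_factor, 0) < minimum:
        return "deny", f"'{chosen_factor}' is below the minimum strength for role '{ctx.role}'"
    if ctx.failed_password_attempts >= FAILED_PASSWORD_LIMIT:
        return "step_up", "repeated password failures"
    if not ctx.known_device:
        return "step_up", "unrecognised device"
    if not ctx.known_location:
        return "step_up", "unrecognised location"
    if minimum >= 3:
        return "step_up", "privileged role always re-verifies"
    if ctx.seconds_since_last_mfa is None or ctx.seconds_since_last_mfa > MFA_FRESHNESS_SECONDS:
        return "step_up", "no fresh second factor in this session"
    return "allow", "low-risk context with fresh second factor"


if __name__ == "__main__":
    print(validate_enrollment("admin", ["totp_app"], "sms"))
    print(decide(LoginContext("employee", True, True, 0, 600)))
    print(decide(LoginContext("dealer", True, True, failed_password_attempts=3)))
    print(decide(LoginContext("admin", True, True), chosen_factor="sms_otp"))
```

The order of the checks is deliberate: the weak-factor rejection comes first so that a risky context can never be "satisfied" by a factor the role is not allowed to use, and the convenience path ("allow") is reached only when every risk signal is clear and the session's last second factor is recent.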

  9. Periodically Re-evaluate MFA
    Security threats keep evolving, so organizations should periodically re-evaluate their MFA to ensure it still meets both users' and the organization's needs while also satisfying the refined security requirements.

How to Roll Out an MFA Solution Effectively

Once the best-fit MFA options have been shortlisted by following the best practices above, the next question is how to implement and deploy them.

The following are actionable best practices for implementing MFA in any organization.

  1. Start Rolling Out MFA with Privileged Accounts: Although MFA should apply to all users, organizations can take a gradual approach in the rollout phase and first release it for all admin accounts, which hold the most privileges. This also helps the organization understand the challenges and act on them before releasing MFA to all application users.

  2. Train Users: Organizations should treat the MFA rollout like a product release and convince their employees and users to start using multi-factor authentication. To support them in using MFA, plan training sessions for employees and publish videos and support documentation for both employees and external users of the application.

Also, encourage users to enrol more than one MFA option, or more than one device, so they keep access when they lose a device or an option becomes unavailable.

  3. Gradually Widen the Deployment: After successfully rolling out MFA to all users of one application, organizations can look at their other applications or instances that would benefit from multi-factor authentication and take the same approach to finalizing and implementing the MFA options there.

  4. Keep a Help Plan: In addition to the general adoption training and support, have a help plan in place, since users adjusting to the new MFA process may get locked out of accounts or run into other issues. Help channels and processes for sorting out such ad-hoc issues should exist for an optimal user experience.

  5. Assess, Observe and Improve: After the MFA rollout, periodically check data on related help-desk issues and statistics on user productivity or account lockouts. This helps the organization identify problems and resolve them effectively. Also keep a close eye on security metrics such as login attempts blocked by MFA after brute-force or phishing; this data is useful for evaluating the impact of adding MFA.

MFA solutions must be regularly maintained and updated to stay secure. Organizations need to be aware of the ongoing maintenance and support requirements of an MFA solution and, based on user and security data, keep improving multi-factor authentication for both users and application security.

What Are the Challenges of Rolling Out MFA?

Organizations may face a few challenges while rolling out MFA; it is important to note them in advance and take effective action to mitigate them in time. The best practices above help address the following challenges:

  1. User Acceptance: MFA may seem inconvenient to users, as it requires them to present multiple factors rather than a single password. To ensure a successful rollout, organizations need to make users aware of the benefits of MFA and the risks of not using it, and give them a good user experience during the rollout.

  2. Cost: Implementing MFA can require additional hardware and software, as well as training and support. When considering an MFA solution, organizations need to be aware of the total cost of ownership. For example, when choosing hardware tokens for MFA, include all device-related costs (purchase, shipping, replacement of lost tokens) in the calculation.

  3. Compatibility: Organizations need to ensure that their chosen MFA options and solution are compatible with all of their existing infrastructure, including applications, network devices, and authentication systems.

Does MFA Solve Authentication Security Problems?
Multi-factor authentication clearly improves password-based authentication: stolen credentials alone become useless to attackers, and dictionary, brute-force, and keylogger attacks are blunted. However, MFA cannot guarantee security against every attack; for example, OTP codes can still be phished and relayed in real time, and push prompts can be approved by a fatigued user. Read more about password-based attacks.

Certainly, MFA addresses security concerns to an extent, but it also affects the user experience, because users must complete at least two factors to finish authenticating.

What to do when MFA is not enough?

When MFA is not enough, organizations can look into other security measures to protect their applications, networks, and data. This includes identity and access management tools that can detect suspicious patterns and block malicious accounts.

To improve the user experience along with security, organizations can also change their approach to authentication by eliminating passwords as the next step. There are many alternatives to password-based authentication; in fact, most of the MFA factors listed earlier in this post (email links, OTP applications, biometrics, hardware tokens and the like) can be used as stand-alone authentication methods.

For high-security applications, organizations can opt for passwordless authentication combined with MFA, which takes the application's security posture to the next level.

The following illustrates the security risk level in all three cases:

  • Using passwords
  • Using passwords with MFA
  • Using passwordless with MFA

[Image: relative security risk of passwords, passwords with MFA, and passwordless with MFA]

Time to Apply these MFA Best Practices

These multi-factor authentication best practices are designed to enhance security without compromising the user experience, and to reduce the risk from compromised passwords.

Multi-factor authentication is a must-have alongside password-based authentication, as it can block more than 90% of attacks on user accounts. When deciding which MFA options are best for your application, consider the Multi-Factor Authentication (MFA) best practices explained above.

As the next step toward better security after implementing MFA, organizations should look into eliminating passwords and using password-free authentication methods for their applications.

To find out how MojoAuth can help you with an MFA solution or password-free transition, create an account here, reach out to our experts and get answers to all your questions.
