What you need to know when choosing your Multi-Factor Authentication (MFA) solution:
1. Be clear on where your security data is kept — can you be confident others can’t access it? A single vulnerability or misconfiguration can lead to a compromise across an entire provider’s cloud. When it comes to keeping your business information and applications secure, you need to be confident that your choice of software is fit for purpose now and will still be so in the future.
2. Consider your business ecosystem — suppliers can be weaknesses too. Attacks via web apps (i.e. through third-party software and portals) — often involving the planting of keyloggers — were responsible for 40% of breaches. But just 13% of businesses set standards for their suppliers.
3. Keep it simple. If your users don’t like something, they’ll try to work around it. Multiple logins are no fun for anyone. 63% of confirmed data breaches involved weak, default or stolen passwords. Static, single authentication is a weakness that is used in spades by attackers. Improve this with a second factor such as a software token or mobile app.
4. Don’t add to admin — if staying compliant is complicated, you won’t stay compliant. Features like auto-enrolment make your IT admin’s life easier and your data more secure. 9 out of 10 IT teams said that their incident response effectiveness and efficiency were limited by the burden of manual processes. Not all users are created in the same mould — some will prefer SMS, some will prefer a smartphone app. Flexible solutions are the ones most likely to be adopted by users.
5. Be clear what really matters to you — gimmicks don’t make you more secure. One major regulator recognises geolocation as a valid factor in authentication.
6. Don’t ignore the risk. Everyone’s a target. 65% of large UK businesses have detected threats in the last year, with the average cost of successful attacks at £36,000. If you are securing a web application, don’t base the integrity of authentication on the assumption that your users won’t get owned with keylogging malware. They do and will.
7. Plan for the future. Bring Your Own Device (BYOD), NFC, new platforms and devices mean more opportunities for data loss and misuse. Your security needs to keep pace with the devices on your network. 56% of companies expressed concerns over data access via BYOD.
8. Give your users choice — the more options a user has to log in, the more chance they’ll use one that works for them. 41% of users, when questioned why they did not use 2FA, cited inconvenience.
9. Know your vendor’s roadmap. Many providers piggy-back on Google’s Authenticator platform. Others prefer to be in charge of their own destinies and make critical updates when they need to, rather than wait for a third party to do it for them.
10. Support everything. Your business is ever more reliant on web-based applications, remote devices and APIs. The best MFA solutions will support and protect everything within, and at the edge of, your network.