Some common best practices in step-up MFA, include: risk analysis, choice of authentication factors, privacy, lock-out, registration, which we will discuss today. Other best practices also include: user opt-in, suspension and bypass, self-service, native applications, initial authentication and multiple touch points/channels.
A risk-based authentication model presumes that the risk associated with different application resources and operations has been determined.
The risk from an authentication error is a function of two factors:
1. Potential harm or impact
2. The likelihood of such harm or impact
Categories of harm and impact include:
• Inconvenience, distress, or damage to standing or reputation
• Financial loss or agency liability
• Harm to agency programs or public interests
• Unauthorised release of sensitive information
• Personal safety
• Civil or criminal violations
The risk assessment should be performed by the marketing, security and compliance teams collaborating on the level of risk they’re willing to accept.
Choice of Authentication Factors
The “one size fits all” approach doesn’t work when choosing the appropriate authentication factors. A small user base that accesses highly sensitive resources may not require the same authentication factors as a large user base that accesses resources with less risk. Organisations must balance usability, cost and security in order to enhance the user experience without alienating their user base. Different authentication factors can vary significantly in their user experience—from invasive to completely unobtrusive. A risk-based model ensures that the user is confronted with an explicit authentication UX only when necessary, with passive contextual authentication becoming the default. A flexible MFA solution allows for easy switching between supported modes. For example, if a mobile phone is offline or if the user is roaming, the fallback is to a generated OTP. User adoption, particularly among customers, is enhanced if you provide multiple options for step-up mechanisms. Some users may not have phones for mobile-based mechanisms. Users with disabilities may rule out other mechanisms. And some users are simply resistant to new technologies.
Different authentication mechanisms demand different amounts of potentially sensitive user information to be collected. For instance, an SMS OTP model requires users to provide their phone number. If personally identifiable information is to be collected, its intended use should be explained to the user. Device identification solutions effectively create a fingerprint of a device. Used inappropriately, this fingerprint might allow a single customer to be tracked across multiple applications. Privacy laws in Europe restrict information that can be collected on users. Consequently, in some regions, companies are required to allow customers to opt out of device identification applications. Protecting user privacy depends on providing opt-in MFA models and multiple options for the MFA mechanism. Giving users flexibility and control over their personal information is critical in the consumer space; it’s also relevant at the enterprise level. Accustomed to heightened consumer privacy controls, employees no longer passively consent to outdated IT security policies.
Locking out a user from application access inevitably creates a negative impression. It may have a negative financial impact, such as when a customer can’t complete a purchase. It may also decrease productivity; when an employee is locked out of their work applications, he/she can’t perform job duties for some time. Lockout should be a last resort. There are better options. For example, if a user repeatedly enters an incorrect password, judicious use of MFA can guide the user through a password reset process instead of locking the user out of the application altogether. Additionally, the continuous authentication model makes the need to consider lockout less likely. The more authentication signals collected and analysed, the less critical an atypical value might be (that may warrant a lockout on its own) for any one of them.
An authentication mechanism is only as strong as the registration process that issued the credentials. A thorough registration process that strongly binds credentials to an individual user is mandatory. For mobile app-based systems, displaying a QR code is a powerful and useful mechanism for the authentication server that’s already authenticated the user with the first factor (e.g., password). The user uses the previously downloaded and installed application (either purpose-built for authentication or integrated with an existing application) to scan the QR code. Because the QR code references the customer identity, the application becomes bound to that account.