
Choosing an MFA Solution

By Russell Gower-Leech, Technical Solutions Architect | Published 15 Jun 2020

Choosing an MFA Solution for Dummies 

By now I’m sure you’re all familiar with the terms “MFA (Multi Factor Authentication)”, “2FA (Two Factor Authentication)” or “Strong Authentication” from the last few years. For those of you that aren’t, these are largely the same thing (there are some technical and semantic differences, but for simplicity let’s not get into those): they supplement your traditional username and password by requiring an additional ‘factor’ to validate that you are the genuine user. These factors take many forms, which I’ve listed below, and as we get through this blog (and at the end) I’ll cover some of the pros and cons:


  • SMS 
  • Telephony 
  • OTP 
  • Hardware Tokens 
  • Mobile Tokens 
  • Push-based Tokens 
  • QR code-based Tokens

OK, so why do I need ‘MFA, 2FA’ or whatever it’s called? 

As we’re all probably bored of seeing in the media by now, our credentials are out there on the dark web (or soon will be), with large companies like Facebook, Nintendo, Equifax, etc. all being targets and suffering data breaches which have leaked thousands or millions of users’ passwords and personal details.

These passwords, believe it or not, have value on the black market, as they give attackers a foothold to exploit users and businesses with things like ransomware, to gather more personal information to commit identity theft, or for general fraud. What makes this issue even worse is that we as people have a tendency to re-use the same password(s) out of convenience, meaning a single leak on one account could give attackers a foothold on others.

MFA helps to stop this by adding that extra factor, which is typically something we need to have physical access to at the time of login.

The purpose of this blog is to help businesses understand what to look for and consider when choosing an MFA solution. There are numerous ‘Buyers Guides’ out there sponsored by respective vendors, but they tend to present things in a very enterprise way, which is understandable, as enterprises used to be the only businesses which could afford the infrastructure to support MFA. Nowadays, however, MFA is something that every business (and every individual, for that matter) needs to have to safeguard themselves.

The areas which need to be considered are:

Ubiquity

Can the MFA solution cover all of my apps and services? Whilst having multiple MFA solutions can be argued to be more secure, and limits the impact of a single service failing, it leads to labour overheads when deploying to existing and new staff, and creates a laborious experience for staff, who have to carry multiple tokens and follow varying login procedures.

In an ideal world, like Sauron, we need one solution ‘to rule them all’, as this gives your staff a single, simple experience and makes long-term implementation and administration more efficient.

In terms of Apps & services the vast majority of businesses will have: 

  • Devices which they log in to – PCs, laptops, hosted desktops, etc.
  • Web apps – e-mail and CRMs are common examples
  • VPN/remote access – plenty of businesses still run systems which reside on the business premises and need a secure way for their staff to access them. VPNs are perfect for this, but they are also a backdoor if not properly secured

Again, in an ideal world you’ll want your MFA solution to cover all of these areas.

Ease of Use

“Will implementing MFA impact the productivity of my staff?” The best MFA solutions are simple. Push-based is the industry favourite, as it’s very secure and only requires users to approve a prompt on their mobile phone after they’ve entered their username and password. Solutions where you need to answer an incoming call, receive a TXT, or read and type a code can be frustrating for some and slow down their login. Depending on the solution you use and where it is deployed, you may find that staff members need to re-approve MFA each time they return to their desks. Speaking from my own experience as an MSP, we take security very seriously; although this can be frustrating, we are trusted to hold the keys to many kingdoms, so it’s absolutely worth the extra effort. Be aware, though, that angry or frustrated users can force businesses into bad (and costly) security practices.

That said, depending on the solution there are options to exclude certain users or locations: if your perimeter network is secure and well managed, you can declare your office(s) as safe zones, allowing staff to log in without MFA whilst they are in the building.

Off-line use is another consideration if you’re seeking to bolster the login security of your staff’s devices: are those staff going to be in areas of poor or no connectivity (commuting to the office, etc.)? If so, it’s essential that any MFA you choose can work without an internet connection when required.

Flexibility

“What do I do if my staff forget or lose their token?” From time to time we all leave our keys or phone(s) at home or in the office, and a good MFA solution should be flexible enough to reduce the frustration of these sorts of mistakes. Some MFA solutions require the affected staff member to be un-enrolled and then re-enrolled. If the device/token is only temporarily unavailable, this is time consuming for the staff member (and your admin team) to re-enrol once they get their device back, but more importantly it can be a big security hole if their account has to be left unprotected for a period of time. A good MFA solution will allow administrators to issue temporary tokens securely. Similarly, should tokens be lost permanently or stolen, you’ll need a solution which can revoke the token and issue a new or temporary one quickly and easily.

Security

“How secure is the MFA solution?” This may sound like an odd consideration, especially as you’re bringing MFA in to enhance security, but not all MFA solutions are equal in terms of security. Some MFA solutions like SMS or telephony can be intercepted with social engineering or malware; some OTP solutions have codes which do not expire until they are used, or store their data in an insecure way, opening the possibility for an attacker to use a genuine token without the user’s knowledge.

Look out for solutions whose tokens cannot be cloned to other devices and which can enforce some form of device security, such as hiding or disabling the token unless a PIN or biometric is provided.

The audit trail should also be considered: can the MFA solution record where the token request came from, or from what device? These details can provide an early warning that a token has been compromised if requests are coming from an unusual location, or from multiple locations/devices too far apart to feasibly be travelled between in the time. This information can also be invaluable when investigating a breach.
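As an added illustration of the “too far apart to travel” check (example code written for this post’s point, not part of the original or of any vendor’s product), the following Python runs over a handful of constructed audit records and flags a user whose consecutive approvals imply an impossible speed or come from a different registered device; the 900 km/h threshold and the record format are assumptions.

```python
import math
from collections import defaultdict

MAX_KMH = 900.0  # about airliner speed; faster than this cannot be genuine travel (assumed threshold)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def review_mfa_audit(events, max_kmh=MAX_KMH):
    """Compare each user's consecutive token approvals (sorted by time) and return
    (user, earlier_ts, later_ts, km, kmh, reasons) for pairs that look wrong:
    implied speed above max_kmh, and/or a change of approving device."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["ts"] - prev["ts"]) / 3600.0
            kmh = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
            reasons = []
            if kmh > max_kmh:
                reasons.append("impossible travel")
            if prev["device"] != cur["device"]:
                reasons.append("new device")
            if reasons:
                alerts.append((user, prev["ts"], cur["ts"], round(km, 1), round(kmh, 1), reasons))
    return alerts


# Constructed sample audit records (unix time, approximate lat/lon, registered device).
# alice: London, then Tunbridge Wells an hour later on the same phone: plausible.
# bob: London, then Sydney twenty minutes later on a different device: flag it.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": 1_600_000_000, "lat": 51.5074, "lon": -0.1278, "device": "phone-A"},
    {"user": "alice", "ts": 1_600_003_600, "lat": 51.1324, "lon": 0.2637, "device": "phone-A"},
    {"user": "bob", "ts": 1_600_000_000, "lat": 51.5074, "lon": -0.1278, "device": "phone-B"},
    {"user": "bob", "ts": 1_600_001_200, "lat": -33.8688, "lon": 151.2093, "device": "phone-X"},
]
```

Calling `review_mfa_audit(SAMPLE_EVENTS)` returns a single alert for bob with both reasons; a real solution would feed such alerts to whoever can revoke the token.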

Cost

“How much will it cost to deploy and run?” Being a technical person, cost is always one of my last considerations: if something is cheap and only just scrapes the brief, save the money and invest elsewhere. When choosing your MFA solution, think about your business’s spending attitude; some businesses prefer capital expenditure over a 1-5 year period, others prefer a rolling opex model. In either case, think about what it will cost to set up and run the solution:

  • Will you need to buy hardware or licences?
  • When is that hardware/licence expected to be retired?
  • What’s its capacity (does it accommodate more users than you currently have to allow for growth, and can it be expanded – at what cost)?
  • Will your internal team set this up, or will you need to bring in outside consultancy?
  • How much do the tokens cost (if at all)?
  • Can your existing team deal with the day-to-day admin, or will you need to add capacity?

If I may offer some specific advice on this: look at cloud solutions. They typically do not require any upfront hardware or software costs for the controller element; all the scaling, backup, maintenance and security testing/patching is handled for you, and your deployment labour will be less as a consequence. They’re easier for your internal team to administer, and they can have an escalation path if required.

And as for cost? While most cloud services like a recurring monthly income you can often still procure them on a 1-5 year term to give your business that capex feel and keep opex down. 

The Good, The Bad & The Ugly 

As promised, here is a rough breakdown of each token type and what’s good and bad about it. Keep in mind that, like anything in security, no one solution is perfect or unbreakable; find the solution which has the best balance of security, ease of use and cost (in that order):


SMS

Good old-fashioned SMS or TXT messages; these require you to have a mobile phone number associated with your account so a 6-digit code can be SMS’d to you when logging in.

Pros

  • No additional physical token to carry around 
  • No mobile token software to install 
  • Works on ANY phone (even a Nokia 3210) 

Cons

  • Weak security; SMS messages are clear text, so any app on your phone which has access to messages (and there are an alarming number) can read these and transmit them to an attacker if compromised
    • Typically people like the convenience of seeing messages or part of messages on their lock screen or wearable, leaving the code exposed to shoulder surfing
  • In some cases the code doesn’t expire until it has been used
  • Open to social engineering attacks; there has been a growing trend of SIM jacking, where an attacker contacts your mobile vendor to request a new SIM card and port the victim’s number so they can receive the SMS code
  • Won’t work without a mobile phone signal
    • Depending on your carrier this may create complications and cost when abroad
  • No centralised control from the business/IT
  • May require disclosure of staff’s personal mobile phone numbers (if they are not issued with business devices), which adds to the point above as well as presenting considerations around personal privacy
  • No temporary token option; if users forget their phone they either need to be re-enrolled on another device (which can be time consuming, or less secure, as it may be a desk phone) or their account is left temporarily unprotected before re-enrolling their old token
  • Most security organisations and large enterprises plan to decommission SMS in the mid to long term due to its weak security and the on-going high-profile breaches associated with it. As such, this method may be short-lived for a business and require further investment to replace

Telephony 

Similar to SMS, this method makes a call to an associated telephone number and the user authorises by answering the call and pressing #.

Pros

  • No additional physical token to carry around 
  • No mobile token software to install 
  • Works on ANY phone (even a Nokia 3210) 
  • Good for situations where a shared account is used; the DDI of a particular department can be used to answer the call and approve the MFA request 

Cons

  • Weak security; this token relies on the physical security of the phone(s) or phone system, meaning anyone with physical access to the phones or phone system can intercept the prompt
  • Open to social engineering attacks; fake diversions or changes to hunt groups can be requested from the person(s) who administer the telephony system
  • Won’t work if the phone line or phone system is down
  • Can complicate the administration and audit trail, as the IT/security team may not be responsible for the telephone system (or may have to learn this additional set of skills), creating admin delays
  • Most security organisations and large enterprises plan to decommission this token type in the mid to long term due to its weak security and the on-going high-profile breaches associated with it. As such, this method may be short-lived for a business and require further investment to replace
  • Sharing of administration accounts and the associated MFA is terrible practice from a compliance point of view, as it’s harder to ensure authorised access, audit access requests and investigate incidents

OTP 

OTP, or One Time Passcode, is similar to SMS in that it’s typically a 6-digit code. The main differentiator is that the code is held/generated either by a hardware device (key fob) or a piece of software (most commonly on a mobile phone); Google Authenticator is a good example of this. Check out the Hardware and Mobile sections below when considering OTP.

Pros

  • Simple to use 
  • Most OTPs expire within 30-60 seconds, giving potential attackers a very small window of opportunity
  • Can be used off-line

Cons

  • In some cases tokens do not expire until they are used
  • Often these solutions do not have a central management console; users simply enrol with a given token, which can lead to overheads if tokens need to be retired or reissued
  • Can be laborious to type codes in for some users
  • Some solutions do not offer a temporary token option if users forget their token, meaning they either need to be re-enrolled (which can be time consuming) or their account is left temporarily unprotected before re-enrolling their old token
  • OTP is susceptible to shoulder surfing

Hardware 

Hardware tokens come in several forms, but in essence they boil down to devices which need to be connected to a computer, such as a USB key or smart card, or a key fob which displays an OTP code.

Pros

  • Simple to use 
  • Physical access to the fob or card is required 
  • Code algorithm is difficult to crack 
  • Hardware tokens can be difficult to clone

Cons

  • Hardware tokens can be lost more easily due to their size 
  • Hardware tokens require a battery replacement/full on replacement periodically 

Mobile

Mobile tokens are typically applications which utilise the OTP algorithm.

Pros

  • More convenient as users only need their mobile phone with them 
  • Software-based OTPs can be backed up, making device swapping easier for the user(s)
  • Services like Google Authenticator are free and widely used 

Cons

  • Some applications offer weak security, allowing a compromised device to copy the OTP code and send it to an attacker via the clipboard or a screenshot
    • Some applications can also be cloned, or have their backup mechanism exploited to ‘recover’ the MFA token to another device
  • Some OTP applications offer no in-app security, so a poorly secured phone can be physically accessed and tokens obtained

Push-Based 

This again uses a mobile phone, but utilises a push service: an application on the device has been registered against the MFA solution, and the user receives a pop-up message to approve (or deny) when they log in.

Pros

  • Considered the most secure option within the industry 
  • Quicker & simpler than OTP 
  • Harder to crack or intercept on the device 
  • Can act as an early warning if users receive a prompt when not logging in 
  • Convenient as users only need their mobile phone with them 
  • Typically offer in-app protection; securing access to the app even if the phone is unlocked 
  • Can be backed up/migrated to a new device 
  • Token has a short life span reducing the window of opportunity for an attacker 
  • Most often compatible with wearables for convenience, and for added security if the user’s device is unlocked and out of sight

Cons

  • Requires connectivity to the MFA solution/internet 
  • Some push-based apps can be quicker to exploit than OTP if the user’s device is unlocked when a prompt comes in
  • Some solutions have no temporary token option; if users forget their phone they either need to be re-enrolled on another device (which can be time consuming or not possible) or their account is left temporarily unprotected before re-enrolling their old token

QR Code Based 

QR code-based tokens require a user to scan a QR code and then type the OTP code which is generated.

Pros

  • Works off-line 
  • Convenient as users only need their mobile phone with them 
  • Difficult to intercept or crack 
  • Token has a short life span reducing the window of opportunity for an attacker 

Cons

  • Can be a slow login experience which may frustrate some users. This in turn can hamper productivity, especially if the users need to re-authenticate multiple times due to locking their screen, etc 
  • Some solutions have no temporary token option; if users forget their phone they either need to be re-enrolled on another device (which can be time consuming or not possible) or their account is left temporarily unprotected before re-enrolling their old token
  • Camera issues can affect the performance of QR-based solutions
  • Use of cameras within an office/area may be undesirable for other security and compliance reasons
