Choosing an MFA Solution

Choosing an MFA Solution for Dummies 

By now I’m sure you’re all familiar with the terms “MFA (Multi Factor Authentication), 2FA (Two Factor Authentication) or Strong Authentication” over the last few years, for those of you that aren’t these are largely the same thing (there are some technical & semantical differences but for simplicity let’s not get into those) in that they support your traditional Username & Password experience by requiring an additional ‘Factor’ to validate that you are the genuine user. These factors take many forms which I’ve listed below and as we get through this Blog (and at the end) I’ll cover some of the pro’s and con’s: 

• SMS 
• Telephony 
• OTP 
• Hardware Tokens 
• Mobile Tokens 
• Push-based Tokens 
• QR code-based Tokens

OK, so why do I need ‘MFA, 2FA’ or whatever it’s called? 

As we’re all probably bored of seeing in the media by now, our credentials are out there on the dark web (or soon will be), with large companies like FaceBook, Nintendo, EquiFAX, etc all being targets and suffering data breaches which have leaked thousands or millions of users passwords and personal details. 

These passwords, believe it or not have value on the black market as they allow attackers a foot hold to exploit users & businesses with things like Ransomware, gather more personal information to commit identity theft or just general fraud. What makes this issue even worse is that we as people have a tendency to re-use the same password(s) out of convenience, meaning a single leak on one account could allow attackers a foot hold on others. 

MFA helps to stop this by adding that extra Factor which is typically something we need to have physical access to at a given time. 

The purpose of this Blog is to help businesses understand what to look for/consider when choosing an MFA solution. There are numerous ‘Buyers Guides’ out there sponsored by respective vendors but they tend to present things in a very enterprise way; which is understandable as enterprises use to be the only businesses which could afford the infrastructure to support MFA. Now days however MFA is something that every business (and every individual for that matter) needs to have to safeguard themselves. 

The area’s which need to be considered are: 

Ubiquity

Can the MFA solution cover all of my apps and services? Whilst having multiple MFA solutions can be argued as more secure and limits the impact of service failures, it does lead to labour overheads for deployment to existing and new staff as well as create a bit of a laborious experience for staff; having to have multiple Tokens and varying login procedures. 

In an ideal world, like Sauron we need to have one solution ‘to rule them all’ as this will give your staff a single simple experience and make implementation & administration long-term more efficient. 

In terms of Apps & services the vast majority of businesses will have: 

• Devices which they login to  – PC’s, Laptops, Hosted Desktops, etc 
• Webapps – E-mail and CRM’s are a common example 
• VPN/Remote access – plenty of businesses still run systems which reside within the business property and they need a secure way for their staff to access them, VPN’s are perfect for this but they are also a backdoor if not properly secured 

Again in an ideal world you’ll want your MFA solution to cover all of these areas 

Ease of Use

“Will implementing MFA impact the productivity of my staff?” The best MFA solutions are simple, Push-Based is the industry favourite as it’s very secure and only requires users to approve a prompt on their mobile phone after they’ve entered their username & password. Solutions where you need to answer an incoming call, receive a TXT or read & type a code can be frustrating for some and slow down their login. Depending on the solution you use and where it is deployed you may find that staff members need to re-approve MFA each time they return to their desks. Speaking from my own personal experiences as an MSP, we take security very seriously and although this can be frustrating, we are trusted to hold the keys to many kingdoms so it’s absolutely worth the extra effort but be aware that angry/frustrated users can force businesses into bad (and costly) security practices. 

That said, depending on the solution there are options to exclude certain users or locations; if your perimeter network is secure and well managed you can declare your office(s) as safe zones allowing staff to login without MFA whilst they are in the building. 

Off-line use is another consideration if you’re seeking to bolster the login security of your staff’s devices, are those staff going to be in areas of poor or no connectivity (commuting to the office, etc)? If so It’s essential that any MFA you chose can work without an internet connection if required. 

Flexibility

“What do I do if my staff forget or lose their token?” From time to time we all leave our keys or phone(s) at home or in the office, a good MFA solution should be flexible enough to reduce the frustration(s) of these sorts of mistakes. Some MFA solutions will require your affected staff member to be un-enrolled then re-enrolled; if the device/token is only temporarily unavailable this can be both time consuming for the staff member (and your admin team) to re-enrol once they do get their device back but more importantly can be a big security hole if their account has to be left un-protected for a period of time. A good MFA solution will allow for the issuing of temporary tokens securely via the administrator(s). Similarly should tokens be lost permanently or stolen, you’ll need a solution which can revoke the token and issue a new one/temporary token quickly and easily. 

Security

“How secure is the MFA solution?” This may sound like an odd consideration, especially as you’re bringing MFA in to enhance security but, not all MFA solutions are equal in terms of security. Some MFA solutions like SMS or Telephony can be intercepted with social engineering or malware, some OTP solutions have codes which do not expire until they are used or store their data in an insecure way; opening the possibility for an attacker to use a genuine token without the users knowledge. 

Look out for solutions who’s tokens cannot be cloned to other devices and can enforce some form of device security such as hiding/disabling the token without a PIN or biometrics. 

The audit trail should also be considered, can the MFA solution record where the token request came from, or from what device? These factors can provide an early warning sign that a token has been compromised if requests are coming from an unusual location or from multiple locations/devices too far apart to feasibly be travelled to in the time. This information can also be invaluable when investigating a breach. 

Cost

“How much will it cost to deploy and run?” Being a technical person cost is always one of my last considerations, if something is cheap and just about scrapes the brief; save the money and invest elsewhere. When choosing your MFA solution think about your businesses spending attitudes, some businesses prefer capital expenditure over a 1-5 year period others prefer a rolling opex model. In either case think about what it will cost to setup and run the solution:  

• will you need to buy hardware or licences? 
• when is that hardware/licence expected to be retired? 
• What’s it’s capacity (does it accommodate more users than you currently have to allow for growth and can it be expanded – at what cost)? 
• Will your internal team set this up or will you need to bring in outside consultancy? 
• How much do the tokens cost (if at all)? 
• Can your existing team deal with the day to day admin or will you need to add capacity? 

If I may offer some specific advice on this; look at cloud solutions, they typically do not require any upfront hardware or software costs for the controller element, all the scaling, backup, maintenance and security testing/patching is handled for you and your deployment labour will be less as a consequence. They’re easier for your internal team to administer and they can have an escalation path if required. 

And as for cost? While most cloud services like a recurring monthly income you can often still procure them on a 1-5 year term to give your business that capex feel and keep opex down. 

The Good, The Bad & The Ugly 

As promised here is a rough break down of each token type, what’s good and bad about it. Keep in mind that like anything in security no one solution is perfect or unbreakable, find the solution which has the best balance of security, ease of use and cost (in that order):  

---

SMS

Good old fashioned SMS or TXT messages; these require you to have a mobile phone number associated with your account so a 6 digit code can be SMS’s to you when logging in.

---

Telephony 

Similar to SMS this methodology makes a call to an associated telephone number and the user authorises by answering the call and pressing # 

---

OTP 

OTP or One Time Passcode is similar to SMS in that it’s typically a 6 digit code, the main differentiator is that the code is held/generated either via a hardware device (key fob) or a piece of software (most commonly on a mobile phone); the Google Authenticator is a good example of this – check out the Hardware & Mobile sections below when considering OTP 

---

Hardware 

Hardware tokens come in several forms but in essence can be boiled down to devices which need to be connected to a device such as USB or smart card or a Key fob which displays an OTP code. 

---

Mobile

Mobile tokens are typically applications which utilise the OTP algorithm 

---

Push-Based 

This again uses a mobile phone but utilises a push service; what this means is there is an application on the device which has been registered against the MFA solution and the user will receive a pop-up message for them to approve (or deny) when they login.

---

QR Code Based 

QR based token require a user to scan a QR code then type the OTP code which is generated.

---

---

---

---

Share this post