Looking for Okta Logos?

You can find all the media assets you need as part of our press room.

Download Media Assets

Understanding MFA Factors: You’re Not Using the Right Ones

joe diamond
Joe Diamond
Sr. Director, Product Marketing

With the rise in both the number and sophistication of today’s security threats, the benefits of multi-factor authentication (MFA) have become widely recognized, leading to increased adoption across enterprise and consumer apps . From a security standpoint, this is all good news. We know that passwords alone are not enough to secure your data, and that having at least a second factor is critical. In our annual Businesses at Work survey, we found that nearly 70% of Okta customers offer three or more factor options to their users today (compared to 62% last year). However, we also found there is still some room for progress when choosing the right factors to protect company applications and data.

An effective MFA solution balances usability, cost-effectiveness, and security. Some factors are relatively easy to use, but can come at the expense of security. It helps to imagine factors on a scale of assurance, meaning that if a user inputs that factor, how likely is it that they are who they say they are? Factors range from low assurance (security questions and passwords) to high assurance (biometrics and physical tokens), with a range in between (push notifications, one-time passwords).

Our data shows that many of our customers still relying on low assurance factors like SMS and security questions. In fact, the security question is the most popular factor our customers deploy and adopt, and it’s on the rise: 38% of MFA users are using security questions today, compared to 30% last year. One challenge here is that answers to security questions can often be found in public records (someone’s mother’s last name, for example; here’s Google’s research on the topic). Using SMS as a sole second factor also comes with risk. In fact, for companies complying with regulations like DFARS, NIST guidelines no longer allow SMS-based two-factor authentication because of the risk of codes being intercepted.

That’s not to say that these factors are inadvisable in an MFA solution — it’s that the right factors should be paired with the right level of risk.

See how Okta is redefining security by putting identity first.

How Do You Know Which Factor to Choose?

In the past, security and usability was a zero-sum game: the more stringent security regulations, the more burdensome it was for teams. This resulted in users taking shortcuts whenever possible (and inadvertently putting the company at risk). When it comes to protecting critical company data while enabling a frictionless experience for teams, adaptive MFA aligns the right factors with the risk level associated with a request. It analyzes a user’s access request — the network, location, device they’re using, and information they’re looking for — in order to determine which additional factors are required.

For example, an employee accessing a file-sharing app while working from the office may not require as strict a second factor (especially if it was accessed on a managed device), while that same employee requesting that same access from a remote location would require a step-up. If that app contained more sensitive information, such as that accessed by privileged system users, a request from the wrong place or at the wrong time would require a much higher assurance second factor, or may not be allowed at all.

See it in practice: Read how one of our customers, Funding Circle, secures important financial information.

The Next Step: Develop Policies for More Sophisticated MFA

While implementing an adaptive MFA solution solves many of the challenges posed by the risks of low-assurance factors, setting the right policies for your organization will help ensure successful adoption. As a starting point, require end-users select only the most secure MFA factors and remove security questions and SMS as factor  options for high-risk access requests. Establish device management and BYOD policies with your IT team to carefully monitor whether access requests require a step-up if they’re coming from unmanaged devices. And always require MFA when a user attempts to mask his or her IP address using a proxy.

Finally, make factors with greater security, such as one-time passwords, soft or physical tokens, or even biometrics a standard practice. With the right set of adaptive MFA policies security and usability is no longer a zero-sum game.

Looking for more information on Adaptive Multi-Factor Authentication?

joe diamond
Joe Diamond
Sr. Director, Product Marketing

Joe Diamond, Sr. Director, Product Marketing at Okta, has more than a decade of engineering, product management, product marketing and software leadership expertise in both the consumer and enterprise markets. He is responsible for defining and implementing the strategy for Okta’s rapidly growing security business. Previously, he led product marketing for Proofpoint’s line of advanced threat and response products, where he helped nearly quadruple revenue over a three-year period. He also led product management and marketing for RiskIQ, led enterprise product management for Symantec’s emerging products and technologies and served in product management and marketing roles for its hosted email archiving vendor, LiveOffice, which was acquired by Symantec.