Adaptive Multi-factor Authentication is a powerful feature that adds flexibility to Multi-Factor Authentication (MFA). Depending on your login context – for example, I'm accessing the system from a country I never did before – the MFA authentication is required. In simple words: with Adaptive MFA, depending on your context, the MFA shows up (or not):
Adaptive MFA: Sometimes MFA shows up, sometimes it doesn't.
If used the right way, Adaptive MFA improves your security and your end-user login experience. If misconfigured , Adaptive MFA may create confusion and not deliver better security.
In this article, I'll walk you through my top 5 tips for using Adaptive MFA the right way. These tips are applicable to any system that supports the Adaptive MFA capabilities I'm describing here, including Okta.
1 - Start with a policy baseline and go one direction
Preferably, start with "MFA always on" as the baseline.
If this article was named "Top 1 tip for using adaptive authentication right", this tip would be the chosen one. I strongly believe that anybody, independent of adoption level or maturity, should start with a baseline. Preferably: "MFA always on except when <adaptive comes up here>".
Having a baseline simplifies everything around Adaptive MFA. It makes it easier for you to define configurations as well as for end-users, helpdesk, and security/compliance personnel to understand the security controls in place.
The baseline sets a default behavior that's clear even when odd questions come up. As an example, if you start your configuration with: "Always require MFA from everybody except when employees initiate access from known places/devices we trust", it's clear that contractors are MFA enforced no matter what. If a contractor asks "why I'm always MFA enforced?", you don't need to dig into your Adaptive controls to explain why.
You can also start with MFA off and use adaptive policies to require MFA in specific situations. This is a common baseline in B2C apps when you don't want to slow down end-users. In these situations, You can use Adaptive MFA along with progressive profiling and authorization to request multi-factor only in specific parts of the session (do Adaptive MFA prior to checkout).
2 - Turn on the no-brainers
Why not turn no-brainers features like impossible travel and network anonymizers on?
Good Adaptive MFA solutions come up with features that improve your security without hassle. I like to call them no-brainers. Features like impossible travel – detects logins from geographically distant locations – and network anonymizers – detects if access is coming from a suspicious VPN or a Tor exit node – can be enabled with a couple of clicks and improve your security on day 1.
3 - Configure in a way a human can understand
You should be able to reasonably explain your Adaptive MFA policies to a human. if you cannot, you should review your policies.
Something very important you'll learn about Adaptive MFA as soon as you turn it on is that it affects people's life. In particular, four people:
End-users logging into your systems with MFA: As soon as you enable Adaptive MFA, users will start asking you why sometimes MFA is/isn't required. Bad or non-consistent answers for this question create frustration.
Helpdesk: Even though good MFA solutions like Okta implement solutions such as backup factors to reduce your helpdesk calls, the helpdesk personnel may still be called in extreme cases to bypass, temporarily disable, or reset MFA. The helpdesk must be able to distinguish legitimate asks from attackers. Having a comprehensive gist of the Adaptive MFA policies in place helps with detecting some attacking patterns.
System Administrators: Adaptive MFA policies are subject to change. As your business evolves, your population behavior evolve. System Admins must understand the Adaptive policy configuration in order to change them when needed.
Security and Compliance personnel: The people in charge of defining, improving, and reporting the company overall security must understand the adaptive policies in place. The "human-understandable" requirement is essential to report security compliance properly.
4 - Be a location ninja
Know when to pick state, region, city, and radius. Combine the best location techniques for your geography.
Most companies today support user access from different locations, including access from home, while commuting, and while traveling. The location behavioral policies can be tricky depending on how you set them. Especially when coupled with users accessing from roaming/mobile network scenarios.
Here's a hypothetical example: Company X is based in Washington, DC. Some of their employees live nearby in Bethesda, Maryland and work from home using mobile connections. Because of this, sometimes their internet connection will be served by antennas located in Washington, DC, sometimes in Bethesda, Maryland:
User location radius in grey. Mobile antennas in green.
If Company X sets Adaptive MFA behavioral policies based on states/districts, they may detect false positives for a user that's standing still. However, if they apply a geographic radius (in miles or kms) from the user access, they will avoid false positives.
Although you don't necessarily have users in Washington or Bethesda, I just used the example above to show you that State, City, Country, and Radius are all great options and a good system administrator will know when to pick each of them.
5 - Be creative and think about combos
The best Adaptive MFA policies combine multiple signals without being hard to explain (it doesn't conflict with tip #3).
The most elegant Adaptive MFA configurations leverage multiple signals while it can be reasonably explained to a human.
As an example, leveraging contextual access management signals such as location, network, and device makes it harder to circumvent MFA. However, if you just turn everything – without reason and balance, you are at risk of not being able to describe your Adaptive MFA policies consistently in a way that it makes sense.
You lose your users trust, makes it harder to check compliance boxes, and also may increase your helpdesk exposure to social engineering attacks.
Here's an example of an Adaptive MFA policy that's easy to explain and convey well to your audience:
Even though the MFA policy above may be using almost 10 signals for MFA - Workday departments, device management on desktop and mobile, predefined locations, user behavioral locations, predefined VPN networks, user location launching VPNs, plus the no-brainers – the policy for the end-user lists three human-friendly statements.
With identity being a critical control point in preventing credential-related security risks, Okta Adaptive Multi-factor Authentication (AMFA) provides secure authentication for your entire business, is simple to use for both administrators and end-users, and uses intelligent policies to enable contextual access management. With AMFA, organizations can close a large security gap without much heavy lifting or impact to employee productivity.
To learn more about Okta Adaptive MFA, click here.