Understanding MFA Factors: You’re Not Using the Right Ones

With the rise in both the number and sophistication of today’s security threats, the benefits of multi-factor authentication (MFA) have become widely recognized, leading to increased adoption across enterprise and consumer apps. From a security standpoint, this is all good news. We know that passwords alone are not enough to secure your data, and that having at least a second factor is critical. In our annual Businesses at Work survey, we found that nearly 70% of Okta customers offer three or more factor options to their users today (compared to 62% last year). However, we also found there is still some room for progress when choosing the right factors to protect company applications and data.

An effective MFA solution balances usability, cost-effectiveness, and security. Some factors are relatively easy to use, but can come at the expense of security. It helps to imagine factors on a scale of assurance, meaning that if a user inputs that factor, how likely is it that they are who they say they are? Factors range from low assurance (security questions and passwords) to high assurance (biometrics and physical tokens), with a range in between (push notifications, one-time passwords).

Our data shows that many of our customers are still relying on low-assurance factors like SMS and security questions. In fact, the security question is the most popular factor our customers deploy and adopt, and it’s on the rise: 38% of MFA users are using security questions today, compared to 30% last year. One challenge here is that answers to security questions can often be found in public records (someone’s mother’s last name, for example; here’s Google’s research on the topic). Using SMS as the sole second factor also comes with risk. In fact, for companies complying with regulations like DFARS, NIST guidelines no longer allow SMS-based two-factor authentication because of the risk of codes being intercepted.

That’s not to say that these factors are inadvisable in an MFA solution — it’s that the right factors should be paired with the right level of risk.


How Do You Know Which Factor to Choose?

In the past, security and usability were a zero-sum game: the more stringent the security requirements, the more burdensome they were for teams. This resulted in users taking shortcuts whenever possible (and inadvertently putting the company at risk). When it comes to protecting critical company data while enabling a frictionless experience for teams, adaptive MFA aligns the right factors with the risk level associated with a request. It analyzes a user’s access request — the network, location, and device they’re using, and the information they’re looking for — in order to determine which additional factors are required.

For example, an employee accessing a file-sharing app while working from the office may not require as strict a second factor (especially if it was accessed on a managed device), while that same employee requesting that same access from a remote location would require a step-up. If that app contained more sensitive information, such as that accessed by privileged system users, a request from the wrong place or at the wrong time would require a much higher assurance second factor, or may not be allowed at all.

See it in practice: Read how one of our customers, Funding Circle, secures important financial information

The Next Step: Develop Policies for More Sophisticated MFA

While implementing an adaptive MFA solution solves many of the challenges posed by the risks of low-assurance factors, setting the right policies for your organisation will help ensure successful adoption. As a starting point, require that end users select only the most secure MFA factors, and remove security questions and SMS as factor options for high-risk access requests. Establish device management and BYOD policies with your IT team so you can carefully monitor whether access requests coming from unmanaged devices require a step-up. And always require MFA when a user attempts to mask his or her IP address using a proxy.

Finally, make higher-security factors, such as one-time passwords, soft or physical tokens, or even biometrics, standard practice. With the right set of adaptive MFA policies, security and usability are no longer a zero-sum game.
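The request analysis described in the previous section and the policies listed above, as an added Python example (this is not Okta's code or its product behaviour; the factor names, the AccessRequest fields and the thresholds are assumptions chosen to mirror the post):

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class Assurance(IntEnum):
    LOW = 1     # security questions, SMS
    MEDIUM = 2  # push notifications, one-time passwords
    HIGH = 3    # physical tokens, biometrics

# Assurance each factor provides, following the scale described in the post.
FACTOR_ASSURANCE = {
    "security_question": Assurance.LOW,
    "sms": Assurance.LOW,
    "push": Assurance.MEDIUM,
    "totp": Assurance.MEDIUM,
    "hardware_token": Assurance.HIGH,
    "biometric": Assurance.HIGH,
}

@dataclass(frozen=True)
class AccessRequest:
    on_corporate_network: bool   # request originates from the office network
    managed_device: bool         # device is enrolled in device management
    via_proxy: bool              # source IP is a known proxy/anonymizer
    privileged_resource: bool    # target holds sensitive or privileged data

def required_assurance(req: AccessRequest) -> Optional[Assurance]:
    """Minimum second-factor assurance (assumed example policy); None means deny."""
    if req.privileged_resource and not req.managed_device and req.via_proxy:
        return None  # wrong place on an untrusted device: not allowed at all
    if req.privileged_resource:
        return Assurance.HIGH  # sensitive data always needs a high-assurance factor
    if req.via_proxy:
        return Assurance.MEDIUM  # masked IP: always step up
    if req.on_corporate_network and req.managed_device:
        return Assurance.LOW  # trusted context: a less strict second factor suffices
    return Assurance.MEDIUM  # remote or unmanaged device: step-up required

def allowed_factors(req: AccessRequest) -> list:
    """Factors the user may pick for this request; an empty list means deny."""
    level = required_assurance(req)
    if level is None:
        return []
    return sorted(f for f, a in FACTOR_ASSURANCE.items() if a >= level)

if __name__ == "__main__":
    office = AccessRequest(True, True, False, False)
    remote_priv = AccessRequest(False, False, False, True)
    print(allowed_factors(office))       # all six factors
    print(allowed_factors(remote_priv))  # ['biometric', 'hardware_token']
```

Because security questions and SMS sit at the LOW level, they drop out automatically for any request that is stepped up, which is the high-risk exclusion the post recommends.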
