Choosing the Right Step-up MFA Mechanisms
When you're choosing authentication factor(s) as part of an MFA system, a "one size fits all" approach just doesn't work. Organizations must balance usability, cost and security in order to provide the right amount of security without impacting the user experience, which could alienate their user base.
But how do you choose the right step-up MFA mechanism for your particular environment? You might want to consider these variables when making your choices:
As an example from the consumer world, Google supports a number of different MFA mechanisms, from text messages and phone calls to security keys and verification codes. These mechanisms account for the different preferences and constraints of its users, and they also serve as backups when the primary mode is unavailable.
For a consumer mobile app, MFA capabilities should be integrated into the existing native application rather than requiring the customer to download a separate authentication application. For example, Twitter app users can turn on what's called "two-step verification" from within the app, and they're then prompted to approve certain operations, such as signing on to their account from a previously unknown machine.
Choosing the right step-up MFA mechanisms can be a daunting task. In our MFA blog series we've outlined the basics of authentication and the top authentication mechanisms, and now we've explored the considerations when choosing step-up MFA.
We've argued that the optimal mix of cost-effectiveness, security and usability for an MFA system is best achieved through a combination of explicit and overt sign-on mechanisms with implicit and passive contextual mechanisms. The decision of when to rely on invisible contextual factors and when to require one or more of the explicit mechanisms should be based on a risk assessment. A risk-based model ensures that the user is confronted with explicit authentication UX only when necessary, with passive contextual authentication becoming more and more the default.
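As an added illustration of the risk-based model described above (example code written for this post, not code from the original article or from any product it mentions): passive contextual signals are scored, the explicit factor is demanded only when the score crosses a threshold, and the strongest factor the user has enrolled is chosen. The signal names, weights, thresholds and factor ordering are constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical weights and thresholds (constructed for this example); a real
# deployment derives them from its own risk assessment and abuse data.
SIGNAL_WEIGHTS = {
    "unknown_device": 40,       # sign-on from a device never seen for this account
    "new_country": 30,          # geolocation differs from the account's usual country
    "anonymizing_network": 20,  # request arrives via a known VPN/Tor exit range
    "off_hours": 10,            # outside the user's habitual activity window
}
OPERATION_RISK = {"view": 0, "sign_on": 10, "change_email": 30, "transfer_funds": 50}
STEP_UP_THRESHOLD = 50   # at or above: require an explicit factor
DENY_THRESHOLD = 120     # at or above: refuse and route to manual review
# Strongest first; only factors the user has actually enrolled are offered.
FACTOR_PREFERENCE = ["security_key", "authenticator_app", "push_approval", "sms_code"]

@dataclass
class Request:
    device_known: bool
    country: str
    usual_country: str
    anonymizing_network: bool
    local_hour: int        # 0-23 in the user's own timezone
    operation: str
    enrolled_factors: list

def risk_score(req: Request) -> int:
    """Sum the contextual signals that fired plus the operation's sensitivity."""
    score = OPERATION_RISK.get(req.operation, 50)  # unknown operations treated as sensitive
    if not req.device_known:
        score += SIGNAL_WEIGHTS["unknown_device"]
    if req.country != req.usual_country:
        score += SIGNAL_WEIGHTS["new_country"]
    if req.anonymizing_network:
        score += SIGNAL_WEIGHTS["anonymizing_network"]
    if not 7 <= req.local_hour <= 22:
        score += SIGNAL_WEIGHTS["off_hours"]
    return score

def decide(req: Request) -> tuple:
    """Return (decision, factor): allow silently, step up with a factor, or deny."""
    score = risk_score(req)
    if score >= DENY_THRESHOLD:
        return ("deny", None)
    if score < STEP_UP_THRESHOLD:
        return ("allow", None)
    for factor in FACTOR_PREFERENCE:
        if factor in req.enrolled_factors:
            return ("step_up", factor)
    return ("deny", None)  # nothing enrolled to step up with: fail closed
```

A routine sign-on from a known device produces no prompt at all, while the same sign-on from an unknown machine (the Twitter case above) reaches the step-up threshold and is challenged with the strongest enrolled factor.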
To learn more, read our latest white paper, Best Practices for Step-up Multi-factor Authentication.