Highly diverse groups of users, applications, integrations and security requirements make preparing for enterprise-wide software selection and deployment an elaborate task. And as recommendations to deploy multi-factor authentication (MFA) everywhere proliferate, application owners often go through a three-step thought process:
1. Should I go with an existing legacy MFA solution? No; that could compromise adoption, UX and on-time delivery.
2. What if we collect corporate MFA requirements and plan/execute an all-company rollout? That's a complicated, intensive endeavor, and there must be a better way. How about:
3. I choose a cloud-delivered MFA solution for my application only.
But while the third option is an attractive choice up front, it can lead to several unintended negative consequences down the road.
For one, the technology selected might not meet your enterprise’s larger security posture. Second, the application owner might not accurately forecast the flexibility required by future users of the application. And finally, this decision doesn’t take into account the potential to widen the technology to cover other use cases or the chance that central IT selects a new enterprise-wide multi-factor authentication solution. All of these scenarios lead to the same unintended consequence: the need for users to (once again) migrate to a new solution.
There’s a better way forward, and it’s found through the five keys to enterprise-grade, cloud-delivered MFA:
1. Comprehensive Use Case Support
Historically, remote workforce access was the primary driver for multi-factor authentication adoption in the enterprise. As such, out-of-the-box integrations with popular VPN solutions remain a common requirement. But many of today's enterprise resources are hosted outside of the firewall, and the proliferation of stolen credentials as an attack vector is driving CISO-level initiatives to implement MFA everywhere. "Everywhere" is a broad term, but enterprise considerations should include both common and emerging use cases, and the out-of-the-box integrations that coincide with faster time to value.
But it's not a great fit for everyone. Large enterprises should consider the range of authentication methods a multi-factor authentication solution supports, as well as the flexibility for users to change authentication methods on the fly in case their preferred second factor isn't available.
There are also BYOD, business unit and geographic realities enterprises must contend with. The following isn’t an exhaustive list of user populations and scenarios to consider, but it does shine a light on the diverse range of authentication methods that enterprises should take into account.
Organizations with BYOD policies should note that BlackBerry and Windows Phone users will require "non-push" authentication methods like SMS, email and voice OTP.
Organizations without BYOD policies that don't supply all users with corporate mobile devices need support for authentication methods such as YubiKeys and hard tokens.
Organizations that do business in areas with unreliable cellular coverage should provide authentication methods other than voice and SMS OTPs.
Organizations with employees who wear gloves in certain facilities should provide authentication methods other than fingerprint authentication on their mobile device.
Organizations that disallow the use of mobile devices in the workplace (hospitals, manufacturing facilities, etc.) need alternatives such as authentication via a desktop application.
3. High Availability To Maintain Productivity
Cloud-delivered multi-factor authentication services provide many benefits over their legacy, on-premises predecessors. In the realm of cost savings, the administrative, support and hardware costs enterprises incur by self-managing these solutions can be substantial. A portion of those costs can be attributed to maintaining redundant instances of MFA infrastructure to ensure that SLAs are met and that the solution is highly available.
MFA everywhere means that a user's second factor becomes their key to everyday work. Needless to say, the cloud-delivered MFA service itself must be highly available to ensure that productivity isn't impacted in the case of an outage. However, a far more likely scenario is that the user loses internet connectivity and cannot reach the cloud-delivered multi-factor authentication service at all. Whether this is due to inclement weather, the use of airplane mode or a lack of available Wi-Fi, the potential impact to workforce productivity in a new world of "MFA everywhere" shouldn't be taken lightly.
An emerging use case where this scenario is especially relevant is the extension of MFA to end users logging into their desktops and laptops. The ability to "manually" authenticate in scenarios where internet connectivity is limited becomes crucial to maintaining productivity. See a demonstration of how Ping Identity supports this use case here.
A cloud-hosted multi-factor authentication solution makes the administrative burden of maintaining MFA everywhere a fraction of what it would be with a solution hosted in house. But integrating MFA everywhere is no easy task, especially with your existing portfolio of on-premises applications, network and end user devices—not to mention the integrations the MFA solution needs in order to use third-party information when making authentication decisions, or the legacy third-party MFA integrations needed to maintain security (and productivity) during the migration process.
Developing these integrations and maintaining them can require multiple IT administrators and developers, as well as help desk personnel to field calls when these connections break. An enterprise-grade solution should enable business agility with multiple out-of-the-box integrations to:
5. Security Requirements Met without Compromising Usability (Adaptive MFA)
As a large enterprise, it's likely that some of your multi-factor authentication use cases (but not all) will be integrations with highly sensitive applications and APIs. And while you wouldn't require users to be on the corporate network to check email, you might require it before they can download your organization's internal financial statements. To achieve a balance between usability and security, you need an MFA solution with a flexible set of policies, adaptive to user and device context as well as the sensitivity of the resource.
High-trust scenarios should be treated as such. In the case of users accessing low-risk resources while in the office on the corporate network, your MFA solution should only come into play if it is “silently” authenticating the user. That is, it is not interrupting the user with a prompt for authentication but checking the user’s network, device posture or geolocation in the background before granting access.
Low-trust scenarios should also be treated appropriately, as users generally understand the need to verify their identity before enabling a high-risk transaction. This is especially important to note when embedding MFA in consumer-facing mobile applications. Users might not want to authenticate (again) using a fingerprint on their mobile device prior to viewing their account balances. But they might want to require a fingerprint authentication for transactions on their account over a certain dollar amount.
A rich set of policies is the only way to implement MFA everywhere without detracting from the overall user experience. Enterprise policy requirements should include the ability to chain and order policies surrounding:
Users: Group membership, network of access, geolocation, etc.
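The policy behaviour described in this section, as an added example that is not part of the original post and not Ping Identity's policy engine: an ordered chain of rules over user, device, geolocation and resource context, where a trusted in-office context on a low-risk resource passes silently, sensitive resources or large transactions step up to a second factor, and anything the chain doesn't recognise falls closed to a prompt. The country list, group name and dollar threshold are constructed sample values.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW_SILENT = "allow: background checks passed, no prompt"
    STEP_UP = "prompt for second factor"
    DENY = "deny"


@dataclass(frozen=True)
class Context:
    groups: frozenset          # user's group membership
    on_corp_network: bool      # network of access
    device_managed: bool       # device posture
    country: str               # geolocation, ISO country code
    resource: str              # "low" (e.g. email) or "high" (e.g. financials)
    amount: float = 0.0        # transaction amount, 0 for plain reads


ALLOWED_COUNTRIES = {"US", "CA", "GB"}   # constructed sample values
STEP_UP_AMOUNT = 500.0                   # constructed threshold


# Each rule returns a Decision or None (no opinion). The chain is ordered:
# rules are evaluated top to bottom and the first decision wins.
def geo_block(ctx: Context):
    return Decision.DENY if ctx.country not in ALLOWED_COUNTRIES else None


def sensitive_resource(ctx: Context):
    if ctx.resource == "high":
        allowed = "finance" in ctx.groups and ctx.on_corp_network
        return Decision.STEP_UP if allowed else Decision.DENY
    return None


def large_transaction(ctx: Context):
    return Decision.STEP_UP if ctx.amount > STEP_UP_AMOUNT else None


def trusted_context(ctx: Context):
    # In the office, on a managed device, reading a low-risk resource:
    # verify silently and do not interrupt the user.
    if ctx.on_corp_network and ctx.device_managed and ctx.resource == "low":
        return Decision.ALLOW_SILENT
    return None


POLICY_CHAIN = [geo_block, sensitive_resource, large_transaction, trusted_context]


def evaluate(ctx: Context):
    """Return (decision, name of the deciding rule) so every outcome is auditable."""
    for rule in POLICY_CHAIN:
        decision = rule(ctx)
        if decision is not None:
            return decision, rule.__name__
    return Decision.STEP_UP, "default"   # unknown context: fail closed to a prompt
```

Reordering `POLICY_CHAIN` changes outcomes (moving `trusted_context` first would silently allow a large transaction from the office), which is why the ordering of policies matters as much as their content.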
6. Bonus! Migration and Rollout Services to Minimize Business Disruption
Whether you're migrating from a legacy two-factor authentication solution or implementing MFA everywhere for the first time, you likely understand that changing the daily routines of every user in your organization won't be easy. Extensive background research is required to ensure that all users will be able to successfully (and securely) register, enroll and use the service without impacting their day-to-day lives. In your search for an enterprise-grade multi-factor authentication solution, you should seek a listing of best practices that details the need-to-know information for rolling out MFA everywhere, including information surrounding:
Registration and Enrollment
Avoiding Business Disruption
Supporting Your Helpdesk
As long as basic credentials like usernames and passwords continue to be compromised, the quest to implement MFA everywhere will proliferate in large enterprises. Whether these initiatives are taken at a departmental level or enterprise wide, the five keys to enterprise-grade, cloud-delivered multi-factor authentication can serve as a guideline when searching for the right MFA solution. Many of these requirements (and more!) have been outlined in a recent report published by the Gartner for Technical Professionals organization: Cloud-Based MFA Is Ready For Prime Time.
And for those looking to build their business case for upgrading their legacy on-premises two-factor authentication solution to a cloud-delivered, adaptive MFA solution, download our whitepaper.
Watch this webinar replay to learn the requirements for rapid adoption and implementation of MFA everywhere.