
Multi-Factor Authentication

  • Rohit
  • Sep 30, 2022
  • 4 min read

Multi-factor authentication, also referred to as two-factor authentication, bolsters the security of the sign-in process by requiring the user to provide an additional form of identification. This could be something like a PIN or passcode, a device in their possession like a phone or hardware key, or even biometrics like a fingerprint scan.

IAM becomes more secure with the implementation of MFA. This is because the “second factor” is usually something that only the end user either knows or has. Studies by both Google and Microsoft have shown that the right type of second factor can increase login security to very near 100%, dramatically reducing the risk of a compromise.

MFA solutions have lived separately from these other IAM categories as an added solution and step for end users. Most cloud directory platforms now integrate MFA as a standard mechanism for securing an identity.

The Role of Multi-Factor Authentication in Protecting Identity Access Management:

Despite its apparent simplicity, MFA plays a crucial role in protecting IAM. In an IAM environment without MFA, anyone with valid user credentials can gain access to the resources they are assigned to. These credentials could be stolen, but when checked against the database they will be verified as true and access is granted. This is one of the most prevalent attack vectors, as 61% of data breaches involve compromised credentials.

An IAM environment with MFA is significantly more secure. Even if the credentials are verified against the database, access is not granted until the MFA challenge is cleared. It could be something the end user is supposed to know or have in their possession. In both scenarios, the chances for a remote attacker to break through are drastically reduced.

MFA protects IAM by ensuring that an IT resource is not compromised simply because the username and password combination was leaked. Passwords are notoriously unreliable when used as the only authentication factor. It is far less likely that an attacker will have stolen a set of valid credentials and also have the answer to the MFA challenge.
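The two-step check described above, as an added example that is not from the original post: a password match alone never returns access, and a time-based code (RFC 6238 TOTP) gates the final decision. The user store, password and function names are constructed for illustration, and the secret is the published RFC 6238 test key.

```python
import hashlib
import hmac
import struct

# Constructed sample account; the TOTP secret is the RFC 6238 test key, not a real one.
SALT = b"constructed-salt"
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
        "totp_secret": b"12345678901234567890",
    }
}

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): HOTP over the number of elapsed time steps."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def login(user: str, password: str, code: str, now: int) -> str:
    """Return 'granted' only when both factors pass; otherwise name the failed step."""
    record = USERS.get(user)
    # Hash the supplied password even for unknown users so both paths cost the same.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    if record is None or not hmac.compare_digest(candidate, record["pw_hash"]):
        return "denied: credentials"
    # The password is valid, but access is still withheld until the challenge clears.
    # Accept the current step and one step either side to tolerate clock drift.
    for drift in (-1, 0, 1):
        expected = totp(record["totp_secret"], now + drift * 30)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return "granted"
    return "denied: mfa"
```

A production verifier would also rate-limit attempts and reject a code already used in the same time step; both are left out here.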


What Are the Challenges of MFA in IAM?

MFA is sometimes an unappealing prospect for decision-makers and end users with a lack of understanding of security best practices. The time needed to log in and verify identity through either a device or token can be seen as inconvenient, especially if the second factor is a time-based numerical code. Push notification MFA can be a great, user-friendly alternative for IT admins to implement as a way to minimize pushback. However, the onus is still ultimately on IT to educate users and get them on board for MFA.

It’s also worth noting that MFA doesn’t account for the other aspects of IAM even though it may seem like the perfect fit for web apps. Implementing MFA across the entire organization can prove difficult if there is no centralized way to manage user identities and MFA, or if an additional vendor needs to be added to the IT environment to facilitate this connection. If MFA is left up to the users to implement, some may choose not to do it, which would leave an attack vector open to exploitation.


How to Best Leverage MFA to Protect Identity Access Management?

There are several MFA implementation best practices that all organizations should follow to protect IAM. For starters, multi-factor authentication should be compulsory for all instances in which an identity requests access to an IT resource that could end up compromising itself or the business if the access is unauthorized. All mission-critical IT resources, from cloud apps to on-premises apps to VPN and wireless networks and more, should be protected with MFA.

User devices should absolutely be secured using multi-factor authentication. Take a system admin’s laptop for example. Unauthorized access to that machine not only compromises the local data but also has the potential to provide access to the organization’s critical IT resources. Since devices act as a conduit to all other resources, they must themselves be secured through MFA. A great MFA solution will be able to secure Linux, Mac, and Windows devices under a common approach.

When paired with conditional access policies, MFA can be even more powerful. In that case, IT admins can customize the MFA prompt to either be generated or not generated if certain conditions are met. This allows MFA to be less cumbersome for end users while still meeting security requirements. For example, admins can disable MFA prompts for employees working on a whitelisted IP, or for C-level executives working from a trusted device.
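A conditional access decision of the kind described above, as an added example that is not from the original post or any vendor's product. The network range, device identifier, resource names and the rule that some resources always prompt are assumptions chosen for illustration; the function prompts by default and fails closed on a malformed source address.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed policy data: a documentation-range network and made-up identifiers.
ALLOWLISTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
TRUSTED_DEVICES = {"laptop-0042"}
ALWAYS_MFA_RESOURCES = {"vpn", "admin-console"}  # assumed mission-critical set

@dataclass
class SignIn:
    user: str
    source_ip: str
    device_id: str
    resource: str

def mfa_required(ctx: SignIn) -> tuple[bool, str]:
    """Decide whether to prompt for MFA. Prompting is the default; a skip needs a match."""
    if ctx.resource in ALWAYS_MFA_RESOURCES:
        return True, "resource always requires MFA"
    try:
        ip = ipaddress.ip_address(ctx.source_ip)
    except ValueError:
        # A header carrying several addresses or garbage must never earn an exemption.
        return True, "unparseable source address"
    if any(ip in net for net in ALLOWLISTED_NETWORKS):
        return False, "allowlisted network"
    if ctx.device_id in TRUSTED_DEVICES:
        return False, "trusted device"
    return True, "no exemption matched"
```

The returned reason string is meant for the sign-in log, so that every skipped prompt can be traced to the condition that allowed it.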

The ideal MFA solution that effectively supports an organization’s IAM approach has the following characteristics:

· It is not just a point solution; instead, it is tied directly to the core identity provider.

· It does not require the purchase of an additional vendor contract.

· It can extend across virtually all IT resources, not just cloud apps.

· It is system-agnostic, and can fully protect heterogeneous IT environments.

· It allows for customizable conditional access policies.

· It provides a frictionless authentication experience for end users.

 
 
 
