Cyber threats are becoming more frequent and sophisticated. Protecting our digital assets isn’t just a priority — it’s a necessity. And, while we are observing Cybersecurity Awareness Month, the Cybersecurity and Infrastructure Security Agency (CISA) noted companies need to “turn on multifactor authentication (MFA).” However, there needs to be a more calculated approach to doing so. MFA is a powerful tool in our cybersecurity arsenal that adds extra layers of security beyond just passwords. But, let's be honest: implementing MFA can be tricky, especially with new regulations from bodies like CISA, the National Institute of Standards and Technology (NIST) and the White House Office of Management and Budget (OMB).
Many organizations are deploying ”good enough” MFA solutions to about 80% of their operations. What is “good enough”? It means doing enough to comply with regulations and mandates, or to say “Yes, we’re doing MFA.” While this might seem sufficient, these versions of MFA often can’t address all the use cases the organization needs, leaving critical gaps in security. This partial implementation creates a false sense of security and is one reason why phishing attacks continue to rise at record numbers.
Best practices for effective MFA implementation
To avoid “good enough” MFA, here are eight practical steps you can take to implement it that will make a real difference:
Align with regulatory requirements
First things first: make sure your MFA setup ticks all the regulatory boxes. Follow the NIST guidelines to implement phishing-resistant methods like CBA and FIDO2 passkeys. You want to steer clear of SMS and OTP-based MFA since they're not as secure. In addition, it’s important to adhere to CISA Directives and implement strong MFA across all systems to protect against phishing and other attacks. If you’re handling Controlled Unclassified Information, use methods like Certificate-Based Authentication (CBA) to stay compliant with the Cybersecurity Maturity Model Certification (CMMC) requirements. In addition, move toward zero trust architecture and adopt phishing-resistant MFA technologies by the set deadlines of the OMB.
Avoid the trap of “good enough” MFA
Don't settle for MFA solutions that only provide a minimal level of security or cover only a portion of your organization. You’ll want to:
- Assess all use cases: Identify all the areas within your organization that require secure authentication, including remote access, privileged accounts and legacy systems.
- Eliminate security gaps: Ensure that your MFA solution addresses all these use cases, leaving no part of your organization vulnerable.
- Upgrade to stronger methods: Invest in technologies like CBA and FIDO2 passkeys (more to come on these authentication methods below) that offer robust protection against phishing and other attacks.
- Regularly review security posture: Stay updated with the latest threats and adjust your MFA strategies accordingly.
Embrace certificate-based authentication
The best security measures won’t help if people don’t use them, so aiming for methods that are secure but also convenient, like CBA, are critical. CBA might sound technical, but it’s a game-changer because it uses cryptographic keys that are tough to crack, and it works online and offline. It is also phishing resistant since it doesn’t rely on user-entered credentials, so phishing attempts are much less like to succeed. CBA doesn’t just verify users either — it can authenticate devices too, adding another layer of security. In addition, CBA is compatible with old and new systems because it is widely adopted and integrates with both legacy and modern systems, saving companies from costly overhauls and making it very accessible to users.
Implement FIDO2 passkeys
Hardware bound FIDO 2 passkeys offer a smooth user experience. Hardware bound FIDO2 Passkeys take passwordless authentication to the next level because they are highly secure, using public key cryptography to ensure authentication is bound to legitimate sites, which makes phishing nearly impossible. It’s also user-friendly. You can say goodbye to passwords forever and users can log in with biometrics or security keys. This saves time and cost for both the user and the company regarding password resets. And lastly, it’s flexible and accessible to users.
Educate and engage your users
People are at the heart of your security, so it’s imperative that you train them on how to use new authentication methods in an engaging and effective way. You must also continuously educate them about phishing risks and why these new methods are important. Providing the right support and resources to help them adjust and address any concerns will ensure a smooth transition.
Use adaptive or risk-based MFA
Not every login attempt is the same so companies must assess risks and look at factors like location and device to gauge risk. Companies must also adjust accordingly and require extra verification only when needed. And finally, it’s important to make sure your adaptive strategies align with all necessary regulations that apply to your company.
Plan for backup and recovery
Bad things can happen! Devices get lost and systems fail, so companies should have alternative backup methods that are also secure. Additionally, it’s important to set up recovery procedures to ensure users can regain access without compromising security.
Integrate seamlessly with your systems
Make the transition as smooth as possible by leveraging compatibility with methods such as CBA that work with your existing systems. You can also use Single Sign-On (SSO) to streamline the login process. And, when appropriate, collaborate with experts and partner with providers who know how to integrate these technologies effectively.
Remember, settling for “good enough” MFA isn’t good enough. Deploying such solutions to only 80% of your organization leaves critical gaps, making your organization susceptible to phishing and other cybersecurity attacks. It can’t address all the unique use cases your organization might have, which means some areas remain vulnerable.
Implementing phishing-resistant MFA doesn't have to be a daunting task. By focusing on authentication methods like CBA and hardware bound FIDO2 passkeys, you can meet regulatory mandates and enhance your security posture — all while making the process smoother for your users.