In the constantly changing world of cybersecurity, multi-factor authentication (MFA) is a critical line of defense against unauthorized access to sensitive data. As hackers develop more sophisticated forms of cyberattacks, it becomes increasingly essential to implement MFA within your organization. In this blog, we will lay out the best practices for deploying and managing MFA in order to bolster your organization’s cybersecurity posture as best you can.
We assume that you already know what MFA is if you’re searching for MFA best practices, but let’s have a brief refresher course, shall we? MFA is an authentication method that uses two or more factors to validate users’ identities. These factors can be something you know (e.g., password, PIN), something you have (e.g., smartphone, hardware key), and/or something you are (e.g., your fingerprint, your face).
Now that that reminder is out of the way, let’s get into the best practices for implementing MFA.
Phishing-resistant MFA (like Entra CBA and FIDO2) is the absolute best way to improve your security posture; however, depending on your specific use case, it might not be feasible. It’s important to go with an authentication combination that balances security and user experience – for example, you could combine a YubiKey with a biometric factor.
If, for whatever reason, unphishable credentials are not a viable option for your organization to implement, we recommend you use passwordless phone authentication instead. Passwordless phone authentication is inherently more secure than non-passwordless forms of MFA due to the many problems with using passwords, but, alas, it is still not unphishable.
In lay terms, if you get a ton of push notifications that say something such as, “Do you accept?”, followed by a call from what is supposedly your IT helpdesk telling you, “Just click ‘yes’ on the push notifications, we’re running routine maintenance,” you likely just experienced (and maybe fell for) a phishing scheme. Because push-based phone authentication can be defeated by this kind of social engineering, we strongly recommend using passwordless phone authentication only if unphishable MFA is not a feasible option – simply put, it’s better than most, but nowhere near the best.
Whatever authentication method you do choose, unphishable MFA or not, do not use SMS authentication! SMS authentication is an incredibly insecure authentication method, yet many organizations still have not moved past it. Why shouldn’t you use SMS authentication? Well, SMS can easily be intercepted or redirected, providing hackers with a wide-open gateway to infiltrate your organization’s network. Simply put, using SMS authentication is asking to be hacked.
While MFA is essential for securing identities, it’s not the sole solution. A robust identity security strategy also involves implementing smart conditional access. This means ensuring that user authentication only occurs from approved devices and locations, and that said approved devices meet specific security standards. Leveraging Intune, Microsoft’s MDM solution, enhances conditional access by verifying that users are accessing from managed devices; moreover, Microsoft’s extensive network allows their AI to identify potential threats more effectively, observing patterns across various clients. This integrated approach of MFA with conditional access policies forms a more comprehensive defense against unauthorized access.
Let’s face it – not every one of your users is going to fully understand how to use the MFA system you implement at first. By providing training and resources to educate your users about the importance of MFA and how to use it effectively, you can alleviate people’s nerves about using a new system and ensure that there are as few errors as possible.
MFA is a vital component of a robust security strategy. By following these best practices, your organization can significantly enhance your security posture while simultaneously maintaining a user-friendly experience. Remember, the goal of MFA is not just to add layers of security, but to also implement them in such a way that they work seamlessly in the background, protecting users without causing undue inconvenience.
If you would like to see how implementing unphishable MFA can help secure your organization, feel free to schedule a FREE consultation with one of our identity experts today! Additionally, be sure to check out EZCMS, the best passwordless onboarding tool for Entra, to see just how simple we make the onboarding process for unphishable credentials.