With the increasing importance of securing business accounts, multi-factor authentication (MFA) has become a widely adopted standard. Although its effectiveness in preventing unauthorized access is undeniable, implementing MFA solutions can be complicated due to the variety of designs and ideas available. As a result, businesses and employees often find that MFA can be overly cumbersome.
There are several reasons why MFA has not been more widely implemented.
1. The Perception of MFA as a Financial Burden
Implementing MFA for businesses comes with a cost, and the expenses associated with MFA can accumulate over time. Third-party MFA solutions often come with subscription fees, which are typically charged per user. Even built-in options, such as Microsoft 365’s MFA features, can incur additional costs depending on the Microsoft Entra license. Furthermore, there are costs associated with training employees to use MFA and the time spent by IT on enrollment. If MFA leads to an increase in help desk calls, support costs will also rise. While these expenses are significantly less than the cost of a security breach (which was $4.88 million last year), businesses often struggle to recognize this connection.
In addition to these direct costs, the indirect costs of MFA implementation should also be considered. These can include the time and resources required to manage and maintain MFA systems, as well as the potential impact on employee productivity.
2. Persistent Challenges with User Experience
Regardless of the approach taken, MFA inevitably adds extra steps to the authentication process. After entering a password, users must complete an additional verification step, which creates friction. Administrators must carefully consider the type of MFA used and how frequently it is required, and balance these factors against risk. Combining MFA with Single Sign-On (SSO) can help alleviate some of the authentication burden by allowing users to authenticate once to access multiple applications, rather than logging in separately to each one. This reduces friction for users and prevents MFA from interfering with their work. Beyond SSO, it is essential to keep end users satisfied by choosing an MFA platform with flexible policy settings. For instance, internal workstation access may not require MFA as frequently as remote access via VPN, RDP, or other external connections.
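The "flexible policy" idea above (prompt less often on an internal workstation, more often on remote channels) is easiest to reason about as a small decision function. The following is an added example, not code from the original article or from any MFA vendor; the re-authentication windows, the internal address ranges, the channel names and the rule that a workstation sign-in from a non-internal address is treated as remote are all assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed re-authentication windows per access channel. These values are
# illustrative, not a vendor default: an interactive sign-in on an internal
# workstation is trusted for a working day, remote channels for much less.
REAUTH_WINDOWS: Dict[str, timedelta] = {
    "workstation": timedelta(hours=12),
    "vpn": timedelta(hours=1),
    "rdp": timedelta(minutes=30),
}

# Constructed internal address ranges for the example.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class SignIn:
    user: str
    channel: str      # "workstation", "vpn", "rdp" or an unknown channel
    source_ip: str
    at: datetime


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def mfa_required(signin: SignIn, last_mfa: Optional[datetime]) -> bool:
    """Decide whether this sign-in must complete a second factor.

    Assumed rules: an unknown channel always prompts; a "workstation" sign-in
    from outside the internal ranges is treated as remote and gets the VPN
    window; otherwise prompt only when the user's last successful MFA is
    older than the channel's window, or never happened.
    """
    channel = signin.channel
    if channel == "workstation" and not is_internal(signin.source_ip):
        channel = "vpn"
    window = REAUTH_WINDOWS.get(channel)
    if window is None or last_mfa is None:
        return True
    return signin.at - last_mfa > window


def evaluate(events: List[SignIn]) -> List[bool]:
    """Run a time-ordered sequence of sign-ins through the policy.

    Tracks the last successful MFA per user; a prompt is assumed to be
    completed successfully so that later decisions can rely on it.
    """
    last_mfa: Dict[str, datetime] = {}
    decisions: List[bool] = []
    for ev in events:
        prompt = mfa_required(ev, last_mfa.get(ev.user))
        if prompt:
            last_mfa[ev.user] = ev.at
        decisions.append(prompt)
    return decisions


def sample_events() -> List[SignIn]:
    """Constructed sample day: one user moving between channels, plus an
    unknown channel that the policy has no window for."""
    t = datetime(2024, 5, 1, 9, 0)
    return [
        SignIn("alice", "workstation", "10.1.2.3", t),
        SignIn("alice", "workstation", "10.1.2.3", t + timedelta(hours=4)),
        SignIn("alice", "vpn", "203.0.113.5", t + timedelta(hours=4, minutes=30)),
        SignIn("alice", "rdp", "203.0.113.5", t + timedelta(hours=4, minutes=50)),
        SignIn("alice", "workstation", "203.0.113.9", t + timedelta(hours=6)),
        SignIn("bob", "kiosk", "10.1.2.4", t),
    ]


if __name__ == "__main__":
    for ev, prompt in zip(sample_events(), evaluate(sample_events())):
        print(f"{ev.at:%H:%M} {ev.user:6} {ev.channel:12} {ev.source_ip:14} prompt={prompt}")
```

The point of the design is that the same user sees one prompt for a day of internal desk work but is re-prompted as soon as the channel or the network position changes; the policy falls back to "always prompt" for anything it does not recognise, so a gap in the channel table fails closed rather than open.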
3. Hidden Pitfalls in MFA Implementation
Deploying MFA and training users is a complex task. The first step is to create and manage a system that simplifies the process – from user enrollment to monitoring MFA activity. It is crucial to choose an MFA solution that integrates seamlessly with the organization’s existing identity setup. Securing access to a combination of on-premises Active Directory (AD) and cloud infrastructure can result in managing multiple identities per user, creating management overhead and a hybrid identity security gap.
Scalability is also a critical factor: as the user base grows, can the system keep up? If a third-party MFA service is relied upon, what happens in the event of downtime? Connectivity is a further issue. Many MFA solutions assume users are always online, but what if they are offline or on an isolated network with limited connectivity? It is essential to consider how and where users log on and to evaluate whether the MFA solution should support local prompts, so that users can still authenticate when their device is not connected to the internet.
4. The Limitations of MFA
While MFA significantly enhances security, it is not a foolproof solution. Each MFA method has its weaknesses, which attackers can exploit. For example, SMS-based MFA (which is no longer recommended) is vulnerable to SIM-swapping attacks, while push notifications can be susceptible to MFA fatigue, where users are bombarded with repeated login requests by attackers who have already compromised their passwords.
More advanced attackers have tools to steal session cookies, allowing them to bypass MFA entirely in certain situations. SSO, while convenient, can exacerbate the problem – if an attacker breaches one MFA barrier, they may gain access to multiple applications.
A More Effective Approach to MFA
The key takeaway is that MFA should be part of a broader strategy that includes monitoring and logging to provide administrators with visibility into authentication activities. While MFA is a crucial layer in defending against unauthorized access, its deployment will inevitably bring challenges. It is essential to plan for these challenges and understand the costs, consider user experience, and take a proactive approach to mitigating the limitations of MFA.
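The MFA fatigue pattern described in section 4 (repeated push prompts an attacker sends to a user whose password is already compromised) is exactly the kind of authentication activity the monitoring called for here should surface. The following is an added example, not code from the original article or from any MFA product: it runs a simple burst detector over constructed, key=value-style log lines of a hypothetical format, and the ten-minute window and three-prompt threshold are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample log lines in a hypothetical key=value format; they are
# not output of any real MFA product. bob's burst at 22:01-22:03 is the pattern
# of interest: four refused or unanswered pushes, then an approval.
SAMPLE_LOG = """\
2024-05-01T08:12:03Z user=alice event=mfa_push result=approved ip=10.4.1.22
2024-05-01T22:01:10Z user=bob event=mfa_push result=denied ip=198.51.100.9
2024-05-01T22:01:41Z user=bob event=mfa_push result=timeout ip=198.51.100.9
2024-05-01T22:02:15Z user=bob event=mfa_push result=denied ip=198.51.100.9
2024-05-01T22:02:50Z user=bob event=mfa_push result=denied ip=198.51.100.9
2024-05-01T22:03:30Z user=bob event=mfa_push result=approved ip=198.51.100.9
2024-05-01T22:10:00Z user=carol event=mfa_push result=denied ip=10.4.1.30
2024-05-01T23:10:00Z user=carol event=mfa_push result=denied ip=10.4.1.30
2024-05-01T23:11:00Z user=carol event=password result=success ip=10.4.1.30
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"result=(?P<result>\S+) ip=(?P<ip>\S+)$"
)

WINDOW = timedelta(minutes=10)   # assumed burst window
THRESHOLD = 3                    # assumed non-approved pushes before alerting


def parse(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_mfa_fatigue(lines, window=WINDOW, threshold=THRESHOLD) -> List[dict]:
    """Flag bursts of refused or unanswered push prompts per (user, source ip).

    A finding opens with severity "suspicious" when `threshold` non-approved
    pushes fall inside `window`; it is escalated to "critical" if an approval
    from the same source arrives while the burst is still inside the window,
    the shape of a fatigue attempt that succeeded. An approval closes the burst.
    """
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    open_alert: Dict[Tuple[str, str], dict] = {}
    findings: List[dict] = []

    for line in lines:
        ev = parse(line)
        if ev is None or ev["event"] != "mfa_push":
            continue
        key = (ev["user"], ev["ip"])
        q = recent[key]
        # Drop prompts that have fallen out of the window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if not q and key in open_alert:
            del open_alert[key]   # burst went quiet; finding stays recorded

        if ev["result"] == "approved":
            if key in open_alert:
                open_alert[key]["severity"] = "critical"
                open_alert[key]["approved_at"] = ev["ts"]
                del open_alert[key]
            q.clear()
            continue

        q.append(ev["ts"])
        if key in open_alert:
            open_alert[key]["count"] = len(q)
        elif len(q) >= threshold:
            finding = {
                "user": ev["user"], "ip": ev["ip"], "severity": "suspicious",
                "count": len(q), "first_at": q[0], "approved_at": None,
            }
            findings.append(finding)
            open_alert[key] = finding
    return findings


if __name__ == "__main__":
    for f in detect_mfa_fatigue(SAMPLE_LOG.splitlines()):
        print(f"{f['severity']:10} user={f['user']} ip={f['ip']} pushes={f['count']} "
              f"first={f['first_at']:%H:%M:%S} approved={f['approved_at']}")
```

Keying on user and source address together keeps a user who simply fumbles a prompt at their desk (carol, two refusals an hour apart) below the threshold, while a rapid series of refusals followed by an approval from the same unfamiliar address is escalated; the approval timestamp is kept so an analyst can pivot to whatever session that login created.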