Multi-factor authentication (MFA) is an excellent balance between security and convenience when it comes to protecting your users’ accounts and data. Implementing an effective MFA system helps your business maintain compliance with data protection regulations and reduce your legal liability if a user’s account is compromised.

No security measure is foolproof, however, and making MFA work across your organization can involve some challenges that you will need to overcome.

What Is Multi-Factor Authentication (MFA)?

MFA requires users to provide two or more different categories of evidence proving their identity before allowing them to log in. Authentication factors are typically categorized into:

• Something you know (such as a password or PIN)

• Something you have (such as your mobile device or an authentication key token)

• Something you are (such as facial recognition, fingerprints, and other biometrics)

Most MFA systems ask for something you know and something you have. In other words, to gain unauthorized access to an account secured with MFA, an attacker would need to have access to a user’s mobile device and know their username and password.

Low Adoption Rates

One of the first challenges an organization can face when implementing multi-factor authentication is getting people to use it in the first place. 68% of people do not use MFA everywhere that it is available. Unfortunately, many users see the added security step as an inconvenience that they will avoid if possible. This is especially true if they are not aware of the added security it offers them. Multi-factor authentication can protect businesses from attacks that can result in huge data breaches. Just ask Uber. Back in 2016, hackers stole the personal data of 57 million people by gaining unauthorized access to Uber’s network, and it was not a sophisticated attack. Rather, an Uber software developer had inadvertently left their user credentials exposed in code they shared on GitHub. Anyone with access to their GitHub repository could then log into their Uber developer account and access sensitive data. Any form of multi-factor authentication would have prevented this method of attack.

As a result, the best way to mitigate this challenge is to make MFA as convenient as possible by enabling people to authenticate with methods they already use, such as texting or an authentication app. This means that your MFA system does not add to the many different authentication and login systems that users have to manage and remember across their many accounts.

Automated Phishing Attempts

Increasing the amount of information or access that an unauthorized user needs to login makes it more difficult for attackers to get everything they need through phishing. It is not impossible however, and by phishing for the right information an attacker can intercept authentication messages sent to a personal device, or impersonate a user’s device in order to log in.

The most sophisticated multi-factor authentication systems are being made increasingly resistant to this method of attack. Unless you educate your users about how to spot automated phishing attempts and how to respond to them, even a phishing-resistant MFA system won’t stop every attack.

Personal Devices

Personal devices like phones and laptops are often used as part of multi-factor authentication processes, such as sending authentication codes via SMS or email or by using an app to generate an authentication key.

Personal devices like these are often one of the weakest links in user account security besides users themselves. There are numerous ways malicious users can intercept data intended for a personal device or pretend to be connecting from a legitimate user’s device. And, of course, they can simply be stolen or controlled remotely, giving an attacker access to any saved logins or unprotected data on the device.

Using personal devices in multi-factor authentication is often a necessary compromise despite these challenges. It is the easiest MFA method for most users. It also helps increase the number of people who choose to use your multi-factor authentication system. The potential risks of personal devices can be mitigated by following best practices for using devices at home and work. For added security, businesses can encourage customers and employers to use hardware-based authentication methods such as key generators. According to Google, Google Accounts which were secured by hardware-based authentication were immune to almost all automated and bulk phishing attacks.

Reporting of Potential Security Breaches

On average, it takes almost 200 days for a security breach to be identified. It is vital to educate your users about the importance of immediately reporting potential security breaches, giving you time to restrict access to their accounts before further damage is done. This is particularly relevant when using MFA systems requiring additional accounts or using a personal device such as a phone.

Unless you make it clear to them, users may not immediately realize that something could compromise their account security. For example, suppose a user’s phone is stolen, or their email account is hacked. They used that phone or email to authenticate with your system. In that case, the thief may already have access or the details they need to access other accounts.

Suppose users do not understand that this may compromise an account they have with your company. In that case, you might not find out about the possible security breach until it is too late to act. Therefore, it is also essential to help users understand how to spot the signs that an account has been compromised so that they can report the issue faster.

Common signs of a compromised online account include:

• The password has been changed.

• The user has received emails about a password or account information change they did not request.

• The user has received phishing emails, which can easily be done with any of the popular email marketing platforms, that contain personal data associated with an account.

• The user has received notifications about login attempts from unfamiliar locations or IP addresses.

Conclusion

Multi-factor authentication, like any other security system, is not infallible. It does make life significantly harder for a potential attacker, making your organization and your users a less attractive target for fraud and data theft. It is vital to implement multi-factor authentication in a convenient way for your users, however, as it cannot protect their accounts if they do not want to use it.