Successful Multi Factor Authentication (MFA) Implementation



Overview

Glen Willis shares a clear approach to MFA that people will actually use. Treat MFA as required, shape the rollout to match your users, and plan a steady move from SMS codes to stronger factors as comfort grows.

  • Put MFA in policy for the systems that matter most.
  • Meet users where they are to drive adoption first.
  • Use SMS if it helps uptake, then upgrade as skills and tools improve.
  • Keep the conversation going so factors evolve with your risk.

Transcript

I’m Glen Willis, Director of Cyber Technology with Kalles Group.

Most implementation efforts should involve collaboration with your users. It’s important to make them feel that the way the implementation impacts them is critical.

MFA today, in my view, should be treated as non-negotiable. I would write that into your policy and say, “MFA will be used for systems X, Y, and Z,” and position it as a requirement.

Now, implementation can be adjusted a bit. We’re seeing more and more cases where, instead of just opening an authenticator app and clicking “yes” or “allow,” users now have to capture a code and enter it elsewhere, or click on the correct code.

We get asked all the time, “Is delivering codes via SMS okay?” My sense is that whatever gets you to adoption is the right path for your organization. If you have a lot of users who aren’t very tech-savvy and don’t use technology as their primary tool, people who aren’t sitting at a laptop all day like I am, then choose a solution that meets them where they are.

Everyone knows how to check a text message, get a code, and type it in. Some will say that’s not the most secure method, and there’s some validity to that. It’s probably a five- or ten-minute conversation we could have. But I would say: make MFA non-negotiable, require it.

Then, from an implementation standpoint, think about your users. Choose the solution that will get you the adoption rate you need. If you’re using SMS-based delivery of codes, maybe that’s your approach for a year or two. Then consider switching to something more secure as your users become more comfortable.

That’s my feedback there.
