Buyer's Handbook:

Multifactor authentication methods, use cases and products



Purchasing multifactor authentication tools: What to consider

Find out what you need to know before investing in a multifactor authentication tool, including the drawbacks and the benefits.

Many different multifactor authentication products are available on the market, and while they all have the potential to improve security, they often do so in subtly different ways -- which can make them easier or harder to deploy, depending on the particular circumstances of a business.

However, companies sometimes spend money on a security product but then fail to install, configure, administer or manage the product in a secure way. On top of this, prices vary widely. The range from the lowest to most expensive platforms per user, per device can span an order of magnitude.

This means enterprises should shop carefully when it comes to buying multifactor authentication tools and know what is included and what will cost extra to support a particular installation. To get the process moving, ask the following questions.

Do I need to give non-employees access to corporate resources?

Conduct an end-user device census if possible. This will help your enterprise understand the total population it needs to protect with these tools. Enterprises should pay close attention to which offices non-employees connect to; whether they are consultants, partners or contract workers; and whether their corporate Active Directory stores already list those users.

Companies with a geographically distributed workforce may be better off using mobile apps or software-based tokens rather than physical ones. Depending on the results of the census, enterprises may find they're better off securing traditional VPNs or terminal servers with additional factors for remote access. If so, companies should look at the vendors that support their VPNs to make integration easier.

How does the multifactor authentication software connect to my Active Directory store?

Some multifactor authentication tools add agents, some make use of web services, some provide two-way synchronization and some go only one way.

Should I purchase a cloud-based multifactor authentication server?

This decision depends on whether your organization is a server-hugger and how widely the company has deployed its own assets in the cloud. How many cloud apps does it currently support and what are its plans for the future? The more apps and servers an enterprise has in the cloud, the more the organization will want to deploy multifactor tools that make use of its own cloud-based services rather than on-premises servers.

Some vendors offer both versions but with different functionality. Others charge differently for cloud-based services.

The cloud-based multifactor authentication benefits include eliminating the need to install and maintain on-premises platforms and the associated local infrastructure. Because cloud-based multifactor products can be easier to set up, they can be especially appealing to smaller organizations, as well as to those that already have a significant collection of cloud servers in their own IT infrastructures. Cloud-based platforms can also help companies increase flexibility, as well as save on management and help desk costs compared to on-premises platforms.

Which servers or applications are most at risk?

Before buying any multifactor authentication tool, look closely at the apps the tool supports and how the tool supports those apps.

Start by implementing multifactor authentication for the most at-risk applications and those that contain the most sensitive data. Then, work down the list to those apps that are less sensitive or critical to determine whether the cost of the deployment -- and the risks multifactor authentication can mitigate -- provides enough ROI.

Some organizations start by deploying multiple factors to protect remote access, and then move onto more mission-critical enterprise applications. Others do the reverse. Either way, admins must carefully look at the documentation available to configure and debug the installation of each supported app.

Why? Because the debugging phase requires a lot of time and companies will need all the help they can get. It's important to take this into consideration when purchasing a multifactor authentication tool, as some servers are more at risk than others.

Will users need multiple types of tokens and access methods?

Some multifactor authentication devices are better at handling multiple tokens and access methods than others. Some vendors set up pricing to make it easier or harder to handle multiple token types.

Meanwhile, some let customers set up multiple token types for each user for authentication. This allows a user to choose whichever token is most convenient at login time.

What is the process to bypass or revoke access for a particular token?

Be sure to examine what happens when a user needs to bypass a token. Users might need to contact the help desk to bypass the system as a last resort because they can't log into their accounts after repeatedly entering their usernames/passwords and two-factor authentication, and then taking all the other steps necessary to gain access to those accounts. What would the process be from the perspective of the enterprise support desk?

The flip side of this is how access is set up for hundreds of users and understanding the workflows involved. Look at how each product creates and modifies its security policies and whether it provides a consistent set of policies across the entire user base or if the policy collections differ depending on the token types or mobile OSes.

How much business do end users conduct on mobile devices?

Ensure any multifactor authentication tool supports the current inventory and versions of mobile devices. This means organizations must optimize the identity authentication experience around mobile use cases.

Part of the product evaluation should be to determine if the products support a particular mobile operating system, how the product supports it, as well as the difficulty of the sign-on process. This evaluation is worth it once the tool is implemented and users begin seeing the multifactor authentication benefits.

Do I need Fast ID Online Alliance support?

Fast ID Online (FIDO) is a set of technology-agnostic security specifications for strong authentication.

Developed by the FIDO Alliance, a nonprofit organization that seeks to standardize authentication at the client and protocol layers, FIDO specifications support multifactor authentication and public key cryptography. If enterprises are serious about deploying multifactor tools, they'll want to give this more weight. Organizations should also consider including future support as part of their multifactor requirements or requests for proposals.

At least 465 devices support the FIDO Alliance's authentication standards as of 2018.
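To make concrete what "public key cryptography" buys a relying party, here is an added example (not code from the article, the FIDO Alliance or any vendor) of the challenge-response flow FIDO-style authenticators use, written in Go with only the standard library. It is a simplified model: the authenticator keeps one P-256 key pair per relying-party ID and a signature counter, the server stores only the public key, and the signed payload is reduced to SHA-256(rpID) || counter || SHA-256(challenge || origin) rather than the full WebAuthn authenticator-data and client-data layout. The relying-party ID "example.com", origin "https://example.com", user "alice" and the foreign origin "https://evil.example" are assumed values. The server-side checks show why this beats a shared secret: a replayed assertion, an assertion relayed from another origin, a non-advancing counter and a tampered signature are all rejected, and a different relying party cannot even ask the token to sign.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Server-side record: a public key and the last signature counter seen. No secret lives on the server.
type Credential struct {
	PublicKey *ecdsa.PublicKey
	Counter   uint32
}

// RelyingParty models the server; ID and Origin are assumed example values.
type RelyingParty struct {
	ID, Origin string
	creds      map[string]*Credential
	challenges map[string][]byte // one outstanding challenge per user
}

// Authenticator models a FIDO token: one key pair per relying-party ID plus a signature counter.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

// Assertion is the authenticator's signed reply; Origin is covered by the signature.
type Assertion struct {
	Counter   uint32
	Origin    string
	Signature []byte
}

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{ID: id, Origin: origin, creds: map[string]*Credential{}, challenges: map[string][]byte{}}
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register mints a P-256 key pair scoped to rpID and hands back only the public half.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[rpID] = priv
	return &priv.PublicKey
}

// Enroll stores the public key for a user; the counter starts at zero.
func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.creds[user] = &Credential{PublicKey: pub} }

// BeginLogin issues a random single-use challenge.
func (rp *RelyingParty) BeginLogin(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.challenges[user] = c
	return c
}

// signedPayload is the simplified byte string both sides hash:
// SHA-256(rpID) || counter || SHA-256(challenge || origin). Real WebAuthn carries more fields.
func signedPayload(rpID string, counter uint32, challenge []byte, origin string) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	clientHash := sha256.Sum256(append(append([]byte{}, challenge...), origin...))
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, counter)
	out := append([]byte{}, rpHash[:]...)
	out = append(out, ctr...)
	return append(out, clientHash[:]...)
}

// Authenticate signs the challenge with the key held for rpID; another relying party has no key to ask for.
func (a *Authenticator) Authenticate(rpID, origin string, challenge []byte) (*Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for this relying party")
	}
	a.counter++
	digest := sha256.Sum256(signedPayload(rpID, a.counter, challenge, origin))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{Counter: a.counter, Origin: origin, Signature: sig}, nil
}

// FinishLogin: challenge is consumed (replay fails), origin must be ours (relayed assertion fails),
// counter must advance (cloned token detected), signature must verify under the enrolled key.
func (rp *RelyingParty) FinishLogin(user string, as *Assertion) error {
	cred, ok := rp.creds[user]
	if !ok {
		return errors.New("unknown user")
	}
	challenge, ok := rp.challenges[user]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(rp.challenges, user)
	switch {
	case as.Origin != rp.Origin:
		return errors.New("origin mismatch")
	case as.Counter <= cred.Counter:
		return errors.New("signature counter did not advance")
	}
	digest := sha256.Sum256(signedPayload(rp.ID, as.Counter, challenge, as.Origin))
	if !ecdsa.VerifyASN1(cred.PublicKey, digest[:], as.Signature) {
		return errors.New("signature does not verify")
	}
	cred.Counter = as.Counter
	return nil
}

func main() {
	rp := NewRelyingParty("example.com", "https://example.com") // assumed values
	auth := NewAuthenticator()
	rp.Enroll("alice", auth.Register(rp.ID))

	as, _ := auth.Authenticate(rp.ID, rp.Origin, rp.BeginLogin("alice"))
	fmt.Println("genuine login:", rp.FinishLogin("alice", as))
	fmt.Println("replayed assertion:", rp.FinishLogin("alice", as))
	relayed, _ := auth.Authenticate(rp.ID, "https://evil.example", rp.BeginLogin("alice"))
	fmt.Println("relayed from another origin:", rp.FinishLogin("alice", relayed))
}
```

The checks in FinishLogin are the ones worth asking a vendor about when evaluating FIDO support: single-use challenges, origin binding and counter tracking are what turn the public key into phishing and replay resistance, and a product that stores the public key but skips them gives up most of the benefit.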

How are authentication reports scheduled and exported?

Each multifactor authentication product provides a variety of reports -- most designed for technical staff, while others are more suitable for management. Some products have many export options, as well.

Reporting data is crucial, so enterprises need to look at how a multifactor authentication tool generates and distributes those reports.

How many multifactor authentication elements need to be installed?

Some vendors have multiple server software components or multiple identity agents. Others are less complex. The decision to purchase multifactor authentication tools should depend on an organization's needs, as well as the resources available to implement and support the software.

Should I purchase a single sign-on product with multifactor authentication included?

Single sign-on (SSO) is great if an organization already has a lot of uniformly used SaaS and web apps across the enterprise and wants to provide end-user sign-on portal pages to access all of them. SSO falls down, however, if users' app portfolios vary widely or if they don't support the collection of multifactor methods.

Linda Rosencrance contributed to this report.

This was last published in January 2019


What challenges have you faced when deploying multifactor authentication tools?
The two-factor authentication, though not a silver bullet, could be reliable when it comes with a reliable password. 2 is larger than 1 on paper, but two weak boys in the real world may well be far weaker than a toughened guy. Physical tokens and phones are easily lost, stolen and abused. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution requires the use of the most reliable password. At the root of the password headache is the cognitive phenomenon called "interference of memory", by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.
You pose an interesting idea. I've never thought of using images or sounds for anything other than loose "biometrics." Another really fascinating concept is eliminating passwords altogether and using the MFA already available on phones and computers. Yes, it still relies on a "lose-able or steal-able" phone, but the security is theoretically still stronger and more efficient. Here's the article where I first discovered this idea (if you're interested): Hope it helps!
Good idea, hitoshianatomi - my banks use some form of image authentication, and I find it easier to remember that in conjunction with a password.