Many different multifactor authentication products are available on the market, and while they all have the potential to improve security, they often do so in subtly different ways -- which can make them easier or harder to deploy, depending on the particular circumstances of a business.
However, companies sometimes spend money on a security product but then fail to install, configure, administer or manage the product in a secure way. On top of this, prices vary widely. The range from the lowest to most expensive platforms per user, per device can span an order of magnitude.
This means enterprises should shop carefully when it comes to buying multifactor authentication tools and know what is included and what will cost extra to support a particular installation. To get the process moving, ask the following questions.
Do I need to give non-employees access to corporate resources?
Conduct an end-user device census if possible. This will help your enterprise understand the total population it needs to protect with these tools. Enterprises should pay close attention to which offices non-employees connect to; whether they are consultants, partners or contract workers; and whether their corporate Active Directory stores already list those users.
Companies with a geographically distributed workforce may be better off using mobile apps or software-based tokens rather than physical ones. Depending on the results of the census, enterprises may find they're better off securing traditional VPNs or terminal servers with additional factors for remote access. If so, companies should look at the vendors that support their VPNs to make integration easier.
How does the multifactor authentication software connect to my Active Directory store?
Some multifactor authentication tools add agents, some make use of web services, some provide two-way synchronization and some go only one way.
Should I purchase a cloud-based multifactor authentication server?
This decision depends on if your organization is a server-hugger and how widely the company has deployed its own assets in the cloud. How many cloud apps does it currently support and what are its plans for the future? The more apps and servers an enterprise has in the cloud, the more the organization will want to deploy multifactor tools to make use of its own cloud-based services rather than on-premises servers.
Some vendors offer both versions but with different functionality. Others charge differently for cloud-based services.
The cloud-based multifactor authentication benefits include eliminating the need to install and maintain on-premises platforms and the associated local infrastructure. Because cloud-based multifactor products can be easier to set up, they can be especially appealing to smaller organizations, as well as with those that already have a significant collection of cloud servers in their own IT infrastructures. Cloud-based platforms can also help companies increase flexibility, as well as save on management and help desk costs compared to on-premises platforms.
Which servers or applications are most at risk?
Before buying any multifactor authentication tool, look closely at the apps the tool supports and how the tool supports those apps.
Start by implementing multifactor authentication for the most at-risk applications and those that contain the most sensitive data. Then, work down the list to those apps that are less sensitive or critical to determine whether the cost of the deployment -- and the risks multifactor authentication can mitigate -- provides enough ROI.
Some organizations start by deploying multiple factors to protect remote access, and then move onto more mission-critical enterprise applications. Others do the reverse. Either way, admins must carefully look at the documentation available to configure and debug the installation of each supported app.
Why? Because the debugging phase requires a lot of time and companies will need all the help they can get. It's important to take this into consideration when purchasing a multifactor authentication tool, as some servers are more at risk than others.
Will users need multiple types of tokens and access methods?
Some multifactor authentication devices are better at handling multiple tokens and access methods than others. Some vendors set up pricing to make it easier or harder to handle multiple token types.
Meanwhile, some let customers set up multiple token types for each user for authentication. This allows a user to choose whichever token is most convenient at login time.
What is the process to bypass or revoke access for a particular token?
Be sure to examine what happens when a user needs to bypass a token. Users might need to contact the help desk to bypass the system as a last resort because they can't log into their accounts after repeatedly entering their usernames/passwords and two-factor authentication, and then taking all the other steps necessary to gain access to those accounts. What would the process be from the perspective of the enterprise support desk?
The flip side of this is how access is set up for hundreds of users and understanding the workflows involved. Look at how each product creates and modifies its security policies and whether it provides a consistent set of policies across the entire user base or if the policy collections differ depending on the token types or mobile OSes.
How much business do end users conduct on mobile devices?
Ensure any multifactor authentication tool supports the current inventory and versions of mobile devices. This means organizations must optimize the identity authentication experience around mobile use cases.
Part of the product evaluation should be to determine if the products support a particular mobile operating system, how the product supports it, as well as the difficulty of the sign-on process. This evaluation is worth it once the tool is implemented and users begin seeing the multifactor authentication benefits.
Do I need Fast ID Online Alliance support?
Fast ID Online (FIDO) is a set of technology-agnostic security specifications for strong authentication.
Developed by the FIDO Alliance, a nonprofit organization that seeks to standardize authentication at the client and protocol layers, FIDO specifications support multifactor authentication and public key cryptography. If enterprises are serious about deploying multifactor tools, they'll want to give this more weight. Organizations should also consider including future support as part of their multifactor requirements or requests for proposals.
At least 465 devices support the FIDO Alliance's authentication standards as of 2018.
How are authentication reports scheduled and exported?
Each multifactor authentication product provides a variety of reports -- most designed for technical staff, while others are more suitable for management. Some products have many export options, as well.
Reporting data is crucial, so enterprises need to look at how a multifactor authentication tool generates and distributes those reports.
How many multifactor authentication elements need to be installed?
Some vendors have multiple server software components or multiple identity agents. Others are less complex. The decision to purchase multifactor authentication tools should depend on an organization's needs, as well as the resources available to implement and support the software.
Should I purchase a single sign-on product with multifactor authentication included?
Single sign-on (SSO) is great if an organization already has a lot of uniformly used SaaS and web apps across the enterprise and wants to provide end-user sign-on portal pages to access all of them. SSO falls down, however, if users' app portfolios vary widely or if they don't support the collection of multifactor methods.
Linda Rosencrance contributed to this report.