
The goal of Identity and Access Management (IAM) is to ensure the right people have the right access to the right resources, while unauthorized users are denied access. Authentication plays a huge role in IAM: it verifies that users are who they claim to be and is one of the first steps in securing data, networks, and applications. When selecting an authentication method, organizations must consider user experience along with security. Some user authentication types are less secure than others, but too much friction during authentication can lead to poor employee practices.
In this blog, we will cover the best practices and considerations for:
- Multi-factor authentication
- Contextual authentication and user segmentation
- Out-of-band authentication
For a deeper dive, check out the three-part multi-factor authentication webinar series: Ask Me Anything: The Multi-factor Authentication Edition
Best Practices for Successful MFA Deployment
Multi-Factor Authentication (MFA) has become standard practice for preventing unauthorized access and is an essential component for strengthening modern IAM security. According to Osterman Research, two-thirds of organizations are planning to increase their investments in MFA over the next five years. However, the biggest challenge with MFA is the implementation because you risk introducing friction into your user workflows and causing frustration. When implementing MFA in your environment, it is important to keep usability at the center to increase user adoption and prevent security workarounds.
One of the key questions our customers ask us about deploying MFA is how to make it go smoothly. Some organizations have only decided to implement MFA after a breach and rushed the implementation process. They failed to look at all the options available to them. They didn’t analyse their user base. They didn’t lay out a firm plan and launched MFA as soon as their systems were ready. As a result, their technical teams were overwhelmed with help desk calls and support requests, while users struggled to complete everyday tasks with the new process in place.
Before you deploy MFA, you should take a step back and see exactly what needs to be done and when you need to do it. Ideally, you should look at all the options available to you (from authentication methods to configuration settings) and the kinds of users you will be serving MFA to (office workers, field workers, roaming users, etc.), and make a detailed MFA deployment plan.
Here are some key points to ensure a smooth MFA deployment process:
- Know your scope and look at your user base to understand the different needs of each user group.
- Deploy only what you need, since every MFA method you select will have to be supported and maintained.
- Have detailed end-user documentation to provide clear instructions to your users to facilitate adoption and minimize frustration.
For more information, watch the on-demand webinar to learn more about deploying MFA into your organization and how to make it go smoothly.
Contextual Authentication Configuration & User Segmentation
Contextual authentication (aka risk-based or adaptive authentication) is one approach to striking the perfect balance between security and convenience. It enforces the appropriate level of authentication for a specific user under specific circumstances. Because of this personalization, contextual authentication requires significant planning around segmenting users and their access scenarios.
One of the key challenges our customers face when implementing contextual authentication is the configuration. From an implementation standpoint, you should always try to look at the forest before diving into the trees. If you start configuration at the user level, you will have to go back and update the policy when you discover you’re missing certain user groups. On the other hand, if you start configuration at the organization level and tweak it while moving into the different user groups, it ends up being a lot easier to manage and a lot easier to think through. You should also establish a regular review of the requirements and conditions to make sure they still make sense for your users over time.
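The rule hierarchy described above (an organization-wide default first, then narrower rules for specific user groups and conditions) can be sketched as a small policy evaluator. The following is an added example and is not PortalGuard or BIO-key code; the rule names, the user groups "office", "field" and "roaming" (taken from the post), the context signals and the sample users are all constructed for illustration. The most specific matching rule wins, a missing organization-wide rule fails closed, and a coverage report shows which groups in a sample only ever fall through to the default, which is the kind of gap the regular policy review is meant to find.

```python
"""Contextual (risk-based) authentication rule hierarchy.

Added example, not vendor code. Levels, signals and sample users are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Authentication strength, weakest to strongest (constructed labels).
LEVELS = ["password", "password+otp", "password+oob", "deny"]


@dataclass(frozen=True)
class Context:
    """Signals known about a sign-in attempt before authentication completes."""
    user: str
    group: str               # e.g. "office", "field", "roaming"
    trusted_network: bool    # request came from a known corporate IP range
    registered_device: bool  # device is enrolled in the device registry
    country: str


@dataclass(frozen=True)
class Rule:
    """A condition is skipped when it is None; a rule with no conditions is organization-wide."""
    name: str
    required: str
    group: Optional[str] = None
    trusted_network: Optional[bool] = None
    registered_device: Optional[bool] = None
    countries: Optional[FrozenSet[str]] = None

    def matches(self, ctx: Context) -> bool:
        checks = [
            (self.group, ctx.group),
            (self.trusted_network, ctx.trusted_network),
            (self.registered_device, ctx.registered_device),
        ]
        if any(want is not None and want != have for want, have in checks):
            return False
        return self.countries is None or ctx.country in self.countries

    def specificity(self) -> int:
        """Number of conditions set; more conditions = narrower rule."""
        return sum(c is not None for c in
                   (self.group, self.trusted_network, self.registered_device, self.countries))


def evaluate(policy: List[Rule], ctx: Context) -> Tuple[str, str]:
    """Return (required level, rule name). Most specific rule wins; ties go to the stricter level.
    No matching rule at all fails closed with "deny"."""
    matching = [r for r in policy if r.matches(ctx)]
    if not matching:
        return "deny", "no-matching-rule"
    best = max(matching, key=lambda r: (r.specificity(), LEVELS.index(r.required)))
    return best.required, best.name


def coverage_report(policy: List[Rule], contexts: List[Context]) -> List[str]:
    """Groups in the sample that never hit a group-specific rule, i.e. only the org default.
    These are candidates for review: the default may or may not suit them."""
    by_name = {r.name: r for r in policy}
    explicit = {}
    for ctx in contexts:
        _, rule_name = evaluate(policy, ctx)
        rule = by_name.get(rule_name)
        group_specific = rule is not None and rule.group is not None
        explicit[ctx.group] = explicit.get(ctx.group, False) or group_specific
    return sorted(g for g, has_rule in explicit.items() if not has_rule)


# Organization-wide default first, then group-level refinements (constructed policy).
POLICY = [
    Rule("org-default", "password+otp"),
    Rule("office-trusted", "password", group="office", trusted_network=True),
    Rule("field-unregistered", "password+oob", group="field", registered_device=False),
]

# Constructed sample sign-ins covering the three user groups named in the post.
SAMPLE = [
    Context("alice", "office", trusted_network=True, registered_device=True, country="US"),
    Context("bob", "office", trusted_network=False, registered_device=True, country="US"),
    Context("carol", "field", trusted_network=False, registered_device=False, country="US"),
    Context("dave", "roaming", trusted_network=False, registered_device=True, country="DE"),
]

if __name__ == "__main__":
    for ctx in SAMPLE:
        print(ctx.user, ctx.group, "->", evaluate(POLICY, ctx))
    print("groups relying only on the org default:", coverage_report(POLICY, SAMPLE))
```

Removing the organization-wide rule and re-running the evaluation for "dave" shows why the post recommends configuring top-down: with only group-level rules, a group nobody thought of ends up with no rule at all, and the safe outcome is a denial rather than a silent pass.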
For more information, watch the on-demand webinar to learn more about setting up a strong rule hierarchy to make contextual authentication work for your organization, and about the context-based authentication criteria that are defined in PortalGuard.
Choosing Your Out-of-Band Authentication Method
Out-of-band (OOB) authentication is a type of MFA that requires a secondary verification method through a separate communication channel. This practice makes hacking an account more difficult because two separate and unconnected authentication channels would have to be compromised for an attacker to gain access. While many organizations are opting for SMS or phone-based authentication methods to achieve this higher level of security, there are better alternatives to consider.
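What "a separate communication channel" means for the verifying side is that the secret never travels back over the channel it was delivered on: the server issues a short-lived, single-use code bound to the login session, hands it to a second channel (a push notification, a call, a message), and only accepts that exact code from the primary session. The following is an added example, not BIO-key or PortalGuard code; the delivery callback, the 120-second lifetime, the three-attempt limit and the session identifiers are assumptions chosen for the illustration, and the second channel is simulated by a list so the code runs offline.

```python
"""Out-of-band challenge issue/verify logic for the server side of an OOB step.

Added example, not vendor code. TTL, attempt limit and session ids are constructed.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

CODE_TTL_SECONDS = 120   # assumption: codes live two minutes
MAX_ATTEMPTS = 3         # assumption: three guesses, then the challenge is discarded


@dataclass
class PendingChallenge:
    code_hash: bytes
    expires_at: float
    attempts: int = 0


class OobVerifier:
    def __init__(self, deliver: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time) -> None:
        self._deliver = deliver          # the second channel (push, SMS, voice, ...)
        self._clock = clock              # injectable for testing expiry
        self._pending: Dict[str, PendingChallenge] = {}
        self._salt = secrets.token_bytes(16)

    def _hash(self, session_id: str, code: str) -> bytes:
        # The hash keeps plaintext codes out of the store and binds the code to one session.
        # A six-digit space is small, so the attempt limit, not the hash, is the real guard.
        return hashlib.sha256(self._salt + session_id.encode() + b":" + code.encode()).digest()

    def issue(self, session_id: str, destination: str) -> None:
        """Generate a code for this session and send it out on the second channel only."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[session_id] = PendingChallenge(
            self._hash(session_id, code), self._clock() + CODE_TTL_SECONDS)
        self._deliver(destination, code)

    def verify(self, session_id: str, code: str) -> str:
        """Check a code presented on the primary channel. Returns a short outcome string."""
        challenge = self._pending.get(session_id)
        if challenge is None:
            return "unknown-session"          # never issued, already used, or locked
        if self._clock() > challenge.expires_at:
            del self._pending[session_id]
            return "expired"
        challenge.attempts += 1
        if not hmac.compare_digest(challenge.code_hash, self._hash(session_id, code)):
            if challenge.attempts >= MAX_ATTEMPTS:
                del self._pending[session_id]
                return "locked"
            return "mismatch"
        del self._pending[session_id]         # single use: a replayed code must fail
        return "ok"


def run_scenario() -> Dict[str, str]:
    """Drive the verifier through the cases a reviewer would check; returns the outcomes."""
    sent = []                                 # constructed stand-in for the second channel
    now = [1_000.0]                           # constructed fake clock
    v = OobVerifier(deliver=lambda dest, code: sent.append((dest, code)),
                    clock=lambda: now[0])
    results = {}

    v.issue("sess-1", "alice-device")
    code = sent[-1][1]
    wrong = "000000" if code != "000000" else "000001"
    results["wrong_code"] = v.verify("sess-1", wrong)
    results["right_code"] = v.verify("sess-1", code)
    results["replay"] = v.verify("sess-1", code)

    v.issue("sess-2", "alice-device")
    now[0] += CODE_TTL_SECONDS + 1
    results["expired"] = v.verify("sess-2", sent[-1][1])

    v.issue("sess-3", "alice-device")
    code3 = sent[-1][1]
    wrong3 = "000000" if code3 != "000000" else "000001"
    for _ in range(MAX_ATTEMPTS - 1):
        v.verify("sess-3", wrong3)
    results["locked"] = v.verify("sess-3", wrong3)
    results["after_lock"] = v.verify("sess-3", code3)
    return results


if __name__ == "__main__":
    for case, outcome in run_scenario().items():
        print(f"{case:>11}: {outcome}")
```

The scenario exercises the properties that make the second channel worth having: a guessed code is rejected, the delivered code works exactly once, a code presented after its lifetime is refused, and repeated wrong guesses discard the challenge so the short numeric space cannot simply be enumerated.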
Biometrics is one option that many organizations tend to overlook, yet it provides the highest level of security and convenience. BIO-key offers the WEB-key software, which centralizes a user’s biometric information and stores it on the WEB-key server, keeping it out-of-band from the authentication factors of most target applications or devices that users are trying to sign in to. Nonetheless, biometrics is by no means the only true OOB authentication method you can take advantage of, as BIO-key offers many more authentication methods to choose from.
Before deciding on a particular method for OOB authentication, you should always take a good look at the options available from your provider, and don't bite off more than you can chew, because each method requires varying time and effort to implement, as well as for users to adopt.
Watch the on-demand webinar to learn more about the pros and cons of different authentication methods and how your organization can implement OOB authentication properly.
