
How we implemented Multi-Factor authentication (MFA) to our systems

Mark Hall - 23 May 2019

For any organisation, the protection of their data and online assets is increasingly important and implementing effective deterrents is essential. Too often organisations only increase their security measures after they have been the victim of a data breach, when those measures could potentially have prevented it from occurring in the first place. As organisations are increasingly using a mixture of systems, which can include those they host themselves plus other online Cloud based services, finding a single method to protect all of these can be a challenge.


What is Multi-Factor or Two-Factor authentication (MFA / 2FA)?

For many years most online systems were protected using a straightforward combination of usernames and passwords. As hackers became increasingly skilled at cracking weak passwords, organisations required their users to implement increasingly complex ones, perhaps adding some additional security questions. Unfortunately, this meant that users could no longer remember their passwords so they needed to store them securely somewhere.

As organisations offer remote or home working to their teams, it is essential to have a robust method to enable them to connect securely. If remote workers are able to connect to your secure network over the Internet, then relying purely on a username and password combination is no longer sufficient. Multi-Factor or Two-Factor authentication provides an additional layer of security to organisations. Many of the larger online providers such as Google and Microsoft have implemented Multi-Factor authentication to their online systems.

Fundamentally, any Multi or Two-Factor authentication solution requires the user to receive or generate a code which has to be used in conjunction with a username and password in order to gain access. SMS (Text) messages were, and still are, a popular way for organisations to send a one-off code to a user which they then use to gain access. However, SMS is no longer regarded as a sufficiently secure way of implementing Multi-Factor authentication, as detailed in this article by Kaspersky.


Finding a user friendly Multi-Factor authentication solution

The challenge we faced when we were looking to implement a Multi-Factor authentication solution across our organisation was finding one which would cover both our internally and externally hosted resources. We wanted to avoid having a range of Multi-Factor authentication solutions where users had to remember or use a different method based on the service they were trying to access. We also needed to find a solution which worked easily across a range of devices from laptops to tablets and smartphones, without the need for specific software or certificates to be installed on each one.

We encourage our team to work flexibly, so we also needed a solution which could work well across both remote office locations and mobile data connections.


How we chose the solution we implemented

The solution which we ultimately decided to implement was in some ways influenced by the infrastructure which we already have in place. Our primary aim for implementing Multi-Factor authentication was to secure all external access points to our network. The solution which was offered by our perimeter firewall provider was therefore attractive as it allowed us to implement the changes without installing additional hardware. It was also essential that the experience for our users when connecting to our network was straightforward and reliable.

The potential drawback of implementing a Multi-Factor authentication solution from a hardware provider is that it works well on the perimeter but cannot be easily integrated with other internal and externally hosted Cloud based systems. We wanted to avoid our team having to use different authentication solutions to access different applications. The solution we have put in place provides this flexibility and allows us to manage user access to both our own and Cloud based systems all in one place.

If you are looking to implement a Multi-Factor authentication solution to your systems then I would initially recommend looking at what your existing hardware provider has available and whether this can also be integrated with other Cloud based applications.


Avoid adding any back doors

When you implement a Multi-Factor authentication solution it might be tempting to add some form of back door which administrators can use in case of a problem. The moment you have a way into your systems which circumvents the Multi-Factor authentication, you have simply reduced the level of security which you were trying to put in place. It is important to fully test your implementation so that you are completely confident with it and therefore have no need for any back doors.


Implementing Multi-Factor authentication to other online systems

If you are not yet at a point of implementing Multi-Factor authentication across your organisation then I would strongly recommend ensuring that you have it enabled for other online systems which you may already use.

PCMag have provided a good guide detailing how to implement Multi-Factor authentication across most popular online services.