Passwords are hard and you are busy, so putting additional layers of security between you and your business systems can feel really annoying, particularly when you are late for that video call and you can’t find your phone to retrieve the pin to access the conferencing system.
But if you or your company has experienced the pain, lost business, reputational and financial damage caused by a significant data breach, or even the emotional and personal impact of identity theft, then you will understand that implementing MFA is really a no-brainer.
Luckily, a lot of systems make it very easy and for your personal use a quick search of the settings will reveal how to switch on MFA.
The reality however is that from a business perspective implementing MFA needs careful thought and planning to ensure that it gains popular support and does not end up unravelling for you.
There are plenty of companies out there who will be delighted to help you work through a Single Sign On (SSO) programme from a strategy, planning, implementation and technology perspective, but the purpose of this article is to help you think through some of the issues from a DIY perspective.
Humans are tricky animals and the people aspects are generally where you need to start. The vision may be to enable MFA for all your users on all your systems all the time, but it may have to start as a gradual process on core and critical systems.
To successfully roll out MFA, you are going to need to:
- be clear about what you want to protect,
- decide what MFA technology you’re going to use, and
- understand what the impact on employees is going to be.
Fundamentally it is a job for the entire organisation, from the security team to business stakeholders to IT departments to HR and to corporate communications and beyond, because it is going to need to support all the business applications, systems, networks and processes without affecting workflow. Here are some tips about how to make it work:
Sell the programme and over communicate
In reality MFA is not a burden that is being imposed on people – it is there to help them and protect their accounts and data. They may not see it entirely like that when the idea is first communicated but involving HR and Internal marketing in the planning stages can make all the difference in finding effective messages and ways of communicating them – doing some detailed work up front may make the overall implementation much easier from a human perspective.
The key is awareness: focus on informing your users and explaining why you are making this change, making it very clear what they will need to do and where they can find instructions, documentation and support. It is important to be able to explain why the added inconvenience you are causing them is worth taking seriously.
Focus initially on the right users rather than everyone
This really means starting with your admin accounts. These are your highest value targets, but they are also useful as examples and ambassadors for wider adoption. This is also a great opportunity to review access privileges, which will undoubtedly have suffered from “mission creep” since the last review.
It is also a good idea to look at privileged users: key business roles whose access to data can have an asymmetric impact on security risk if compromised. Your CEO, CFO and other senior leaders need to move to MFA to protect business communications, but privileged access to data does not necessarily correspond to seniority.
Take a systems-based approach
Just as different users will have a disproportionate security impact, so will different systems, and prioritisation will be important. As well as an inventory of applications and networks (including remote access options), look at processes like employee onboarding and approval of new applications. Test how applications work with MFA, even when you expect the impact to be minimal. Concentrate on finding any networks or systems where deploying MFA will take more work.
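The two sections above (start with admin and privileged accounts, then prioritise systems by impact and by how much work MFA will take) are the kind of thing you can turn into a repeatable gap report as soon as you have an export from your identity provider and an application inventory. The script below is an added example, not code from the article or from any vendor. The CSV columns, the constructed sample rows, the role names and the 90-day idle threshold for flagging admin accounts that deserve a privilege review are all assumptions for illustration.

```python
"""MFA rollout gap report over a constructed directory and application export.
Example code only; the column layout and sample data are assumptions."""
import csv
import io
from datetime import date

# Constructed sample identity-provider export: these are not real accounts.
USERS_CSV = """\
username,role,data_access,mfa_enrolled,last_login
alice,global-admin,privileged,no,2024-05-01
bob,helpdesk-admin,standard,yes,2024-05-03
carol,finance-controller,privileged,no,2024-05-02
dave,engineer,standard,no,2024-05-04
erin,ceo,standard,no,2024-04-30
frank,legacy-admin,privileged,no,2023-11-12
"""

# Constructed sample application inventory. mfa_support is an assumed field:
# 'native' (app enforces MFA itself), 'sso' (fronted by the SSO provider), 'none'.
APPS_CSV = """\
app,criticality,mfa_support,owner
payroll,high,sso,finance
vpn,high,native,it
wiki,low,native,it
legacy-erp,high,none,ops
chat,medium,sso,it
"""

# Senior leadership roles that move early regardless of data_access (assumption).
SENIOR_ROLES = {"ceo", "cfo"}


def parse_csv(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def is_admin(user):
    return user["role"].endswith("admin")


def is_privileged(user):
    return user["data_access"] == "privileged" or user["role"] in SENIOR_ROLES


def plan_user_waves(users):
    """Wave 1: admin accounts; wave 2: privileged users and senior leaders;
    wave 3: everyone else. Users already enrolled in MFA are skipped."""
    waves = {1: [], 2: [], 3: []}
    for u in users:
        if u["mfa_enrolled"].strip().lower() == "yes":
            continue
        if is_admin(u):
            waves[1].append(u["username"])
        elif is_privileged(u):
            waves[2].append(u["username"])
        else:
            waves[3].append(u["username"])
    return waves


def stale_admins(users, today, max_idle_days=90):
    """Admin accounts idle for more than max_idle_days: candidates for the
    privilege review the article recommends. The threshold is an assumption."""
    stale = []
    for u in users:
        if not is_admin(u):
            continue
        idle = (today - date.fromisoformat(u["last_login"])).days
        if idle > max_idle_days:
            stale.append(u["username"])
    return stale


def prioritise_apps(apps):
    """Order systems by business criticality, and within that surface the ones
    with no MFA path first, because they are where the extra work will be."""
    crit_rank = {"high": 0, "medium": 1, "low": 2}
    effort_rank = {"none": 0, "sso": 1, "native": 2}
    ordered = sorted(apps, key=lambda a: (crit_rank[a["criticality"]],
                                          effort_rank[a["mfa_support"]]))
    return [{"app": a["app"],
             "criticality": a["criticality"],
             "extra_work": a["mfa_support"] == "none"} for a in ordered]


if __name__ == "__main__":
    users = parse_csv(USERS_CSV)
    apps = parse_csv(APPS_CSV)
    for wave, names in plan_user_waves(users).items():
        print(f"wave {wave}: {', '.join(names) or '(nobody)'}")
    print("admin accounts to review:", stale_admins(users, date(2024, 5, 10)))
    for row in prioritise_apps(apps):
        flag = " (needs extra work: no MFA path yet)" if row["extra_work"] else ""
        print(f"{row['app']:<12}{row['criticality']:<8}{flag}")
```

Run against a real export, the output gives you the first two rollout waves, a list of admin accounts that have gone quiet and should be looked at before they are simply migrated, and the systems to budget extra integration time for.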
Think about your users’ time
There are ways of making MFA easier, like using the biometrics built into devices, or FIDO2-compliant factors such as Feitian or Yubico security keys. If possible, offer a choice of alternative factors so people can pick the one that best suits them. Biometrics are extremely convenient, but some employees may be uncomfortable using their fingerprint or face for corporate sign-ins and may prefer receiving an automated voice call.
Have a support plan
One of the biggest reasons MFA rollouts fail is that users lose heart when things go wrong. Plan a robust process for failed enrolments and account lockouts. Similarly, have a plan for lost devices and security keys. A blame-free culture is particularly important here, to encourage users to report a loss promptly so the risk can be reduced as soon as possible. Having flexible ways to get them connected while the problem is being sorted out is equally important, as the business cannot afford to wait.
This may seem like a lot of work overall, but implementing MFA is one of the key steps that has the greatest impact on security and so surely it is worth the effort?