Industry Insights with Alexandre Cagnoni


MFA Trials Can Be a Burden or a Breeze

Use These Five Tips to Quickly Spot Differences When Evaluating MFA Solutions

If you are like most IT leaders evaluating multi-factor authentication solutions, you want to test it all and feel certain that you are selecting a solution that best meets the needs of your organization. Then, you consider your immediate challenges - including staffing and skills shortages along with a growing pile of IT tasks - and thoughts quickly turn to testing efficiency. What are the few areas to spend your time looking at that will most clearly illustrate the differences in MFA platforms?

Let's face reality: you know you're living on borrowed time without an MFA solution. You're following the news on the latest breaches, you've talked to cyber-insurance companies, and you've engaged with leaders in regulatory compliance initiatives. Everyone is pointing to MFA as a critical security addition for companies of all sizes, so you need something soon.


If you have the time, please engage in a few trials and test everything that you can get your hands on across a variety of solutions. However, if you're on the fast-track evaluation plan, then we suggest that you focus on these five areas that will help you to understand differences between the solutions offered on the market today.

Set Up Groups and Users. This is basic functionality that any MFA solution must provide, but you want to consider the workflow and granularity of control. In particular, make sure that you can:

  • Group users based on which resources they can access.
  • Manually create users, at least for testing purposes, and then synchronize with AD or LDAP.

Define Your Single Sign-On Portal. A popular feature of some MFA platforms is an Identity Portal (IdP) or web SSO portal. This allows users to log in just once to have access to their work applications for optimal productivity. There are differences in where the IdP is hosted that can lead to significant variations in costs and value between different solutions. To experience these differences, test to make sure that you can:

  • See that users authenticate once with MFA and get SSO access to all permitted Cloud applications supporting SAML. Expect to set up the IdP all in the Cloud, with no need for installing and securing web servers or creating digital certificates - or anything else that creates added costs.
  • Get your own URL - you should not need to compromise your branding and it should be clear to your employees that this is their legitimate portal.

Activate Your Token. Activating and deactivating a token is a common administrative task, and so you want to ensure that it's intuitive even for non-technical employees, and that it provides frictionless workflows for IT administrators. Be sure to:

  • Download the app to your mobile phone. Better yet, have an employee outside of the IT department do it and watch to see that they can easily follow the instructions.
  • Experience the activation process for ease of use and highest security.
    • Token activation should be unique, with credentials created dynamically so that secrets are never provided inside the activation QR code. A simple test is to see if you can use the same QR code more than once. If you can, so can an attacker, and so this is not a highly secure solution.
    • A cloned token/phone should never work. Watch this video to see how to test this!
    • Migrate a token to a new phone - the employee should be able to do this self-service, with no mandatory IT admin steps.

Test Online and Offline Authentication. MFA solutions are typically very good when devices are connected to the Internet and/or corporate networks, but they also need to offer a well-thought-out and reliable authentication process for when employees are working offline. Test for the most secure approach when you:

  • Execute a push-based authentication and look for context information on the push message, such as which resource is being accessed, where the request is coming from, etc. There needs to be enough information for the employee to confidently accept or reject the request.
  • Next, try an offline authentication and look for a secure challenge/response QR code. You should be able to choose the authentication options for each scenario when configuring the service, and the challenge/response approach is most secure for offline use since it's not susceptible to social engineering.
  • If allowing for one-time password (OTP) authentication, then perform an authentication with it and make sure it is time-based (look for the count-down clock where the OTP changes upon expiration). Some MFA solutions offer only event-based OTPs, which are less secure since they can be copied or written down and used later.
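The difference between time-based and event-based OTPs in the last item, as an added example that is not part of the original article and not any vendor's code. It uses the standard HOTP (RFC 4226) and TOTP (RFC 6238) algorithms; the two verifier classes, their look-ahead and drift settings, and the scenario in `replay_after_delay` are assumptions made for illustration.

```python
import hashlib, hmac, struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 event-based OTP: HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based OTP: HOTP with the counter set to the time step."""
    return hotp(secret, unix_time // step, digits)

class EventVerifier:
    """Hypothetical server for event-based codes: accepts the next unused
    counter values in a look-ahead window, no matter when they arrive."""
    def __init__(self, secret: bytes, look_ahead: int = 3):
        self.secret, self.counter, self.look_ahead = secret, 0, look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1              # burn this counter value
                return True
        return False

class TimeVerifier:
    """Hypothetical server for time-based codes: accepts only the current
    step plus/minus `drift`, and never the same step twice."""
    def __init__(self, secret: bytes, step: int = 30, drift: int = 1):
        self.secret, self.step, self.drift, self.last = secret, step, drift, -1

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for s in range(current - self.drift, current + self.drift + 1):
            if s > self.last and hmac.compare_digest(
                    hotp(self.secret, s), code):
                self.last = s                     # block reuse of this step
                return True
        return False

def replay_after_delay(delay_seconds: int):
    """Constructed scenario: a code is generated, noted down, and first
    presented `delay_seconds` later. Returns (event_ok, time_ok)."""
    secret, t0 = b"12345678901234567890", 1_700_000_000  # RFC 4226 test key
    return (EventVerifier(secret).verify(hotp(secret, 0)),
            TimeVerifier(secret).verify(totp(secret, t0), t0 + delay_seconds))
```

With a one-hour delay the event-based code is still accepted while the time-based code is rejected, which is the behavior to confirm during a trial.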

Protect a Computer Login. Employees are increasingly performing work using corporate laptops in public spaces. You need to ensure that a stolen laptop doesn't risk exposing your data and networks, and so adding MFA protection at login is a great way to enhance security. See how it works when you:

  • Set up a Windows machine to require MFA protection. It should be easy to use a standard Microsoft software distribution tool to install the AuthPoint agent silently on your device with the config file embedded.
  • Experience online and offline authentication at login. The last thing you want is a call from an employee complaining that they couldn't access their computer during a long flight and were therefore unable to complete their work. That offline scenario is important to test.
  • Make sure Remote Desktop Protocol (RDP) works without the need to reauthenticate. This can be important if you are using RDP to provide technical support for users and/or customers.

In performing these five tasks during your MFA trials, you should see some significant differences in products that can help you more quickly decide which one(s) will work for your organization.

About the Author

Alexandre Cagnoni


Director of Authentication, WatchGuard

Alexandre Cagnoni has 24 years of experience working in the cybersecurity and authentication market. Alex helped to plan and deploy MFA projects for banks and enterprises, from small corporate security to multi-million-user deployments. He was the co-founder, CTO and CEO of Datablink, a 10-year-old company acquired by WatchGuard in 2017. He is currently the Director of Authentication for WatchGuard, responsible for AuthPoint, an award-winning Cloud-Based Multi-Factor Authentication solution.
