
3 Important Considerations for Using Multifactor Authentication

MFA won’t play a star role, but it can be an important part of your cybersecurity strategy.

Multifactor authentication has become a mainstream security solution for many organizations in recent years. In fact, a 2021 report from Security magazine stated that 79 percent of organizations used MFA in 2021, a massive jump from the 28 percent that used the technology in 2017.  

But MFA is far from a stand-alone cybersecurity solution. I like to compare it to the chorus in a stage musical: It’s not the star of the show, but it plays an important role as a supporting cast member, and its absence would reduce the overall impact of the performance. Ultimately, MFA can be combined with other cybersecurity solutions (such as single sign-on tools) and services to create an effective overall security strategy.

As organizations look to incorporate MFA into their broader security strategies, three important considerations that can help them improve its effectiveness are adaptive MFA, usability and user experience, and privileged identity management.

Adaptive MFA Looks at Other Factors to Improve Security

On its own, MFA has limitations, but solutions that offer adaptive MFA capabilities can improve an organization’s security posture. Adaptive MFA uses contextual information such as a user’s location or the device a user is logging in with to help authenticate the user’s identity and grant access based on that identity. 

For example, adaptive MFA can deny access and alert security personnel if a user who logs in to a system from the U.S. also logs in from China soon after. The context of the situation indicates that one of the users isn’t actually authentic and may be participating in a man-in-the-middle attack. 

Adaptive MFA enables security personnel to set policies and responses that incorporate this kind of contextual information in an automated fashion and make decisions based on them.
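The U.S.-then-China scenario above can be expressed as an "impossible travel" policy check. The sketch below is an added example, not code from this article or from any MFA product. The function names, the 900 km/h threshold and the sample login events are assumptions constructed for illustration.

```python
import math
from datetime import datetime

MAX_KMH = 900.0  # assumed policy threshold: roughly airliner cruising speed

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def evaluate_logins(events, max_kmh=MAX_KMH):
    """Return (user, time, decision) per event: 'allow' or 'deny_and_alert'.

    A login is denied when reaching it from the user's last allowed login
    would require travelling faster than max_kmh.
    """
    last_ok = {}   # user -> (time, lat, lon) of the last allowed login
    decisions = []
    for user, ts, lat, lon in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        decision = "allow"
        if user in last_ok:
            prev_when, prev_lat, prev_lon = last_ok[user]
            # Clamp the gap to one second so simultaneous logins don't divide by zero.
            hours = max((when - prev_when).total_seconds(), 1.0) / 3600
            km = haversine_km(prev_lat, prev_lon, lat, lon)
            if km / hours > max_kmh:
                decision = "deny_and_alert"
        if decision == "allow":
            # Only allowed logins move the baseline, so a denied attempt
            # cannot make the attacker's location the new "normal".
            last_ok[user] = (when, lat, lon)
        decisions.append((user, ts, decision))
    return decisions

# Constructed sample events: (user, ISO timestamp in UTC, latitude, longitude)
SAMPLE = [
    ("alice", "2024-03-01T13:00:00", 41.88, -87.63),   # Chicago
    ("alice", "2024-03-01T13:45:00", 39.90, 116.40),   # Beijing, 45 minutes later
    ("alice", "2024-03-01T15:30:00", 43.04, -87.91),   # Milwaukee
    ("bob",   "2024-03-01T09:00:00", 40.71, -74.01),   # New York
    ("bob",   "2024-03-02T09:00:00", 39.90, 116.40),   # Beijing, next day
]

if __name__ == "__main__":
    for row in evaluate_logins(SAMPLE):
        print(row)
```

Location derived from IP addresses is approximate and shifts when users connect through VPNs, so a policy built on this signal needs tuning against real login data before it is allowed to block access.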

Usability and User Experience Are Essential for Success

Organizations should carefully consider usability and the user experience as they plan for the deployment of solutions such as MFA. Not long ago, I spoke with a CISO who explained that his organization had not adopted MFA or single sign-on, and required users to log in to systems multiple times each day. The situation led to frustrated users who were less productive than they wanted to be. 

Organizations that find themselves in this situation face even more dire consequences when frustrated employees start leaving for other companies, which can lead to lost revenue. To address these issues, organizational leaders need to think of security as an enabler of business. Assessments and upfront planning can help organizations identify where users are becoming frustrated and develop plans to improve their experience. 

CDW has extensive experience with organizations across a variety of industries and can help IT leaders address their security needs while still delivering a positive, productive experience for users.

Privileged Identity Management Reduces Risk

As they consider MFA in their security strategies, organizations should pay close attention to users with privileged roles, such as systems administrators. Cybercriminals target these accounts because compromising them lets attackers access and control data and systems that are inaccessible to other users.

Privileged identity management (PIM) capabilities let organizations manage and monitor access to these high-value resources by requiring special conditions for access. For example, PIM can require users to receive approval to activate a privileged role, such as a sysadmin, and notify security personnel when a privileged role is activated. 

Ultimately, PIM can reduce the risk of unauthorized access to high-value resources. In fact, some cybersecurity insurance providers make deployment of PIM a condition for offering coverage.

Story by Ian Cumming

Ian Cumming is a senior principal adviser for identity and access management at Focal Point Data Risk, a CDW company.