Fortified MFA: Five critical questions to ask
Multi-factor Authentication (MFA) is now essential to the security of every organisation. However, in most of the audits and security scans we do at Ekco, we find that MFA is not set up effectively.
Written by Colm Lennon
MFA is an important part of any security strategy. It adds an extra layer of protection to the login process and helps protect data from unauthorised access. But implementing MFA can be complex. There are multiple ways to license, enable, and configure it. You should start by asking these five questions when drafting an MFA policy.
1. Do you have exceptions to using MFA and why are these exceptions necessary?
It’s important to determine which accounts, employees, admins, and cloud services should use MFA. While best practice is to have MFA active for all accounts, there can be exceptions. It is important to determine why these exist and whether they can be avoided. Should the exceptions be necessary, you need to include how you address them in your MFA policy.
2. Do you have ‘Break the Glass’ accounts?
This is an account that allows you to log in if the MFA service doesn’t work. It is for emergencies and should only be available to those who need it. Keep this account in a safe place, use it only when necessary, and set up monitoring and alerts so that you know when these accounts are being used.
3. Are office locations safe? Do they need MFA?
Many organisations believe that MFA isn’t needed when working from the office. However, it’s important to continually evaluate this. Set a schedule to regularly review the security of office locations to ensure they’re protected against unauthorised access. Otherwise, assume the principle of zero trust – never trust, always verify.
4. Can laptops serve as a second factor in authentication to limit the number of MFA requests?
Some organisations allow employees to use laptops as a second factor when logging in. This can help limit the number of MFA requests and make it easier to log in. However, make sure that laptops meet compliance policies.
5. Is legacy authentication disabled everywhere?
Legacy authentication is an older form of authentication that does not support MFA. It is important to ensure that all legacy authentication is disabled to avoid bypassing MFA.
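Questions 2, 3 and 5 above each translate into something you can check in sign-in logs: break-the-glass accounts should raise an alert whenever they are used, legacy protocols should never appear, and a sign-in without a second factor should only ever belong to a documented exception (or, if the policy still trusts office networks, come from one of them). The script below is an added example, not Ekco's tooling; the record field names (`user`, `client_app`, `mfa_satisfied`, `ip`), the legacy protocol labels, and the sample sign-ins are all constructed assumptions for illustration.

```python
"""Audit constructed sign-in records against an MFA policy (added example).

Field names, protocol labels and sample data are assumptions, not a real
identity provider's log schema.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Client apps that cannot carry a second factor (assumed labels for legacy auth).
LEGACY_CLIENT_APPS = {"IMAP", "POP3", "SMTP AUTH", "Exchange ActiveSync (Basic)"}


@dataclass
class MfaPolicy:
    break_glass_accounts: set        # emergency accounts; any use must be alerted on
    documented_exceptions: set       # accounts allowed without MFA, each with a recorded reason
    office_networks: list            # CIDR ranges the policy currently treats as office locations
    trust_office_locations: bool = False   # zero trust by default: office IPs still need MFA


def in_office(ip: str, policy: MfaPolicy) -> bool:
    """True if the source address falls inside one of the policy's office ranges."""
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in policy.office_networks)


def mfa_gap(record: dict, policy: MfaPolicy) -> bool:
    """True when a sign-in skipped MFA without a policy-sanctioned reason."""
    if record["mfa_satisfied"]:
        return False
    user = record["user"].lower()
    if user in policy.documented_exceptions:
        return False
    if policy.trust_office_locations and in_office(record["ip"], policy):
        return False
    return True


def audit(records: list, policy: MfaPolicy) -> list:
    """Return (record id, finding type, detail) tuples for every policy violation."""
    findings = []
    for r in records:
        user = r["user"].lower()
        if user in policy.break_glass_accounts:
            findings.append((r["id"], "break_glass_used", user))
        if r["client_app"] in LEGACY_CLIENT_APPS:
            findings.append((r["id"], "legacy_auth", r["client_app"]))
        if mfa_gap(r, policy):
            findings.append((r["id"], "mfa_missing", user))
    return findings


# Constructed sample sign-ins (not real log data).
SAMPLE_SIGNINS = [
    {"id": 1, "user": "alice@example.com", "client_app": "Browser", "mfa_satisfied": True, "ip": "203.0.113.10"},
    {"id": 2, "user": "bob@example.com", "client_app": "IMAP", "mfa_satisfied": False, "ip": "198.51.100.7"},
    {"id": 3, "user": "breakglass1@example.com", "client_app": "Browser", "mfa_satisfied": True, "ip": "203.0.113.10"},
    {"id": 4, "user": "svc-scanner@example.com", "client_app": "Browser", "mfa_satisfied": False, "ip": "203.0.113.10"},
    {"id": 5, "user": "carol@example.com", "client_app": "Browser", "mfa_satisfied": False, "ip": "203.0.113.12"},
]

# Constructed policy: one break-glass account, one documented exception, one office range.
POLICY = MfaPolicy(
    break_glass_accounts={"breakglass1@example.com"},
    documented_exceptions={"svc-scanner@example.com"},
    office_networks=["203.0.113.0/24"],
)


if __name__ == "__main__":
    for finding in audit(SAMPLE_SIGNINS, POLICY):
        print(finding)
```

Run as-is, the audit flags the IMAP sign-in twice (legacy protocol, and no MFA), the break-the-glass login once, and Carol's office sign-in without MFA once, while the documented exception `svc-scanner` produces nothing. Flipping `trust_office_locations` to `True` silences Carol's finding, which is exactly the trade-off question 3 asks you to revisit on a schedule rather than assume.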
Fortified MFA isn’t something that can be achieved ad hoc. It requires careful planning and the right expertise to ensure that your organisation is covered from every angle. Setting up a robust MFA policy beforehand is key in achieving this. In our next MFA blog, we’ll focus on which aspects of an MFA policy you should pay special attention to.
If you know MFA is important, but don’t have the time or expertise to manage it, then give us a call. Our team of specialists would be happy to support you on your journey to better MFA.