There are no barriers to implementing MFA, no matter what your requirements are. Your Challenge Information security officers deal with compromised tools/stolen passwords through phishing and/or employee negligence or face regulatory requirements for secure employee access to internal systems, e.g. remote access to PCI data. There are also operations managers struggling with password fatigue (e.g. dealing with multiple different passwords for different systems/identities, which leads to substandard practices such as use of weak passwords). They also deal with a higher than optimal number of calls to the help desk for password resets which results in increased costs. Our Advice Critical Insight MFA can apply to all organizations. There is no barrier to MFA – large and small organizations can find affordable solutions that are secure and easy-to-use. It’s costing your organization more not to implement MFA. Think about how many password reset help desk tickets come in a day. This is an easy place to cut costs. MFA doesn’t have to be a pain. You have choices; the selections on the market can satisfy your security needs and the needs of your users. Impact and Result Short term: Learning new processes can take a little bit of time, but end users will adapt to the changes with the right solutions, and authentication will be streamlined. Long term: Efficiency will be more apparent with fewer help desk tickets, which subsequently means less end-user time wasted waiting for password resets, etc. You’ll also experience increased security overall in the long term thanks to the added authentication component.

1. Be absolutely certain who your users are.
External Incidents:
• Passwords as the sole authenticator introduce risk to an organization.
o They’re not enough on their own:
Too easy to crack, sniff, elicit
“All passwords are crackable.” - SANS
o Passwords are subject to credential theft, as well as creating additional work for service desk with managing forgotten passwords.
As an information security officer, I’m dealing with the following:
Events/incidents:
Compromised system or stolen passwords through phishing and/or employee negligence.
Regulatory requirements for secure employee access to internal systems. For example, remote access to PCI data.
As the operations manager, I’m dealing with the following:
Events/incidents:
Users with password fatigue. Dealing with multiple different passwords for different systems/identities leads to substandard practices including insecure
synchronization of passwords, use of weak passwords, and writing down and sharing of passwords.
Proliferation of cloud services exacerbates this problem and exposes password stores to potential compromise by service provider and/or attacks against the service
provider (service provider holds all passwords except in a federated IAM model).
More opportunities for error.
o Higher than optimal number of calls to help desk for password resets, resulting in unnecessary IT spend and reduced user productivity.
Tie in with SSO/IAM – opportunities to reduce number of sign-ins at the same time as implementing strong/MFA authentication.
o Regulatory requirements for secure customer access to services such as online banking.
Passwords are no longer sufficient for secure authentication. Anything less than 2-factor authentication is unacceptable in today’s world.
• Password cracking requires no skill. Recent continuing high profile hacks involving release of ID/password underscore the risk to organizations from re-used
passwords.
• MFA and strong authentication is applicable to everyone and achievable for everyone.
• Login and password reset help desk tickets account for a substantial portion of help desk load – reducing this through SSO may not be sufficiently secure
without MFA.
1. Understand the project
2. Make the case for MFA and analyze requirements
3. Identify best-fit MFA solutions
4. Develop MFA implementation action plan
In today’s ever-changing threat landscape, passwords are an easy access point for attackers – they’re easy to hack and crack. If you’re not adding another layer of
authentication onto your current practices, you’re leaving yourself vulnerable. MFA can apply to all organizations.
You don’t want your organization in the news for stolen user credentials or a breach due to human error related to authentication mismanagement, nor do you want
to lose credibility with clients for not having secure processes.
Once you understand the user groups that are in scope and their security requirements – you can start to look at solutions that work for you.
Use language that stakeholders and users will appreciate and emphasize the value the project brings to them and the organization – communication is integral to the
success of your MFA implementation.