
MFA: A Guide

Multi-factor Authentication, more commonly referred to as MFA (or 2FA when exactly two factors are used), is a standard best-practice element of authenticating and authorizing users on a network. It should be enforced wherever possible to protect users and networks.

What is MFA?
MFA is an essential element of logging into devices and networks, and of proving that a user is who they say they are. In the past a username and password were all that was required to gain access to a network or a device, but that approach is now recognised as outdated and insecure. Threat actors can steal credentials (through phishing, malware, or breaches of other services where the password was reused) or write code to brute force a simple username and password combination. With MFA in place a stolen or guessed password is not enough on its own to log in, which removes the most common route in and keeps your network more secure.

What does MFA look like?
For authentication to be considered multi-factor it should use at least 2 of these categories alongside a username:

  1. Something the user knows – e.g. a password, passphrase, or PIN
  2. Something the user has – a physical token, dongle, or phone-based authenticator
  3. Something the user is – also known as biometrics, e.g. face ID or thumbprint

Two factors from the same category (for example a password plus a PIN, or two security questions) do not count as multi-factor, because the same attack that captures one will usually capture the other.

Is MFA necessary?
MFA is a key component of confirming that your users are who they say they are, and an essential step in user management. In a modern network setup it is considered standard practice, and not implementing MFA is viewed by auditors, assessors and compliance authorities as below expected best practice. If you can evidence that you have alternative means of authenticating users that provide protection equal to MFA, make sure you highlight this, and any associated documentation, to the auditor.

Where should we be enforcing MFA?
MFA must be in place for:

  1. All remote access to the network, for all users
  2. All access to backups (an attacker who can reach the backups with a password alone can delete them before deploying ransomware)
  3. All users who access their professional email from a personal device (such as a personal phone)
  4. All privileged users when performing privileged actions

When should MFA not be enforced?
As a rule, MFA should be enabled wherever a product or service offers it, to reduce the risk of credential compromise and a threat actor breaking in. If you identify a case where MFA is having more negative than positive impact and would like to turn it off, discuss this with the security team, document your reasoning and the specifics of the case, and review the exception regularly in case circumstances change. Be prepared to hand over this documentation, including the record of reviews, in an audit or assessment.

Users don't like the additional step of MFA.
Change is difficult, and it is not uncommon for users to view any additional step to access information and devices as cumbersome and a blocker to their working day. However, the proven benefits of MFA outweigh the risks of operating without it. Remind users that MFA is in place to protect them, their colleagues, and everyone your organization interacts with. You already control who is allowed into your physical buildings; MFA applies the same requirement to your digital environment.

Acceptable Use Policies (AUPs)
Remember that you have a duty of care towards your network users, and as such can set a code of conduct for network use. This is called an AUP. The policy should set out the practices, behaviour and rules for use of the network, including the requirement to use MFA where it is mandated. If a user is found to be violating the code of conduct, the AUP gives you a basis for a discussion about behaviour, disciplinary action, and revocation of access to key accounts.

Checklist
As you roll out MFA:

  1. Ensure MFA is enforced, not merely enabled (an optional setting that users can skip), on key areas such as backups, remote access, and privileged accounts.
  2. Communicate clearly with users about the protections afforded by MFA and why it is being implemented.
  3. Document any legitimate edge cases where MFA is not enforced, for future review and for audit records.
  4. Update your AUP to include adherence to the MFA requirements of your organization.
  5. Review the MFA rollout regularly, and check that any new services or software installed since your last review have MFA enforced.