
Multifactor authentication systems require IT balancing act

IT faces a tricky situation when it comes to multifactor authentication. Users often disapprove of multiple security layers, but there are some ways to split the difference.

CHICAGO -- IT shops that use multifactor authentication systems must juggle the needs for corporate data security and an easy user experience.

Many IT departments want to enforce multifactor authentication (MFA) on corporate content because the more layers of authentication a user has to go through, the better the data is protected. But employees don't like having to take so many steps to access their work. Organizations are overcoming this conundrum by trying to meet users halfway, through technology such as single sign-on (SSO).

"Multifactor authentication is a must, and there isn't a quick workaround to this," said Chris Hoover, CTO at PossibleNOW Inc., an IT services provider in Duluth, Ga. "What you can do is use single sign-on to make users sign on just once so they have access to everything."

'Let them have access'

PossibleNOW uses two-factor authentication for all of its Microsoft Office 365 applications and documents. By using SSO, users don't need to authenticate for each app or document they access after going through the two layers of authentication just once.

The key to appeasing users is to make the second layer a short and simple step, Hoover said here at Cloud Identity Summit. At PossibleNOW, once the user enters the username and password for the first layer, they tap their corporate smart card for the second layer and gain access.

Other businesses take a similar approach to multifactor authentication systems.

A financial exchange organization in the Midwest, for instance, uses Duo Security, a third-party application service provider in Ann Arbor, Mich., to grant users access to all corporate apps through two-factor authentication. When users try to access a business application on their PC, they enter their username and password. Then, they receive an alert from the Duo app on their smartphone, asking them to confirm or deny that they are trying to access the application. After that, the service uses SSO to grant access to all apps without requiring them to sign in again.


"We ... take a user-centric approach," said Eric Szurgot, lead identity management engineer at the financial exchange organization.

Another strategy is to only enforce multiple authentication levels on applications or documents that handle sensitive data. This way, a user can more easily understand why they have to jump over multiple hurdles to gain access to specific critical content.

An IT manager in Atlanta, who oversees the identity management strategy of his company, said the organization bases its authentication requirements on the level of risk the user or their data poses. MFA is not required for all users or all applications, he said.

"If an employee handles a large amount of critical data, then we enforce multifactor authentication," he added. "Otherwise, let them go, and let them have access."
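The two ideas above, SSO after a single MFA prompt (as at PossibleNOW and the financial exchange) and MFA enforced only where the user or the data is high risk, combine naturally into one access decision. The following is an added example, not code from the article or from any of the organizations it quotes: a toy SSO session model in which each application declares the assurance level it needs, a user's risk tier can raise that requirement, and a second factor is requested only when the current session falls short. All application names, users, levels and the session lifetime are constructed for illustration.

```python
"""Risk-based step-up authentication on top of an SSO session (added example).

A session records the assurance level the user has already reached. Access is
granted silently when that level meets the application's requirement; the user
is asked for a second factor only when it does not. Once the session has been
stepped up, every other sensitive application opens without another prompt.
"""
from dataclasses import dataclass, field
import secrets
import time

# Assurance levels (constructed): 1 = password only, 2 = password plus second factor.
PASSWORD_ONLY = 1
PASSWORD_PLUS_FACTOR = 2

# Constructed application catalogue: applications handling sensitive data need level 2.
APP_REQUIRED_LEVEL = {
    "intranet-news": PASSWORD_ONLY,
    "mail": PASSWORD_ONLY,
    "payroll": PASSWORD_PLUS_FACTOR,
    "patient-records": PASSWORD_PLUS_FACTOR,
}

# Constructed risk tier: users who handle large amounts of critical data must
# always reach level 2, whatever application they open.
HIGH_RISK_USERS = {"finance-analyst"}

SESSION_TTL_SECONDS = 8 * 3600  # constructed session lifetime


@dataclass
class Session:
    user: str
    level: int
    created: float = field(default_factory=time.time)
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

    def expired(self, now=None):
        now = time.time() if now is None else now
        return now - self.created > SESSION_TTL_SECONDS


def required_level(user, app):
    """Risk-based requirement: the stricter of app sensitivity and user risk tier.

    An application missing from the catalogue is treated as sensitive (fail closed).
    """
    app_level = APP_REQUIRED_LEVEL.get(app, PASSWORD_PLUS_FACTOR)
    user_level = PASSWORD_PLUS_FACTOR if user in HIGH_RISK_USERS else PASSWORD_ONLY
    return max(app_level, user_level)


def authorize(session, app, now=None):
    """Return 'allow', 'step-up' (second factor needed) or 'reauthenticate' (session expired)."""
    if session.expired(now):
        return "reauthenticate"
    if session.level >= required_level(session.user, app):
        return "allow"
    return "step-up"


def complete_step_up(session, second_factor_ok):
    """Raise the session's assurance level once the second factor has been verified."""
    if second_factor_ok:
        session.level = PASSWORD_PLUS_FACTOR
    return session.level


def walkthrough(user):
    """Run one user through the flow and return the list of (app, decision) pairs."""
    session = Session(user=user, level=PASSWORD_ONLY)  # password accepted at first login
    decisions = [(app, authorize(session, app)) for app in ("mail", "payroll")]
    if decisions[-1][1] == "step-up":
        complete_step_up(session, second_factor_ok=True)  # user approves the push prompt
        decisions.append(("payroll", authorize(session, "payroll")))
    # The session now carries level 2, so another sensitive app opens without a
    # second prompt: the single-sign-on behaviour the article describes.
    decisions.append(("patient-records", authorize(session, "patient-records")))
    return decisions


if __name__ == "__main__":
    for user in ("engineer", "finance-analyst"):
        print(user, walkthrough(user))
```

For an ordinary user the second factor appears only on the first sensitive application; for a user in the high-risk tier it appears on the very first application, which matches the Atlanta manager's rule of enforcing MFA on whoever handles critical data rather than on every login.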

Which side to lean on?

Some organizations are stricter than others due to compliance requirements, however, and put security over user experience when it comes to multifactor authentication systems.

Easterseals Bay Area, an outpatient services provider for children with special needs in Pleasant Hill, Calif., requires MFA for all its medical data and patient records because it must comply with Health Insurance Portability and Accountability Act (HIPAA) regulations. For added security, the organization prohibits practitioners from using personal devices for work. Employees receive corporate-owned smartphones that they must use to access corporate data, although users typically would rather not carry two phones, said Thomas Hintz, director of enterprise solutions at the company.

"We definitely lean toward the more secure side," Hintz said.

Data protection always involves a difficult balance between strong security and inconvenience for users, said Jack Gold, founder and principal analyst of J. Gold Associates in Northborough, Mass.

If a security measure is too annoying, users will try to find a way around it. But it's helpful if IT keeps users informed as to why it's adding a security layer and what happens if they don't use it, he said.

"User education and training is often overlooked at most companies, but it should be a key ingredient in any security plan," Gold said. "Get users on your side. IT must also provide a feedback path so users can weigh in on what works and what's burdensome and make required corrections as needed."
