Multi-factor Authentication and Single Sign-On for Remote Employees

With entire workforces and student bodies at all levels of education now logging in from home, deploying Single Sign-On and Multi-factor Authentication is as important as ever. 

The more time people have an open connection to the Internet; the more opportunities cybercriminals have to hack their accounts and possibly gain access to the entire network of a company or educational institution.

And the challenge isn't likely to go away anytime soon. Work From Home (WFH) mandates are likely to continue for months. That makes the implementation of Multi-Factor Authentication (MFA) critical for maintaining a strong security posture. And to keep end-users from getting too harried about login processes, deploying Single Sign-On capabilities is also important.

In this article, we present the high-level tactics to consider when implementing MFA, followed by key considerations for SSO. Taking these measures will help you ensure personal data and digital assets remain safe from the cybercriminal community when everyone is forced to WFH.

MFA Deployment Tactics

Deploying MFA across your network infrastructure can't take place overnight, and it's not a one-time project with an ending. It's a continuous security program that requires an on-going commitment from your IT team and your entire organization.

But you can make the process work more efficiently with these key tactics:

• Take an Inside-Out Approach—before rolling out MFA to users, first, rate the criticality of all your infrastructure hardware devices and applications, on-premises and in the cloud. You can then prioritize which systems to protect first with MFA. You may discover legacy systems that do not support MFA. For these systems, you either need to update or assume the risk of a breach. You might also need to restrict access.
• Sell the Value—communicate why you are implementing MFA. With everyone working online, they should realize they are increasing the organization's attack surface. But you also want them to know that MFA protects both their personal information and the organization's assets.
• Empathize—the internal IT team needs to accept that non-technical people will view MFA as more work and consider it an inconvenience. They may have to get used to carrying a security key or a device with an authenticator unless biometric recognition is available on their devices.
• Train and Support—provide video and written instructions that explain how your MFA process works. Those familiar with MFA realize it's pretty simple. But for anyone not familiar, the extra steps can easily throw them off, and they may not be able to log in. So be sure to make technical support readily available.
• Test Before Deployment—just as you would with any application, test MFA on each system with a small group before deploying to the entire company. This allows you to make sure MFA works and that users don't have too much difficulty gaining access.
• Prioritize Users—start with your admin accounts and anyone that has extra network-access privileges. They represent the greatest risk to your digital assets should their accounts get breached. Other end-users to consider as a high priority are your executive team members, followed by frontline personnel in finance and human resources. Taking care of these groups first will also give you a way to further test your rollout and iron out any kinks before deploying to the entire organization.
• Track Registrations: As you rollout MFA, you will need to confirm if everyone has registered and which authentication methods they choose to use. The longer a user waits, the more time hackers have to compromise their account.

After completing your MFA deployment, measure the impact on security and productivity. This includes asking for feedback and checking on help desk activity. It's also important to monitor for failed logins, phishing attacks, and denied privilege escalations. Yes, the purpose of MFA is to protect digital assets, but if employees are having a difficult time doing their jobs, policy changes might be in order, or you may need to use different MFA tactics.

Leveraging SSO to Make MFA Less Onerous

While there may be certain critical applications that require their own unique MFA process, you can make your overall MFA program less onerous by integrating MFA for groups of applications with Single Sign-On (SSO). SSO gives users the ability to log in once with MFA, and then have access to multiple services.

For example, SSO could be used to give authorized access to Microsoft Office applications as well as warehouse and marketing applications—all with one MFA login session. But if someone wants to access the ERP or CRM platform, they have to use a separate login for each application.

To identify an SSO solution that works well for your company, make sure it integrates easily with your MFA mechanisms and protocols. Also, check for the applications the SSO solution can be applied so. For example, some on-premises solutions provide SSO to web and enterprise applications but not VDI and SaaS applications. Conversely, other vendors provide SSO for cloud and SaaS applications but not on-premises applications.

Expect the Unexpected

Once you complete your MFA and SSO rollouts, expect the unexpected. In addition to confused users and systems where the MFA and SSO processes are not configured properly, this includes lost devices and forgotten passwords—the typical things that cause Help Desk headaches.

The key is to prepare the support staff and add extra resources if possible. Over time, you will adjust your systems, and users will gain experience. You will also likely find they appreciate the benefits of MFA and SSO—just a little extra step to keep their data and the organization's data safe from cybercriminals!