6 Tips to Better Secure Your MFA

Not all Multi-Factor Authentication (MFA) methods are the same. Before we go any further, it is important to mention that any MFA method is better than nothing. Even the MFA methods I say not to use are better than no MFA at all. This blog post is for anyone who wants to go to the next level and have the “best” MFA, whether you are in a regulated industry like finance or healthcare, in a field with a vested interest in security such as law enforcement or the Department of Defense, or you simply want to move your security posture towards the effective side of the security spectrum.

How Do The Experts "Grade" Common MFA Protocols?

Do Not Use

  • SMS text messages
  • Voice (includes PSTN, VoIP, & cellular)
  • Email

Low Security

  • Lookup codes (one-time passwords, backup, recovery, or emergency)
  • Facial recognition
  • Fingerprint
  • Personal security questions

Medium Security

  • Time-based One-Time Passwords (TOTP)
  • Hash-based One-Time Passwords (HOTP)

High Security

  • Authenticator application push
  • Certificate-based authentication
  • Physical USB Security Keys (FIDO U2F Tokens)
  • Smart cards

6 Tips for a More Secure Multifactor Authentication System

  1. If you are using a multifactor solution that has several methods enabled by default, make sure you disable the methods you don’t use.
  2. Set up administrator notifications for new enrollments.
  3. Layer other security controls with multifactor authentication (e.g. blocking all logins from countries your business doesn’t operate in, locking accounts for at least 90 minutes after 3-5 failed login attempts, requiring passwords to be at least 14 characters long and changed at least once per year, and using a SIEM solution to identify anomalous activity).
  4. Prefer “out-of-band” multifactor authentication methods (e.g. using the app on your phone to log in to your computer, or using a hardware TOTP token to log in to apps on your phone).
  5. Use secure interactive methods over static access methods (e.g. using the application push feature from a reputable company to an up-to-date smartphone that has a screen lock and all OS and application updates installed).
  6. Have a third party audit your environment at least once every three years and validate your MFA implementation against the assets they discover to make sure nothing slipped through the cracks over the years.
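As an added example (not from the original post or any vendor's product), the following Python sketch applies the controls from tips 2 and 3 to a constructed batch of sign-in events: a geo-block for countries the business does not operate in, a 90-minute lockout after 3 failed attempts within a short window, and an administrator alert on every new MFA enrollment. The event field names and the 10-minute failure window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in events for illustration; the field names are
# assumptions, not the schema of any particular identity provider or SIEM.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:00Z", "user": "alice", "country": "US", "result": "failure"},
    {"ts": "2024-01-10T09:01:00Z", "user": "alice", "country": "US", "result": "failure"},
    {"ts": "2024-01-10T09:02:00Z", "user": "alice", "country": "US", "result": "failure"},
    {"ts": "2024-01-10T09:05:00Z", "user": "alice", "country": "US", "result": "success"},
    {"ts": "2024-01-10T09:10:00Z", "user": "bob", "country": "BR", "result": "failure"},
    {"ts": "2024-01-10T09:15:00Z", "user": "carol", "country": "US",
     "result": "mfa_enroll", "method": "Sms"},
    {"ts": "2024-01-10T11:00:00Z", "user": "alice", "country": "US", "result": "success"},
]


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate(events, allowed_countries=frozenset({"US"}), max_failures=3,
             window=timedelta(minutes=10), lockout=timedelta(minutes=90)):
    """Apply the layered controls to a stream of sign-in events.

    Returns a list of (timestamp, alert_type, user) tuples. Events are
    processed in time order, so a lockout only affects later events.
    """
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of recent failures
    locked_until = {}              # user -> datetime when the lockout expires
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user = _parse(ev["ts"]), ev["user"]
        if ev["country"] not in allowed_countries:
            alerts.append((ev["ts"], "geo_block", user))      # tip 3: country block
            continue
        if user in locked_until and ts < locked_until[user]:
            alerts.append((ev["ts"], "attempt_while_locked", user))
            continue
        if ev["result"] == "mfa_enroll":
            alerts.append((ev["ts"], "admin_notify_enrollment", user))  # tip 2
        elif ev["result"] == "failure":
            recent = [t for t in failures[user] if ts - t <= window] + [ts]
            failures[user] = recent
            if len(recent) >= max_failures:                  # tip 3: lockout
                locked_until[user] = ts + lockout
                failures[user] = []
                alerts.append((ev["ts"], "lockout", user))
        elif ev["result"] == "success":
            failures[user] = []                               # reset on success
    return alerts
```

Running `evaluate(SAMPLE_EVENTS)` yields one lockout for alice at 09:02, her 09:05 attempt flagged as made while locked, a geo-block for bob, and an enrollment alert for carol; alice's 11:00 sign-in passes because the 90-minute lock has expired.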

Closing The Security Loop

Your business should have an IT Security Policy that outlines the approved MFA methods, password requirements, user on-/off-boarding procedures, security authorization procedures for various access requests, and many other topics. We recommend resources like:

  • Center for Internet Security’s CIS Critical Security Controls Framework. Nearly all of their base documentation is free with registration, and their corporate policy templates are also free.
  • Secure Controls Framework is another great resource with a lot of free material. Their corporate policy templates are premium content.

What MFA Products Does Vista Recommend?

We’re proud to help you with your MFA needs using both Microsoft Entra’s multifactor features and Cisco Duo MFA products. There are a variety of features, capabilities, and licenses for both Microsoft Entra and Cisco Duo which, when combined with the contents of this blog post, can make it tough to decide what the right choice for your company is.

Need help identifying exactly what combination of products and features is right for your organization? We're here to help!
