Getting Started with Multi-Factor Authentication, a Must-Have for 2018

Stroz Friedberg is a specialized risk management firm built to help clients solve the complex challenges prevalent in today’s digital, connected, and regulated business world

Passwords are notoriously not secure. The very thing you want to keep a secret—your password—you have to tell a system to gain entry. One of the emerging trends in security is identity verification through biometric authentication. This includes fingerprint, face, and voice recognition to name a few. But even biometrics are not bulletproof. Some of these cutting edge technologies meant to increase security can be fooled by voice recordings, pictures, or even someone’s twin, and false positives are a genuine concern. Single-factor authentication, even if it deploys biometrics, is not enough.

As a result, Stroz Friedberg predicts many more companies will actively embrace multi-factor authentication (MFA) this year to combat the assault on these fallible authentication methods. With well-implemented MFA, the weaknesses in one factor are mitigated by using the second, or even third factor. In practice, individuals will increasingly be required to present several pieces of evidence to verify their identities. Typically the evidence will include at least two of the following: something they know (knowledge), something they have (possession), and something they are (inherence). One example would be using voice recognition plus a personal identification number (PIN) or password to authenticate customer service calls.

To get started with MFA, organizations should take these 10 steps.

1. Understand user behavior:

A number of factors must be understood before selecting a MFA solution. One of the most important is the specific use-case. For example, when clients of a financial institution call customer service and need to verify their identity, they might find inputting a long, time-based passcode on their cellphones difficult. So, a voice biometrics solution may be preferred. Voice biometrics may also be a good idea if the users often have their hands busy, like if they’re professional drivers. For services delivered solely on a smartphone, organizations might consider leveraging inherence factors through the built-in camera for facial recognition and fingerprint sensors. It’s essential to envision the user of MFA before moving forward so the organization can ensure identity authentication won’t inhibit business.

2. Check regulatory recommendations:

Another consideration is industry regulations and recommendations. The Federal Financial Institutions Examination Council (FFIEC), for example, provides financial institutions general guidance on MFA. Organizations should be sure to check for applicable guidelines before implementing a plan.

3. Review everyday usability for the organization:

If MFA software is too complicated to configure, it may be hard for the organization to maintain and may unintentionally create new areas of exposure. Rekeying, meaning to reset the “lock” to be opened by another key, is also an issue. If the authentication factor is compromised, how do you update the system and set up a new factor? In biometrics this is particularly challenging. Take fingerprint recognition. What if the user loses their right thumb? Be sure to consider issues of daily use before selecting the solution.

4. Risk and threat analysis:

Perform a rigorous evaluation on the risks a MFA solution is intended to reduce and on the risks associated with the MFA solution itself to ensure the chosen solution fits the organization’s needs and risk posture. For example, could a recording or photo confuse a voice biometrics system? Could a stored database of MFA verifiers be compromised?

5. Select three identity verification tools to review:

Once you understand your users’ needs, industry regulations and recommendations, solutions’ risks, and your organization’s tolerance for implementation complexity, it’s time to select a tool. The marketplace of MFA vendors is rapidly expanding, so there are many options. Consider selecting three tools to evaluate and test prior to selection and deployment. For help, there’s also been a rise in security consulting dedicated to MFA. Look for a consultant who is solution or platform independent, meaning one who can review your needs and the solutions objectively, without any incentive to sell you on a particular one.

6. Perform a pilot test:

This is the beginning of the testing phase, which is essential because any solution that creates significant challenges in authentication can frustrate users, increase customer service costs, and escalate churn. Before rolling out a complete product with all the bells and whistles, verify that a limited version is effective by testing it out with a small group that’s representative of the larger user pool. Test it with users in other countries, in various time zones, and with those using Macs, PCs, and Linux operating systems.

7. Perform a penetration test:

Before full-fledged implementation, perform a penetration test to ensure that the changes meant to improve the security of identification verification does not decrease the security of the network itself. Check to see if credentials are well-protected or if there are ways to bypass MFA. An iron door doesn’t provide security if a nearby window is open.

8. Prepare to manage the change:

MFA presents organizations with a massive change management challenge. The pilot will help ease the shift and allow for adjustments as needed prior to roll-out. But the change management function of human resources should be involved. They can expertly build awareness about the shift and provide training to the users.

9. Monitor the system’s use:

Once the system is deployed, the security team must monitor for brute force attacks and unlikely authentication requests, such as logins by the same person originating in different countries in a short window of time. Many organizations monitor user name and password usage for these types of signals, and they should continue to do so for MFA.

10. Continuous improvement and innovation:

What’s cutting-edge and effective today might not be in a year or two. New products hit the market regularly; threats are evolving as criminals find new ways to compromise cutting-edge tools; and organizations’ needs change rapidly from their own innovation and M&A. Plan for a cycle of continuous improvement with the MFA solution to ensure it meets the security needs of the business.


This year, MFA will continue to gain momentum as a critical element of identity verification. But to be effective, the organization must select the right solutions for its users and internal IT capabilities; the solutions must be implemented solidly to avoid creating new points of exposure; and the system must be monitored and updated. Cyber criminals are nimble, forward-thinking, and persistent, and may still figure out how to get the best of your layered system—but without MFA they’re only one factor away from access. No matter how many multiple layers an organization employs, continued vigilance and threat awareness is a constant.

For more on the conditions driving this trend and other cybersecurity forecasts, please see Aon’s 2018 Cybersecurity Predictions.


Our lawyers don’t want to miss out on the fun and would like you to know that all of the posts are the opinions of the individual authors and don’t necessarily reflect the opinions or positions of Stroz Friedberg. The ideas and strategies discussed herein may not be appropriate for any one reader’s situation and are not meant to be construed as advice.

Risk Areas: Cyber

I am: In the C-Suite or a Director, An InfoSec professional

Tags: MFA, multi-factor authentication



Commentary, new discoveries, and innovative ideas right to your inbox.

Stroz Friedberg

Sorry! You are using an older browser which is not supported by this website.

Please download one of these free browsers to enjoy all our website has to offer:
Firefox, Chrome or Internet Explorer.