Multi Factor Authentication Deployment Guide

This document serves as a comprehensive guide on multi-factor authentication (MFA), highlighting its importance in enhancing security against password-related threats. It outlines key considerations for organizations before implementing MFA, including user education, access needs, compliance requirements, and device management. Additionally, it emphasizes the need for adaptive MFA solutions to tailor security measures based on user behavior and context.


Multi-Factor Authentication Deployment Guide
A Complete Guide to Selecting and Deploying Your MFA Solution

Okta Inc.
301 Brannan Street, Suite 300
San Francisco, CA 94107

info@okta.com
1-888-722-7871
Introduction

As threats to password security have increased in recent years, multi-factor authentication (MFA) has rapidly gained adoption as a method for increasing the assurance of authentication for consumer and enterprise web and mobile applications.

Authentication is generally accomplished by validating one of three types of factors: something you know (e.g. a password), something you have (e.g. an ID card), and something you are (e.g. a fingerprint). Multi-factor authentication employs two or more types of factors. Web and mobile products most commonly pair a password with a time-based one-time code generated by a token the user possesses, though approaches to MFA vary widely and present different tradeoffs.

In this guide, we compiled information on why an MFA solution is a no-brainer, and the best practices for deploying MFA. We review the results of a survey completed in partnership with IDG that shows where the priorities of your peers lie and how Identity and Access Management (IAM) plays a part in strong authentication and security. Next we explore things to consider before deploying your MFA solution, like policies and access needs. Finally, we provide further practical advice for people building multi-factor authentication for their applications, based on our observations working with engineering and product teams.

Using IAM with MFA in the Age of Megabreaches

There's no shortage of threats, including malware, hacking, phishing, and social engineering, and these tactics often lead to account compromise and credential theft.

Top Identity-Related Security Concerns

• 59%: Expansion of the user base to include non-employees
• 43%: Inconvenient authentication controls ignored/subverted
• 33%: Lack of IAM policies
• 29%: Reuse of same passwords
• 24%: Stolen credentials

Top Challenges in Managing Identity and Access

• 61%: Managing identity and access across application environments
• 35%: Integration with current security solutions (50% for larger enterprises)
• 35%: Ability to collect and report on user access info and patterns
Looking Ahead: Priority of IAM and Assessing Current IAM Capabilities

• 92% of VPs+ perceive IAM as a critical or high priority, and 77% of managers do
• 30% report a good or better ability to detect compromise of credentials
• 45% integrate IAM data into their Security Operations Center (SOC)

Addressing Security Concerns: Most Important Potential Benefits of IAM Solutions

• 53%: Authentication to all apps and services, thus expanding the user base safely
• 45%: Automation of provisioning/deprovisioning
• 43%: Improved user experience with less inconvenient user controls in place
• 43%: Adoption of more stringent access controls

Visit Okta to learn more about IAM + MFA: https://www.okta.com/solutions/

*Research from IDG
7 Things to Consider Before Making the Switch to MFA

Passwords are hard. The (what feels like constantly) growing list of security requirements is intended to make passwords secure, but in many cases it has had the opposite effect. Complex passwords that meet all the requirements are often difficult to remember, so they're reused across many sites. Users scribble them on sticky notes. They weave in easily discoverable pet's names, birthdays, and phone numbers. It's no way to keep data secure. Thankfully, organizations are starting to not just understand, but also support the concept that while access should be hard for hackers, it needs to be easy for legitimate users. And the best way to make that happen is with multi-factor authentication, or MFA. MFA is a great way to secure your users' apps and services from unauthorized access. Here are some points to consider as you plan your deployment.

1. User education

You're deploying multi-factor authentication to reduce security risks from password-only access, but some users may see this as an inconvenience. They may be worried that this process change will take up time they feel could be better spent elsewhere.

Nonetheless, make sure everyone from management to end users is aligned on why you're making the shift to MFA. It is important to achieve buy-in from the entire organization to ensure everyone plays a role in keeping the company secure. Do this through education, so each user can appreciate the security benefits they contribute to by taking this additional step.

2. Consider your MFA policies

A good MFA deployment will balance security with usability to avoid becoming too onerous, so consider how you define your MFA policies to govern how and when an additional factor is required.

It may seem a bit counterintuitive, but sometimes the key is to prompt for step-up authentication less often instead of more. A well-considered risk-based policy configuration should trigger step-up authentication challenges only when necessary. For example, a policy could ensure that a second factor is required only when logging into a service from outside the corporate network (based on a range of IP addresses) or outside of the country (based on a GeoIP location lookup). Or maybe you have a certain group of user accounts with broad access to sensitive data, and you need a stricter policy for them. MFA allows you to require a second factor when they attempt to access the sensitive resource, but not, say, when they access the company events calendar. The basic idea is that additional verification should be as transparent as possible to the user to foster a good user experience without compromising on security. Keep in mind that source IP and GeoIP are weak signals: an attacker holding stolen credentials can route through a VPN or a compromised host inside the corporate range, so use these rules to reduce prompts for low-risk access rather than to remove the second factor from anything sensitive.

3. Provide for a variety of access needs

There are scenarios where a user has Internet access, but has little or no service from their cell phone carrier. This could be on a wifi-enabled airplane, at a rural home, or simply in the basement of a large concrete building. In these cases, where voice and SMS may not be feasible, Okta Verify with push or one-time password (OTP) are better choices, as their communication is encrypted over the phone's Internet connection, and an OTP generated by the app needs no connection at all once the app has been enrolled.

Hardware devices that generate event-based (HOTP) or time-based (TOTP) one-time passwords don't require a communication channel at all: the device and the server share a secret at enrollment and each derives the code from a counter or the current time step. They are also more difficult to tamper with or copy. But along with the cost to deploy, a physical device becomes one more thing for employees to carry around, forget at home, or lose. Thus, they may not be the go-to choice for short-term contractors or in situations where there is substantial churn in workers.

When it comes to MFA factors, a lot of options exist to solve for a wide variety of scenarios. Choose what works best for each scenario in your organization, keeping in mind multiple policies and factors can be used when there isn't (and there hardly ever is!) a one-size-fits-all solution to accommodate all situations.

4. Think twice about using SMS for OTP

SMS is easy, and with the prevalence of cell phones and tablets, it's nearly everywhere, so it has become a common communications channel for OTP delivery. SMS has generally been assumed to be secure enough for this purpose, but that is due in part to the fact that the infrastructure is mostly both proprietary and opaque. Research shows that SMS security is lacking, and not only when it comes to documented vulnerabilities. With SMS, you are trusting security to the telecom companies, and even if you trust that they have security best practices in place, there is always a risk of compromise through spoofing and social engineering. In many cases, it's not that technically challenging for an attacker to port your number to a device they control (a "SIM swap"), and gain access to your SMS messages and OTPs.

NIST SP 800-63B treats out-of-band authentication over SMS or voice as a restricted authenticator for these reasons, but ultimately you need to perform your own risk assessment based on your users, use cases, and the data being secured. After all, MFA with SMS is still better than no MFA at all.

5. Check compliance requirements carefully

Most IT compliance standards such as PCI DSS, SOX, and HIPAA mandate strong user authentication controls, making them likely motivators for an MFA deployment. It seems obvious, but if your goal is to meet such standards, make sure to have a detailed understanding of the requirements so you can tailor configuration and policies to them.

For example, PCI DSS and HIPAA compliance both require strong authentication, which is at least two strong authentication methods out of these three: something you know, something you have, and something you are. SOX focuses less on technology, but to pass an audit you'll still need to prove that your organization's finance and accounting data is secure.

IT compliance requires implementing relevant standards, but it also requires an ability to prove that you've met them. Make documentation part of your configuration and implementation so you'll be able to quickly and confidently prove in an audit that they've been met. Your future self (and your org!) will thank you.

6. Have a plan for lost devices

The second authentication factor type in a typical MFA deployment is "something you have" (the first being "something you know" and the third being "something you are"). In the case of SMS, voice, or an authentication app like Okta Verify or Google Authenticator, the user has their phone. In the case of a hardware token from YubiKey, RSA, or similar, the user has their token. But anything a user has, a user can lose.

A procedure for handling lost devices should already be part of your comprehensive IT helpdesk playbook. Extend it to include devices used for MFA, and ensure that reporting a lost device results in:

• Expiring any current sessions and requesting the user re-authenticate
• Disassociating the device from the user's account and access rights
• Remote wiping of corporate information on mobile devices, if necessary

It's also important to audit the user account's activity prior to the point in time when the device was lost to note any unusual activity. If there is anything suspicious, consider the possibility of a breach and escalate accordingly.

Once the immediate security concerns are handled, focus should shift to getting the employee back to work with a replacement device or login method. For example, an alternative process like calling the IT helpdesk to verify identity can allow the employee to be productive while replacement factors are implemented. Make sure that process verifies the person through something other than the password alone, since a lost phone is exactly the moment an attacker who already has the password would try to enroll a new factor.
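The audit step under point 6, as an added example that is not part of the original guide and does not use Okta's System Log schema: a small analyzer over constructed JSON-lines authentication events that pulls out what an account did in the window before the device was reported lost, flags IPs it had never used before that window, and counts failed second-factor attempts. The same pass also produces the per-user "how many tries, how many gave up" figures the next point asks you to look for in the audit trail. The event names and fields are assumptions for the example.

```python
"""Audit checks to run when a second-factor device is reported lost.

Added example, not from the Okta guide and not Okta's System Log format. Events
are constructed JSON lines with an assumed minimal schema (ts, user, event, ip,
factor). activity_before_loss() isolates the account's activity in the window
before the loss and flags new IPs and failed second-factor attempts;
mfa_friction() reports challenges that needed a retry or were abandoned.
"""
import json
from collections import defaultdict

# Constructed sample log (unix-second timestamps, RFC 5737 documentation addresses).
SAMPLE_LOG = """
{"ts": 1000, "user": "carol", "event": "login.success", "ip": "203.0.113.10"}
{"ts": 1001, "user": "carol", "event": "mfa.challenge", "ip": "203.0.113.10", "factor": "totp"}
{"ts": 1005, "user": "carol", "event": "mfa.success", "ip": "203.0.113.10", "factor": "totp"}
{"ts": 5000, "user": "carol", "event": "login.success", "ip": "198.51.100.9"}
{"ts": 5001, "user": "carol", "event": "mfa.challenge", "ip": "198.51.100.9", "factor": "totp"}
{"ts": 5010, "user": "carol", "event": "mfa.failure", "ip": "198.51.100.9", "factor": "totp"}
{"ts": 5020, "user": "carol", "event": "mfa.failure", "ip": "198.51.100.9", "factor": "totp"}
{"ts": 5030, "user": "carol", "event": "mfa.success", "ip": "198.51.100.9", "factor": "totp"}
{"ts": 6000, "user": "dave", "event": "login.success", "ip": "203.0.113.11"}
{"ts": 6001, "user": "dave", "event": "mfa.challenge", "ip": "203.0.113.11", "factor": "push"}
{"ts": 6100, "user": "dave", "event": "login.success", "ip": "203.0.113.11"}
{"ts": 6101, "user": "dave", "event": "mfa.challenge", "ip": "203.0.113.11", "factor": "push"}
{"ts": 6105, "user": "dave", "event": "mfa.success", "ip": "203.0.113.11", "factor": "push"}
"""


def parse_log(text):
    """One JSON object per line; returned in timestamp order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def activity_before_loss(events, user, lost_at, window):
    """Everything `user` did in [lost_at - window, lost_at], plus the IPs in that
    window the account had not used before it and the failed second-factor count."""
    start = lost_at - window
    mine = [e for e in events if e["user"] == user]
    in_window = [e for e in mine if start <= e["ts"] <= lost_at]
    known_ips = {e["ip"] for e in mine if e["ts"] < start}
    return {
        "events": in_window,
        "new_ips": {e["ip"] for e in in_window} - known_ips,
        "mfa_failures": sum(1 for e in in_window if e["event"] == "mfa.failure"),
    }


def mfa_friction(events):
    """Per user: challenges issued, challenges that needed a retry, challenges
    that were never completed (a new challenge or end of log before success)."""
    stats = defaultdict(lambda: {"challenges": 0, "retried": 0, "abandoned": 0})
    pending = {}  # user -> failures seen on the currently open challenge
    for e in events:
        user, kind = e["user"], e["event"]
        if kind == "mfa.challenge":
            if user in pending:
                stats[user]["abandoned"] += 1
            pending[user] = 0
            stats[user]["challenges"] += 1
        elif kind == "mfa.failure" and user in pending:
            pending[user] += 1
        elif kind == "mfa.success" and user in pending:
            if pending.pop(user) > 0:
                stats[user]["retried"] += 1
    for user in pending:
        stats[user]["abandoned"] += 1
    return dict(stats)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(activity_before_loss(evs, "carol", lost_at=5100, window=1000))
    print(mfa_friction(evs))
```

In the sample, carol's last hour before the loss shows a login from an address she had never used and two failed code entries before a success; that combination is what should trigger the escalation the text describes rather than a routine factor reset.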

7. Be prepared to review and revise

It's rare that complex deployments and policies are a perfect fit the first time. With a process change that can potentially affect all employees, it's always a good idea to track the effectiveness of an MFA solution as it is being deployed and used, and to be able to refine policies based on observations.

Get comfortable with the auditing functionality early in the process and it will be invaluable for troubleshooting and adjusting policy configuration. Once you've deployed MFA to users, use auditing tools to spot check adoption and use. A mechanism that allows user feedback to be reported can also be a good idea. And while users may not always take the time to provide written feedback, an audit trail gives you some visibility into what they actually experienced. Did it take them three tries to enter their OTP? Did they give up? Problems like this could indicate a misconfiguration, a gap in user education, or simply a scenario that wasn't considered in the initial rollout plan.

Using audit tools and encouraging employee feedback assures all stakeholders that the system is working as intended and new security policies are being successfully adopted.

Bonus: Consider adaptive MFA

These tips are a great start, and step-up MFA can even allow fine-grained control over how and when MFA is applied, but it requires careful consideration to configure. In some cases, even for well-defined policies and criteria, you may want to be able to make decisions on-the-fly based on changes to user or device context.

To take advantage of the ability to make dynamic changes, check out Okta's Adaptive MFA solution. Adaptive MFA works by noting access patterns and then adapting the policy around each user or group. For example, an employee who routinely travels and checks email from overseas may only periodically require a second authentication factor, but an employee who never travels would immediately receive an MFA challenge should they do so. Risk-based policies, like prompting for a step-up authentication challenge when trying to access resources through an unauthorized proxy or automatically blocking access from known malicious IPs, can also kick in when triggered by suspicious events.

Adaptive MFA is a powerful tool to automatically derive dynamic policies over time: ones that are tight enough to give you the security your organization requires, but flexible enough to treat your users as individuals.
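The two kinds of policy described under point 2 and in this bonus section, as one added example that is not part of the original guide and is not Okta's policy engine: a decision function that applies the static rules (corporate IP range, GeoIP country, sensitive application, privileged group, blocked range) and then relaxes the "outside the corporate network" rule for a user whose verified-login history shows routine travel, while a user who never travels is challenged immediately. The networks, GeoIP table, history and fixed clock are constructed sample data.

```python
"""Risk-based step-up policy with a per-user location baseline.

Added example, not from the Okta guide and not Okta's policy engine. Static
rules come first (blocklist, sensitive app, privileged group, corporate
network); off-network requests are then decided from the user's own history:
a verified login from the same country within the re-verification interval
skips the prompt, and that interval is a week for routine travellers, a day
at home, and zero (always challenge) abroad for someone who never travels.
"""
from dataclasses import dataclass
import ipaddress
from typing import FrozenSet, List, Optional

DAY = 24 * 3600
NOW = 1_700_000_000  # fixed "current time" so every decision below is reproducible

# Constructed environment (RFC 5737 documentation ranges stand in for real ones).
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]
BLOCKLIST = [ipaddress.ip_network("192.0.2.0/26")]  # assumed "known malicious" range
GEOIP = {  # assumed /24-granular lookup; a real deployment uses a GeoIP database
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "DE",
}
HOME_COUNTRY = "US"
SENSITIVE_APPS = {"payroll", "hr-records"}
PRIVILEGED_GROUPS = {"admins", "finance"}
TRAVELLER_MIN_COUNTRIES = 3  # verified from this many countries in LOOKBACK => routine traveller
LOOKBACK = 30 * DAY


@dataclass(frozen=True)
class VerifiedLogin:
    """A past login that completed a second-factor challenge."""
    user: str
    country: str
    at: int


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]
    app: str
    ip: str


# Constructed history: alice travels routinely, bob has only ever verified from the US.
HISTORY = [
    VerifiedLogin("alice", "US", NOW - 20 * DAY),
    VerifiedLogin("alice", "DE", NOW - 2 * DAY),
    VerifiedLogin("alice", "JP", NOW - 12 * DAY),
    VerifiedLogin("alice", "GB", NOW - 25 * DAY),
    VerifiedLogin("bob", "US", NOW - 2 * 3600),
]


def country_of(ip) -> Optional[str]:
    for net, country in GEOIP.items():
        if ip in net:
            return country
    return None


def is_routine_traveller(history: List[VerifiedLogin], user: str, now: int) -> bool:
    seen = {h.country for h in history if h.user == user and now - h.at <= LOOKBACK}
    return len(seen) >= TRAVELLER_MIN_COUNTRIES


def last_verified(history: List[VerifiedLogin], user: str, country: str) -> Optional[int]:
    times = [h.at for h in history if h.user == user and h.country == country]
    return max(times) if times else None


def reverify_interval(history, user: str, country: str, now: int) -> int:
    """How long a verified login from `country` keeps satisfying the off-network rule."""
    if country == HOME_COUNTRY:
        return DAY                      # off-network at home: re-verify daily
    if is_routine_traveller(history, user, now):
        return 7 * DAY                  # routine traveller: periodic re-verification abroad
    return 0                            # never travels: challenge immediately abroad


def decide(req: AccessRequest, history=HISTORY, now: int = NOW) -> str:
    """Return "block", "step_up" or "allow" for one access request."""
    ip = ipaddress.ip_address(req.ip)
    if any(ip in net for net in BLOCKLIST):
        return "block"
    if req.app in SENSITIVE_APPS or set(req.groups) & PRIVILEGED_GROUPS:
        return "step_up"                # sensitive data or privileged group: always challenge
    if any(ip in net for net in CORPORATE_NETS):
        return "allow"                  # on the corporate network, ordinary app
    country = country_of(ip)
    if country is None:
        return "step_up"                # unknown location: default to the challenge
    last = last_verified(history, req.user, country)
    interval = reverify_interval(history, req.user, country, now)
    if last is not None and interval > 0 and now - last < interval:
        return "allow"                  # adaptive: recently verified from here
    return "step_up"
```

The ordering matters: the sensitive-app and privileged-group rules sit above the network and history rules on purpose, so the adaptive relaxation can never remove the second factor from payroll or from an administrator, only from routine access.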

Building Secure Multi-Factor Authentication

Three best practices for engineering and product leaders

Introduction

Volumes have been written about how to design secure authentication for electronic systems. In this brief we provide some practical advice for people building multi-factor authentication for their applications, based on our observations working with engineering and product teams. We explore three ways to increase the security of your MFA feature:

1. Understand and manage the vulnerability of your account recovery flow
2. Protect your login flow from brute force attacks
3. Design to manage tradeoffs between risk, usability, and cost

Throughout this brief we assume that the password has been compromised, and examine the second factor through this lens.

Understand and manage the vulnerability of your account recovery flow

Multi-factor authentication is only as secure as its account recovery flows. In many highly publicized recent cases, attackers have been able to exploit vulnerabilities in the account recovery process to gain control of an account.

For example, Acme's web application provides for MFA based on a soft token app installed on a user's phone and allows the user to enroll a phone number for the purposes of receiving a backup second factor for account recovery in the event that the user is unable to access their soft token. The strength of Acme's second factor now depends on the strength of the telecom provider's processes for authenticating the customer and forwarding calls or SMS. Will the attacker be able to impersonate the user and convince or pressure a customer service rep to route calls or SMS to a number she controls?

Every second factor will need a method for replacement, and so this begs the question of how to develop secure recovery flows. Here are some tips for designing a secure recovery flow for your second factor, noting that different approaches will suit different circumstances:

• Independence of primary and secondary factors. Separate the recovery of the second factor from the recovery of the primary factor. Should an attacker gain access to the primary authentication factor, the second factor becomes immaterial if it can be reset with possession of just the password. Further, the recovery flow for the second factor should be completely separate from the recovery flow for the password. For example, if an email message is the method for recovering the password, make sure to recover the second factor through an altogether separate channel.

• Involve an administrator. An administrator can in many scenarios implement a sophisticated high assurance authentication method. In enterprise scenarios, companies will be in the best position to authenticate members of their own organization through shared secrets derived from the content of the employee's work or profile, the company, and human relationships. One notable approach is to ask an employee's manager to authenticate the user and then authorize IT to execute the MFA reset.
In consumer scenarios an administrator will be able to interrogate a user across a large set of shared secrets. For example, upon onboarding, consumer banking applications will collect a large set of obscure personal details that become shared secrets for the purposes of account recovery. Recent events in the person's history with the application or company can also constitute viable shared secrets. The evaluation of a set of shared secrets can be automated via web or voice and can in many cases provide better assurance than a human through lower vulnerability to social engineering.

• Provide a backup second factor. Many scenarios require an automated method for recovering the second factor (for example, products serving large numbers of users where 1:1 support is prohibitively expensive, or there is a need to reduce operational costs). Enrolling the user in more than one second factor at the time of onboarding allows the user to recover a second factor by completing authentication through a backup second factor. One notable, simple and low cost example is to provide users with a card (either physical or printable) with a set of codes that can be used only once, and that can be used as a backup second factor.

Protect login flows from brute force attacks

As the availability of inexpensive computing resources increases, so does the vulnerability of authentication systems to brute force guessing attacks. However, several simple techniques can be used to significantly improve the security of your multi-factor authentication in the circumstance where the password has been compromised:

• Login flow sequence, rate limits, and account locking. Placing the challenge for the second factor on a page beneath the login page (that is, only after the password has been accepted) has two benefits. First, it protects your user from an attack aimed at locking them out of their account once a failed login attempts limit is reached (with rate limits applied to the primary factor). Second, obscuring the second factor provides an attacker with less visibility into another layer of security. Implement a rate limit and lock policy on the second factor. The probability that a user enters their token incorrectly multiple times is low. As such, your suspicion of attack should grow with each failed attempt. Response times should grow with each subsequent attempt to decrease the aggregate number of attempts possible per unit time, with a complete account lockout (where feasible) upon several consecutive failed attempts. For time-based second factors, manage rate limits according to the life of the token: a six-digit code is one guess in a million, so the number of guesses accepted while a given code is valid is what bounds the attacker's odds.

• Logs and alerts. Collect and analyze unsuccessful second-factor attempts. In the event of several failed second-factor challenges, alert the user or an administrator of this suspicious behavior, and prompt the user to enroll a new token.

• Use an out-of-band token. A second factor that is verified through a channel separate from the primary factor adds extra protection against brute force attacks (and phishing). For example, a popular new factor sends the user a push notification on a mobile phone with details about the authentication request and a prompt to accept or deny the request. This channel is inaccessible to a traditional brute force guessing approach. The residual risk is the user: an attacker who holds the password can send repeated prompts until a tired user taps "accept", so show the request details prominently and consider requiring the user to confirm a number displayed on the login page.

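The rate-limit and lock policy from the first brute-force bullet above, as an added example that is not part of the original guide and not Okta's implementation: a per-account guard that doubles the wait after each failed second-factor attempt, locks the second-factor step after five consecutive failures, and caps the number of guesses accepted per token lifetime so a guesser cannot spend a whole 30-second TOTP window on one code. Times are integer seconds passed in by the caller so the behaviour is deterministic; the constants are assumptions to tune for your own user population.

```python
"""Rate limit, exponential backoff and lockout for second-factor attempts.

Added example, not from the Okta guide. check() is called before a code is
verified and says whether an attempt is accepted right now; record() is called
with the verification result and updates the state. The per-token-lifetime cap
is the "manage rate limits according to the life of the token" rule: with a
six-digit TOTP and ATTEMPTS_PER_LIFETIME = 3, an attacker gets at most three
guesses against each 30-second code.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

BASE_DELAY = 1             # seconds after the first failure; doubles with each further failure
MAX_FAILURES = 5           # consecutive failures before lockout
LOCKOUT_SECONDS = 900
TOKEN_LIFETIME = 30        # TOTP step length
ATTEMPTS_PER_LIFETIME = 3  # guesses accepted per token lifetime


@dataclass
class FactorState:
    failures: int = 0        # consecutive failures since the last success
    next_allowed: int = 0    # earliest time another attempt is accepted
    locked_until: int = 0
    step: int = -1           # token-lifetime window of the last recorded attempt
    step_attempts: int = 0   # attempts (success or failure) recorded in that window


@dataclass
class SecondFactorGuard:
    states: Dict[str, FactorState] = field(default_factory=dict)

    def check(self, user: str, now: int) -> Tuple[str, int]:
        """Returns ("ok", 0), ("wait", seconds) or ("locked", seconds)."""
        s = self.states.setdefault(user, FactorState())
        if now < s.locked_until:
            return ("locked", s.locked_until - now)
        if now < s.next_allowed:
            return ("wait", s.next_allowed - now)
        step = now // TOKEN_LIFETIME
        used = s.step_attempts if s.step == step else 0
        if used >= ATTEMPTS_PER_LIFETIME:
            # Budget for this code is spent; nothing more until the next token lifetime.
            return ("wait", (step + 1) * TOKEN_LIFETIME - now)
        return ("ok", 0)

    def record(self, user: str, now: int, success: bool) -> str:
        """Update state after verification. Returns "ok", "delayed" or "locked"."""
        s = self.states.setdefault(user, FactorState())
        step = now // TOKEN_LIFETIME
        if s.step != step:
            s.step, s.step_attempts = step, 0
        s.step_attempts += 1
        if success:
            s.failures, s.next_allowed = 0, 0
            return "ok"
        s.failures += 1
        if s.failures >= MAX_FAILURES:
            s.failures = 0
            s.locked_until = now + LOCKOUT_SECONDS  # also the point to alert, per the next bullet
            return "locked"
        s.next_allowed = now + BASE_DELAY * 2 ** (s.failures - 1)
        return "delayed"


if __name__ == "__main__":
    guard = SecondFactorGuard()
    t = 0
    for attempt in range(6):
        state, wait = guard.check("eve", t)
        if state != "ok":
            print(f"t={t}: {state} for {wait}s")
            t += wait
            continue
        print(f"t={t}: attempt -> {guard.record('eve', t, False)}")
```

Because the guard is keyed on the account rather than the source IP, an attacker cannot dodge it by rotating addresses; the flip side, as the text notes, is that it only belongs after the password step, so that someone who does not hold the password cannot lock the legitimate user out of their second factor.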
Design to manage risk, usability and cost

The design of a multi-factor authentication feature will have significant implications on security, usability, and cost in any context. A higher assurance second factor can in some cases present the burden of increased hassle for end users and administrators, which can impact the adoption of MFA for your product and thereby decrease security. Here are some best practices for balancing risk, usability and cost:

• Offer a spectrum of options to serve diverse user populations. Different user populations present different levels of risk and hence warrant different levels of assurance. For example, an administrator can have a larger scope of access than an individual user. As such, you may wish to provide relatively stronger second factors for administrators, while offering more convenient options for users. In consumer scenarios different users will have different preferences, and a lower assurance, more convenient option that is actually used may provide more security than a high assurance option that lacks adoption.

• Support federated authentication. In enterprise scenarios many companies are implementing authentication and MFA locally for identities they manage, and federating to resources. This approach allows product development teams to outsource administration of policy and security processes to customers. Enabling customers to implement MFA independently allows them to optimize across the aforementioned considerations according to their specific circumstances and constraints. For example, a customer can design administration of account recovery to suit their specific IT function. This outsourced approach has the added advantage of allowing users to use one token for access to all resources.

Conclusion: Roadmap to MFA Success

To recap, multi-factor authentication is a compelling method for application developers to increase the security of access to their applications. Many steps must be taken to ensure the security of an MFA feature, including analyzing the second-factor recovery flow, designing against brute force attacks, and balancing security, usability and cost.

A modern, automated approach to multi-factor authentication helps take control of credentials to drastically reduce the risk of a data breach. Where should organizations start? We recommend you focus on these key milestones:

1. Eliminate passwords wherever possible
2. Enable strong, unique passwords everywhere else
3. Secure account recovery flows with independent primary and secondary factors
4. Harden critical applications with step-up authentication
5. Apply unified policy to on-premises, cloud, and mobile applications
6. Automate provisioning with accurate entitlements
7. Deprovision at scale, and enable visibility and reporting
8. Roll out centralized, real-time reporting and alerts for all authentication events
9. Integrate your identity management strategy with existing security tools
10. Extend identity and multi-factor authentication to include partners, suppliers, and contractors

Why Okta for MFA?

Okta's modern approach to identity management is uniquely positioned to help businesses take control of both identity and multi-factor authentication to reduce data breaches. With Okta's multi-factor authentication, you can:

Enable strong multi-factor authentication "everywhere"
• Deploy MFA quickly and easily with 5,000 out of the box connections on the Okta application network
• Extend coverage to on-premises applications via support for RADIUS, RDP, ADFS and LDAP
• Facilitate intelligent, contextual access decisions based on device and connection attributes

But to protect against data breaches in a comprehensive way, you need more than strong authentication. With Okta it's easy to:

Centralize identity
• Reduce account management complexity
• Unify access for users to eliminate passwords while simplifying access
• Mitigate risk and reduce identity sprawl by restricting access to services via intelligent SAML connections

Reduce the attack surface
• Automated provisioning and deprovisioning accelerates consistent onboarding, while eliminating orphan accounts
• Extensible for custom applications via SCIM, SDK and Okta's API
• Complete lifecycle management ensures the right level of access to the right applications with access request workflows

Enable rapid response to compromise
• Centralized view into all authentication data across cloud, mobile and on-premises applications
• Identify unusual and suspicious behaviors
• Enrich and enhance your cybersecurity ecosystem investments via Okta's System Log API, including: Splunk, ArcSight, IBM QRadar, Palo Alto Networks, F5 Networks and more

To see how easy it is to administer Okta's Adaptive multi-factor authentication solution and pilot the authentication process, watch this demo.

About Okta

Okta is the leading provider of identity for the enterprise. The Okta Identity Cloud connects and protects employees of many of the world's largest enterprises. It also securely connects enterprises to their partners, suppliers and customers. With deep integrations to over 5,000 apps, the Okta Identity Cloud enables simple and secure access from any device. Thousands of customers, including Experian, 20th Century Fox, LinkedIn, Flex, News Corp, Dish Networks and Adobe trust Okta to work faster, boost revenue and stay secure. Okta helps customers fulfill their missions faster by making it safe and easy to use the technologies they need to do their most significant work.

For more information, visit us at www.okta.com or follow us on www.okta.com/blog.