Reducing the friction of MFA rollout

May 17, 2022
cybersecurity

Image by Sergey Nivens for Shutterstock

By Carlota Sage, guest columnist

You likely already know that multi factor authentication (MFA) is an authentication method requiring two or more different elements for gaining access to resources. MFA adds an extra layer of security to ensuring your users are who they say they are.

But does your internal audience understand the WHY of MFA? Not the what, not the technical how, but WHY we bug them so much to use this?

In my “Six Things” article, I suggested enabling multi factor authentication (MFA) everywhere you can, saying:

“…make sure you communicate this change well ahead of making it, adding in a lot of context on WHY this is important. Don’t just turn it on; you’ll create a lot of unnecessary friction with your users.”

MFA: Why is it?

I have a mantra: “Any friction you add to your users’ process risks becoming an obstacle.”

Think about it. Any friction is an obstacle.

Even something as simple as MFA, for your end users, is an obstacle. You have to help them see it as a part of the process. For that, it either needs to be invisible or they need to understand why they’re doing it.

Invisible MFA is tough! There aren’t many vendors doing this type of MFA. The only one I’ve seen so far is TypingDNA, which has a two-factor authentication method that looks at an individual’s unique typing behavior. Otherwise, you start moving into “zero trust” models (man, I hate that term, but will write on that later!), where you can use factors such as the device serial number before allowing authentication.

The most common form of MFA is, of course, a token or number generated by an application like the Google or Microsoft  Authenticators. There are also hardware tokens such as Yubico’s YubiKey.

But WHY does the user need to do this? “For security” is an answer, but it’s not enough. You have to give users context in order for them to integrate this into their process. I find it’s easier to use analogies; I describe MFA as the deadbolt above their front door knob, which usually has a lock already. Someone very determined may still try to break in, but it will likely take longer or they’ll make enough noise to draw unwanted attention — lowering the risk of a successful breach of the front door.

By taking time to communicate the why, you’ll be making them part of your process and they’ll be much more willing to make MFA part of theirs.

Posted in ITSR Featured Interview