Deploying multifactor authentication successfully requires both an employee-education process and the right tech solution, says ProQuest CTO Roger Valade.
For WillowTree, a Charlottesville, Va.-based developer of mobile apps for Fortune 500 companies, MFA was a no-brainer. If a hacker gains access to its systems, the breach affects not only the company but its customers as well, says Adrian Guevara, vice president of security.
“Our biggest concern is that we are developing solutions we hand over to our clients,” he says. “We want to make sure we’re not the weak link in the supply chain.”
The company’s MFA strategy takes into account that credential loss isn’t a maybe — it’s a given, says Guevara. He and his team read on a daily basis about so-called “credential dumps” — incidents in which usernames and passwords are released onto the public internet — and realized that the company needed to take action to avoid joining that club.
“With a credential dump, the lead time is about three to six months before you find out,” Guevara says. “We’re trying to add an extra layer of protection.”
It’s why MFA was the first thing on his priority list when he joined the firm three years ago. Since user experience and acceptance are a barrier, Guevara started the journey by visiting departments to discuss MFA with the various teams and by making sure the IT team was approachable, so that the implementation would be informed by user wants and needs.
The first MFA implementation was a two-factor messaging option that would text employees with a code when they were trying to log on to applications and systems. However, two years ago, the National Institute of Standards and Technology released digital identity guidelines that pushed WillowTree to update its MFA options. Today, the company uses push notifications from LogMeIn and hardware tokens, giving users a choice about which solution they want to use. The technology has been invaluable, says Guevara. “People are going to pick lousy passwords and people are going to be tricked into sharing their passwords. MFA makes it a nonissue.”
Multifactor Authentication Adoption Is All About the User
ProQuest and WillowTree were lucky — and smart. Thanks to their work gaining end-user buy-in, they didn’t get a lot of user pushback from colleagues, and adoption has been strong. Generally, though, when it comes to MFA, user experience can be the biggest barrier to use and compliance, something Ryan Esparza can confirm.
When Esparza, the CIO of Alpharetta, Ga.-based Jackson Healthcare, a staffing company, implemented an MFA solution on a test basis, the results were not good.
The software was clunky and asked users to reauthenticate too frequently, which impacted productivity, says Esparza. “Turning it on, we realized the user experience was kind of terrible,” he says. “We were testing it with just the IT group, and with certain applications it required reverification over and over. It was a mess.”
The IT department asked business leaders and various department heads about their application use. Ultimately, the company decided on Okta’s MFA solution, rolling it out to all 1,500 user accounts at once. As part of the rollout, Esparza partnered with the company’s internal marketing team to create a marketing campaign.