Security

Businesses Deploy MFA as Worker Resistance Declines

Multifactor authentication is seen as a must-have by more businesses in a world of increasing threats.

Karen J. Bannan is a freelance writer and editor who has written for a variety of publications including The New York Times, The Wall Street Journal, Time and CIO.

When content curation company ProQuest launched in 1938, it had a singular task: to convert newspapers and other documents into microfilm or microfiche. The resulting media was maintained in libraries, and the only security measure required was a library card.

Today, the company deals exclusively with digital content. It offers its customers — mostly schools and colleges — access to more than 1.5 billion documents in its online search platform, which covers six centuries of content. Security is extremely important, because if a threat actor gained access to the network, it could put hundreds of years of knowledge at risk.

The company must also secure customer information in addition to its own, says CTO Roger Valade.

About three years ago, ProQuest took on its security challenge directly, deploying a multifactor authentication solution from Cisco’s Duo Security brand combined with Okta for all of its employee-facing applications, including email and Microsoft SharePoint. MFA is required for secure online access to specific cloud-based resources, including its own service, says Valade.

“Because our products are subscription products, we actually use Okta and Duo as the authentication mechanism for our own employees to access them,” explains Valade. “We’re a very global company. So, having a solution that’s deployed on lots of different varieties of phones, in lots of different languages, is invaluable.”

The Basics of Multifactor Authentication

MFA isn’t a new concept. It’s been around for more than 20 years and has always been just on the cusp of mainstream IT, says Garrett Bekker, a principal analyst in the information security practice at 451 Research.

“I just read a paper that said passwords are terrible and obsolete and are going away in favor of MFA — and it was written in 2001,” Bekker says. “It made me laugh because it could have been written today. Those are very valid statements, but only 53 percent of organizations have implemented MFA.”

The main reason is that MFA requires a huge change for end users, who must authenticate the use of a website or application with more than just a password. There are several different types of MFA, including those that use hardware keys, tokens or biometric data such as a fingerprint. Each provides organizations with a way to ascertain the true identity of a person trying to access a company resource.

Deploying multifactor authentication successfully requires both an employee-education process as well as the right tech solution, says ProQuest CTO Roger Valade.

For WillowTree, a Charlottesville, Va.-based developer of mobile apps for Fortune 500 companies, MFA was a no-brainer. If a hacker gains access to its systems, the breach not only affects the company but its customers as well, says Adrian Guevara, vice president of security.

“Our biggest concern is that we are developing ssolutions we hand over to our clients,” he says. “We want to make sure we’re not the weak link in the supply chain.”

The company’s MFA strategy takes into account that credential loss isn’t a maybe — it’s a given, says Guevara. He and his team read on a daily basis about so-called “credential dumps” — incidents in which usernames and passwords are released onto the public internet — and realized that it needed to take action to avoid joining that club.

“With a credential dump, the lead time is about three to six months before you find out,” Guevara says. “We’re trying to add an extra layer of protection.”

It’s why MFA was the first thing on his priority list when he joined the firm three years ago. Since user experience and acceptance is a barrier, Guevara started the journey by doing department visits to discuss MFA with the various teams and making sure the IT team was approachable so that the implementation would be informed by user wants and needs.

The first MFA implementation was a two-factor messaging option that would text employees with a code when they were trying to log on to applications and systems. However, two years ago, the National Institute of Standards and Technology released digital identity guidelines that pushed WillowTree to update its MFA options. Today, the company uses push notifications from LogMeIn and hardware tokens, giving users a choice about which solution they want to use. The technology has been invaluable, says Guevara. “People are going to pick lousy passwords and people are going to be tricked into sharing their passwords. MFA makes it a nonissue.”

Multifactor Authentication Adoption Is All About the User

ProQuest and WillowTree were lucky — and smart. Thanks to their work gaining end-user buy-in, they didn’t get a lot of user pushback from colleagues, and adoption has been strong. Generally, though, when it comes to MFA, user experience can be the biggest barrier to use and compliance, something Ryan Esparza can confirm.

When Esparza, the CIO of Alpharetta, Ga.-based Jackson Healthcare, a staffing company, implemented an MFA solution on a test basis, the results were not good.

The software was clunky and asked users to reauthenticate too frequently, which impacted productivity, says Esparza. “Turning it on, we realized the user experience was kind of terrible,” he says. “We were testing it with just the IT group, and with certain applications it required reverification over and over. It was a mess.”

The IT department asked business leaders and various department heads about their application use. Ultimately, the company decided on Okta’s MFA solution, rolling it out to all 1,500 user accounts at once. As part of the rollout, Esparza partnered with the company’s internal marketing team to create a marketing campaign.

53%

Percentage of organizations that have implemented multifactor authentication

Source: 451 Research

“MFA has been a good addition because it’s reduced the number of help desk calls for password resets and other problems. We’re in a zero-trust world, so not having this type of security isn’t an option anymore, but we definitely saw other benefits too. Once we went to Okta, the phones stopped ringing and we were confident that the people logging on were who they said they were,” he says.

ProQuest’s Valade says education helped with user compliance as well. Once the company’s more than 2,500 global employees understood what was at stake and how easy two-factor authentication could be, they warmed to the new software.

“We've really trained everyone that, in order to adequately protect our enterprise resources, confirming that not only does the person at the end of the keyboard know their password but has access to their phone, their phone number and their thumbprint is really, really important,” he says.

Users Can Adopt MFA at Their Own Pace

When Ryan Esparza, CIO at staffing company Jackson Healthcare, implemented multifactor authentication from Okta, his staff enrolled 80 enterprise applications that were used across departments. Today, that number has climbed to 2,400 apps.

Esparza didn’t go on a software or cloud spending spree. Instead, his team offered a self-enroll option, letting employees add Okta to apps they needed — a move that brought lots of shadow IT out into the sun.

Today, the company has a better picture of the applications that are connecting to and using its network and can make sure that access is behind a multifactor gateway. The experience helps Jackson keep MFA compliance high.

“When people can protect all of their applications and it works well and works easily, they become your messengers,” Esparza says. “There’s a constant positive vibe around MFA.”

Illustration by David Vogin