Choosing the Best MFA Approach: Device-Based vs Application-Level Multi-Factor Authentication

JumpCloud blog, published 2021-08-06, last modified 2023-01-04. https://jumpcloud.com/blog/differences-system-based-mfa-and-application-level-mfa
The threat landscape evolves constantly. Organizations that do not stay a step ahead of it expose themselves to risk, hence the reliance on strict IT security policies and a wide range of security tools.

However, all of that does little to address the weakest link: user behavior. The average user has dozens of personal and business accounts to manage, so they tend to reuse passwords.

The password they use for admin access to their organization's cloud console may then be the same one that leaks from a dubious social app they signed up for.

Authenticating users with a single password therefore leaves an open attack vector. Identity attacks are rarely stopped by the length or complexity of a password alone. Most password compromises happen either because the user was phished, so the attacker holds the complete password, or because another site where the same password was reused was breached and the leaked credentials are replayed against the organization (credential stuffing).
So what should organizations, particularly those with a large number of users, do to reduce password fatigue and raise their level of security?

The answer is fairly simple. By using Multi-Factor Authentication (MFA), IT organizations can address the weakest link in their security model. A password that has been phished, reused or leaked is no longer sufficient on its own: the attacker also has to defeat a second factor that the stolen password does not give them.

Passwords should still be unique, but adding MFA is transformative for security. Here is how.

What is Multi-Factor Authentication?

Multi-Factor Authentication (MFA) is often referred to as two-factor authentication (2FA); 2FA is simply the common case of exactly two factors. It adds a layer to the sign-in process: the user has to present an additional proof of identity before access is granted.

MFA requires two or more of the following categories of evidence for a successful authentication:

- something you know, such as a password or PIN;
- something you have, such as a phone, an authenticator app or a hardware security key;
- something you are, such as a fingerprint or face.

The factors must come from different categories; a password plus a security question is still only one factor.

In practice the MFA requirement appears once a user has logged in with their password. The system may send a code to their registered phone, require a code generated by an app like Google Authenticator, or require a Universal 2nd Factor (U2F) key. Where the device supports it, it may instead ask the user to scan their fingerprint or face.

This extra layer makes it much harder for a remote attacker to get in. The attacker would need not only the password but also access to a physical device (or, with a biometric, the fingerprint or face) that is in the possession of the actual user.

MFA is not a one-size-fits-all solution, however.
Whether device-based or application-level multi-factor authentication suits an organization better depends largely on its circumstances.

What is Device-based MFA?

Device-based MFA requires the user to clear the second-factor requirement when logging into their device, whether at boot or at the login screen after a lock or logout. To get into the device at all, the user needs their login credentials plus the MFA code.

This significantly reduces the risk of unauthorized access to the device, and it has a downstream effect on the IT resources the device can reach: an attacker who cannot log into the machine cannot use whatever it is connected to. Coupled with full disk encryption, device-based MFA dramatically steps up the security of a device. The two address different threats: disk encryption protects data at rest when a powered-off device is stolen, while login MFA protects a running or sleeping device whose password has been guessed, phished or shoulder-surfed.

Device-based MFA matters because the device is often a conduit to a large part of the organization's IT resources, such as NAS shares and cloud or on-prem applications. If the device is compromised, the data stored locally on it is at risk as well.

Modern cloud-based solutions make device-based MFA much more straightforward; IT admins can enforce MFA at login on Mac and Windows devices, and some solutions support Linux devices as well.

What is Application-level MFA?

Application-level MFA is a more granular approach in which the user clears the second-factor requirement when accessing individual applications. The underlying principle is the same as device-based MFA, but the prompt is more frequent, since users may have to go through it every time they log into an application.

This method suits platform- or device-agnostic environments and organizations with BYOD policies that let employees reach IT resources from personal devices the organization does not manage. It is also a core building block of conditional access: the identity provider can require, skip or step up the second factor depending on the user's location, network or device state.
For example, a user may access an app like Google Drive from a desktop browser or a mobile app, but if MFA is enabled they need to clear the second factor before access is granted.

What factors are the best for each MFA method?

One-time passwords (OTPs) are the most common second factor for both application-level and device-level MFA, and they come in two quite different forms. A code delivered to a registered email address or phone number is an OTP that the server generates and sends; its security depends on the delivery channel, and SMS in particular can be intercepted through SIM swapping or relayed through a phishing page. A Time-based One-Time Password (TOTP) is different: nothing is sent. The authenticator app and the server share a secret enrolled once (usually via a QR code), and each independently derives the current six- or eight-digit code from that secret and the current time, typically in 30-second steps. When a login is detected, the system prompts for the code and grants access only if the code the user types matches the one the server computes.

Push notifications operate similarly to OTPs but are easier on the user. When a login is attempted, the user receives a push notification on their registered device, and access is granted only once the request is accepted. Users tend to prefer push over typed codes because they do not have to enter a number.

If push notifications are implemented via a mobile app like JumpCloud Protect, another layer of security comes for free from the biometrics built into today's phones (facial recognition or fingerprint unlock), because the approval can only be given by someone who can unlock the phone.

Biometrics are a strong authentication factor in their own right. Fingerprint and face scanning are supported by most high-end phones, and many enterprise laptops have a fingerprint sensor or camera-based facial recognition for login. Access to the device is not granted unless the user physically authenticates. On modern devices the biometric template never leaves the device; a successful match unlocks a locally stored key, which is what makes this factor hard to steal remotely.

Physical security keys provide another strong second factor for device-based MFA, and here it pays to distinguish two kinds of hardware. Classic OTP tokens show a rotating code on a small display and the user types it in. They defeat password reuse, but the displayed code can still be phished or read off the screen, because the token does not know which site the user is talking to. U2F (FIDO) keys are plugged into the computer, or tapped via NFC, and answer a challenge with a signature that is bound to the origin of the site, so a response obtained by a fraudulent website is simply invalid for the real one; this is what makes them phishing-resistant. The private key is generated inside the key and cannot be exported, so while an authenticator app on a phone can be compromised remotely, the physical key cannot.

Things to keep in mind when deploying MFA for Devices and Applications

Be mindful of end users' capabilities when deploying MFA for both devices and applications. A solution built around physical keys may be easy for the IT administrators in your organization to adopt but not for staff in a customer support role, for example. MFA accessibility is critical.

1. Use MFA methods that work across Devices and Applications

Some MFA methods suit both device-based and application-level MFA. Where the hardware supports it, fingerprint, facial or even retinal scanning can be used for access control. Push notifications can also be used across devices and applications, and give a low-friction experience to all users, regardless of job title.

2. Convenience for the end user is very important

Ease and convenience for the end user matter a great deal when deploying MFA. The biometric factor is a good choice because it is both strong and very easy to use.

The end user simply places a finger on the scanner or lets the device's camera scan their face. Biometric hardware is faster and more reliable than ever, and because the match happens on the device there is no code in transit (no email or SMS message) for an attacker to intercept or phish, which reduces the exposure further.

Push notifications are becoming the MFA method of choice for applications because they benefit both security and ease of use. They are very easy for the end user, who only has to tap once on a notification on a smartphone that is rarely far away.
With push, the user often also has to enter a PIN or authenticate with a fingerprint or face to complete the action (or did so to unlock the phone), which adds another factor almost seamlessly. Because approval requires possession of the enrolled phone, a remote attacker who has only the password cannot approve the login themselves. What they can do is trigger prompt after prompt and hope the user taps "approve" out of habit or just to make the notifications stop, a technique known as push fatigue or MFA bombing. Number matching closes that gap: the login screen shows a short number that the user must enter in the app, so a blind approval is worthless. The server should also limit how many prompts it sends per user in a given period and alert on repeated denials.

3. Take a more structured approach to your MFA deployment

Organizations that recognize the benefits of MFA often rush to deploy it in one go. That can be counterproductive. Before implementation, educate users to avoid pushback, confusion or a painful rollback, and roll MFA out in stages rather than to everyone at once.
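The push-fatigue defence described above, as an added example that is not part of the original post and not JumpCloud's implementation: a minimal server-side model of push MFA with number matching, single-use prompts that expire, and a breaker that stops issuing prompts when too many are sent to one user in a short period. `PushMfaServer`, its method names and the numeric limits are assumptions chosen for this example.

```python
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple


class PushMfaServer:
    """Hypothetical push-MFA server model; names and limits are illustrative."""

    PROMPT_TTL = 60    # seconds a pending prompt stays valid (assumed value)
    MAX_PROMPTS = 3    # prompts per user per window before lockout (assumed)
    WINDOW = 300       # length of that window in seconds (assumed)

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock                             # injectable for testing
        self.pending: Dict[str, dict] = {}             # login_id -> prompt state
        self.prompts: Dict[str, List[float]] = {}      # user -> prompt timestamps
        self.locked_until: Dict[str, float] = {}

    def start_login(self, user: str, client_ip: str) -> Optional[Tuple[str, int]]:
        """Called after the password check succeeds.  Returns (login_id, number),
        where `number` is displayed ONLY on the login screen, or None when the
        user is locked out because too many prompts were issued recently."""
        now = self.clock()
        if self.locked_until.get(user, 0.0) > now:
            return None
        recent = [t for t in self.prompts.get(user, []) if now - t < self.WINDOW]
        if len(recent) >= self.MAX_PROMPTS:
            # Someone holding the password is hammering the user: stop sending
            # prompts instead of betting that the user never taps "approve".
            self.locked_until[user] = now + self.WINDOW
            self.prompts[user] = recent
            return None
        recent.append(now)
        self.prompts[user] = recent
        login_id = secrets.token_urlsafe(16)
        number = secrets.randbelow(100)  # two-digit challenge, 00-99
        self.pending[login_id] = {
            "user": user,
            "number": number,
            "client_ip": client_ip,
            "expires": now + self.PROMPT_TTL,
        }
        return login_id, number

    def push_payload(self, login_id: str) -> Dict[str, str]:
        """What is sent to the phone.  The number is deliberately absent: the
        app asks the user to type the number from the login screen, so an
        approval given without seeing that screen cannot succeed."""
        entry = self.pending[login_id]
        return {
            "login_id": login_id,
            "user": entry["user"],
            "context": "Sign-in attempt from " + entry["client_ip"],
            "prompt": "Enter the number shown on your login screen",
        }

    def respond(self, login_id: str, user: str, entered: int) -> bool:
        """Called by the authenticator app.  A prompt is single-use: the first
        answer of any kind consumes it, so guessing 00-99 is not an option."""
        entry = self.pending.pop(login_id, None)
        if entry is None:
            return False
        if entry["user"] != user or self.clock() > entry["expires"]:
            return False
        return entered == entry["number"]
```

Because the number travels only to the login screen and the prompt is consumed by the first answer, an attacker who has the password and floods the user with prompts gains nothing from a reflexive tap, and the breaker stops the flood itself after `MAX_PROMPTS` attempts.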