Three years ago, I wrote about the different criteria to consider when choosing a modern two-factor authentication (2FA) solution, in What to Look for in a Modern Two-Factor Authentication Solution.
But the areas of access security and identity have evolved quickly since then. Here are a few updated aspects to look for in a (more) modern 2FA solution, to address the latest risks:
Easy & Fast for Users
It still holds true that the most secure technology is one your users actually want to use. Choose a 2FA solution that has minimal impact on end users, and provides:
- A lightweight 2FA mobile app that doesn’t require users to carry a separate device
- Easy authentication in seconds via push notifications sent to their phone
- Or, a secure USB device plugged into a laptop that only requires one tap to verify their identity
If you choose to use a 2FA mobile app, assure your users that the app will never store their passwords, view their data, or otherwise invade their privacy.
Low-Touch for Admins
A modern 2FA solution is cloud-based, with no hardware or software to install and no servers to set up for deployment. Admins should be able to deploy the solution quickly - in a matter of hours or days, not weeks or months.
User provisioning should be made as easy as possible, too. While smaller deployments can allow users to sign themselves up using self-enrollment, larger groups with thousands of users can enroll via Active Directory synchronization and bulk user imports.
Finally, ongoing management of your modern 2FA solution shouldn’t require dedicated in-house security staff or hours of help desk support. A modern 2FA solution should give admins the capability to easily manage users, phones, tokens (if you choose to use them) and integrations from a single dashboard.
Built-In, Secure Design
Protect Against a Breach - A modern 2FA solution uses asymmetric cryptography to protect against the risk of stolen shared secrets. Attackers can steal shared secrets used to generate token numbers, which they can use to compromise user accounts and organizations. A modern 2FA provider should only store public keys on their servers, and private keys on your users’ devices.
Secure, Compliant Methods - Check that your 2FA provider supports U2F (Universal 2nd Factor), one of the most secure methods, which protects against phishing and man-in-the-middle (MitM) attacks because the device's signature is bound to the site the user is actually on. The National Institute of Standards and Technology (NIST) recommends against using SMS-based 2FA, which can be easily bypassed by attackers.
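As an added example (not Duo's code or any vendor's implementation), the following Go program sketches the asymmetric model described above in simplified U2F style: the service stores only public keys, the device keeps the private key, and every signature is bound to the origin, so a signature captured on a look-alike site fails verification. The origins and key handle are constructed, and the signed data is simplified from the real U2F layout.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// RelyingParty is the service side: it holds public keys only, so a stolen copy forges nothing.
type RelyingParty struct {
	Origin  string                      // the origin users must really be on
	PubKeys map[string]*ecdsa.PublicKey // keyed by credential (key-handle) id
}

// Authenticator is the user's device; the private key never leaves it.
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

// Enroll generates the key pair on the device and hands only the public half to the service.
func Enroll(rp *RelyingParty, handle string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if rp.PubKeys == nil {
		rp.PubKeys = map[string]*ecdsa.PublicKey{}
	}
	rp.PubKeys[handle] = &priv.PublicKey
	return &Authenticator{priv: priv}, nil
}

// signedData binds the challenge to the origin, as U2F binds it to the app ID (simplified: real U2F also signs a presence flag and counter).
func signedData(origin string, challenge []byte) []byte {
	app := sha256.Sum256([]byte(origin))
	d := sha256.Sum256(append(app[:], challenge...))
	return d[:]
}

// Sign runs on the device; the browser supplies the origin the user is actually on.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(origin, challenge))
}

// Verify runs on the service with its own origin, so a signature captured on a look-alike domain fails even with the same challenge.
func (rp *RelyingParty) Verify(handle string, challenge, sig []byte) bool {
	pub, ok := rp.PubKeys[handle]
	return ok && ecdsa.VerifyASN1(pub, signedData(rp.Origin, challenge), sig)
}
```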
Fast, Easy Security Patching - To protect against new vulnerabilities, a modern 2FA solution should send frequent, automatic updates directly to your users’ devices in order to ensure they have the latest security patches.
A modern 2FA solution should also give admins access to authentication logs for reporting, analytics and compliance requirements. Detailed user and device reports, summarized in an at-a-glance security dashboard, should give you visibility into the security health of your users' devices.
Your 2FA solution should also provide APIs to export security logs to your security information and event management (SIEM) system for customized reporting and security analysis, and to meet industry compliance requirements such as PCI DSS, which requires tracking and monitoring security events and all access to network resources.
User Access Policies
More advanced 2FA solutions give your administrators the capability to create user access policies to further strengthen your security profile. Examples of user access policies might include:
- Block authentication requests originating from countries you don’t do business in
- Block requests from anonymous networks, like Tor
- Customize which authentication methods your users can use - require only the most secure methods, like U2F, and restrict the use of weaker methods, like SMS-based 2FA
A modern 2FA solution allows admins to create role-based access policies, organizing users into functional groups based on their job role and the amount of access they need.
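As an added example (not Duo's code or any vendor's policy engine), the following Go program evaluates the three policy types listed above, geography, anonymous networks and permitted methods, and layers a group policy on top of a global one so that a group can only tighten the rules for its members. The country codes, group names and method names are constructed.

```go
package main

// AuthRequest is the context the service has when a login reaches the second factor.
type AuthRequest struct {
	Group     string // functional group from role-based assignment, e.g. "finance"
	Country   string // ISO country code derived from the source IP (constructed here)
	Anonymous bool   // source IP belongs to an anonymizing network such as Tor
	Method    string // factor the user is trying to use: "u2f", "push" or "sms"
}

// Policy is one rule set. An empty allow-list means "no restriction" on that axis.
type Policy struct {
	AllowedCountries map[string]bool
	BlockAnonymous   bool
	AllowedMethods   map[string]bool
}

// Evaluate says whether the request may proceed, with a reason for the audit log.
func (p Policy) Evaluate(r AuthRequest) (bool, string) {
	if len(p.AllowedCountries) > 0 && !p.AllowedCountries[r.Country] {
		return false, "country " + r.Country + " not permitted"
	}
	if p.BlockAnonymous && r.Anonymous {
		return false, "anonymous network source blocked"
	}
	if len(p.AllowedMethods) > 0 && !p.AllowedMethods[r.Method] {
		return false, "method " + r.Method + " not permitted"
	}
	return true, "allowed"
}

// PolicySet layers rules: the global policy applies to everyone, and a group policy can only tighten it for that group's members.
type PolicySet struct {
	Global  Policy
	ByGroup map[string]Policy
}

func (ps PolicySet) Evaluate(r AuthRequest) (bool, string) {
	if ok, why := ps.Global.Evaluate(r); !ok {
		return false, why
	}
	return ps.ByGroup[r.Group].Evaluate(r) // missing group: zero Policy, allows all
}

// ExamplePolicies is a constructed rule set: everyone must come from a country the business operates in and not via Tor; the finance group may use only U2F.
func ExamplePolicies() PolicySet {
	global := Policy{AllowedCountries: map[string]bool{"US": true, "CA": true}, BlockAnonymous: true}
	finance := Policy{AllowedMethods: map[string]bool{"u2f": true}}
	return PolicySet{Global: global, ByGroup: map[string]Policy{"finance": finance}}
}
```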
Low Total Cost of Ownership (TCO)
New 2FA solutions are offered as software as a service (SaaS), eliminating many of the upfront installation and maintenance costs associated with older solutions, including hardware, software, tokens, servers and data centers.
Remember, 2FA technology that is difficult to deploy, use and maintain requires more work from your IT team and help desk support. Ongoing maintenance costs should be covered by design - a modern 2FA solution is managed by full-time security professionals who frequently roll out the latest security updates to users automatically, lessening the load on your IT team.
Plus, 2FA customer support should be responsive and proactive, helping your team through deployment, provisioning, integration and maintenance to reduce the resources needed to support a 2FA solution.
More Resources: Duo vs. Traditional 2FA
How does Duo stack up against traditional two-factor authentication solutions? Find out how to upgrade your security and lower your costs in Duo vs. Traditional Two‑Factor.
Two-Factor Authentication Evaluation Guide
Get more in-depth information by downloading the Two-Factor Authentication Evaluation Guide. In this guide, you will learn how to evaluate a solution based on:
- Security - Does your solution reduce risks, and can it provide visibility into your environment?
- Strategic Business Initiatives - Does your solution support cloud, mobile and BYOD initiatives? And can it fulfill compliance?
- Total Cost of Ownership (TCO) - Does your solution provide more upfront value, or more hidden costs?
- Resources Required - Determine what kind of resources it’ll take to deploy and provision your users.