How to implement MFA for all applications

App Identity Modernization

Written by: Aldo Pietropaolo

We use multi-factor authentication (MFA) every day. It’s rote: we log in to apps and enter our username and password. Then we prove it’s really us, commonly by entering a code sent to our phone or email. This is the standard MFA process. It rose to prominence in the early 2010s as cybersecurity threats increased and stronger authentication methods became necessary.

Today, though, it’s become substandard. Hackers have figured out man-in-the-middle attacks that intercept the authentication process. Because hackers’ technologies continually advance, MFA technologies must constantly work to stay one step ahead. Upgrading MFA technology to passwordless and ensuring, at a minimum, that all applications use MFA is now necessary to stay secure and move toward a Zero Trust security posture. 


MFA mandates: why you should care

The New York Department of Financial Services (NYDFS): The NYDFS cybersecurity regulation requires MFA implementation for regulated financial institutions operating in New York State. This mandate sets a benchmark for cybersecurity standards within the financial sector.

United States: The Cybersecurity and Infrastructure Security Agency (CISA) actively promotes MFA adoption across federal agencies. Executive Order 14028 mandates MFA and other robust cybersecurity practices for federal agencies and their contractors. Several states also have data privacy and security regulations that indirectly encourage or effectively require MFA for businesses handling personal data.

Europe: The General Data Protection Regulation (GDPR) doesn’t explicitly mandate MFA, but it emphasizes strong security measures to protect EU citizens’ personal data, making MFA a practical necessity for many organizations.

Canada: The Office of the Superintendent of Financial Institutions (OSFI) and other regulatory bodies in Canada strongly recommend MFA for financial institutions as part of their cybersecurity best practices.

International: Many countries are updating their cybersecurity frameworks to incorporate recommendations or requirements for MFA adoption.

NIST: The Cybersecurity Framework (CSF) 2.0 provides updated guidance for all organizations with the aim of helping reduce cybersecurity risks. The CSF 2.0 is “a suite of resources that can be customized and used individually or in combination over time as an organization’s cybersecurity needs change and its capabilities evolve.” 

Understanding the evolving regulatory landscape is crucial even if your organization doesn’t currently face a strict MFA mandate. Proactively implementing MFA demonstrates your commitment to cybersecurity and positions you well for future compliance requirements. However, adhering to any of these regulations is difficult across all of your legacy applications.

What are the MFA challenges for legacy applications?

Why can’t you just add MFA to legacy or non-standard applications? The problem for many companies is that their legacy applications aren’t equipped to handle advanced MFA. Many were developed before MFA existed, and most home-grown applications were not created based on standards, so they don’t understand modern protocols. 

You need to make your legacy application more secure, but it’s not easy. That leaves you with some dreaded options—usually rewriting the application to understand multi-factor or passwordless technologies. 

Rewriting an application typically requires hundreds of valuable developer hours and thousands of dollars in labor costs. Because MFA technologies are constantly evolving, this isn’t a one-time investment. Development will most likely be a continuous cycle; it’s like being on the identity modernization treadmill and never being able to get off.

That’s the bad news. But there’s good news, too: you have another option that’s both low on development resources and cost.

How to have MFA on all your apps without rewriting code

Equip your legacy app with the latest MFA technologies by pairing it with Identity Orchestration. You don’t need to change the application itself or touch any code to make MFA work for legacy applications.

Identity Orchestration uses an abstraction layer called an identity fabric that sits between the application and the policies that govern authentication. The Identity Orchestration software determines which assets are sensitive and makes a policy decision to send you to an MFA technology before granting access. 

The platform does this without touching the application itself. 

This solution can be implemented quickly — in just hours instead of months of development work. The latest MFA solutions are always available to you, and you don’t have to worry about being out of compliance with Biden’s executive order for a lengthy period.

Overcoming the challenges of adding MFA to legacy applications

Identity Orchestration resolves additional challenges that often plague applications with built-in MFA technologies.

Built-in MFA

One common business challenge is there isn’t a single authenticator or MFA provider that everyone likes. For example, RSA is ubiquitous in some places, but it’s completely unused in other regions. Your application needs various MFA technologies based on the user and the context. That’s too difficult to handle, even with solutions like Azure and Okta.

An Identity Orchestration platform can do those kinds of contextual checks and support many-to-many relationships very easily. 

Device reliance

There’s also the problem of losing your phone or another physical token. Many MFA solutions rely on devices that can be lost or stolen. Replacements take time, and that means you could be locked out of doing your work for a full day, a week, or longer. MFA can be tuned so strictly toward protection that it ends up locking out valid users.

Identity Orchestration can give you the flexibility to rely on multiple MFA options, with several recovery scenarios that let you keep working without interruption.
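As an added illustration (not Strata’s or any vendor’s code), here is a small Python sketch of the policy decision an orchestration layer makes in front of an unmodified application: it rates how sensitive the requested asset is, picks a step-up factor based on the user’s region and what they have enrolled (the contextual, many-to-many check described under “Built-in MFA”), and falls back to another enrolled factor when the preferred device is unavailable (the “Device reliance” case). All path prefixes, factor names, levels and regions are constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed sample policy: minimum assurance level per protected path prefix.
# 0 = password only, 1 = any second factor, 2 = phishing-resistant second factor.
PATH_POLICY = {"/admin": 2, "/payroll": 2, "/reports": 1}

# Constructed: strength of each factor, and each region's preference order.
FACTOR_LEVEL = {"fido2": 2, "rsa_token": 1, "totp_app": 1, "sms_otp": 1}
REGION_FACTORS = {"us": ["fido2", "rsa_token", "sms_otp"],
                  "eu": ["fido2", "totp_app", "sms_otp"]}


@dataclass
class Session:
    user: str
    region: str
    assurance: int = 0                              # highest level proven so far
    enrolled: list = field(default_factory=list)    # factors the user can still use


def required_level(path):
    """Match the request path against PATH_POLICY on a path-segment boundary."""
    best = 0
    for prefix, level in PATH_POLICY.items():
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            best = max(best, level)
    return best


def decide(session, path):
    """Decision taken before the request is forwarded to the legacy app."""
    need = required_level(path)
    if session.assurance >= need:
        return {"action": "allow", "level": session.assurance}
    # First regional factor the user is enrolled in that is strong enough.
    for factor in REGION_FACTORS.get(session.region, []):
        if factor in session.enrolled and FACTOR_LEVEL[factor] >= need:
            return {"action": "step_up", "factor": factor, "level": need}
    # Nothing usable (e.g. lost device and no alternate factor): fail closed.
    return {"action": "deny", "reason": f"no enrolled factor at level {need}"}


def complete_step_up(session, factor):
    """Called once the MFA provider reports success; raises session assurance."""
    session.assurance = max(session.assurance, FACTOR_LEVEL[factor])
    return session.assurance
```

A user whose hardware key is lost simply has it removed from `enrolled`; the next `decide` call selects the strongest remaining factor that still satisfies the policy, or denies if none does.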

Cybersecurity insurance

Having MFA on all your apps is a must for cybersecurity insurance.  

Add MFA to your legacy applications with Identity Orchestration

With identity orchestration, it is possible to add MFA capabilities to your application without heavy development time or labor costs. Stay compliant, keep your company and customers secure, and ensure you get cybersecurity insurance. 

Protect your company’s sensitive data from cyberattacks. Most importantly, avoid the downward spiral of continually rewriting and updating your application to stay current with evolving technologies. To learn more, read the step-by-step guide to modernizing application identity at scale.
