Top 10 MFA implementation challenges & how to avoid them

Weak password security is the most common means for bad actors to get their hands on sensitive information and cause a breach. When work-from-home became the norm during the pandemic, cybercriminals saw an opportunity. At the peak in 2021, phishing attacks spiked to 220%. In the haste to get remote offices rolling, password hygiene plummeted. And hackers loved it.

Though more people have returned to the office, many still work from home and will not go back. Clearly, passwords alone aren’t enough. Multi-factor authentication (MFA) is a better way to secure your company from a breach, and phishing-resistant MFA has become a priority as a result.

The need for multi-factor authentication (MFA) is understood, but that doesn’t mean adoption is always a smooth ride. While spending on MFA is trending up, making MFA work can be a rough road full of potential implementation challenges.


What is multi-factor authentication?

Multi-factor authentication (MFA) is a security technology that uses multiple ways to confirm a user’s identity when they attempt to sign in to an application. Multiple factors make it more difficult for an unauthorized user to gain access. One example of MFA is a password paired with a text or email confirmation.

MFA is a more robust authentication method than simple password authentication because it asks you to provide something you know (e.g., a username or password), something you own (e.g., a one-time code sent to your phone), and/or something you are (e.g., biometric information).

The objective of MFA is to create a defensive layer to prevent unauthorized access to a device, application, network, or data. If one factor is compromised, there are additional barriers that the threat still has to overcome before reaching the target.


Challenges of implementing MFA

Though successfully implementing MFA can be challenging, it doesn’t have to be. You can introduce MFA throughout your organization if you know the dangers to avoid. Let’s look at the most common challenges of implementing MFA and how to avoid them.

1. Not accurately implementing MFA could negate your organization’s cyber insurance

Cyber insurance is a big deal. To get cyber insurance today, an organization must have all its apps secured with MFA. With the United States government’s Executive Order on Improving the Nation’s Cybersecurity and the Office of Management and Budget’s (OMB) Federal Zero Trust Strategy, ignoring zero trust architecture (ZTA) means getting cybersecurity insurance will be tricky or incredibly expensive, which is a huge frustration and a potential liability.

2. MFA implementation can be costly and time-consuming

If you have to first modernize your apps one-by-one before moving them to the cloud, it takes about six months and millions of dollars per app. Not to mention the opportunity cost of having your valuable developers spend their time retrofitting old technology rather than on innovation. 

3. Low MFA adoption rates

Some companies that implement MFA also make it optional for their employees because they discover the rate of adoption is very low. Even though MFA is just as easy to use as password-only sign-on, people resist making the switch. The reason isn’t surprising. Humans are creatures of habit, especially when it comes to the path of least resistance.

Bottom line: To guarantee widespread MFA adoption at your company, make MFA implementation mandatory. You may see some initial resistance, but people adapt, and the long-term payoff is worth it.

4. Implementing MFA with select users and apps

Implementing MFA is a time- and cost-intensive venture, so it can be tempting to reduce the scope of your implementation. Some organizations apply MFA only to users with access to the most sensitive information or critical applications. A reduced scope won’t give you the protection you need.

Bad actors don’t need direct access to the most sensitive applications to succeed. Any weak point in your system can be exploited to lead to other areas within your system. If an attacker gains access to a low-risk application, it can be an entry point to access sensitive data.

Bottom line: implement MFA across all of your applications and users.

5. Creating more user friction with MFA

It’s possible to treat MFA as an extra step that you tack onto your security policies and procedures. While that simplifies implementation, it also makes daily usability more frustrating. This approach adds friction by complicating sign-on every time a user needs to access the system.

MFA should be handled in a way that improves the authentication process and makes it seamless for your employees. One way to do this is by incorporating adaptive MFA. Adaptive MFA uses contextual information and business rules to determine which authentication methods to use in a particular situation.

Bottom line: use adaptive MFA to grant legitimate users the appropriate level of access with fewer steps and less friction and reduce the risk of unauthorized access.
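The following sketch is an added example, not code from the original article or from any product, showing how contextual signals and business rules can decide when to re-prompt and which factor to ask for. The signal names, weights and time limits are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Signal names, weights and time limits are assumptions for illustration.
@dataclass(frozen=True)
class SignInContext:
    app_sensitivity: str              # "low" or "high"
    device_managed: bool              # enrolled, compliant device
    known_device: bool                # seen before for this user
    network: str                      # "corporate", "home" or "anonymizer"
    country: str
    usual_countries: frozenset
    minutes_since_mfa: Optional[int]  # None = no MFA yet in this session

def risk_score(ctx):
    """Business rules: each unusual signal adds weight and a reason."""
    hits = []
    if not ctx.known_device:
        hits.append(("unrecognized device", 2))
    if not ctx.device_managed:
        hits.append(("unmanaged device", 1))
    if ctx.network != "corporate":
        hits.append(("off-corporate network", 1))
    if ctx.country not in ctx.usual_countries:
        hits.append(("unusual country", 2))
    return sum(w for _, w in hits), [r for r, _ in hits]

def decide(ctx):
    """Return the action (allow, step_up, deny), the factor to ask for, and why."""
    if ctx.network == "anonymizer":
        return {"action": "deny", "factor": None, "reasons": ["anonymizing network"]}
    score, reasons = risk_score(ctx)
    # Higher risk or a sensitive app shortens how long a previous MFA counts.
    if score >= 3:
        max_age = 0            # always re-prompt
    elif ctx.app_sensitivity == "high":
        max_age = 15
    elif score > 0:
        max_age = 60
    else:
        max_age = 720
    if ctx.minutes_since_mfa is not None and ctx.minutes_since_mfa < max_age:
        return {"action": "allow", "factor": None, "reasons": reasons}
    strong = score >= 3 or ctx.app_sensitivity == "high"
    factor = "security_key" if strong else "biometric"
    return {"action": "step_up", "factor": factor, "reasons": reasons}

# Constructed sample: a routine sign-in from the office, MFA done 30 minutes ago.
OFFICE = SignInContext("low", True, True, "corporate", "US", frozenset({"US"}), 30)
```

Every session still needs one MFA before access is allowed; the context only changes how long that MFA stays valid and how strong the next prompt is.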

6. Authenticating with SMS alone

Multi-factor authentication prompts users to authenticate using two or more methods. A standard authentication method is via SMS or text messaging. It’s also an insecure method that can put you at risk of a data breach.

Cyber attackers love to go phishing with SIM-swapping techniques to steal SMS authentication codes. Additionally, SMS messages sent to your desktop are easy prey for an attacker to intercept.

Bottom line: SMS authentication is so insecure that the National Institute of Standards and Technology (NIST) recommends not using it at all. Use alternative authentication methods, such as biometrics, security keys, or magic links.

7. Not going passwordless

SMS isn’t the only insecure authentication method. Passwords are notoriously hated by security professionals. Chances are, your organization sees each of these scenarios every day:

  • Employees use the same password — or a nearly identical one — for every application.
  • Workers use passwords that are easy to remember, which means they’re weak passwords and are easy to discover.
  • Users don’t change passwords regularly (or ever).
  • Employees write their passwords on sticky notes and then stash them under their keyboards. 

Passwords are one of your weakest links in security. But you can eliminate that liability by opting for passwordless authentication. Users can prove who they are without the use of a password — usually by using one of three methods:

  • Biometrics — for example, fingerprint, retina scan, or facial recognition
  • A possession factor — you have something, such as a phone, that only the valid user should possess
  • Magic links — a link that’s sent to your email address 

Bottom line: not only is passwordless authentication more secure, but it’s also more convenient. 

8. Underestimating the impact of MFA on your business

People are naturally resistant to change. And for many, learning a new technology isn’t easy. Before you embark on any significant initiative, get a clear understanding of the people hurdles.  Some typical pitfalls include:

  • Only nominal buy-in from executive leadership. If your company’s leadership team isn’t championing the implementation of MFA, expect the project to be an uphill battle.
  • Too little education. If your employees don’t understand what MFA is and how it will improve their lives, they’ll drag their feet through the process. Over-communicate and be transparent about the entire implementation project. Make yourself available to answer questions and have information available in emails, staff meetings, FAQs, etc.
  • Difficulties adapting. Even if users are willing to change, they may have problems learning the new system. Be prepared for less tech-savvy users to need additional help and training. Research how long similar organizations took to transition, and learn about the training and assistance they used that your people are likely to need.

Bottom line: more resistance means a longer implementation time, which increases productivity loss throughout the organization. Be sure you have this element buttoned up before you begin your MFA implementation, or you could have unwanted business impacts.

9. Deploying all at once

While deploying multi-factor authentication for every user and on every application is the eventual goal, it isn’t wise to do it all at once. Plan out a staged approach to your MFA adoption, and take it in small chunks so that you can learn and correct as you go.

Start with a test group — a small subset of employees who are the only users of a test-case application. This might be your accounting department using a piece of financial software that no one else uses. Implement MFA on the application and train the users on the new process.

Take notes and learn from the experience, then gradually roll out all your applications across the company. There are various rollout approaches you can use:

  • Prioritize the high-risk applications and users first
  • Start with smaller teams and gradually scale larger
  • Implement MFA on the most straightforward applications first

Bottom line: You have several valid options for implementing MFA throughout your organization, but the key is to be strategic in your rollout decision-making.

10. Not implementing MFA on legacy applications

Legacy applications pose a particular challenge for multi-factor authentication: they weren’t built for modern authentication methods. Typically, the only way to implement MFA on a legacy app is to go in and rewrite the code itself. That approach is prohibitively expensive and time-consuming; many times, it isn’t even possible.

Bottom line: As a result, many organizations shrug their shoulders and elect to implement MFA everywhere throughout the company except on legacy systems. But that brings us back to pitfall number two: if you don’t implement MFA on every application, you leave a point of entry for attackers.


How to implement MFA on legacy applications with Identity Orchestration

Fortunately, there’s a solution — and it’s easier than you might expect. You can implement MFA on legacy applications by pairing them with an identity orchestration platform.

An identity orchestration platform is like a proxy that sits between your legacy app and the user. The orchestration platform presents the user with an MFA technology. It does all the authenticating on behalf of the application, then tells the application that the user has passed the sign-on requirements.

Orchestration does all this without touching the legacy application. You don’t need to change any code, and you can implement it on any identity provider. Because no coding is involved, you can implement this solution quickly — in just hours — and inexpensively.
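The proxy pattern described above, as an added sketch that is not Strata's code or any product's interface: the proxy strips identity headers supplied by the client, forwards only after MFA has passed, and signs the identity it asserts so that a check in front of the legacy app can reject requests that did not come through the proxy. Header names, the shared key, the session layout and the app-side check are all assumptions.

```python
import hashlib, hmac, json

# All names here are assumptions for this sketch: header names, the shared
# key and the session layout are not taken from any product.
ID_HEADERS = ("x-auth-user", "x-auth-mfa", "x-auth-ts", "x-auth-sig")
PROXY_KEY = b"constructed-demo-key"   # known only to the proxy and the app-side check
MAX_AGE = 60                          # seconds a signed assertion stays valid

def _sign(user, mfa, ts):
    # JSON-encode the fields so their boundaries cannot be confused.
    msg = json.dumps([user, mfa, ts]).encode()
    return hmac.new(PROXY_KEY, msg, hashlib.sha256).hexdigest()

def proxy_handle(headers, session, now):
    """Proxy side: authenticate the user, then vouch for them to the app."""
    # Drop identity headers sent by the client; only the proxy may set them.
    clean = {k: v for k, v in headers.items() if k.lower() not in ID_HEADERS}
    if not session or not session.get("mfa_passed"):
        return {"status": 302, "location": "/mfa/challenge"}
    ts = str(int(now))
    clean.update({"x-auth-user": session["user"], "x-auth-mfa": "true",
                  "x-auth-ts": ts,
                  "x-auth-sig": _sign(session["user"], "true", ts)})
    return {"status": 200, "forward_headers": clean}

def app_side_check(headers, now):
    """In front of the legacy app: accept only fresh, proxy-signed identity."""
    try:
        user, mfa, ts, sig = (headers[h] for h in ID_HEADERS)
    except KeyError:
        return None
    if not hmac.compare_digest(sig.encode(), _sign(user, mfa, ts).encode()):
        return None
    if mfa != "true" or abs(now - int(ts)) > MAX_AGE:
        return None
    return user
```

Where no check can be placed in front of the legacy app, restricting its network exposure so that only the proxy can reach it serves the same purpose.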

MFA implementation can be done successfully throughout your entire organization — even down to your legacy applications. But the difference between an effective rollout and a painful one is in your planning. Know the challenges and how to avoid them — and don’t leave your legacy applications out of the effort.

Dig deeper into deploying MFA on legacy applications and talk to one of our identity experts today to see how Strata’s Identity Orchestration Platform can help you use MFA for all your apps — no matter where they are.
