Deterred by issues such as cost and complexity, these firms are missing out on something that can significantly improve the robustness of their core IT infrastructure. It’s a situation that needs to change quickly.
Why the reluctance?
MFA combines a number of different factors to improve the sign-on or log-in processes used by an organisation’s staff.
Factors include something an individual knows (a password or phrase), something they have (a hardware token or mobile device) and something they are (a fingerprint or face). These are combined in different ways depending on the organisation’s security requirements and acceptance by users.
Reluctance to make use of MFA techniques comes down to two perceived issues: cost and friction.
Many small and mid-sized companies are deterred by the investment they anticipate will be required and believe the money would be better allocated elsewhere.
Often, company managers think they will need to deploy and manage a new on-premise server to operate the MFA infrastructure and then distribute hardware-based tokens to all users. They see these costs continuing to mount as the tokens need to be replaced or reset over time.
From a user perspective, MFA may be viewed as an imposition that increases friction by complicating their log-on procedures. Having to hunt in a bag for a token and then type in strings of numbers to gain access to IT systems appears more trouble than it’s worth.
MFA has evolved
Thankfully, MFA has evolved to the point where these issues have been resolved. Rather than requiring an on-premise server, MFA services can be delivered using a cloud-based platform as a Software-as-a-Service (SaaS) deployment.
This removes the need for investment in on-premise hardware and reduces ongoing management and maintenance. Users can be added, removed and managed quickly and easily.
For users, rather than needing a dedicated hardware token, codes can be delivered via a mobile phone. This removes the need to carry an extra item and can streamline the process.
Push notifications can be sent by the MFA system to a user’s device. Instead of having to enter a six-digit number, the user can simply respond to the notification with one press on their phone’s screen.
Mark Sinclair is ANZ Regional Director, WatchGuard Technologies