A spike in home workers raises MFA resilience questions

Millions of employees who have been logging in from workstations on corporate networks are now logging in from home or elsewhere on public networks.
Written by Forrester Research, Contributor

In the midst of the coronavirus pandemic, many businesses are asking -- or mandating -- that office-based employees work from home. Millions of employees that have been logging in from workstations on corporate networks are now logging in from home, or elsewhere on public networks. Stronger authentication, and VPNs, that used to be required for a subset of employees, at any given time, become the point of entry for your entire workforce. So, what happens if your multifactor authentication (MFA) provider's infrastructure goes down? 

For organizations that deal with personally identifiable information (PII) and other sensitive information, having remote workers log in with only username/password, even over VPN, is not acceptable. A critical piece of any MFA platform service is a high-availability configuration, to ensure authentication requests are processed if the infrastructure fails or parts of the network are overloaded.

So, let's say you have high availability in place. What happens when the assurances of high availability from a single MFA vendor are not enough, what should the organization do? A client at a banking institution that I spoke with raised some excellent points on the challenges with addressing this: Swapping in a second vendor isn't easy -- there's purchase and licensing, integration to the VPN platform, user provisioning, mobile-app-authenticator setup, VPN client configuration changes, user (re)training, and many other considerations. Building a parallel VPN entry point that uses a different MFA solution is costly and has the same issues as a swap-out. Plus, there is the increased risk of expired tokens, user confusion, and system upkeep. In short, these challenges are daunting to implement and introduce new challenges. Therefore, consider a more targeted approach.

Take the following steps as you develop an MFA resilience plan:

  1. First, ensure that you have high availability in place for MFA and that it is turned on and configured properly.
  2. Account for differences in vendor support for cloud vs. on premise applications. The latter may require you to invest in additional infrastructure, depending on your MFA vendor.
  3. Get SLAs in place, or other written assurances, from your MFA vendor for uptime, including for extreme cases such as a pandemic.
  4. As noted above, rolling out a back-up MFA system from a separate vendor is expensive and difficult. Therefore, identify your most critical apps and users – those that would have a significant impact on your business if down for days or even hours – and build MFA redundancy for those.

This post was written by Senior Analyst Sean Ryan, and it originally appeared here.

Editorial standards