At CoNetrix we've helped many customers implement Multi-Factor Authentication (MFA) over the past year. Most of these implementations have been to support employees working from home or migration to cloud-based services such as Microsoft 365.
Overall I consider MFA to be a positive approach to improving account security and preventing unauthorized access due to phishing or weak passwords. But as MFA becomes more common, are there any "gotchas" that we need to consider?
I recently encountered a situation where a user was getting prompted for an MFA "allow" through a smartphone app when they weren't actively trying to log on. This type of non-interactive login using MFA is potentially dangerous because the user can become desensitized and automatically click "allow" or "approve" without knowing if it's a valid login attempt. Obviously this completely defeats the purpose of using MFA in the first place.
How do we prevent this problem?
- Ensure your MFA solution is configured so it is only used for interactive logins and not background processes or services.
- Train the users they should only see an MFA prompt when they are trying to login, and don't approve logins automatically.
- If the above are not practical or effective, then consider configuring MFA to require the user to enter a code instead of approving through a push alert.
Multi-Factor Authentication is a great solution to provide an additional layer of security to protect our businesses. However like any technology, we need to carefully consider the implementation and how it will affect our employees.