Strengthen security with MFA
Logins that take multiple steps to complete are quickly becoming the norm. Multi-factor authentication (MFA), which involves two or more actions to enter a digital system, is part of any comprehensive cybersecurity system today.
Here, we examine how MFA works and share tips on how to install the systems.
MFA requires users to pass multiple security checks before they can enter an account. Access is granted only if users pass all of them correctly.
Microsoft describes how they deploy MFA: “When you sign into the account for the first time on a new device or app (like a web browser) you need more than just the username and password. You need a second verification method – what we call a second ‘factor’ – to prove who you are.”
Put in cybersecurity terms, access is granted when secure elements are correctly combined. The classic scenario is when users combine something they know (e.g. a password) with a factor they have or can generate (e.g. a temporary code), as well as an element of who they are (e.g. biometrics).
MFA’s benefits include increased security for users and their data, along with quicker security response times. The added layers of security protect individual user accounts. If the MFA fails, a security message is sent to cybersecurity managers.
Most individuals are familiar with MFA from online banking, digital accounts and other protocols, where the security is used to verify identity. For charities looking at MFA, consider what techniques are available. The National Cyber Security Centre outlines a few.
Fast Identity Online 2 (FIDO2) describes an open-source protocol which authenticates identity via common devices, like mobile phones. In essence, the technology sends codes to a trusted device. Users then enter this code as part of the sign-on process.
Additional access keys are sent to the device or computer and need to be obtained through a secure app. The apps generate “challenges” and users need to respond appropriately to gain the code.
Code generators can be hardware or software based. These typically generate a one-time passcode. Common examples are token-based hardware. Some banking platforms use this type of device to produce a code for entry.
Another form of MFA tech is message-based notices, which are delivered to another app, email, or text message.
When considering what tech to use in your MFA system, evaluate options systematically. It’s helpful to think about what risks you’re trying to address and the appropriate way to mitigate them. Weigh the tech that is already in use against further investment.
MFA, despite its benefits, does create additional administrative work for charity staff. Depending on the technology, there could be additional widgets or information needed at hand. To start off with, here are the top tips to get staff on board.
Multi-factor authentication at its core asks users for something only they know, something they have, and something they are. When implementing the tech, ensure that you’re clear on what those elements entail.
Top tip: MFA doesn’t have to be all three elements. Make a risk-based decision.
Rolling out a digital strategy includes communication and education. Make sure that staff are aware of what you’re trying to achieve by sharing the aims of MFA and what risks are being prevented.
Top tip: Offer staff IT support specifically for MFA trouble-shooting. You’ll want to ensure that they are able to access their processes in a timely manner.
Okta suggests brainstorming a list of user needs and access rights. Consider how frequently users need to log on, what data they are accessing, and how many layers of MFA are required.
Top tip: Make sure there’s a back-up factor or user-accessible alternative.
To learn from potential errors, start with a small pilot group. Microsoft leans into this approach and its advantages. They say: “Administrative accounts are your highest value targets and the most urgent to secure, but you can also treat them as a proof of concept for wider adoption.”
Top tip: Learn before rolling out to a wider audience.
Last, keep a record of how MFA access is coming along. Document any new risks, and how the technology might help in avoiding breaches. Review the charity’s cybersecurity insurance and any other policies which might require your systems to have MFA in place.
Top tip: MFA might not be the best or only solution for everyone. Tailor security to suit your needs.