A Spike In Home Workers Raises MFA Resilience Questions
In the midst of the coronavirus pandemic, many businesses are asking, or mandating, that office-based employees work from home. Millions of employees who have been logging in from workstations on corporate networks are now logging in from home or elsewhere on public networks. Stronger authentication, and VPNs, that used to be required for a subset of employees at any given time now become the point of entry for your entire workforce. So what happens if your multifactor authentication (MFA) provider’s infrastructure goes down? For organizations that deal with personally identifiable information (PII) and other sensitive information, having remote workers log in with only a username/password, even over VPN, is not acceptable. A critical piece of any MFA platform service is a high-availability configuration to ensure that authentication requests are processed if the infrastructure fails or parts of the network are overloaded.
So let’s say that you have high availability in place. What happens when the assurances of high availability from a single MFA vendor are not enough? What should the organization do? A client at a banking institution whom I spoke with raised some excellent points on the challenges involved in addressing this: Swapping in a second vendor isn’t easy — there’s purchase and licensing, integration to the VPN platform, user provisioning, mobile app authenticator setup, VPN client configuration changes, user (re)training, and many other considerations. Building a parallel VPN entry point that uses a different MFA solution is costly and has the same issues as a swap-out. Plus, there is the increased risk of expired tokens, user confusion, and system upkeep. In short, these challenges are daunting to implement and introduce new challenges. Therefore, consider a more targeted approach.
Take the following steps as you develop an MFA resilience plan:
- First, ensure that you have high availability in place for MFA and that it is turned on and configured properly.
- Account for differences in vendor support for cloud vs. on-premises applications. The latter may require you to invest in additional infrastructure, depending on your MFA vendor.
- Get service-level agreements in place, or other written assurances, from your MFA vendor for uptime, including for extreme cases such as a pandemic.
- As noted above, rolling out a backup MFA system from a separate vendor is expensive and difficult. Therefore, identify your most critical apps and users — those that would have a significant impact on your business if down for days or even hours — and build MFA redundancy for those.