{"id":7891,"date":"2021-10-05T10:00:00","date_gmt":"2021-10-05T10:00:00","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/2017\/03\/14\/multi-factor-authentication-a-critical-security-tool-for-enterprises\/"},"modified":"2022-08-16T18:39:06","modified_gmt":"2022-08-16T18:39:06","slug":"multi-factor-authentication","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/mobile\/multi-factor-authentication\/","title":{"rendered":"Multi-Factor Authentication (MFA) Best Practices &amp; Solutions"},"content":{"rendered":"<p><em>This post has been updated for 2021.<\/em><\/p>\n<p>Passwords are the most common authentication tool used by enterprises, yet they are notoriously insecure and easily hackable. But even when passwords are secure, it\u2019s not enough. Recently, hackers leaked <a href=\"https:\/\/www.esecurityplanet.com\/threats\/hackers-leak-87000-fortinet-vpn-passwords\/\" target=\"_blank\" rel=\"noopener\">87,000 Fortinet VPN passwords<\/a>, mostly from companies who hadn\u2019t yet patched a two-year-old vulnerability.<\/p>\n<p>At this point, multi-factor authentication (MFA) has permeated most applications, becoming a minimum safeguard against attacks. 
End users tend to be careless with passwords, frequently reusing or sharing their passwords.<\/p>\n<p><strong>Jump to:<\/strong><\/p>\n<ul>\n<li><a href=\"#what-is\">What is multi-factor authentication?<\/a><\/li>\n<li><a href=\"#rise-of-mfa\">Rise of multi-factor authentication<\/a><\/li>\n<li><a href=\"#mfa-can-be-hacked\">MFA can be hacked<\/a><\/li>\n<li><a href=\"#use-cases\">MFA use cases and considerations<\/a><\/li>\n<li><a href=\"#when-mfa-isnt-enough\">Where to look when MFA isn\u2019t enough<\/a>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\">Zero trust network access<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\">Passwordless access<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\">Privileged access management<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\">Identity access management<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>In fact, 62 percent of professionals admitted to sharing passwords over text messages or email and 46 percent said their company shares passwords for accounts used by multiple people. When this is happening, it\u2019s clear that organizations either aren\u2019t using MFA or are finding ways around it.<\/p>\n<p>Clearly, MFA can\u2019t work for everything. Let\u2019s take a look at some best practices for using multi-factor authentication and where you should look when it doesn\u2019t fit the bill.<\/p>\n<h2 id=\"what-is\"><strong>What is multi-factor authentication?<\/strong><\/h2>\n<p>Multi-factor authentication, or MFA, is simply an umbrella term for verifying the identity of end-users with a password and at least one other form of authentication. Initially, security vendors only offered two-factor authentication. Two-factor authentication, called dual authentication or 2FA, added another level to a User ID and password. 
Since then, security vendors have introduced new methods for authentication, which can be layered to create a multi-factor authentication solution.<\/p>\n<p>MFA incorporates at least two of three authentication methods, according to the PCI Security Standards Council:<\/p>\n<ul>\n<li>Something you know<\/li>\n<li>Something you have<\/li>\n<li>Something you are<\/li>\n<\/ul>\n<p>An MFA security solution may also incorporate additional factors, such as geolocation data or a time component. Many services now send alerts or require additional authentication when you log into their service from a new device.<\/p>\n<p>There are several options for achieving each method of authentication. Typically, \u201csomething you know\u201d is simply a user ID and password, but MFA solutions can also require the end-user to submit a PIN or the answer to a secret challenge question, like the ones you often have to answer on your bank\u2019s website.<\/p>\n<p>\u201cSomething you have\u201d traditionally required the use of tokens. A token acts as an electronic cryptographic key that unlocks the device or application, usually with an encrypted password or biometric data. Tokens are generally referred to as either \u201cconnected\u201d or \u201cdisconnected.\u201d Connected tokens are stored on hardware that holds a <a href=\"https:\/\/www.esecurityplanet.com\/networks\/how-to-run-your-own-certificate-authority\/\" target=\"_blank\" rel=\"noopener\">cryptographic certificate<\/a>, key, or biometric data, such as an SD card on a phone, a USB token, tokens kept on smart cards, or an employee key fob. Disconnected tokens are generally only good for one use and can be delivered via RFID or Bluetooth, or users can manually enter them into the computer.<\/p>\n<p>As websites have adopted MFA, \u201csomething you have\u201d has expanded to mean the end user\u2019s credit card or mobile phone, called mobile authentication. 
In mobile authentication, a one-time password (OTP) or PIN is generated and sent to the end user\u2019s smartphone via text, although using an OTP app, a certificate, or a key stored on the phone adds another layer of security. Mobile authentication is often seen as a cheaper and easier <a href=\"https:\/\/www.esecurityplanet.com\/mobile\/multi-factor-authentication\/\" target=\"_blank\" rel=\"noopener\">alternative to biometric authentication<\/a>.<\/p>\n<h3>Biometric authentication<\/h3>\n<p>Identification by \u201csomething you are,\u201d or biometric authentication, relies on either physical or behavioral characteristics. Physical characteristics include retina scans, iris scans, facial recognition, fingerprints, voice recognition, hand geometry, earlobe geometry, and hand vein patterns. Behavioral characteristics include keystroke dynamics, such as measuring the way a user types, how fast, or how long they pause on a given key. While biometrics can require special equipment, some solutions simply leverage the sensors in smartphones.<\/p>\n<p>Biometrics offers the <a href=\"https:\/\/www.esecurityplanet.com\/threats\/the-pros-and-cons-of-advanced-authentication\/\" target=\"_blank\" rel=\"noopener\">most secure method of authentication<\/a>, but there are problems. For example, some people\u2019s fingers don\u2019t always have enough minutiae points for the scanner to pick up, as is the case with workers who do heavy manual work with their hands, burn victims, or people with skin diseases. Attackers can also trick scanners simply by capturing the fingerprint. 
For more on the pros and cons of biometric solutions, as well as a list of select biometric vendors, see <a href=\"https:\/\/www.esecurityplanet.com\/trends\/biometric-authentication\/\" target=\"_blank\" rel=\"noopener\">Biometric Authentication: How It Works<\/a>.<\/p>\n<h3>Passwords alone won\u2019t cut it<\/h3>\n<p>The unfortunate reality is that many people are lazy with their passwords, and even when they aren\u2019t, brute-force attacks can crack many passwords in <a href=\"https:\/\/www.hivesystems.io\/blog\/are-your-passwords-in-the-green\" target=\"_blank\" rel=\"noopener\">less than a day<\/a>. And <a href=\"https:\/\/www.webopedia.com\/definitions\/social-engineering\/\" target=\"_blank\" rel=\"noopener\">social engineering<\/a> can crack even more, considering how many people include family members\u2019 names and birthdays in their passwords. MFA is the bare minimum for securing networks and applications because passwords alone can be too easily hacked.<\/p>\n<h3>Two-factor authentication<\/h3>\n<p>The most common form of MFA is two-factor authentication, sometimes referred to as dual authentication, two-step verification, or 2FA. Two-factor authentication combines a user ID, password, and at least one of two other methods for ensuring user identification. A common approach to 2FA is to require a one-time password (OTP) sent via SMS to a cell phone or a credit card number.<\/p>\n<p>Twitter, Google, Microsoft, Apple, Facebook, and Amazon all use SMS to support two-factor authentication, although they can also use push notifications on smartphones. 
Two-factor authentication is also being deployed for mobile security and by Internet of Things companies such as Nest to secure IoT devices.<\/p>\n<h2 id=\"rise-of-mfa\"><strong>Rise of multi-factor authentication<\/strong><\/h2>\n<p>In recent years, more companies have turned to multi-factor authentication solutions to address their security and <a href=\"https:\/\/www.esecurityplanet.com\/networks\/security-compliance\/\" target=\"_blank\" rel=\"noopener\">compliance<\/a> concerns. A 2021 survey found that approximately <a href=\"https:\/\/www.yubico.com\/blog\/75-of-enterprise-security-managers-plan-to-increase-mfa-spending-according-to-new-study-by-yubico-and-451-research\/#:~:text=MFA%20is%20the%20top%20security,a%20reaction%20to%20COVID%2D19.\" target=\"_blank\" rel=\"noopener\">49 percent of businesses<\/a> adopted MFA in reaction to the COVID-19 pandemic. With more employees working from home, their data was more at risk from weaker networks and personal devices.<\/p>\n<p><a href=\"https:\/\/www.strategymrc.com\/\" target=\"_blank\" rel=\"noopener\">Stratistics MRC<\/a> estimates that the global multi-factor authentication market will reach $13.59 billion by 2022, spurred largely by growth in e-commerce, the increase in online transactions, network security threats, and legislative compliance. Banking, financial services, and insurance industries constitute the largest share of adopters, with North America leading adoption, according to Orbis Research.<\/p>\n<p>But despite early adoption rates, businesses are neglecting their cloud environments when it comes to MFA. According to <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/azure-active-directory-identity\/your-pa-word-doesn-t-matter\/ba-p\/731984\" target=\"_blank\" rel=\"noopener\">Alexander Weinert<\/a>, Director of Identity Security at Microsoft, only 11 percent of enterprise cloud users have adopted MFA. 
And because attackers look for the path of least resistance, that leaves the other 89 percent extremely vulnerable.<\/p>\n<h2 id=\"mfa-can-be-hacked\"><strong>MFA can be hacked<\/strong><\/h2>\n<p>While MFA can prevent a lot of attacks, motivated bad actors aren\u2019t going to let one extra layer of protection stop them. And it\u2019s not hard for them to use social engineering to get around it, or else phishing attacks wouldn\u2019t be so popular.<\/p>\n<p>One way attackers have started to circumvent MFA is by calling victims and convincing them that someone has hacked their account. They tell the person they\u2019re going to initiate a password reset on their end. When the victim receives a one-time password, they read that code to the attacker. Then, the attacker has everything they need to take over the account for good.<\/p>\n<p>Alternatively, attackers can intercept text messages or emails meant to deliver your <a href=\"https:\/\/www.esecurityplanet.com\/threats\/attackers-use-bots-to-circumvent-one-time-passwords\/\" target=\"_blank\" rel=\"noopener\">one-time passcodes<\/a>, preventing you from knowing that anything was amiss. Through channel-jacking, attackers can use a software-defined radio to route incoming messages away from the intended recipient and into their own devices.<\/p>\n<h2 id=\"use-cases\">MFA use cases and considerations<\/h2>\n<p>MFA isn\u2019t just for e-commerce sites or employees. Before adopting a multi-factor authentication solution, consider these other scenarios and issues:<\/p>\n<h3>B2B vendors<\/h3>\n<p>In 2017, New York State introduced new financial regulations requiring banks, insurance companies, and other financial services companies to establish and maintain cyber security programs that meet specific standards \u2014 including examining <a href=\"https:\/\/www.esecurityplanet.com\/networks\/best-practices-for-reducing-third-party-security-risks\/\" target=\"_blank\" rel=\"noopener\">security at third-party vendors<\/a>. 
Yet 32 percent of IT professionals don\u2019t <a href=\"https:\/\/www.esecurityplanet.com\/networks\/companies-dont-evaluate-their-third-party-vendors\/\" target=\"_blank\" rel=\"noopener\">evaluate third-party vendors for security<\/a>, according to a NAVEX Global survey. Don\u2019t be one of them.<\/p>\n<p>Security experts advise IT professionals to protect the entire information pipeline since <a href=\"https:\/\/www.esecurityplanet.com\/networks\/how-to-mitigate-fourth-party-security-risks\/\" target=\"_blank\" rel=\"noopener\">even fourth-party vendors can present a security risk<\/a>. One way to mitigate the risk is to require that vendors include multiple authentication methods. Be sure to outline the restrictive use of access and any repercussions for unauthorized or negligent behavior.<\/p>\n<h3>VPN Authentication<\/h3>\n<p>More employees are accessing enterprise applications and data <a href=\"https:\/\/www.esecurityplanet.com\/endpoint\/remote-workforce-security\/\" target=\"_blank\" rel=\"noopener\">remotely<\/a>, which poses a security risk even with VPNs. Be sure to include VPNs when evaluating MFA solutions. However, as we\u2019ve seen, MFA can be hacked, so employ other security methods with your VPN security in addition to MFA, like <a href=\"https:\/\/www.esecurityplanet.com\/products\/zero-trust-security-solutions\/\" target=\"_blank\" rel=\"noopener\">zero trust<\/a> and least privileged access.<\/p>\n<h3>MFA for services<\/h3>\n<p>VPNs and traditional log-ins aren\u2019t the only way hackers can access corporate data, of course. 
That\u2019s why companies should consider two-factor authentication for services, advised Veracode co-founder and CTO Chris Wysopal.\u00a0 \u201cIf you\u2019ve implemented two-factor authentication for remote access to your company, why aren\u2019t you implementing two-factor authentication with all the services you\u2019re using that also have access to your company\u2019s data?\u201d Wysopal told <em>eSecurity Planet<\/em>. \u201cTry to keep parity with what you already thought was a good idea to do to yourself.\u201d<\/p>\n<p>We saw the effect third parties can have on data vulnerabilities with the <a href=\"https:\/\/www.esecurityplanet.com\/threats\/fireeye-solarwinds-breaches-implications-protections\/\" target=\"_blank\" rel=\"noopener\">SolarWinds breach<\/a> in 2020. By accessing the SolarWinds network, the attackers gained a backdoor into thousands of networks using the service. MFA could potentially have added a layer of protection between the end-users and the threat.<\/p>\n<h3>Independence of the authentication<\/h3>\n<p>If security is a top concern, then look for a solution that offers out-of-band (OOB) authentication. Out-of-band authentication means that the authentication methods are delivered through a different network or channel, which adds another layer to the security. That might be as complex as requiring a physical token or as simple as sending a one-time password (OTP) via text to a smartphone.<\/p>\n<p>One caveat: if the smartphone is also used to submit the OTP, you\u2019ve lost the benefits of out-of-band, since the network is the same. That\u2019s not a small issue, as many employees now use mobile devices to access corporate data, and smartphones can be lost or stolen fairly easily.<\/p>\n<h2 id=\"when-mfa-isnt-enough\"><strong>Where to look when MFA isn\u2019t enough<\/strong><\/h2>\n<p>As threats adapt, so too do security tools. While MFA can do a lot to protect your network, it won\u2019t be enough for every scenario. 
MFA can&#8217;t protect servers, for example, because they contain too much and have too many entry points. Unlike applications that generally have just one way in (the login screen), servers might have different points of access for admins than they do for users or applications.<\/p>\n<p>Additionally, MFA doesn\u2019t work when you\u2019re looking at spoofed login pages, CEO fraud, or links to malware. Because authentication doesn\u2019t matter in these scenarios, it won\u2019t prevent an attacker from stealing your information or infecting your device with malware. Instead, you need other security measures in place to block these actions.<\/p>\n<p>So, what should you have in place when MFA fails?<\/p>\n<h3>Zero trust network access<\/h3>\n<p>Employees shouldn\u2019t be able to put in a password and access every piece of information on a network. They should only get access to the data and systems they need, and even with that, they\u2019ll need to verify their identity before gaining entry. <a href=\"https:\/\/www.esecurityplanet.com\/networks\/how-to-implement-zero-trust\/\" target=\"_blank\" rel=\"noopener\">Zero trust network access<\/a> (ZTNA) guards both the interior and exterior of a business\u2019s network and keeps sensitive data more secure.<\/p>\n<p>Zero trust protects against internal attacks that MFA can\u2019t stop. Unfortunately, internal employees sometimes seek to use company data for their own gain, and they don\u2019t need to get around MFA because they set it up. But, if ZTNA is in place, the employee won&#8217;t be able to access as much data, and they won\u2019t be able to do as much damage. 
Additionally, <a href=\"https:\/\/www.esecurityplanet.com\/products\/best-user-and-entity-behavior-analytics-ueba-tools\/\" target=\"_blank\" rel=\"noopener\">abnormal behaviors<\/a>, like accessing data late at night or from a different location, might automatically lock their account until IT investigates \u2013 a feature that&#8217;s also useful for stopping account takeovers.<\/p>\n<h3>Passwordless access<\/h3>\n<p>Clearly, passwords aren\u2019t as secure as we\u2019d like, but what\u2019s the alternative? <a href=\"https:\/\/www.esecurityplanet.com\/trends\/passwordless-authentication-101\/\" target=\"_blank\" rel=\"noopener\">Passwordless authentication<\/a> relies on something inherent to the person, like biometrics, or something they possess, rather than something they know, as password authentication does. Key fobs are an example of passwordless access.<\/p>\n<p>Passwordless access is easier for individuals to use, meaning they don\u2019t resort to <a href=\"https:\/\/www.webopedia.com\/definitions\/shadow-it\/\" target=\"_blank\" rel=\"noopener\">shadow IT<\/a> practices, and the IT department gets greater visibility into each person\u2019s activity. It can also lower operating costs by reducing both the helpdesk resources you spend helping users reset their passwords and the number of successful phishing attempts.<\/p>\n<h3>Privileged access management<\/h3>\n<p><a href=\"https:\/\/www.webopedia.com\/definitions\/privileged-access-management\/\" target=\"_blank\" rel=\"noopener\">Privileged access management<\/a> (PAM) is similar to zero trust in that each employee only gets access to what they need to do their job, but its focus is only on the sensitive data, rather than the network as a whole. Each employee has a different account level depending on how IT expects them to interact with the data and systems the company uses. 
For example, while an accountant might have privileged access to financial information, they likely wouldn\u2019t get customer records.<\/p>\n<p>PAM limits the number of internal users that have access to sensitive information, so IT can better control its use. Additionally, it applies to both people and applications, helping to protect against third-party vulnerabilities. While PAM may include MFA as a part of authentication, it goes further in providing greater account control and security.<\/p>\n<h3>Identity access management<\/h3>\n<p><a href=\"https:\/\/www.itbusinessedge.com\/security\/best-iam-software\/\" target=\"_blank\" rel=\"noopener\">Identity access management (IAM)<\/a>, like PAM, ensures that employees only get access to the information and systems they need, but unlike PAM, it\u2019s not only concerned with sensitive data. Instead, it encompasses all of the systems on the network and provides an audit trail for compliance purposes. IAM provides a single management console that IT can use to monitor the activity on each account and investigate strange behaviors.<\/p>\n<p>IAM, too, often includes MFA, but it doesn\u2019t rely solely on authentication to protect your data. Instead, it uses MFA as the first line of defense and then implements other features to protect beyond the perimeter.<\/p>\n<p>Overall, MFA is a great tool to incorporate into your cybersecurity infrastructure, but it can&#8217;t be the only one. It will stop a lot of attacks, especially by bad actors looking for the path of least resistance, but you\u2019ll need other security measures in place to stop motivated attackers. 
Zero trust, passwordless access, IAM, and PAM are all good options to consider.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This post has been updated for 2021. 
Passwords are the most common authentication tool used by enterprises, yet they are notoriously insecure and easily hackable. But even when passwords are secure, it\u2019s not enough. Recently, hackers leaked 87,000 Fortinet VPN passwords, mostly from companies who hadn\u2019t yet patched a two-year-old vulnerability. At this point, multi-factor [&hellip;]<\/p>\n","protected":false},"author":175,"featured_media":19465,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_gazelle_contributing_experts":"","footnotes":""},"categories":[18],"tags":[1866,555,7253],"b2b_audience":[34],"b2b_industry":[],"b2b_product":[404,384,381],"class_list":["post-7891","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mobile","tag-biometrics","tag-mobile-security","tag-multi-factor-authentication","b2b_audience-evaluation-and-selection","b2b_product-hackers","b2b_product-identity-management-privacy","b2b_product-network-access-control-nac"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Multi-Factor Authentication Best Practices &amp; Solutions<\/title>\n<meta name=\"description\" content=\"Multi-factor Authentication identifies end users with a password and form of id. Discover the benefits of MFA now.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.esecurityplanet.com\/mobile\/multi-factor-authentication\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Multi-Factor Authentication Best Practices &amp; Solutions\" \/>\n<meta property=\"og:description\" content=\"Multi-factor Authentication identifies end users with a password and form of id. 
Discover the benefits of MFA now.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.esecurityplanet.com\/mobile\/multi-factor-authentication\/\" \/>\n<meta property=\"og:site_name\" content=\"eSecurity Planet\" \/>\n<meta property=\"article:published_time\" content=\"2021-10-05T10:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-08-16T18:39:06+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/assets.esecurityplanet.com\/uploads\/2017\/03\/MFA.jpeg\" \/>\n\t<meta property=\"og:image:width\" content=\"1400\" \/>\n\t<meta property=\"og:image:height\" content=\"927\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Loraine Lawson\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@eSecurityPlanet\" \/>\n<meta name=\"twitter:site\" content=\"@eSecurityPlanet\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Loraine Lawson\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.esecurityplanet.com\/mobile\/multi-factor-authentication\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/mobile\/multi-factor-authentication\/\"},\"author\":{\"name\":\"Loraine Lawson\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/c840dc2e596aa5448a85bb07efd2b57e\"},\"headline\":\"Multi-Factor Authentication (MFA) Best Practices &amp; Solutions\",\"datePublished\":\"2021-10-05T10:00:00+00:00\",\"dateModified\":\"2022-08-16T18:39:06+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/mobile\/multi-factor-authentication\/\"},\"wordCount\":2425,\"publisher\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/mobile\/multi-factor-authentication\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2017\/03\/MFA.jpeg\",\"keywords\":[\"biometrics\",\"mobile security\",\"multi-factor authentication\"],\"articleSection\":[\"Mobile\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.esecurityplanet.com\/mobile\/multi-factor-authentication\/\",\"url\":\"https:\/\/www.esecurityplanet.com\/mobile\/multi-factor-authentication\/\",\"name\":\"Multi-Factor Authentication Best Practices & 
Solutions\",\"isPartOf\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/mobile\/multi-factor-authentication\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/mobile\/multi-factor-authentication\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2017\/03\/MFA.jpeg\",\"datePublished\":\"2021-10-05T10:00:00+00:00\",\"dateModified\":\"2022-08-16T18:39:06+00:00\",\"description\":\"Multi-factor Authentication identifies end users with a password and form of id. Discover the benefits of MFA now.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/mobile\/multi-factor-authentication\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.esecurityplanet.com\/mobile\/multi-factor-authentication\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/mobile\/multi-factor-authentication\/#primaryimage\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2017\/03\/MFA.jpeg\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2017\/03\/MFA.jpeg\",\"width\":1400,\"height\":927,\"caption\":\"Computer showing a shield over a login screen.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.esecurityplanet.com\/mobile\/multi-factor-authentication\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.esecurityplanet.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Multi-Factor Authentication (MFA) Best Practices &amp; Solutions\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#website\",\"url\":\"https:\/\/www.esecurityplanet.com\/\",\"name\":\"eSecurity Planet\",\"description\":\"Industry-leading guidance and analysis for how to keep your business 
secure.\",\"publisher\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.esecurityplanet.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\",\"name\":\"eSecurityPlanet\",\"url\":\"https:\/\/www.esecurityplanet.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png\",\"width\":1134,\"height\":375,\"caption\":\"eSecurityPlanet\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/eSecurityPlanet\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/c840dc2e596aa5448a85bb07efd2b57e\",\"name\":\"Loraine Lawson\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/12\/loraine-lawson.jpeg.256x256_q100_crop-smart-150x150.jpg\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/12\/loraine-lawson.jpeg.256x256_q100_crop-smart-150x150.jpg\",\"caption\":\"Loraine Lawson\"},\"description\":\"Loraine Lawson is a freelance writer specializing in technology and business issues, including integration, health care IT, cloud and Big Data.\",\"url\":\"https:\/\/www.esecurityplanet.com\/author\/loraine-lawson\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}