Aug 01 2023

Setting Up a Secure Multifactor Authentication Solution

Securing your multifactor authentication solution promotes a stronger security posture.

Multifactor authentication is a must-have for university cybersecurity. MFA can reduce the chances of compromise by orders of magnitude, and some experts believe that most ransomware attacks can be prevented by using MFA.

Although there is no firm consensus on exactly how much risk MFA removes, it unquestionably prevents the large class of compromises that rely on a stolen, guessed or reused password alone. What’s more, MFA is increasingly required by cyber insurance companies and cybersecurity standards.

MFA is now considered a best practice for all organizations and an important component of university cybersecurity strategy. However, the strength of MFA solutions varies widely depending on how securely they’re designed, deployed and maintained.

Attackers frequently target authentication solutions, including MFA services, and a poorly secured MFA implementation can provide a way for an attacker to compromise many accounts at once.

You can take the following steps to help ensure that your university’s MFA solution is properly secured — and stays that way.


Design the MFA Implementation with Security and Resilience in Mind

Ideally, your MFA implementation should be as secure as possible and expose the smallest attack surface. But concentrating every authentication decision in one service also creates a new single point of failure: if the MFA service is unavailable, so is everything behind it.

As one of your most important cybersecurity services, your MFA should be designed and implemented with built-in redundancy. This way, the failure of any one MFA component doesn’t cause a denial of service for all of your MFA users.

At the same time, you should architect MFA implementations according to the principles of privileged access management:

  • No one, not even your trusted security and system administrators and engineers, should be able to interact directly with the MFA solution. Route all administrative access through hardened jump servers, and configure the MFA management interfaces to accept connections only from those jump servers so that the path cannot be bypassed.
  • Require strong, phishing-resistant MFA for all MFA administrators. The Cybersecurity and Infrastructure Security Agency recommends that one of the MFA’s authentication factors be a secure physical device, such as a PKI-based smart card or a FIDO/WebAuthn security key like a YubiKey; one-time codes and push approvals do not count as phishing-resistant. It might not be practical for all users to have such devices, but it’s certainly reasonable for your MFA administrators to use them.
  • Check the security posture of all MFA administrators’ computers before allowing them to access the MFA solution. Make sure their computers are fully patched, properly configured, running endpoint protection and operating as expected.
  • Make sure all MFA administrative activities are monitored and logged, with copies of the logs forwarded to a separate, append-only log store that the MFA administrators themselves cannot alter or delete. Review those logs for changes that weaken MFA (bypass codes, policy edits, factor resets) rather than only storing them.


Keep the MFA Software Well Secured

All software components of your MFA, from the MFA applications themselves to the firmware and operating systems they run on, must be effectively secured at all times, from initial implementation through solution retirement. This includes:

  • Verifying the integrity of all software and updates before installation, using the vendor’s published checksums and code-signing signatures rather than trusting the download location alone
  • Keeping all software fully patched and up to date
  • Configuring all software with security in mind, making sure to change default credentials, disable unneeded interfaces and tighten any default settings that might give attackers a way to compromise the system
  • Protecting the physical security of MFA components
  • Replacing any MFA components or MFA solutions that are approaching end of life and will no longer be supported
  • Monitoring all MFA components for indicators of compromise, component failures or any other anomalous behavior that might indicate a security or operational issue, such as administrative sessions that did not come through the jump servers, bursts of denied push notifications against one account, or new bypass codes created outside a change window
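The following is an added example, not code from the article or from any MFA vendor, of the kind of log review the privileged-access list above (jump servers, logged administrative activity) and this monitoring item both call for. It assumes a hypothetical audit export in which each line is one JSON event with the fields shown, a hypothetical jump-host subnet of 10.50.1.0/28, and constructed sample events; all three are assumptions for the example, not facts from the page.

```python
"""Review constructed MFA audit events for three conditions the article warns about.

Added example. The log format, field names, jump-host subnet and sample events are
assumptions made up for this illustration; adapt them to your MFA product's export.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical subnet of the hardened jump servers; admin sessions from anywhere else
# mean the mandatory intermediate hop was bypassed.
JUMP_HOSTS = [ip_network("10.50.1.0/28")]

# Administrative actions that weaken or bypass MFA and should always get a human look.
SENSITIVE_ACTIONS = {"bypass_code.create", "policy.update", "admin.create", "factor.reset"}

# Constructed sample events, one JSON object per line (not real log data).
SAMPLE_LOG = """
{"ts":"2023-07-31T02:14:05Z","actor":"mfa-admin1","actor_type":"admin","src_ip":"10.50.1.4","action":"policy.view","target":"default"}
{"ts":"2023-07-31T02:16:40Z","actor":"mfa-admin1","actor_type":"admin","src_ip":"10.50.1.4","action":"bypass_code.create","target":"jdoe"}
{"ts":"2023-07-31T03:02:11Z","actor":"svc-helpdesk","actor_type":"admin","src_ip":"198.51.100.23","action":"user.view","target":"asmith"}
{"ts":"2023-07-31T03:40:00Z","actor":"asmith","actor_type":"user","src_ip":"203.0.113.9","action":"push.denied","target":"asmith"}
{"ts":"2023-07-31T03:40:45Z","actor":"asmith","actor_type":"user","src_ip":"203.0.113.9","action":"push.denied","target":"asmith"}
{"ts":"2023-07-31T03:41:30Z","actor":"asmith","actor_type":"user","src_ip":"203.0.113.9","action":"push.denied","target":"asmith"}
{"ts":"2023-07-31T03:42:10Z","actor":"asmith","actor_type":"user","src_ip":"203.0.113.9","action":"push.denied","target":"asmith"}
{"ts":"2023-07-31T03:43:00Z","actor":"asmith","actor_type":"user","src_ip":"203.0.113.9","action":"push.denied","target":"asmith"}
{"ts":"2023-07-31T04:30:00Z","actor":"asmith","actor_type":"user","src_ip":"203.0.113.9","action":"push.denied","target":"asmith"}
"""


def parse_events(lines):
    """Yield events in log order with the timestamp converted to a datetime."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        # Accept the common trailing-Z form on older Pythons as well as 3.11+.
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        yield event


def review(lines, push_threshold=5, window=timedelta(minutes=10)):
    """Return (finding, subject, detail) tuples in the order they are detected.

    admin_off_jump_host   admin session whose source is outside JUMP_HOSTS
    sensitive_admin_action one of SENSITIVE_ACTIONS was performed
    push_fatigue          push_threshold denied pushes for one user inside window
    """
    findings = []
    denies = defaultdict(list)  # user -> timestamps of recent denied pushes
    for event in parse_events(lines):
        src = ip_address(event["src_ip"])
        if event["actor_type"] == "admin" and not any(src in net for net in JUMP_HOSTS):
            findings.append(("admin_off_jump_host", event["actor"], event["src_ip"]))
        if event["action"] in SENSITIVE_ACTIONS:
            findings.append(("sensitive_admin_action", event["actor"], event["action"]))
        if event["action"] == "push.denied":
            user = event["target"]
            denies[user].append(event["ts"])
            # Keep only denials inside the sliding window ending at this event.
            denies[user] = [t for t in denies[user] if event["ts"] - t <= window]
            # Fire exactly once, when the count first reaches the threshold.
            if len(denies[user]) == push_threshold:
                findings.append(("push_fatigue", user, push_threshold))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run against the sample, the review flags the bypass code created by mfa-admin1, the svc-helpdesk session that arrived from 198.51.100.23 instead of a jump server, and five denied pushes against asmith inside ten minutes (a push-fatigue pattern); the sixth denial 47 minutes later falls outside the window and is not counted toward the same burst. In production the events would come from the append-only log store, not from the MFA console itself, so that an administrator who tampers with the console cannot also erase the evidence.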


Hope for the Best, but Plan for the Worst

A major compromise or failure of your university’s MFA solution may seem unthinkable. It’s so tempting to tell yourself it will never happen — and hopefully it won’t. But you absolutely need to be prepared in case things go wrong and the unthinkable becomes your reality.

Make sure your incident response, business continuity and disaster recovery plans all take your MFA solution into account. Whether your MFA is affected by a cyberattack, a natural disaster or a facilities problem, you should have plans in place that will enable you to quickly restore your MFA capability.

Your incident response plan also should clearly define the conditions under which your MFA should be taken offline or shut down, and what authentication is permitted while it is down. Quietly letting logins “fail open” without a second factor removes exactly the protection MFA exists to provide, so any fallback should be deliberate, limited and logged.

Once you have those plans in place, make sure that they work. Consider conducting periodic exercises to ensure everyone knows their roles and responsibilities for MFA service restoration. This also is a great way to train new staff.

Of course, you’ll want to regularly back up your critical MFA data and store copies of those backups in a secure offsite location. Because those backups contain authenticator secrets and enrollment data, encrypt them and restrict who can restore them. And don’t forget to frequently test your backup restoration processes to confirm that your backups are valid and that your restoration technologies and procedures are working smoothly.
