Multi-Factor Authentication (MFA) Solution Requirements

#2. Enterprise Access

Your MFA solution should work seamlessly with all your network access systems. For instance, if you use Virtual Private Networks (VPN) to encrypt your data, and provide remote users with a secure connection over the Internet, the solution should work with the VPN. It should also “harden” the VPN to prevent data breaches, and ensure that only authorized users have access.

Similarly, if you may use Secure Socket Shell (SSH) to access remote Linux systems or Remote Desktop Protocol (RDP) to remotely connect to other computers, you should be able to use the MFA solution with these systems. Further, the solution should be able to prevent account hacking attacks on these systems.

Also check if your VPN solution integrates with Remote Authentication Dial-In User Service (RADIUS), and communicates directly with your MFA solution using standard RADIUS protocols.

Does the MFA solution support current (or future) network access systems?

• VPN access
• Wi-Fi access
• SSH/RDP access
• RADIUS integration

#3. Application Integration

If your organization has a Lightweight Directory Access Protocol (LDAP) directory, the MFA solution should integrate with it, either as a software agent installed on your local network, or through LDAP over SSL (LDAPS). Ideally, the solution should also offer tight integrations with other security products and identity solutions to help authenticate users, and simplify network security management.

Also, look for a solution that supports custom integrations with applications and services, both on-premises and in the cloud. It should integrate with these apps via an API, and without the need to rip and replace other solutions?

Does the MFA solution work with all business-critical apps?

• Integration with cloud applications
• Integration with on-premises applications
• Integration with Human Resource Management Systems (HRMS)
• Directory integration, such as Active Directory (AD) or LDAP
• Integration with other identity solutions like password managers and endpoint security

#4. Flexible Authentication Policies

Deploy an MFA solution that allows you to configure granular policies at various levels: per-user, per-application, per-group, and also globally.

Application and group-level policies are important, because they allow you to configure specific protective policies for sensitive applications, or high-risk users. With global policies, you can apply the desired security threshold or baseline across the enterprise.

Also check what kind of admin controls are available. The solution should help admins to better control access to corporate systems, applications, and data, particularly in a zero-trust security environment.

Does the MFA solution enable flexible and sophisticated authentication policies at a granular level?

• Granular policies for different identities, apps, devices, browsers, communities, and contexts
• Allows definition of which factors can be used to verify identities
• Customizable authentication flow
• Intuitive, user-friendly admin console
• Risk-based flow
• Includes documentation around policy configurations

#5. Open Standards Support

The MFA solution must support modern open standards for authorization and authentication. For instance, Security Assertion Markup Language (SAML) allows users to access multiple web applications using one set of login credentials. It can also be used to configure MFA between different devices. Choose a solution that works with SAML to provide an additional authentication measure for authorized users.

Similarly, the OAuth 2.0 (Open Authorization) standard provides an authorization process, so users can seamlessly move between services. It also protects the user’s login credentials. However, it regulates only user authorization, not authentication, so password only-based systems are still vulnerable to cyberattacks. MFA adds one or more authentication factors to verify the user’s identity before granting access, and minimize the threat of attacks.

Does the MFA solution support popular, modern standards for secure connections to web applications?

• SAML
• OpenID Connect
• OAuth 2.0

#6. Developer Support

If your organization needs to closely integrate existing apps with MFA, the solution must provide the necessary developer tools, including Application Programming Interfaces (APIs) and Software Development Kits (SDKs).

Does the MFA solution provide developer tools to customize it, and integrate it with custom applications and third-party systems?

• APIs for MFA registration and lifecycle management
• SDKs for all major platforms and programming languages
• Command line to enroll in MFA and process push notifications
• Client libraries to customize the look-and-feel of the MFA page
• Sandbox environment to safely test MFA in a non-production environment
• Documentation, e.g., developer guides

#7. User Community Support

The MFA solution should be easy to use by all authorized users with minimal friction in their day-to-day work. This includes both internal users like employees (in-office and remote), and external users like third-party vendors, freelancers, suppliers, etc.

The solution should work well even if users have limitations, such as disabilities, lack of smart devices, or poor cellphone networks. They should be able to self-enroll to the system, and choose their preferred authentication options. Finally, it should be easy to onboard users with minimal resistance.

Does the MFA solution support all authorized users that access your systems and data?

• Employees
• IT administrators
• Third-party vendors
• PartnersCustomers

Also, does it support all devices these users may be using?

• Desktops
• Laptops
• Mobile devices
• Onsite and remote devices
• Bring Your Own Device (BYOD)

#8. Reporting

It’s crucial to look for an MFA solution with robust reporting and analytics capabilities. Reports will provide an oversight of your security posture, and help you identify gaps and take steps to improve. Reports are also important for auditing, and to demonstrate compliance.

Does the MFA solution provide reports that enable you to enhance your security based on threat data and also meet compliance requirements?

• Externalize authorization events to third-party SIEM solutions
• Easily accessible from the admin console
• Easy to schedule, generate, and export
• Out-of-the-box and customizable reports
• Detailed authentication logs and audit trails
• Ability to effect system change based on authorization events
• Real-time information about failed/malicious login attempts, security events, unsecured or compromised devices, etc.

#9. Advanced Requirements

Your MFA solution should satisfy all the basic requirements highlighted above. However, many solutions have all these features. To choose the best solution among them, it’s best to compare them based on the advanced requirements given below.

Behavioral Analytics

Does the MFA solution use behavioral analytics to intelligently adapt, and does it require different authentication factors?

• Familiarity signals
• Attack signals
• Anomalies (user behavior and context signals)
• Continuous authentication

Device Trust

Does the solution consider the authentication device being used?

• Device health, including version, tampered, lock, encryption, browser plug-in, and more
• Device reputation
• X.509-based certificates
• Integration with mobile device management (MDM)

General Considerations

Select a solution that can scale to support your future needs, and make sure it is highly available. Also, when comparing prices, don’t be swayed by the low cost of initial setup or onboarding to finalize your choice. Instead, consider the total cost of ownership (TCO), which will change depending on custom integrations, admin controls, use cases, support costs, etc. Look for a solution that can help you minimize admin/overhead costs, and comes with a clear pricing model.