OM-BP-0004: Make MFA Mandatory (Best Practice)

Rationale

If users are given the choice, some users may choose the option that is perceived as the simplest or more comfortable to them.

Bad Practices

• Do not implement MFA.

• Make MFA an optional feature

Implementation Details

N/A

Quotes

1. Allowing MFA to Be a Choice

If you're going to implement MFA, it should not be an opt-in process for end users. Ping Identity's Bird says the most common mistake he sees among customers is rolling it out as a choice or an option.

"When users are given choices without a clear, value-based explanation, they will choose either the method that feels the easiest or they will stay with the method they are already comfortable with," he says. "Security is not an option. Presenting it as one is problematic."

Takeaway: If you're going to implement MFA, make sure its use is mandatory.

Enabling MFA on all personal or work accounts is a critical security practice.

(…) Above and beyond enabling MFA, IT departments should prioritize steps to mitigate lateral movement by attackers; specifically, credential hygiene and network segmentation. To limit the damage of data exfiltration, information rights management can be applied to files. Building protective controls into your network will raise the threshold for attackers, improving your organization’s ability to detect anomalous activity in the environment.

Adopt MFA

Multi-factor authentication can stop credential-based attacks dead in their tracks. Without access to the additional factor, the attacker can’t access the account or protected resource. MFA should be mandatory for all admin accounts and is strongly recommended for all users. The preferred method is to use an authenticator app rather than SMS or voice where possible.

Related Good Practices