Multi-factor authentication solutions are in high demand. Most organisations we talk to have a pretty good idea of where their current authentication systems fall short. But they rarely know what multi-factor authentication solutions are capable of. As a result, they seldom ask the right questions, and instead purchase and force-fit mediocre multi-factor authentication software, resulting in a poor security posture, rough UX, increasing costs, etc.
We want to help prevent that. In this article, you will discover what essential questions you should ask and how to evaluate and compare multi-factor authentication solutions for their:
Organisations looking for multi-factor authentication solutions mostly do so to prevent account takeovers and credential theft. But how can you tell which MFA solution provides the most protection? These are the most important questions you should ask to evaluate a solution’s security impact.
Does the multi-factor authentication solution exclude the use of passwords?
Compromised passwords cause 81% of data breaches. Passwords are susceptible to guessing, man-in-the-middle, social engineering, and other cyber attacks. Organisations that rely on passwords attempt to make passwords secure by requiring users to come up with longer and more complex passwords, which only add friction instead of security. You’re better off not relying on passwords to authenticate. We did a deep dive on that topic here.
Make sure that the solution you’re considering truly is passwordless. Many vendors claim to be passwordless but still rely on passwords as a fallback method.
Also ask the vendor if their solution uses factors from two or more categories. The factor categories are:
- Possession, i.e. what a user has, like an app on a phone.
- Inherence, i.e. what a user is, like a fingerprint or a face scan.
- Knowledge, i.e. what a user knows, like a PIN code.
Multi-factor authentication solutions should, by definition, use factors from two or more categories. Requiring users to use a password and a PIN to log in doesn’t constitute MFA and doesn’t provide much more protection against attackers.
Is the verification of each authentication factor done in zero-knowledge?
Authentication factors shouldn’t be stored on any server, nor should the server learn this data during the authentication process. Learning authentication data could enable an attacker to impersonate the user. If authentication data is stored on servers, you’ll need specific security hardware and the necessary processes to ensure that this data is only known inside this secure hardware.
Does the solution provide strong proof of user login or signature that holds up to a third party, i.e. does it guarantee non-repudiation?
Does the solution rely on cryptography for the possession factor?
A challenge-response pattern based on cryptographic keys establishes a strong form of possession, as the actual authentication factor (i.e., a cryptographic key) is not sent over during authentication. This is not the case with cached passwords or tokens. These are sent to the backend for verification and could thus be intercepted and copied.
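The following is an added illustration, not code from this article or any vendor's product: a minimal challenge-response login in Go, using the standard library's Ed25519. The server stores only the user's public key (the zero-knowledge point made above), the device answers a fresh 128-bit random nonce with a signature so the private key is never transmitted, and each nonce is single-use and time-limited so a captured response cannot be replayed. User names and the 30-second validity window are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"time"
)

// Server stores only public keys: a breach yields nothing an attacker can use to
// impersonate a user. The private key stays on the device (keystore / secure enclave).
type Server struct {
	pubKeys map[string]ed25519.PublicKey
	nonces  map[string][]byte    // outstanding challenge per user
	expires map[string]time.Time // when that challenge stops being valid
}

func NewServer() *Server {
	return &Server{map[string]ed25519.PublicKey{}, map[string][]byte{}, map[string]time.Time{}}
}

func (s *Server) Register(user string, pk ed25519.PublicKey) { s.pubKeys[user] = pk }

// Challenge issues a fresh 128-bit random nonce valid for 30 seconds; guessing
// a valid signature without the key succeeds with probability about 2^-128.
func (s *Server) Challenge(user string, now time.Time) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	s.nonces[user], s.expires[user] = n, now.Add(30*time.Second)
	return n, nil
}

// Verify consumes the nonce (one use only, so a captured response cannot be
// replayed), rejects expired challenges and checks the signature.
func (s *Server) Verify(user string, sig []byte, now time.Time) bool {
	n, ok := s.nonces[user]
	delete(s.nonces, user)
	if !ok || now.After(s.expires[user]) {
		return false
	}
	return ed25519.Verify(s.pubKeys[user], n, sig)
}

// Device side: only a signature crosses the wire, never the key itself.
func Respond(priv ed25519.PrivateKey, nonce []byte) []byte { return ed25519.Sign(priv, nonce) }
```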
What is the level of brute-force security offered?
A brute force attack is a hacking method that uses trial and error to crack passwords, login credentials, and encryption keys. The hacker tries multiple usernames and passwords to test various combinations until they find the correct login information.
Brute-force security is usually expressed in bits and indicates the attacker’s probability of getting lucky and guessing the login details without knowing the cryptographic keys. It also shows the proof value of an authentication. 20-bit corresponds to a likelihood of one in a million of an attacker being correct. Don’t settle for a solution that offers anything less than 128-bit brute-force security. This guarantees protection from all realistic brute-force attacks.
Has the multi-factor authentication solution been penetration tested?
A penetration or pen test is a simulated cyber attack against your computer system to check for exploitable vulnerabilities. This can involve attempting to breach application systems to uncover vulnerabilities. The multi-factor authentication solutions you’re considering should be subjected to these tests.
Will the multi-factor authentication solution help us meet the following requirements: PSD2/Strong Customer Authentication, eIDAS and GDPR?
An MFA solution should help you provide services beyond just logging in. These services might consist of authentication in a banking services app, performing payments, signing documents and other legally sensitive activities. All activities performed with the MFA solution should be non-repudiable and court-admissible. The multi-factor authentication solutions you’re considering should help you meet these mandates.
Authentication flows and methods are instrumental to a frictionless user experience. Long, drawn-out authentication processes can increase your drop-off rate by 7% per second the process takes. There are multi-factor authentication solutions that will help you implement frictionless authentication flows. Here’s how you can ensure that a multi-factor authentication solution is beneficial for your user experience.
Does the solution ensure a minimal number of user interactions and steps to completion?
There are numerous ways to measure the level of friction. The most straightforward way is to count the required user interactions and steps to completion. There are multi-factor authentication solutions on the market that enable your users to log in with a single finger scan without compromising cyber security. We’ve developed an authentication method that uses a biometric scan on the user’s mobile device. Click the button below and discover how it will delight and protect your users.
Can the solution be branded or integrated within our applications? E.g., does the vendor provide white-label components, a comprehensive API and SDKs?
A mobile SDK will help you seamlessly integrate the solution into your app and provide a unified authentication experience, bypassing the need for the user to download a third-party app. The user doesn’t have to leave your app to log in. That’s easier on yourself and the user and will slash your abandonment rate and increase conversions. Our Mobile SDKs recreate the core functionality you need to make your app and web portals completely passwordless. Find out what our Mobile SDK can do for you.
Does the vendor support Android and iOS?
Every solution should support these operating systems.
Can you use the solution for web and non-web applications, e.g., authentication in and between mobile apps, kiosks, etc.?
Numerous multi-factor authentication solutions enable authentication in mobile and web applications. Your user would only need one universal authenticator, preferably embedded into your app. This cancels out the need to purchase, implement, provide and manage various authentication systems.
Does the solution provide the right amount of context to the user to help make informed decisions?
Well-timed context and information are critical ingredients for a frictionless user experience. If the vendor does this right, your users will require a minimum number of interactions to log into your web or mobile app.
Does the vendor provide modules or APIs to allow user self-registration and self-management?
Supporting multiple devices and authentication methods enables users to authenticate even when they don’t have their primary device or can’t authenticate under normal circumstances. Self-service capabilities, such as registering new devices and choosing between authentication mechanisms, lighten the IT team’s administrative load, accelerate user adoption, and are crucial to user retention.
Total Cost Of Ownership
Cost is an important consideration when evaluating multi-factor authentication solutions. Unfortunately, determining the budget required to purchase, implement, deploy, upgrade and manage isn’t straightforward. The following questions will help you gauge the price of multi-factor authentication solutions:
Basic Price Model
Is the vendor's pricing per user, active user, device, integration, authentication, etc.?
Active User Pricing is straightforward, dynamic, and cost-effective. Subscription fees are automatically calculated and adjusted according to exact usage. This price model automatically excludes inactive user accounts in the monthly cost calculation.
Is there a cost associated with every authentication attempt?
If you’re considering multi-factor authentication solutions that rely on SMSes, emails or phone calls, include the associated per-message costs in your cost estimate. The best thing to do, however, is to not pick these types of solutions, for the reasons we mentioned earlier.
Is the solution a SaaS or deployed as a managed service or in-house?
Running software as a SaaS puts most of the responsibility for keeping it running on the provider. This comes with a cost and reduces your control, with strong vendor lock-in. A good SLA is crucial but will increase the price. Running software as a managed service or in-house will enable you to maintain control over the solution, its deployment, the service and performance level, and its costs. Deploying authentication software in the same environment as your other systems reduces issue resolution times and limits the number of suppliers/vendors involved in this process.
Direct Cost Components
Will the solution enable you to save on password resets by not supporting passwords and eliminate SMSes, HSMs and hardware tokens as authentication factors?
Passwords, SMSes, tokens or HSMs all cost money in terms of IT support and upkeep. Organisations pay between €63 and €184 per password reset, and up to 50% of helpdesk calls are password reset-related. That’s a massive drain of person-hours and money to reset accounts or automate account recovery. Enterprises often spend millions on password-related support alone.
SMSes make companies haemorrhage money, paying up to 15 Eurocents per SMS. Plus, they’re susceptible to phishing and social engineering. Hardware authentication factors are considered safer than SMSes, but they must be purchased and replaced if broken or lost. Passwordless multi-factor authentication solutions will help you cut these costs altogether.
End-user Rollout and Migration Costs
Can you roll out the solution using our in-house resources?
Strategic Business Value
Most organisations purchase a multi-factor authentication solution to solve 1 or 2 specific problems. We think that an MFA solution should do more. It should also satisfy your business needs. Evaluate multi-factor authentication solutions’ impact by asking these questions.
Does the MFA solution align with our deployment model?
The multi-factor authentication solutions you’re considering should seamlessly align with your deployment model. It should be able to run on-premise or in any cloud environment, no matter the cloud’s ownership, scale and access. This will make it more likely for you to satisfy the needs you’re trying to meet with your deployment model.
Will the solution enable us to keep control over our users' authentication process?
The solution should enable you to fully own the authentication process. This matters for three reasons: firstly, it allows you to seamlessly determine the process and keep your users in your environment. Secondly, a third-party MFA solution provider would know how, where and when your user logs into their account, which poses privacy issues. Thirdly, because a third-party authenticator provider stores your users’ data, that provider presents an additional risk to an organisation’s security posture.
Is the multi-factor authentication solution compatible with other business initiatives, such as enabling remote work or onboarding cloud applications? And can it integrate with our Single Sign On (SSO)?
Your solution should enable your organisation to facilitate these initiatives rather than hamper them. Find yourself a multi-factor authentication solution that allows for authentication across all devices and locations without compromising the user experience (UX) or your cyber security.
Does the authentication solution support the full breadth of users' authentication use-cases?
Make sure that the MFA solution you’re looking at satisfies all your needs. To do that, inventory all your authentication systems and flows and evaluate each for its strengths and weaknesses. This will enable you to draw up requirements for every authentication use case in your organisation. The next step is to find a vendor that is receptive to these requirements and can cater its offering to your needs. Avoid vendors and solutions that aren’t adaptable to your authentication use cases.
Is the vendor willing and able to extend their product offering, potentially with third-party technology, to precisely solve your authentication challenges?
This ties in with the previous point. Your vendor should provide more than an MFA solution. It should also offer stellar support and customer service. Some vendors provide a one-size-fits-all solution and get away with it based on their reputation and size. Choose vendors willing to adjust and cater to your needs instead of forcing you to fit their multi-factor authentication solutions into your systems.
Integrating a multi-factor authentication solution can be a long-drawn and costly affair. These are the questions you should ask the vendor you’re interviewing to ensure it’s not.
Analysis and Proof of Concept
Does the vendor provide you with a solution that meets your requirements?
The first requirement for a smooth and budget-friendly integration is for the multi-factor authentication solution to meet your needs. We’ve brought it up before. Beware of vendors that aren’t willing to adjust their offering to your demands.
Do you have the opportunity to run a proof of concept?
While some organisations pass on a proof of concept, we advise you to run one. It’s a trial run that will help determine if an MFA solution is viable in your system and meets your organisation’s requirements. It’s critical that the vendors you’re in talks with allow proofs of concept.
The actual deployment of software often is a heavy burden on an organisation. Many person-hours and budgets spent on additional tools are wasted during this critical phase. To cut these costs and efforts, your vendor and multi-factor authentication solution should provide various features. You should ask these questions to assess whether an MFA solution is easy to deploy.
Is the multi-factor solution cloud-agnostic?
That is, can you use the solution in all cloud deployment models? Cloud-agnostic solutions make it easier to deploy the solution right next to your cloud-hosted applications, regardless of the cloud providers you use and intend to use in the future. Do not be locked into one specific cloud provider because of your multi-factor authentication solution.
Does the solution include RESTful APIs, SDKs, or plugins?
A RESTful API, mobile SDKs, plugins and an integrated IdP via SAML or OIDC guarantee quick integration into your applications and systems and help you maintain control over your cyber security infrastructure. These simplify integration into other applications and make it easier for your developers to quickly add authentication and get back to developing new, strategic features that increase business value.
Based on this overview, choosing the right MFA solution can be daunting, especially considering that the questions in this article are just the basic ones. To make evaluating MFA solutions and MFA vendors easier for you, and to find the best MFA solution for your organisation, we’ve developed the Requirement Checklist for Multi-Factor Authentication Solutions. This checklist helps organisations evaluate and compare multi-factor authentication solutions for all the criteria you just read. On top of that, you’ll be able to evaluate your current authentication systems, too. Click the banner below and get your free Requirement Checklist for MFA solutions.