Multi-Factor Authentication (MFA): Enterprise Strategy and Market Assessment

Authors

Doug Simmons – Principal Consulting Analyst

Gary Rowe – CEO/Principal Consulting Analyst

John Myracle – Principal Consulting Analyst

Sorell Slaymaker – Principal Consulting Analyst

Abstract

Multi-Factor Authentication is gaining traction as a best practice for enterprise security programs. It is based on the premise that traditional, single-factor authentication schemes (like IDs and passwords) are relatively easy to break and as threats escalate, simply not good enough. It is a good time to consider making MFA a cornerstone of your enterprise IAM infrastructure given improved MFA vendor offerings and the inherent weaknesses of phishing-vulnerable password-based authentication. Requiring multiple factors from different categories for high risk or high-value transactions is the emerging security best practice standard.

A great MFA strategy consists of utilizing multiple sources of identity along with a set of business rules and information that can dynamically identify the degree of certainty of a user’s identity, while also being convenient to the user.

This report starts by looking at the basic components and use cases for MFA, then evaluates the types of MFA approaches currently being deployed, the impact of MFA on the enterprise and provides a review of our short-list of vendors and solutions. We also leverage our consulting experience in providing a pragmatic checklist or starting point for organizations looking to architect, prototype, build/source and deploy an MFA solution for their enterprise.  We then conclude with a set of recommendations and next steps.