A guide to MFA prompt frequency: How often should you require MFA?
Optimize multi-factor authentication (MFA) prompt frequency to solve this often-overlooked aspect of MFA implementation.
Published May 30, 2023
Every year, cybercriminals have more opportunities to exploit vulnerable user accounts and gain unauthorized access to corporate networks. Stolen or compromised credentials are among the most expensive causes of a data breach, at around $4.5m per breach, and they are also the most common initial attack vector.
To protect key assets, organizations can (and should) implement multi-factor authentication (MFA). MFA adds an extra layer of protection to the login process by prompting users for additional verification before granting access. If a genuine user’s credentials fall into the hands of a threat actor, MFA will request further proof of identity — blocking many unauthorized access attempts.
But getting MFA right can be a challenge. You need to protect your systems from unauthorized logins without making life difficult for your end users.
In this blog, we will discuss practical strategies for optimizing MFA prompts — in other words, how to figure out how often you need to require MFA. By applying best practices, you can implement robust security controls and minimize frustration.
MFA requires users to provide additional verification beyond a password. When users log in with their credentials, the MFA system will ask them to provide further proof of identity. This adds protection to user accounts should a cybercriminal obtain the user’s credentials.
There are many different ways to request additional verification. Generally, MFA methods fall into one of three categories:
Something the user knows: a password, PIN or passphrase.
Something the user possesses: a hardware token or security key, an authenticator app (push notification or one-time password, OTP), or a code delivered via SMS. Of these, SMS codes are the weakest, since they can be intercepted through SIM swapping.
Something the user is: biometrics such as a fingerprint or facial recognition.
Because the password already covers the "knows" category, a genuine second factor should come from a different category.
By verifying the user’s identity in multiple ways, organizations can decrease the success rate of unauthorized access attempts.
Optimizing MFA prompt frequency is essential for balancing security and usability. It is tempting to assume that more frequent prompts mean more protection, but that is not always true. Prompting at every connection trains users to approve prompts reflexively, which is exactly what MFA fatigue (push-bombing) attacks exploit, and it lowers productivity.
What’s the right frequency for your team? There’s no black and white answer, but try to define what sufficient access protection looks like for your team, while minimizing disruption.
Based on our work with thousands of clients, we’ve pulled together best practices to help you implement MFA well.
To strike the right balance, businesses and organizations need to implement security measures that are effective and appropriate for their specific risks, while ensuring a convenient and efficient user experience. Too many prompts leave users frustrated, increasing abandoned login attempts and mistakes.
Any compromised user account is, of course, a huge security concern. While it’s important to implement MFA across all users, you can adjust the frequency of prompts to the risk level of the user, group or OU (organizational unit).
You might require additional verification on every login for administrator-level or privileged accounts, for example. Meanwhile, you could configure other policies for standard accounts or users with limited access to sensitive information.
Research common MFA methods, and ensure that your MFA solution offers flexibility to let you choose more than one secure method.
For example, we often see admin-level accounts authenticate with hardware tokens or keys, while “average” end users authenticate with a push notification or authenticator app. Or, you might offer different options to remote or hybrid employees, using a hardware token in the office, and push notifications when they’re out of office (and may be prompted more frequently for MFA). It’s all about balance.
The risk levels of your accounts and services change over time. Likewise, changes in user behavior might mean your security settings are no longer adequate. By checking system logs, understanding usage patterns, and regularly reviewing prompt frequency settings, you can ensure that security measures remain up-to-date and effective.
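The review described above can be partly automated. The following is an added example, not UserLock's own tooling, that reads an MFA event log and surfaces two things a reviewer wants: users who are prompted so often that fatigue is a risk (candidates for a longer re-prompt interval), and bursts of denied or unanswered push prompts followed by an approval, which is the push-bombing signature. The log format, field names, sample lines, and thresholds are all constructed for illustration; map your product's fields onto the same keys.

```python
"""Added example (not UserLock's own tooling): review MFA events to find users
who are prompted too often and bursts of refused pushes that look like
push-bombing. The log format is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one line per MFA prompt, '<ISO-8601 UTC> key=value ...'.
SAMPLE_LOG = """\
2023-05-29T08:02:11Z user=alice result=approved method=push conn=remote
2023-05-29T09:15:40Z user=alice result=approved method=push conn=remote
2023-05-29T10:30:02Z user=alice result=approved method=push conn=remote
2023-05-29T11:47:19Z user=alice result=approved method=push conn=remote
2023-05-29T13:05:55Z user=alice result=approved method=push conn=remote
2023-05-29T14:22:08Z user=alice result=approved method=push conn=remote
2023-05-29T16:01:33Z user=alice result=approved method=push conn=remote
2023-05-29T08:10:00Z user=bob result=approved method=push conn=local
2023-05-29T09:00:00Z user=carol result=approved method=token conn=local
2023-05-30T02:10:14Z user=bob result=denied method=push conn=remote
2023-05-30T02:12:40Z user=bob result=timeout method=push conn=remote
2023-05-30T02:15:02Z user=bob result=denied method=push conn=remote
2023-05-30T02:16:51Z user=bob result=timeout method=push conn=remote
2023-05-30T02:18:30Z user=bob result=approved method=push conn=remote
2023-05-30T09:05:00Z user=carol result=approved method=token conn=local
"""


def parse_log(text):
    """Parse each line into a dict with a parsed 'ts' plus the key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def prompts_per_user_day(events):
    """Count prompts per (user, calendar day), regardless of outcome."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["user"], e["ts"].date().isoformat())] += 1
    return dict(counts)


def fatigue_candidates(events, max_per_day=6):
    """Users prompted more than max_per_day times in a day: candidates for a
    longer re-prompt interval or a remembered-device rule."""
    return sorted((user, day, n)
                  for (user, day), n in prompts_per_user_day(events).items()
                  if n > max_per_day)


def push_bomb_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Flag users with >= threshold denied/timed-out pushes inside `window`.
    A burst followed by an approval within the window is the classic
    fatigue-attack signature and deserves an incident, not just a policy tweak."""
    by_user = defaultdict(list)
    for e in events:
        if e["method"] == "push":
            by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        failed = [e["ts"] for e in evs if e["result"] in ("denied", "timeout")]
        for i, start in enumerate(failed):
            in_window = [t for t in failed[i:] if t - start <= window]
            if len(in_window) >= threshold:
                end = in_window[-1]
                approved_after = any(
                    e["result"] == "approved" and end < e["ts"] <= start + window
                    for e in evs)
                findings.append({"user": user, "start": start,
                                 "failed": len(in_window),
                                 "approved_after": approved_after})
                break  # one finding per user is enough for a review pass
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("fatigue candidates:", fatigue_candidates(evs))
    print("push-bomb bursts:", push_bomb_bursts(evs))
```

On the sample, alice's seven remote prompts in one day mark her as a fatigue candidate, while bob's four refused pushes at 02:10 followed by an approval at 02:18 are reported as a burst with an approval after it; the thresholds are starting points to tune against your own baseline.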
Depending on your MFA provider, you may receive some support on system setup. When you onboard UserLock, you receive guidance on implementing MFA policies, including help with frequency, granular settings, and best practices.
When optimizing your prompts, it can be helpful to regularly:
Review your frequency settings to make sure they match your risk levels
Check device settings to ensure users can only connect from permitted devices, reducing your potential attack surface
Install any necessary software updates
Most MFA solutions allow some level of customization around MFA prompts. The more granular the customization, the easier it will be for you to set up MFA for long-term success.
There are two ways to customize MFA prompts: how you set up the prompts and the text of the prompt itself.
You can enable MFA for any user, group or OU in your domain for all logons, unlocks and reconnections to interactive sessions.
The key to MFA is only prompting when needed.
With granular MFA, you have the choice to apply MFA by the type of operating system (Workstation or Server), the connection type (Local or Remote), and the frequency with which MFA is asked (at every connection, every N days). With UserLock, security teams can also tailor their MFA settings to require MFA by user, device, workstation, location, or country.
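To make the risk-based frequency rules from the earlier section and the granular dimensions listed here concrete, the following is an added example, not UserLock code, of a prompt-frequency policy evaluated at each logon. It maps a logon to a risk tier (privileged group membership or a server logon) and a connection type (local or remote), looks up a re-prompt interval, and additionally forces a prompt whenever the device or country differs from the last verified logon. The group names, tiers, intervals, and scenarios are assumptions chosen for illustration.

```python
"""Added example (not UserLock code): a prompt-frequency policy that maps a
logon's risk tier and connection type to a re-prompt interval. Group names,
tiers and intervals are assumptions; substitute your own."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Set

# Assumed AD groups whose members count as privileged.
PRIVILEGED_GROUPS = {"Domain Admins", "Server Operators"}

# Assumed policy table: (risk tier, connection type) -> re-prompt interval.
# None means "prompt at every connection".
POLICY = {
    ("privileged", "local"): None,
    ("privileged", "remote"): None,
    ("standard", "local"): timedelta(days=7),
    ("standard", "remote"): timedelta(days=1),
}


@dataclass
class LogonContext:
    user: str
    groups: Set[str]
    connection: str        # "local" or "remote"
    machine_type: str      # "workstation" or "server"
    device_id: str
    country: str
    now: datetime


@dataclass
class MfaState:
    """What is remembered from the user's last successful MFA."""
    last_verified: Optional[datetime] = None
    device_id: Optional[str] = None
    country: Optional[str] = None


def risk_tier(ctx):
    # Privileged group membership or a server logon puts the logon in the strict tier.
    if ctx.groups & PRIVILEGED_GROUPS or ctx.machine_type == "server":
        return "privileged"
    return "standard"


def should_prompt(ctx, state):
    """Return (prompt, reason). Prompt when the tier demands it, when the
    interval has elapsed, or when the device or country differs from the
    last verified logon (a context change overrides a still-valid interval)."""
    interval = POLICY[(risk_tier(ctx), ctx.connection)]
    if interval is None:
        return True, "tier requires MFA at every connection"
    if state.last_verified is None:
        return True, "no prior MFA on record"
    if state.device_id != ctx.device_id:
        return True, "new device"
    if state.country != ctx.country:
        return True, "country changed"
    if ctx.now - state.last_verified >= interval:
        return True, "interval elapsed"
    return False, "recent MFA on a known device"


def record_success(ctx, state):
    """State to store after a successful second-factor verification."""
    return MfaState(last_verified=ctx.now, device_id=ctx.device_id, country=ctx.country)


def run_scenarios():
    """Constructed scenarios; returns {name: prompt?} so results can be checked."""
    now = datetime(2023, 5, 30, 9, 0)
    verified_2d = MfaState(last_verified=now - timedelta(days=2),
                           device_id="WS-042", country="FR")

    def ctx(user, groups, conn, machine="workstation", device="WS-042", country="FR"):
        return LogonContext(user, set(groups), conn, machine, device, country, now)

    scenarios = {
        "admin_local": (ctx("admin", ["Domain Admins"], "local"), verified_2d),
        "standard_local_recent": (ctx("alice", ["Staff"], "local"), verified_2d),
        "standard_remote_stale": (ctx("alice", ["Staff"], "remote"), verified_2d),
        "standard_local_new_device": (ctx("alice", ["Staff"], "local", device="LT-7"), verified_2d),
        "standard_local_new_country": (ctx("alice", ["Staff"], "local", country="US"), verified_2d),
        "standard_server": (ctx("alice", ["Staff"], "local", machine="server"), verified_2d),
        "first_logon": (ctx("bob", ["Staff"], "local"), MfaState()),
    }
    return {name: should_prompt(c, s)[0] for name, (c, s) in scenarios.items()}


if __name__ == "__main__":
    for name, prompt in run_scenarios().items():
        print(f"{name:28s} prompt={prompt}")
```

The ordering of the checks is the point: the interval is only consulted after the tier and the context-change rules, so a standard user on a familiar workstation is left alone for a week, the same user connecting remotely is re-verified daily, and any administrator or server logon is verified every time regardless of history.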
It’s also helpful to customize the text your end-users will see when they are prompted to complete MFA. UserLock allows you to completely personalize the MFA prompt your end users will see.
UserLock users can also enable an "Ask for help" button on the MFA dialogs, letting the end user send a help request by e-mail (or to e-mail-compatible tools such as Slack) and/or as a popup to the UserLock administrators responsible for MFA.
While it could seem like a small detail (any MFA is good MFA, right?), fine-tuning how you prompt for MFA can make a big impact on your end-users’ experience and, ultimately, security.
Frustrated users are more likely to approve a prompt they did not initiate, which is all an MFA fatigue attack needs. Apply MFA often enough to ensure secure connections, but not so often that your users view MFA as a nuisance to swat away at whatever cost. Hitting that balance can significantly reduce the risk of unauthorized access.
While MFA brings many benefits, there are also potential challenges.
Granular settings allow administrators to tailor user prompting to their organization, achieving the delicate balance of security versus efficiency. Before implementing an MFA solution, check that it offers the granular controls you need.
Some MFA solutions may be tricky to install or require the integration of multiple systems. Choose an MFA solution that integrates cleanly with your existing access management tools, such as UserLock's integration with on-premises or hybrid Active Directory environments.
Different applications have varying requirements for authentication protocols and data exchange formats. As a result, integrating MFA tools into existing systems may require compatibility testing and adjustments. Before deciding on an MFA solution, check that it is compatible with your existing environment.
MFA prompt frequency and type should avoid frustrating end-users. Cybercriminals know that repeated requests lead to mistakes — hence the growing occurrence of MFA fatigue social engineering tactics. To provide a frictionless MFA experience for your users, avoid repetitive prompting and tweak settings where necessary.
IT teams should customize MFA so that it doesn't interrupt workflows. If a user might be offline, choose an MFA solution that supports offline verification. Likewise, if employees work remotely, choose a platform that can verify users outside of the corporate network.
Implementing MFA can be a costly process. But, compared with the $4.45 million average cost of a data breach, the outlay usually justifies itself.
MFA depends on things outside your control: network connectivity, push notification services, the user's device, and the authentication software itself. Before deploying MFA in your organization, check that these dependencies will let your prompts work reliably, and that every piece of software and every connection involved in the MFA process is itself secured.
To reduce MFA request frequency further, single sign-on (SSO) lets users access multiple applications and services with a single set of login credentials. Once they have verified their identity once, users can access other services without repeated prompting. SSO therefore reduces how often users must verify, giving a more convenient experience while maintaining a high level of security. Bear in mind that the SSO session then becomes the thing an attacker wants to steal: keep its lifetime bounded and require a fresh MFA step for the most sensitive applications.
UserLock SSO combines MFA with SSO to streamline the login process while ensuring secure user identity verification.
MFA brings a crucial added layer of protection to the login process. On top of a password, MFA asks users for additional verification, helping to prevent bad actors from gaining unauthorized access using compromised credentials.
But balancing security and convenience is a constant challenge. Optimizing your MFA can be an ongoing process, configuring the system to balance security measures while ensuring a user-friendly experience.
Although MFA brings numerous benefits, there are potential implementation challenges, such as:
User frustration
Initial implementation costs
Interruptions to the user’s day-to-day activities
External factor reliability
By customizing MFA settings, it’s possible to protect system access without disruption.
With its granular controls, customizable prompts and range of authentication methods, UserLock gives you the flexibility to balance security and convenience and to implement MFA that meets your team's unique needs.