I honestly don’t understand why so many organizations are dragging their feet and failing to enable MFA. It is a relatively small operation that costs nothing but some extra support, but it prevents that kind of misery.
It is definitely visible to end users who have to log into an app. But for organizations, it’s usually a little more work. I can mention a few points, but this overview is not complete:
– It begins with the simple question of where the MFA should operate. Ideally, of course, you want to use it “everywhere” and manage it centrally, rather than arranging something new for each application separately. So you will first have to set up some form of single sign-on if you don’t already have one.
– Then comes the question of how the MFA works. Nowadays, your own phone is usually used for this. But not everyone has a phone or wants to use it for work. And what can you expect from your employees if their phone breaks? Do they have to buy a new one right away, or else they can’t work? Who pays for that? Can an employer lock or even wipe a private phone if something happens?
– More and more is outsourced, and often you are tied to a specific configuration for the duration of the contract. If you want something different, you have to indicate this in advance. But most people don’t care about these kinds of “details” and assume the supplier will make sure everything is secure. Then you just have to hope that in four years you will remember to ask for it.
– And what do you do with applications that have to log in somewhere themselves? They don’t have a phone or anything. There are other solutions, such as simply making an exception, but someone will have to figure this out and implement it. And if it is all managed by outside parties, nobody wants to make an exception.
– Some ‘extra support’ can be very costly, especially if you include the hours that people cannot work because they are waiting for support. Of course you also have this problem without MFA, but it gets bigger.
Not to mention that most people don’t really understand what MFA is and why you want it. Security is often experienced as a series of hassles and flaming hoops that these poor users have to jump through. Rational people know better, of course, but most have no intrinsic motivation to demand more security. They do what the supplier asks and nothing more. And if the supplier’s attitude is “you ask, we deliver”, then it doesn’t happen.
[Comment edited by CAPSLOCK2000 on 19 November 2021 15:42]