5 Things to Consider with Multi-Factor Authentication

Chris Fields, VP of Security Strategy


Multi-factor authentication (MFA) is becoming a mandatory component of a secure identity and access management landscape.  You know you need to implement MFA and are contemplating where to start and what other considerations need to be evaluated.  Below are 5 things to consider on your MFA journey that will 1) save you time, 2) prevent rework and 3) avoid frustrating end users:

1. MFA Server

The MFA server is the “brain” that drives all policy decisions and functionality.  Think of it as the horse you choose to ride on your journey to the MFA finish line.  Flexibility to provide multi-factor (something you know, have or are), risk-based, step-up or other advanced access capabilities are key.  This “brain” should have broad out of the box integrations to various endpoints to maximize use of its capabilities in all facets of your identity and access management landscape. The MFA Server should be accessible to your on-premise and cloud applications, services and servers. The placement and mix of those endpoints may even determine whether you select an on-premise or cloud MFA server.

2. MFA Clients

The MFA clients are the various devices that end users use to interact with the MFA server for proper authentication vetting.  A capable MFA server will support myriad MFA client devices and identification techniques including desktops, laptops, tablets, mobile phones, grid cards, smart cards, RFID cards, key fobs (OTP), hard tokens (OTP), soft tokens (OTP) and biometric readers (to name a few). Mobile phones are becoming a very popular option because they not only are ubiquitous but also support many of the identification techniques that normally require deployment of additional hardware, especially one-time password (OTP) & biometric options.   Be sure to confirm support for all the client devices that are most common in your organization to minimize challenges with leveraging your MFA server before you make your selection.  Also, make sure you select the right identification techniques based on your user populations and factor in the deployment time and complexity.

3. VPN Integration

Remote access is typically the first use case out of the gate for MFA integration.  Most companies already have a VPN gateway in place so it becomes the first “stake in the ground” for making your MFA server decision.  Ideally you would pick your MFA server first, to maximize the capabilities I described in the MFA Server and MFA Client considerations, but reality isn’t always so neat and clean.  You may be lucky to have had your VPN software long enough to be at an inflection point, where the current technology is due for an upgrade or replacement and it makes sense to re-prioritize your VPN selection based on your MFA selection.  This is where going with a capable MFA Server yields the benefit of a wide range of out of the box integrations with popular VPN platforms.

4. PIM Integration

Privileged Identity Management (PIM) integration is typically the next integration point for MFA.  VPN integration ensures that the user and device are vetted properly to connect to the network remotely, but once on the network, both internal users and external users need to strengthen their authentication to servers for privileged access.   Instead of integrating each server individually with your MFA solution, integrating through a Privileged Identity Management gateway is becoming a more popular alternative.  Similar to the VPN integration scenario, ideally you would select your MFA solution first and maximize integration options with popular PIM solutions.

5. Access Management Integration

Application Access Management integration is usually the next integration point for MFA.  Having an access management solution in place is a best practice for managing access to applications, especially web applications.  Integrating your MFA solution with an access management solution provides an efficient mechanism for providing MFA capabilities at the individual application level. Since access management solutions form the authentication and authorization backbone for internal and external applications, this essentially extends your MFA capability to internal and external users in a very efficient manner.


Taking these 5 considerations into account when you are looking at your MFA solution will lead to a much less bumpy road for your administrators and end users.  The end result will be a consistent MFA end user experience for your users across the enterprise and a sound technical approach to solving the most common MFA use cases.

Request additional information here. 

Five Ways To Spot a Phishing Email

Think you’re clever enough to recognize a phishing attempt? Think again. Cybercriminals are getting smarter and their phishing skills are getting better, but we’ve put together this list of clues to help you avoid a costly error.

By Sharon Florentine (This story originally published in CIO) 

No one wants to believe they’d fall for a phishing scam. Yet, according to Verizon’s 2016 Data Breach Investigations Report, 30 percent of phishing emails get opened. Yes, that’s right — 30 percent. That incredible click-through rate explains why these attacks remain so popular: it just works.

Phishing works because cybercriminals take great pains to camouflage their “bait” as legitimate email communication, hoping to convince targets to reveal login and password information and/or download malware, but there are still a number of ways to identify phishing emails. Here are five of the most common elements to look for.

1. Expect the unexpected

In a 2016 report from Wombat Security, organizations reported that the most successful phishing attacks were disguised as something an employee was expecting, like an HR document, a shipping confirmation or a request to change a password that looked like it came from the IT department.

Make sure to scrutinize any such emails before you download attachments or click on any included links, and use common sense. Did you actually order anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from? If so, it’s probably a phishing attempt.

Don’t hesitate to call a company’s customer service line, your HR department or IT department to confirm that any such emails are legitimate – it’s better to be safe than sorry.

2. Name check

If you receive an email or even an instant message from someone you don’t know directing you to sign in to a website, be wary, especially if that person is urging you to give up your password or social security number. Legitimate companies never ask for this information via instant message or email, so this is a huge red flag. Your bank doesn’t need you to send your account number — they already have that information. Ditto with sending a credit card number or the answer to a security question.

You also should double-check the “From” address of any suspicious email; some phishing attempts use a sender’s email address that is similar to, but not the same as, a company’s official email address.

3. Don’t click on unrecognized links

Typically, phishing scams try to convince you to provide your username and password, so they can gain access to your online accounts. From there, they can empty your bank accounts, make unauthorized charges on your credit cards, steal data, read your email and lock you out of your accounts.

Often, they’ll include embedded URLs that take you to a different site. At first glance, these URLs can look perfectly valid, but if you hover your cursor over the URL, you can usually see the actual hyperlink. If the hyperlinked address is different than what’s displayed, it’s probably a phishing attempt and you should not click through.

Another trick phishing scams use is misleading domain names. Most users aren’t familiar with the DNS naming structure, and therefore are fooled when they see what looks like a legitimate company name within a URL. Standard DNS naming convention is Child Domain dot Full Domain dot com; for example, info.LegitExampleCorp.com. A link to that site would go to the “Information” page of the Legitimate Example Corporation’s web site.

A phishing scam’s misleading domain name, however, would be structured differently; it would incorporate the legitimate business name, but it would be placed before the actual, malicious domain to which a target would be directed. For instance, Name of Legit Domain dot Actual Dangerous Domain dot com: LegitExampleCorp.com.MaliciousDomain.com.

To an average user, simply seeing the legitimate business name anywhere in the URL would reassure them that it was safe to click through. Spoiler alert: it’s not.

4. Poor spelling and/or grammar

It’s highly unlikely that a corporate communications department would send messages to its customer base without going through at least a few rounds of spelling and grammar checks, editing and proofreading. If the email you receive is riddled with these errors, it’s a scam.

You should also be skeptical of generic greetings like, “Dear Customer” or “Dear Member.” These should both raise a red flag because most companies would use your name in their email greetings.

5. Are you threatening me?

“Urgent action required!” “Your account will be closed!” “Your account has been compromised!” These intimidation tactics are becoming more common than the promise of “instant riches”; taking advantage of your anxiety and concern to get you to provide your personal information. Don’t hesitate to call your bank or financial institution to confirm if something just doesn’t seem right.

And scammers aren’t just using banks, credit cards and email providers as cover for their scams, many are using the threat of action from government agencies like the IRS and the FBI to scare unwitting targets into giving up the goods. Here’s the thing: government agencies, especially, do not use email as their initial means of communication.

This is by no means a comprehensive list. Phishing scammers are constantly evolving, and their methods are becoming more cunning and difficult to trace. New tactics include end of the year healthcare open enrollment scams, low priced Amazon bargains, and tax season attempts. 

So, trust your gut. If an offer seems too good to be true, it probably is. If something seems even the slightest bit “off”, don’t open the email or click on links.

Learn about PathMaker Group identity management solutions here.

Identity Access Management Guidance.