How do you implement multi-factor authentication without annoying your users?

由人工智能和领英社区提供技术支持

Multi-factor authentication (MFA) is a security practice that requires users to provide more than one piece of evidence to verify their identity when logging in to an online service. MFA can enhance the protection of sensitive data and accounts from unauthorized access, phishing, and hacking. However, MFA can also be a source of frustration and inconvenience for users, especially if it is poorly implemented or too intrusive. How can you implement MFA without annoying your users? Here are some tips to balance security and user experience.

此文章中的业界达人

由社区从 4 条内容中精选。了解更多

1 Choose the right factors

MFA typically involves two or more of the following factors: something you know (such as a password or a PIN), something you have (such as a smartphone or a token), and something you are (such as a fingerprint or a face scan). The choice of factors should depend on the level of risk and the context of the service. For example, a banking app may require a stronger combination of factors than a social media platform. You should also consider the availability and accessibility of the factors for your users. For example, if your users are in areas with poor network coverage, SMS or email verification may not be reliable.

添加您的观点

David Mahdi

CSO | CIO | CPO | Digital Identity | Cybersecurity | CISO Advisor | Category Creator | Author | Keynote Speaker | Board Member | M&A | Co-Creator of Machine Identity Management (NHI)
举报内容
In addition to previous… 1. List all systems/apps & use cases in the environment 2. Risk-based prioritization: Determine the risk and/or compliance/corporate drivers that align to #1. EX: a DB with sensitive data, must have strong authentication + other controls (I.e. behavioural biometrics, etc.) 3. List all possible authentication methods; determine alignment to 1, and 2 above (Use NIST 800-63). Note systems that may not support new methods (I.e. Passkeys); if risky systems, you will need to seek compensating controls. 4. Phased rollout, engage LOB leaders to understand requirements, tolerance, triangulate risk/UX to align a best fit approach. Engage LOB from 1-4 so you have all of their needs accounted for.

已翻译

赞
Randy Hall

??? CEO | Trusted Leader in Cybersecurity for SMBs | ?? 2024 Most Trusted MSP in North America (Soteria Award)
举报内容
Implementing multi-factor authentication (MFA) effectively starts with balancing security and user experience. Offer flexible options like biometrics, authenticator apps, or push notifications, which are more convenient than SMS codes. Allow users to set their preferred methods and enable "remember this device" features for trusted devices to reduce repetitive prompts. Incorporate adaptive authentication to assess risk levels, triggering MFA only for unusual activities like logins from new locations or devices.

已翻译

赞

加载更多内容

2 Make it easy and flexible

One of the main complaints about MFA is that it adds extra steps and time to the login process. To minimize the hassle and friction, you should make the MFA process as easy and flexible as possible. For example, you can use intuitive and user-friendly interfaces, such as buttons, QR codes, or biometrics, instead of complex codes or passwords. You can also offer multiple options for users to choose their preferred factor or method, such as SMS, email, phone call, or app. You can also allow users to remember trusted devices or locations, so they don't have to repeat the MFA process every time they log in.

添加您的观点

3 Educate and communicate

Another common issue with MFA is that users may not understand why it is necessary or how it works. This can lead to confusion, frustration, or resistance. To overcome this challenge, you should educate and communicate with your users about the benefits and importance of MFA, as well as the best practices and tips to use it effectively. For example, you can provide clear and concise instructions, FAQs, or tutorials on your website or app. You can also send notifications or reminders to your users when they need to update or verify their factors, or when there are any changes or issues with the MFA system.

添加您的观点

4 Monitor and improve

Finally, you should monitor and improve your MFA system regularly, based on user feedback and data. You should track and measure the performance and impact of your MFA system, such as the login success rate, the error rate, the user satisfaction, and the security incidents. You should also solicit and listen to user feedback, such as surveys, reviews, or comments, to identify any problems or areas for improvement. You should then implement and test any changes or enhancements to your MFA system, and inform your users about them.

添加您的观点

5 Here’s what else to consider

This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?

添加您的观点

Mai Aba Limane

Service Delivery Specialist at OISE
举报内容
In case an MFA user is traveling should be able to add an email instead of a phone number to receive the token and being authenticated. Having MFA for authentication with local phone number is very costly for travellers and forcing to enable roaming data which is very expensive.

已翻译

赞

Authentication

+ 关注

给文章评分

我们借助人工智能创建了此文章。您认为这篇文章怎么样？

很棒不太好

举报此文章

查看全部

How do you implement multi-factor authentication without annoying your users?

1

2

3

4

5

1 Choose the right factors

2 Make it easy and flexible

3 Educate and communicate

4 Monitor and improve

5 Here’s what else to consider

Authentication

给文章评分

感谢您的反馈

更多Authentication相关文章

更多相关阅读内容