IAM Pulse Ep1

IAM Pulse Episode 1: Deploying MFA: How can I make this go smoothly

While multi-factor authentication has become one of the best defenses for organizations to protect against cyberattacks, if it's not properly implemented & configured it can create frustration for your users. In this episode of IAM Pulse, we discuss strategy and how to deploy the MFA method and increase user adoption in a smooth way, making it easier for your users to adopt new security measures without causing frustration or security workarounds.


Listen to the podcast:

Spotify | Anchor.FM | Apple Podcasts

Transcript:

Hello everyone, welcome to the first episode of IAM Pulse, a podcast dedicated to discussing IAM topics brought to you by BIO-key International. Today, we’re talking about deploying Multi-Factor Authentication or MFA, into your organization and how make it go smoothly.  

On the panel today we have three members of the BIO-key team, Kim Johnson, VP of Product Marketing, Christopher Perry, Sr. Technical Support Engineer, and Kevin Wiser, our Solutions Architect.  

Let’s switch over to our panel and see what they’re talking about.  


Kimberly Johnson 

But we are going to get kicked off with a couple of the questions that when I met with Christopher and Kevin and said, okay, what do customers mainly want to know or ask about, especially when it goes to deploying MFA. And even in that question, right? How can I make this go smoothly would probably imply it doesn't always go that smoothly. Right. and so, Christopher, I'm going to start with you. we've talked about kind of, the first question quite a bit, but what are those common mistakes, right? Those gotchas, that seen organizations, hit when they're trying to implement MFA, either for a portion of their users or maybe its customers as well. 

Christopher Perry 

I don't think so. Honestly, the biggest thing to keep in mind is these things tend to be semi unique for everybody. But if you had to boil it right down to things that happen more often than they should pretty much the biggest gotcha. I ever come across is a lot of customers of ours. They try to do too much too fast. And I know it's a little vague, so boil it down a little bit further, but it basically comes down to the idea is, Hey, we need multi-factor. And then too often people say, okay, let's just turn it on. And when you do that, you skip a whole lot of steps that make things run a little bit fluidly, and you have to start stumbling over things as you discover them, which in the best of scenarios is never fun. But especially with multifactor, when you've got a whole user base, that's actually reacting to this new system that can be kind of a technical nightmare. So that's really the biggest gotcha. That I'm always handling is trying to walk people through. Okay. Before we make any changes, let's take a step back, look at the big picture and see exactly what needs to be done and then when we need to do it. So that's kind of my introduction. I'll leave it there for anybody who wants to kick in before I dive into some more gotchas. 

Kimberly Johnson 

Go ahead, Kevin. I was just about to field it over to you to see kind of your high level gotchas you got out there. 

Kevin Wiser 

I would, I would totally echo, Chris’s first statement there and I would maybe even expand upon it a little bit, but, I think a mistake, a lot of prospective customers make is, is that they rush this and they decide to do it, after a breach in the right time to have multifactor authentication and security in place is before you have a breach, not after the fact. that probably seems obvious, but we wouldn't have so many of these problems if, if it wasn't, you know, a common COVID thread. Right. so, you know, where did that go slow is, is a lot of times, customers make a decision in a rush. They don't really look at all the options available to them. They don't lay out a firm plan, for what types of users they're going to want to, you know, implement this to. 

Christopher Perry 

I mean, I would recommend everybody, every user is a critical user potentially, right? Not just your VIP using your, in your execs, every user is critical because every user has some type of data that you probably want to protect, whether that's IP or that's PII. you know, I give almost guarantee that almost every single user in your environment has access to something that you probably would prefer a hacker not have access to. but you know, as part of that, you, you, you want to lay out a good plan. You want to look at all the options available to you. What types of different methods work, look at all your kind of like your weird users, you know, and, and make a plan based off of that, because, you know, everybody's got that weird user, the, that works out in the field, you know, they're, they're the, the engineer who works on a pumping, you know, rig or something like that. And, you know, maybe, maybe you figure freight biometrics. Is it really awesome for them? Or maybe they're out on an oil rig somewhere in the middle of the Gulf and cell phone service is a great, so maybe SMS is not a good choice for them. so you really got to look at this from all angles and not rush into it. 

Kimberly Johnson  

Excellent. Yeah. And I I've seen that where they blanket. Right. And sometimes it's picking one method and then applying that across every single user. 

Christopher Perry 

That's a great choice. I mean, he can be for the right organization, but it doesn't necessarily have to be 

Kimberly Johnson 

Right. and Christopher, you hit on a really good, you hit a kinda two mistakes, right. So one is the technical implementation. and then one is more of like the user adoption. It seems like right. Or the education. So what kind of like the technical or maybe policy type. Gotcha. have both of you seen, Christopher, we can start with you on that one. 

Christopher Perry 

Sure. I think this does tie nicely into what both Kevin and I were saying, but it really kind of comes down to knowing the scope.  so the first stage is always knowing, okay, who shouldn't be doing, what, like Kevin said, sometimes that's as easy as saying, Hey, everybody's going to be using biometrics because everybody can, and that's the easy way to do it.  but from a user perspective, a lot of the gotchas are really just not having other options. So sometimes having biometrics is great, but just like Kevin said, I might not be able to use it. And is that really the only way I can get in from an end-user and does it have to be, so a lot of those gaps is really understanding not only who is doing multi-factor, but their specific use cases because not planning around the user really ends up in the long run of just causing way more calls to the help desk saying, Hey, I know I have to use this thing, but I don't have it. 

Christopher Perry 

So what do I have to drive all the way home to get my reader? it kind of puts them in that position where they're going to end up calling you and taking up your helped us time because, you know, nobody really thought to say, Hey, what if they don't have their reader? Is there another way we can still access this resource securely and give them an option to get in? So that's really kind of a low level one, but one that's often overlooked is just addressing the how of it and looking at it from a person perspective, not just a technical perspective. 

Kimberly Johnson 

Right. And I would add in there too. I think, you know, I'm always looking at market trends, what people are, you know, best practices, compliance standards. and it's been phenomenal to watch where the message out there is phone-based, phone-based, phone-based phone-based right. Like if you go out a lot of the conversations and everything else are around these phone-based methods and so well, that's, you know, somewhat convenient, right. We all carrying around these smart phones with us, and everything else, recent stats show, 15% of your employees and 50% of customers are not able to use it, whether it's cell phone service, whether it's, accessibility. And now there's actually been requirements that you have to pay for employee SMS plans. Right. So if you're doing text-based one-time passwords, that's something that you're now going to have to pay for. so sounds like, you know, without looking at not only where the users are, the requirements of the users, and having a good plan for that, you also have to be careful of what costs and, and kind of those limitations are, right? 

Kevin Wiser 

Yeah. No, I think that's, that's really, really accurate Kim. those are all important things to look at. I, it's a real common thing that we run across when we talk to, sled customers. So, state local education, customers, just in case anybody's familiar with sled, you know, it's real common that, that, you know, you talk to, a government agency and they say, yeah, we've got these employees, we're going to roll out.  we're going to tell them, we're going to use Google authenticator as an example, or offi or some other, Photoshop service, not just the SMS. Right. And, you know, somebody puts you back and says, well, wait a minute. Now you, you want me to use my private phone for, you know, work purposes you should pay for my cell phone plan and all of a sudden, you know, the costs that they were thinking to themselves, well, this is free less, you know, the licensing that I'm purchasing from bio key or, or whomever, you know, in mind from, well, all of a sudden now I'm paying for, you know, 50 users phone plans at $50 a month, and this is a lot more per user than I thought it was going to be. 

Kevin Wiser 

Right. you know, and usually they don't do that. Obviously what they do is they back off and they pick another method at that point because, you know, but that really does go back to that kind of planning thing. you know, have you talked to any of your user base, have you, have you planned for what this is going to look like? I can give a really, really good example about, you know, of MFA being deployed in a, in a, in an environment. and, and the admins just really didn't think this through. So we did a deployment a few years ago, with a police department in Ohio, the big city police department. and they really liked biometrics, which I'm a big fan of. I'm a big fan of the fingerprint biometrics, as a methodology. but they wanted to implement this in SWAT cars, right? 

Kevin Wiser 

So the problem that they ran into, as I got everything deployed, they put all these readers in the squad cars everything's going groovy and then winter hits. And what happened is all the officers in the cars don't like taking their gloves off. So if you're going to do fingerprint biometrics, you know, wearing a heavy duty winter glove doesn't really work with that. Right. And so where we had, you know, where they were tracking approval and usage and, and, and, you know, amongst the user base, cause they had a, a portal where, you know, they were kind of like keeping track of this early, you know, early stages of deployment. If you looked at the summer months, everybody was really happy with the system. They really liked it. And then they got into late fall and into winter and in the early spring where it was really cold out and all of a sudden that uptake and that usage and that approval rating, you know, internally tanked and it's like, okay, well we need a different option here. 

Kevin Wiser  

So in that scenario, we, we implemented a different MFA option. We actually implemented, key cards, with that, which we can do with web keys as one of the things we can do, we can do card access badges, as a, as an MFA method. but you know, we, we issued those to the squad cars instead that were out on a patrol, that kind of thing. And so those users, you know, that's relatively easy to do with a pair of gloves, whereas actually removing them to do a fingerprint swipe wasn't. So, you know, again, that's that kind of thing about thinking about my weird users, my, my kind of all OD you know, scenarios and, and thinking, I don't want to use that cliche outside the box, but just looking at the box from a very, very distant view and then looking very, very closely at the box, you know, as in a second review, where are my outliers? What are, what are, who are my weirdos for lack of better words. 

Kimberly Johnson 

Right, right. And I think that's, and I, you know, I've have a lot of healthcare background. and I think that's just so important, you know, back office staff, people that are necessarily maybe at a machine all the time, or they have that type of access, or I don't know, not wearing gloves, you know, is, is definitely, good to maybe use a biometric solution for them. And then you have doctors that are going around rounding around the hospital. And a lot of them, if they're surgeons don't even have necessarily a fingerprint left, so it's really important that you give them another option or something, they don't have to touch any device. So like a foot push token for somebody like that is an excellent way to provide them with a more secure method, but that doesn't impede what they're trying to do, because you also have to take into consideration what's that user trying to accomplish. If they're trying to save a life, or if they're trying to, you know, process maybe medical records in an office, those are very, very different situations. so we do have a question that came in.  thank you, Craig. So, do you have an us, do we have a popular non phone option that is used well with portal guard? Preferably low cost Kevin. 

Kevin Wiser 

Oh, okay. I'll take the first crack at it. I mean, I would actually, you know, if you're going to say, well, I want a $20, per item. Okay. Are we talking about per user or are we talking, you know, like per device, because if I have users that utilize a shared computer environment, you know, if I've got two or three users on a computer potentially, then I only really need to buy one biometric device for that computer and all three users can use it. So if I wanted to do fingerprints there, I mean that, you know, would lower that cost per user for the hardware below that $20 threshold right now, if I need to buy one for every single user at every single desk that's different. in those scenarios, we have a couple of different, MFA, options, you know, there's of course the, SMS, which is kind of quickly becoming my least favorite and is, you know, because of the security reasons of it. there's email, which we do.  we also do printed OTP codes, which is kind of interesting. and you know, you, 

Christopher Perry 

You basically run a report off of a portal guard and it gives you 10, nine digit OTP codes and you can use those in sequence they're event-based instead of time-based. and so a user can keep that little piece of paper or their wallet or whatever, and dig it out and do that. you know, that's a real common scenario where, if I have a group of users who are, let's use a casino as an example, they're on the floor. And a lot of times they're not allowed to have a phone device, even, you know, much less, you know, anything else that can take pictures or that kind of thing. you know, printed OTP may not be a bad scenario they're right. For, for people in the pit, you know, in the casino pit. so yeah, there's a couple of different ways to do that. 

Christopher Perry 

I mean, I'll turn it over to Christopher and see if, I’ve overlooked one. I'm sure I have, I overlook. It's a hard, hard thing, but, with so many options, you definitely have some choice, especially in vendors.  one of the things, just because the question mentioned your kind of non-phone options, I do want to kind of bridge that by saying the authenticator is probably one of the more popular options and it's technically not phone specific. You could put an authenticator on your browser, refusing Chrome, you can put one on your tablet and those are free apps that you can utilize. But as far as actual, you know, out of band, not on a phone method, you're really limited to, like you said, Kevin, the printed options, letting the user call the help desk to get a code that's generated in PG something. 

Christopher Perry 

Again, that's really out of band would be the token approach. And we support a bunch of different types. Everybody knows YubiKey. And if you go to YubiKeys website, they have, you know, five, 10 different types, all priced very differently, depending on how many you buy. If you're in education, you get certain discounts. And some of them are around $20. there's other YouTube options too, that are just, you know, like 15 to $20 a piece. And as long as it's a U2 F or a Fido, two token portal guard will support that as well. And we have seen a little bit more of an increase in those methods, just because some brands do offer a lot of discounts for organizations, but I think the cheapest in the token sphere, assuming you have everything else set up is the lower tier of the RSA tokens. I think they usually run for like 15 a token for the older series. granted you have to set up the server and everything for the actual security approach to validate the tokens because it is out of band.  but those also work with portal guard and are a little bit more on the affordable side. 

Kimberly Johnson 

Yeah. And I was going to say too, the, the, em, and I guess that you did another question, so we'll answer that as well. But the other thing is if you have a little more budget for reader, fingerprint, scanner, you're going to remember what the hardware tokens, there's an overhead. So you'll hear, like if you go to, a YubiKey or RSA, they're going to recommend that you issue possibly one and then a backup. so your, your cost is already incrementally increased. and that's the nice thing where the, even though you have, let's say a fingerprint reader, a scanner, we have low-profile ones other than the USB port, for example, we have a USBC one that's going to be coming soon. and so those type you're only going to issue it right to, let's say me Kim Johnson, and it's not necessarily my identifier again, you're actually physically, you know, identifying me the individual using that reader, but that reader really, isn't the thing that you're going to have to give me two of or backup stuff, whereas a YubiKey or say, you're going to tell you, Hey, not only do you need that you need like a golden YubiKey. 

Kimberly Johnson 

Is anybody seen like the fancy, shiny gold one, which is the admin one. So hardware tokens will be cheaper. I think, you know, we could, we could probably talk cost versus convenience and, and, you know, total cost of ownership, I would say, scanner, you know, fingerprint reader, scanner to hardware tokens, potentially for user, they might actually be more so because you'll have to buy two, and ship it to them now that most people are remote. 

Kevin Wiser 

Yeah. I was going to say, smart cards are another relatively cheap. The, the, the getting up and running costs can be high, from a perspective of, if you don't have familiarity building out a PKI infrastructure, if that's redundant PKI, the, I stands for infrastructure, but building, building out that kind of, deployment, you know, like if you don't have any experience with it, it's not easy to do. It's very complex. you know, so you may be paying for consulting costs, that kind of thing, to get it up and running, but the cards themselves can run, you know, like, like couple of they're a buck or two, a card for user, the readers can be attained for as little as a, in bulk. I think I've seen some for like $5 before. It kind of depends on what you're looking for. So a smart card can, can be a good option for those, but the, the usability's a little more complex, or it can be for some users, you know, there's some, there's some gotchas there, so to speak, but I mean, if you're really looking to do this as cheap as possible, you know, at least per user, you know, that's not a bad way to go, but again, it has its caveats kind of like every single one does. 

Kimberly Johnson 

Yeah. I say every single one, and I think it also comes with a caveat of what works for the user, right. So, or also what I like the NHS to access their spine network. They're required to use smart card. I won't tell you how they cut out the doctors cut off the cards and hot glue them into the readers. So that was a whole problem, but there was a lot of you have for compliance purposes, that was needed. so Craig, you had another up follow up question, which actually, I think it would be beneficial, for everybody on the call, but, using that shared device. Right. So that's a scenario where, some people aren't thinking of, right now, or maybe there's just a subset of your users in there. but a shared device with the fingerprint reader on it. Kevin is actually probably for you because I think this is kind of what you've been working on with customers, but, what do you see customers doing and maybe an example or two of that shared kind of workstation and using fingerprint to identify people. 

Kevin Wiser 

Yeah, sure. so, you know, we, we sell our own branded fingerprint readers, and we have a range of different costs, different form factors. and we can always get you some information on those specifics, but, you know, we, we typically see a lot of our, I’m just going to use our example because we, we make them and brand them. but we see a lot of our eco IDs be deployed and those are about $40 a unit. now they are a very particular type of,  scanner. they're, they're a, capacitive based scanner as opposed to an optical based scanner. So the capacity of your reading capacitance of the fingerprints themselves, I can get into the technicals of that. I don't want to bore people, but the opticals are literally probably what you were imagining where, Oh, it's taking a look at optically at my fingerprint. 

Kevin Wiser  

Right. and now we're very good at that. taking those fingerprints in, so we see a lot of deployments, with those healthcare being a good example, as Kevin said earlier, you know, that's real common. We, we do a lot of deployments with fingerprint there. we actually have built into, my, I won't, I won't name names cause NDAs and stuff, but, but we have built into, certain like medicine cabinets at hospitals, our own readers and our software backing them. And so in order for a pharmacist to take out a protected or, you know, a schedule, to as an example, a substance out of those cabinets, they actually have to fingerprint into approve and verify who is taking that, that stuff out. And then, the software unlocks the cabinet and they can remove what they need to remove and they log it and close it up again. 

Kevin Wiser 

so you see a lot of deployments like that. you know, and, and, but yeah, you can totally take one fingerprint reader and install it to a computer and have five, 10 20 users utilize it. Now your one big hiccup here is, if you try to do this with windows, hello, the problem you're going to run into when does free, it's built into windows 10. That's really nice. The problem you're going to run into is, every user has to register to every device. So registration's only work on the device that I registered on. I have to, if I have to use three other computers throughout the day or throughout the work week or throughout the year, I have to go and register on each and every one of those. So that's a pain or pain point. that's one of the things we're really good at. 

Kevin Wiser 

And we actually have a shared data is not shared, but we have a centralized database that we store the users biometric data in, and you can house that on prem. So you own all of it. You own all the data. None of it has to come home to bio key or anything like that. We don't, we don't even need to have access to it if you don't want us to, you can keep that in your own lock box. but you know, we can actually centralize that. So one registration on one computer works on any other computer with the fingerprints, reader installed, to it. So that's a really kind of pain, 

Christopher Perry  

You know, an easer, where it eases that pain point. and that's one of the things we're very, very good at. We can do that, type of matching in milliseconds, in real time, or near real-time rather, on the fly. I mean, it's, it's simple. You can do things like you can touch the fingerprint reader and have it unlocked with a simple touch. You can have touch the fingerprint reader and have it require a finger or a, a pin or a password. there's all sorts of different ways to go about that. So if you want to have something physical and something knowledge-based to really truly get that two factor or multifactor approach, we support all that stuff. so I mean, obviously I'm a big proponent of it. I mean, you can probably tell by the way I talk about it, but, but yeah, I, I, I, we can totally do those kinds of deployments. 

Kimberly Johnson 

Excellent. Yeah. And I think, one of the things I found fascinating, when I rejoined portal guard came to buy Oki, is, really the, the positive identification in manufacturing. Right? So if you're getting some, if somebody is manufacturing something and you want to know for sure that Kevin is the one that made this part and signs off on this part, the real only way to know for sure that that person did that action and, and to verify and authenticate that person, is essentially using the biometric authentication type to say, okay, you know, Kevin was truly the individual, that did that. So that's really the power of biometrics. And, and as you're hearing, I think, and we can go to that next question. I don't think there's any one method. you know, I think it's, it's really based on, what each user needs. in the second question, one thing we haven't talked too much about, but I know it's a hot topic is customer I am or customer, you know, multi-factor authentication, for a lot of our, our customers out there, it could be student right. Multifactor authentication. so, what have, you know, Christopher, maybe I'll point this to you first, but what have you seen for more of the customer facing methods and how do people kind of approach that, that implementation deployment? 

Christopher Perry 

I'm trying to think how best to you're talking just like on a level of popularity kind of thing, 

Kimberly Johnson 

Kind of a popularity, right. But like the same method that's going to work for your employees, because you can necessarily like distribute hardware, tokens and things like that. do you see a method? Yeah. Maybe it is popularity. That's more popular for the customer facing. Right. based on just usability and convenience for the customer. 

Christopher Perry 

I see what you're saying. I apologize. I kind of misinterpreted the format of what you're looking at. honestly, it's kinda funny because the, when you've got kind of customers that have yes they're employees, but then they're also got another subset of their own customers utilizing the product. It does put a little bit of a shift on, okay, what can we do? Because like I said, I can't provide YubiKeys to 500 customers using my site. So I have to be a little flexible, the different options. You might be able to get out a handful of them. And that's where the kind of popularity of these other, maybe the mobile methods, or even email tend to come in because they don't really require much else. But I will say the most popular option that I've seen at least the past couple of years is still the mobile authenticator in those scenarios because it checks off two really big boxes. 

Christopher Perry  

One, it doesn't cost really anybody, anything except for using a device that they already have. and that has its own caveats admittedly. But the second option is it is still considered a, an out of band method. So just sending a text message or even a voice call, which is kind of a legacy method is great for some users, but it's not really true MFA. So if you're looking, I mean, it is, but it's not the best MFA is a better way to phrase that. if you're looking to meet, you know, the NIST recommendations, for example, the big bold letters in one of their sub categories, SMS is not considered out of band. So a lot of people are trying to use that if it's necessary, but look for other, you know, equally easy options. And that's where the authenticators come in, especially when they can't necessarily pass along these tokens to these customers that are using on their site. 

Kimberly Johnson 

Right. Right. Kevin, anything to add on that for customer MFA or pretty much in line with what you've seen as well? 

Christopher Perry  

Yeah. I'd say that's probably pretty accurate what Christopher described. you see a lot of, SMS and email, voice call, you know, and, and I think truly the, the authenticator apps are probably the best way to go in general for that kind of scenario. you know, if you have a user base that also your customer base, it also doesn't have smart devices. I mean, you know, you, you, your hands are pretty tied there because so many of these rely on something, right? I mean, part of it, part of a two factor authentication or, and, or a multifactor, which two factor was just a subset of is something I have and something I know, so I have to have something, whether that's my fingerprint or whether that's, you know, but, but I need an associated reader with it, right. Or whether that's, a cell phone or, or a token or something, I have to have something. And so if your users, don't, your customer base, doesn't even have a cell phone, so that doesn't work for them again, it really ties your hands into, into what you're capable of providing at this point. So, 

Kimberly Johnson  

Yep. And I think that's, so first there is a webinar out there if anyone's interested, it's recorded, from our, our very valued customer. And I'm not sure if anybody's on from that, that organization, but, NASSCO, and they do a great story of how they tackle that customer identity, access management challenge and what they used, for their portal and their, their login for their plan members as they call them our plan, administrators, they use the email, methodology, the nice thing I would say about the 15 plus methods, at least from our perspective in portal guard IDASS and the platform that we provide, you can provide multiple options for users, so they can go into the user fee, Oh my gosh, the inner interface, and select, right, all this method isn't available to me. Can I try a different one right. 

Kimberly Johnson  

Based on what the admin has allowed. so that's really the flexibility there, where if you go, let's say pick a, an MFA provider that only provides the hardware tokens or only provides push, they're going to give you those options, but there's no dialogue or user experience that's going to say, okay, would you like to use a or B to, to essentially authenticate and use that MFA? so that flexibility and options is really the key there. So having all the methods to choose from, but allowing the user to choose on their own behalf also wants to do, set the policy for it. 

Kimberly Johnson 

Alright. And then, so I will, turn to the last question. I will remind everybody, please post any questions that you may have, into the dialog box. keep them coming. You know, this is, I would say the three of us could probably talk for hours. We will not, but a great subject, to go into. but I will turn it to, Kevin, so best practices.  let's pick one of your favorite best practices you would say, for someone that is sitting there, right. We had a good percentage of people on the call today, not using MFA. they're looking at a deployment plan or maybe expanding, what would you say your top best practice would be if you had to seminar? 

Kevin Wiser 

Oh, let's hop one. 

Kevin Wiser 

I'm looking at my list out to see if I could pick two favorites, like too, like who's your favorite child? let's see.  or who's your favorite dog in my case would probably be more, let's see.  I would say number one is, you know, I've already, well, actually I've already talked about this a lot, so I'm not going to use this as my, as funny as like, what am I too, but, but like, make sure that you're really looking at your user base, make sure that you understand all the different modalities, so your users might, might run into, you know, you need to be cognizant of different needs for different types of users. and, and that will put you in a good position to get that project off the ground. And my second one, would really be probably to, you know, I would say find an MFA provider, even if it isn't bio key, even if you know, or a portal guard or, you know, even, even if it is an us, find a provider who offers you a lot of flexibility, in terms of what you can and can't do and what your users can opt in and opt out of, what, what you find somebody who can give you a lot of options. 

Kevin Wiser 

I promise we'll give you as many options as anybody on the market, but if you don't want to go with us, that's okay. Make sure you do your due diligence, make sure you've looked all the offerings 

Christopher Perry 

And make sure you ask a lot of questions about, well, what if I can't do this? Or what about this? Or what about that? Or what about these to make sure that you've got the right solution for your organization? Cause there's, there's nothing like, I mean, it could even be the right solution, but the wrong organization, right? Like, I mean, you know, this could be really great for this, you know, this group of customers, but not for my organization, make sure you've got the right fit for your organization and the right flexibility to do what you need to accomplish. 

Kimberly Johnson 

Great. Great. And, so I limited you to, I tried to limit you to one limited you to two, because I'm worried you might steal some at Christopher's. Christopher, how about you?  either your top one or two, if you can't limit yourself. 

Christopher Perry 

yeah, I mean, honestly, I think Kevin, you did touch on what would have been my biggest one, which is know your scope, so I will leave it at that. But, it comes down to two things that I think are really overlooked and ended up being very important is one deploy. Only what you need because a lot of people say, Hey, there's 15 methods. I'm just going to deploy nine of them. But then you also have to maintain nine different methods that are available for everybody. And six of them might never be used, but one person will find it, play around with it and then something will break, but it was never really necessarily an option. And that's just the kind of stress during an MFA deployment that you and your users don't really need. So it's really a matter of what you find out what you need and deploy just that, but also just say all the methods that you pick, you have to support. 

Christopher Perry  

So that's, I mean, I was just going to echo that that's you have to be your help desk cast to be ready to support all the methodologies that you choose. That could be a big deal. Go ahead, Chris. I'm sorry. I was just, that was great point. No worries.  and then last but not least another one that tends to be overlooked, but have detailed. And I'm underscoring that in the air here and user documentation, because we're, for the most part, we're all technical folks. When I say mobile authenticator, we all know what that means. You can name four off the top of your head probably, but you know, Joe Smoe over to there and you know, HR not to pick on anybody, my not really know how I'm supposed to do that. And what does it mean to add this to my phone? 

Christopher Perry 

Where do I do this? And that kind of end user frustration can really just derail an MFA deployment that could otherwise have been going smoothly. But now I've got a whole block of users that just don't know what I'm trying to tell them to do. So really it's worth taking the time and the extra effort to go through and say, okay, we know what we need for deploying these four methods. Here's how you use these methods. Here's how you set it up and be as clear as you can be because that's only going to make things go smoother. And then the questions you have will necessarily be like, why doesn't this work? And now a whole department can't get into their resources, call it geek, speak, 

Kimberly Johnson 

Right? You got to translate that geek, speak into something that everybody can understand.  

 

 

Conclusion to the Episode 

Thanks Kim, Kevin, & Christopher for the great overview of the best practices for a successful MFA deployment. It’s not something that is straightforward but has the best practices possible for all organizations. Speaking of which I want to highlight three key ones that you mentioned:  

  1. Know your scope and look at your user base to understand the different needs for each group of users. 
  1. Deploy only what you need as all the MFA methods you select will need to be supported 
  1. Have detailed end-user documentation to provide clear instructions to your users to prevent frustration and make sure your MFA deployment goes smoothly. 

Anyways, that wraps up today’s episode of IAM Pulse. Thank you for listening to the show. If you want to hear more about making sure MFA goes smoothly in your organization, go to our website: www.bio-key.comJoin us next time to learn more about IAM and how to secure identity the way that you want. Talk to you soon.