Finding Value in a Single Source for MFA and SSO
In a previous blog post, we talked about how companies have mistakenly viewed MFA and SSO as an either-or solution when in reality the combination of the two gives enterprises a convenient AND secure means to thwart cyber criminals.
Enterprises looking for the strongest one-two punch should consider providers that offer a single source for MFA and SSO. However, “buyer beware” often applies. Many providers indicate they offer both, but specifics can often be hard to find. For example, one current vendor in the marketplace offers MFA that is included with SSO but it’s a very basic, undefined, single option. If a company wants more advanced options, then the cost increases (as much as $3 to $6 per user per month) on top of the base SSO rate. Additionally, it is unclear who owns and provides those options. Most other vendors are vague or silent about their MFA option, except that some offer “integrated” solutions provided by third parties. Outsourced MFA services reduce the amount of control companies have and tend to drive prices higher.
The main advantages of having a single provider for MFA and SSO services are:
- The ability to maintain appropriate control of the user experience. For example, if a third party is involved and a problem is encountered, who do you go to fix the issue? Can it be resolved by one or the other provider…or does it need both?
- A better purchasing experience with only one point of contact, one agreement, and one price.
- Easier deployment that involves a single process versus multiple vendors that will need to be integrated and coordinated.
- Lower costs. If a third party is used, your costs will probably at least double or maybe trend even higher.
Here’s one scenario that highlights some of the risks previously discussed. Your company sets up SSO with Vendor A and gets MFA from Vendor B. This will probably require two set-up portals to establish SSO credentials in one and establish MFA options in the other. If a user resets a password, then you’ll need to determine how it’s shared with both providers. It will be the same with a password recovery for a user who has forgotten his or her user ID or password. You’ll also need to define where the user rights and permissions are established. There are also other questions that surface here. When the SSO portion receives a login and passes it off to the MFA vendor, how long does the handoff take to complete? How are the authentication steps being completed along with the return to the SSO vendor? Slow processing and latency negatively impacts the overall user experience.
While some vendors may be good at MFA, and others at SSO, below are four things to keep in mind for companies that “say” they offer both:
- Be able to differentiate between providers that “offer” and “own” both components versus those that work with another vendor to provide both services.
- Determine exactly what MFA options are provided as well as any premium prices to get what you want. Desirable options include the ability to communicate with the end user by landline, email or text message and perhaps using an app to support the use of biometrics.
- Ensure that behavioral monitoring and analytics are available to keep the process smooth (i.e., having the ability to recognize a user and match key items in the login path with the current access profile).
- Ask for a free, full proof of concept for combined services to back up what vendors tell you they can do.
Working with a vendor that provides a single source for MFA and SSO will give your company the strongest security option while preserving a smooth experience for legitimate users.