MFA Implementation Checklist

The use of multifactor authentication (MFA) is increasing across the board and is fast becoming "table stakes" for many organizations. If your security team is considering an MFA rollout, the following checklist can help save time with the implementation process.

This checklist provides a step-by-step process for implementing MFA within an organization.

Implementing MFA: Step-By-Step 

1. Document all Requirements and Use Cases

• Involve any key leadership stakeholders who may need to weigh in on authentication requirements and compliance requirements
• Document use cases and compliance requirements driving the need for MFA
• Document the organization’s desired standards/methods for MFA, if known (also consider user workflows and devices)
• Agree on known exceptions to the MFA standard, knowing stakeholders assume the risk

2. How to Choose an MFA Solution 

• Identify if any MFA solutions are already in place inside the organization
• Define business requirement capabilities for an MFA solution
• Define business system integration requirements for an MFA solution
  • Are there specific, critical systems that must work out of the box?
• Determine if the organization will use an MFA solution integrated into an existing IAM solution or privileged access management (PAM) solution, or if an independent MFA solution makes the most sense for the organization
• Determine if a particular form factor will be deemed most acceptable to end users (most enterprise solutions offer a variety of options)
• Agree on a common, enterprise-wide MFA solution, if possible
  

3. Inventory Authentication Systems and Use Cases 

• Inventory all authentication databases that store credentials for the organization
• Inventory all authentication use cases where users and service accounts require authentication credentials; examples of such systems may include:
  • Workstations/servers
  • Network devices
  • Web applications
  • Database systems
  • Administrative access
  • Cloud-based applications
  • DevOps pipeline deployments 
    

4. How to Enable Direct MFA 

• Consider where MFA is relatively simple and feasible, and where it may break workflows
• Prioritize privileged access
  • It should require MFA in all cases, if possible
  • Direct MFA push should be completely disabled with privileged users (if not all users), given the recent breaches with campaigns like Lapsus$ 
• Start by integrating/synchronizing wide-reaching or commodity authentication systems, such as:
  • Remote access systems
  • AD 
• Next, consider integrating more unique or proxied authentication systems, such as:
  • Third-party applications
  • Cloud-based applications
  • Line-of-business applications
  • Single sign-on (SSO) and federation portals (identity services included)
• Finally, integrate custom applications that require the development of custom code to function properly
  

5. Consider Adaptive MFA for Privileged Accounts (and any others) 

• Look at third-party options that can accommodate adaptive authentication and authorization using:
  • Time-of-day considerations
  • IP addresses and geographic locations
  • End-user and endpoint validation (certificates or other)
    

6. Implement Authentication Proxies, Where Necessary 

• Identify each authentication system/experience that does not natively integrate with the organization’s chosen MFA solution
• Identify if the organization requires a different vendor solution for:
  • IAM (SSO and federation services included)
  • PAM
  • Cloud access security brokers and other cloud brokers
    

7. Implement MFA for Nontraditional Accounts 

• Decide if contractors will follow the same authentication requirements as other workforce members
• Decide if customers will follow the same authentication requirements as workforce members
• Document a process for vendors to use to authenticate when remotely accessing systems
• Document how service accounts will use MFA to authenticate automated processes (if possible)
  

8. Regularly Report to Leadership on Progress 

• Ensure leadership stakeholders are regularly updated on progress
• Ensure leadership is responsible for regularly renewing any defined exceptions
• Agree on key performance indicators to report progress
  

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.