Five things to consider before choosing an MFA solution


Since their conception in the 1960s, when an MIT professor built a time-sharing computer whose multiple users each required their own private access, passwords have been fundamental to authenticating access to secure digital networks and devices. However, we can never be complacent and assume that passwords are 100% secure.




Using spyware, hackers can crack passwords or gain access to those that aren’t stored securely, and once obtained, those passwords are at risk of being shared among cyber criminals on the dark web. As a result, one of the most popular strategies for reducing the risk of a password attack is the use of multi-factor authentication (MFA) to secure users’ credentials.

According to the UK Government’s Cyber Security Breaches Survey 2022, 83% of data breaches were a result of phishing, so by introducing additional security components as part of an MFA solution, companies can add extra layers of protection for their users and their data. This can be done by combining a physical element, where usernames and passwords are paired with biometric information such as fingerprints or, more commonly, Face ID, or through one-time codes, or tokens, delivered through SMS or authenticator apps.

It’s a process that is becoming more and more commonplace, as we use Face ID to access our banking apps, or receive text messages with codes to confirm our online purchases. And now within our working environments, the evolution of the hybrid and remote office has led increasing numbers of organizations to adopt MFA protection, and MFA is mandated within certain industries, with governments implementing specific requirements.

So whether you’re required to implement a solution because of the industry you work in, or because of the partners you work with, such as Salesforce, which now requires its customers to use MFA to access services, here are five factors to consider:

1. Flexibility

Does the MFA solution apply only the required amount of security depending on the risk posed by whoever's accessing the resources? Also, does the solution offer flexible ways of authenticating users? Will it offer hardware tokens, such as a USB-based dongle, or software tokens, ranging from smartphone apps to NFC, text message and push notification? Does it allow users to use biometrics, such as fingerprint scans or facial recognition/Face ID?

2. Costs

There's a cost to implementing MFA, which depends on the option your organization chooses to implement. Hardware tokens, for example, have deployment and recurring costs, such as server infrastructure, staffing, vendor support, and hardware production and distribution. There are also costs involved with software tokens, although these tend to have fewer deployment costs, and implementation can be achieved in weeks.

3. Security 




When implementing MFA, there are different levels of security that can be used. Passwords and PINs are less secure than hardware tokens or a FIDO authenticator, which can be used when an organization needs phishing-resistant authentication to roam between devices. One-time codes, meanwhile, offer high security when users don’t have a dedicated authentication app. Push notifications, too, can be a good choice if your users can use a mobile authentication app. Finally, biometric authentication is good for system logins or specific apps.

4. Scalability

Any MFA implementation your company opts for needs to be scalable so it can be deployed across your entire organization, and develop as the business grows. This means security practices should be consistent. Deployment should cover all end-users, whether they're in the office or working remotely. MFA should also cover cloud and on-premises applications, VPN, server logins, and privilege elevation. 

5. Ease of use

MFA should not only be easy to roll out, but should be easy to use. Some users may be limited in what they have as another factor to log into resources, such as lacking a smartphone or being unable to use a hardware token. Organizations need to balance usability with cost and security to increase acceptance. 

Whatever method you opt for, MFA is a significant addition to any security infrastructure. 

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.