With the increase of ransomware attacks, data breach, and other cyber threats the adoption of MFA (Multi-factor authentication) is having momentum, but sometimes proposing a technology that implies changes to end-user behavior and the addition of a new step to access application and infrastructure that are required in day to day activities, you might be subject to challenges and pushbacks even if it protects against identity theft. This is why upfront analysis and planning are key to achieve a successful implementation.

We need to understand the most important piece is the end-user experience, therefore you should always start backward. Is important to work on timelines and milestones, configuration best practices, employee communications, and training your support staff.

Once you have the information which is driving your organization to adopt MFA, then you need to focus on building a successful plan and work around key areas and best practices to plan the deployment, this might include identifying the applications the organization requires to protect (1), find out if the application is cloud-based or on-premises.

The next natural step would be to identify the user group (IT, HR, Finance, Sales, Call Center…etc) this is important because in some cases your organization might have groups and roles who are not allowed to use their phone during their shift, and this brings us to the next subject, which is, how you as project leader will decide the way end-users should receive the MFA requests (Duo Push, SMS, Voice Call, Passcode).

Testing and piloting your applications and endpoints before launch is key for a successful deployment, but before starting is important to read the documentation (2) and get as much information as you can from one of the DUOs specialists. Start with applications that cover a majority of users, it will help tie enrollment and go-live together. Office 365 is a great example of this—many people use email, calendaring, and other productivity tools. This way, most of your users are enrolled and familiarized with the MFA experience early on, but as a recommendation, if it is your first time leading this kind of project always try first on a non-production environment, as it will allow to identify potential issues before the end-user encounter them.

Create a disaster recovery plan, as a project leader you need to understand the DUO fail mode (3) and the integrations that support them. You need to have an emergency plan on how to remove the MFA from the authentication workflow in the event of a long service disruption and how to do it per-application basis.

Now that you have the basic cover is time to move to the interesting part which is configuring and customizing the access using Duo Policies. As a start here are some of the most popular policy controls the majority of DUO customers adopt or consider during the rollout:

• Deny Access from anonymous IPs.

• Deny Access from non-supported browsers.

• Require users to have the most up-to-date version of Duo Mobile.

• Require that mobile users enable screen lock.

• Require that users are on the latest version of iOS or have the latest patch on Android.

• Allow access only to devices that have the DUO device health application installed.

• Require that laptops and desktops are on the latest patch level of Windows 10 OS or have the latest version of MacOS.

• Require that laptops and desktops have password, firewall and/or disk encryption enable.

• Require laptops and desktops to have an anti-virus agent installed.

• Allow access to users using only Trusted Endpoints.

As you know every organization is different and might have a unique flavor or characteristics, therefore before starting is good to check the common deployment tips (4).

Try using the features DUO Beyond offers, as you might find it very useful to use it as a strong foundation to adopt zero-trust and expand later on. Among the features, device health (5) can provide a lot of value, it allows your organization to control which laptop or computer can access corporate applications based on device security, this is very useful to restrict finance and applications that manage sensitive information.

Last point, but equally important, make sure the team providing help desk function is well aware of the new MFA tool, what it can do and how it can successfully guide a user through the registration and onboarding process, and how to contact support in case of an issue.

Conclusion:

Today's needs required a network that can provide and accommodate Multifactor Authentication across applications and systems, we required a policy that gets translated from an endpoint, to the network, the wan, your DC, the Cloud, and even your SAAS application. We review in this post what DUO can bring to the table and what to consider for a successful implementation, as a summary we have:

• Planning

• Identify the pilot applications to use by choosing the well-defined applications first (1).

• Create your policy.

• Make sure you have a rollback plan in the case is needed.

• Communication to end-users.

• Help desk training.

Please comment if this was helpful (or not) for your MFA project, as I’d like to know the areas where I can provide more value to my readers.

Reference:

(1) Aplications - https://duo.com/docs/protecting-applications
(2) DUO Documentation - https://duo.com/docs
(3) Fail Mode - https://help.duo.com/s/article/2215
(4) Deployment tips - https://duo.com/docs/trusted-endpoints#deployment-setup-tips
(5) Device Health - https://duo.com/blog/available-now-duo-device-health-app-extends-security-checks-for-desktops-and-laptops