Re: Best Practices for MFA

gaius · ‎01-12-2024

Good morning team, hope everyone is well. What would we consider to be some best practices around the use of MFA? For me, a key concern is avoiding "MFA fatigue", requiring users to do the MFA steps many times per day, such as on a single website. Particularly if the devices are known to be trusted and there are additional controls in place such as keycard access, one MFA per day in an SSO environment should be sufficient. In the cases where devices are even more controlled, such as residing in homes or in pockets, one MFA per week should be sufficient - some serious players such as Amazon seem to only require MFA very occasionally, or on a new device, creating a seamless experience. The bigger risk in my opinion is MFA fatigue setting in and users with the option to do so simply disabling the use of it. Keen to hear the thoughts of the community.

ericgeater · ‎01-12-2024

Depends on your vertical. "MFA fatigue" means nothing to enterprises which require better-than-adequate security, because it's just something that's required by everyone, period, end of story.

In a previous life, I worked with a private company that had no compliance requirements. Asking them to do MFA would have been a significant culture change. In public sector, once per day is a requirement, and no one bats an eye.

I would be curious to hear any responses from higher security details myself.

-----------
A claim is as good as its veracity.

denbesten · ‎01-12-2024

My suggestion, follow NIST 800-63B , both the current version and the upcoming version.

From rev4,

Periodic reauthentication of subscriber sessions SHALL be performed as described in Sec. 7.2. At AAL2, authentication of the subscriber SHALL be repeated at least once per 12 hours during an extended usage session, regardless of user activity. Reauthentication of the subscriber SHALL be repeated following any period of inactivity lasting 30 minutes or longer.

Also notable for avoiding user-fatigue is passwordless logins. Just like you can face-ID on your iPhone, Windows Hello does the same for your PC, and "Device Authentication" does it with Azure SSO.

Also, check to see if your SSO provider can share a single "authentication session" across multiple different apps. Every morning, I login to 5 SAAS apps only mfa'ing once. The subsequent ones happen silently, with the IdP saying "yea, I know that is @denbesten; let him through".

And, at least with Azure, I can configure individual apps to require MFA if the most-recent MFA is over N-hours old. So, one can redo MFA after 168 hours for email; 12 hours for business apps and 2 hours for admin access.

dhouser · ‎01-13-2024

The concerns to balance are MFA fatigue and user experience, as you point out, with stolen session hijacking, known as the "Golden SAML" attack. Absolute timeout of 12 hours should, I'd think, be an absolute outer-bounds... and really only makes sense if you have people working 12 hour shifts.

I've found 4 hours to be a reasonable absolute timeout for non-privileged access, which, from users' perspectives, are going to typically be 2 authentications per day. As @denbesten points out, the SSO platform should provide for session management sharing that authentication within that security context. However, if there are multiple SSO technologies in play then federation across those security contexts would be the only reasonable way to have single MFA provide for SSO.

Culture and history definitely plays into this, as well as risk, and there's no "right" answer as to where that balance should fall.

-ddh__________
Dan Houser, CISSP-ISSAP-ISSMP CSSLP CCSP
#20889