At Helion, we’re big fans of multi-factor authentication (MFA). This is the process of identifying users by validating two or more “factors” that are unique to a user. Some of the different user factors that are most often used in the authentication process include:
- Something you know (such as a password or PIN)
- Something you have (like a code sent to your smartphone)
- Something you are (fingerprint, facial recognition or voice recognition)
By implementing MFA, your dealership adds an additional layer of protection against one of the most common forms of cybersecurity breach: compromised credentials. MFA is a great way to help protect your dealership from the growing incidence of cybercrime. However, if MFA is not implemented strategically, you can get into trouble.
Rolling out MFA without considering the state laws that govern your business could create problems for your organization. As technology evolves, so do the laws associated with it. For instance, state law might require your dealership to reimburse employees who use personal mobile devices for work-related purposes. Since MFA involves using a mobile device to receive a one-time passcode, your employees would need to use their mobile devices for work-related purposes. Therefore, if your dealership were located in California and you wanted to require all employees to use MFA to access dealership-related information, you would be required to reimburse all employees for a portion of their monthly mobile device expenses.
So, the point here isn’t to discourage use of MFA. Instead, it’s to bring to light the fact that whether it’s the implementation of MFA, a new cybersecurity measure, or a dealership IT improvement, strategic thinking, planning, and expertise are essential. With the right expertise, you might be able to find a more strategic way to implement MFA. For example, perhaps leveraging Microsoft 365 conditional access capabilities in lieu of a mobile device requirement works better for your dealership.
With Microsoft’s conditional access, you could establish a set of trusted networks and allow users on these networks to log in without requiring MFA. Those attempting to access dealer systems and information from an untrusted network would then either be denied access or required to use MFA to log in. This way, you could prevent employees who are not reimbursed for their mobile devices from using them for work purposes. At the same time, you could allow those who have a dealership-provided mobile device or receive mobile device reimbursement to log in from an untrusted network by forcing them to use MFA. This is just one example of strategically rolling out MFA and of the importance of having a strategically proactive team of IT experts ensuring that your technology is optimized for your business.
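The decision logic described above can be modeled in a few lines to check who ends up allowed, challenged, or denied before a policy is switched on. This is an added illustration, not Microsoft's API or Helion's configuration; the network ranges, user names, and function names are constructed assumptions.

```python
import ipaddress
from enum import Enum


class Decision(Enum):
    ALLOW = "allow without MFA"
    REQUIRE_MFA = "allow after MFA"
    BLOCK = "deny"


# Constructed sample values (documentation ranges), not real dealership networks.
TRUSTED_NETWORKS = [
    ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:10::/48")
]
# Hypothetical set of users with a dealership-provided or reimbursed mobile device.
MFA_DEVICE_USERS = {"alice@dealer.example"}


def is_trusted(source_ip):
    """Return True only if source_ip parses and falls inside a trusted network."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # fail closed: an unparsable address is untrusted
    # Dual-stack front ends may report IPv4 clients as ::ffff:a.b.c.d;
    # unwrap so the IPv4 trusted range still matches.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(
        addr.version == net.version and addr in net for net in TRUSTED_NETWORKS
    )


def evaluate(user, source_ip):
    """Apply the rollout described in the text to one sign-in attempt."""
    if is_trusted(source_ip):
        return Decision.ALLOW        # trusted network: no MFA prompt
    if user in MFA_DEVICE_USERS:
        return Decision.REQUIRE_MFA  # untrusted network, has a work-funded device
    return Decision.BLOCK            # untrusted network, personal device only


if __name__ == "__main__":
    for who, ip in [("bob@dealer.example", "203.0.113.40"),
                    ("alice@dealer.example", "198.51.100.7"),
                    ("bob@dealer.example", "198.51.100.7")]:
        print(who, ip, evaluate(who, ip).value)
```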