At Helion, we’re big fans of multi-factor authentication (MFA). This is the process of identifying users by validating two or more “factors” that are unique to a user. Some of the different user factors that are most often used in the authentication process include:
- Something you know
- Something you have
- Something you are
For instance, something you know might be your password. Something you have could be a one-time passcode sent to your smartphone.
By implementing MFA, your dealership adds an additional layer of protection against one of the most common forms of a cybersecurity breach: compromised credentials. MFA is a great way to help protect your dealership from the growing incidence of cybercrime. However, if MFA is not implemented strategically, you can get in trouble.
One way to get in trouble with an MFA roll-out is to fail to consider the state laws that govern the way in which your business must operate. For instance, state law might require your dealership to reimburse employees who use personal mobile devices for work-related purposes. Since MFA involves using a mobile device to receive a one-time passcode, your employees would need to use their mobile devices for work-related purposes. Therefore, if your dealership was located in California and you wanted to require all employees to use MFA to access dealership-related information, then you would be required to reimburse all employees for a portion of their monthly mobile device expenses.
So, the point here isn’t to discourage use of MFA. Instead, it’s to bring to light the fact that whether it’s the implementation of MFA, a new cybersecurity measure, or a dealership IT improvement, strategic thinking, planning, and expertise are essential. With the right expertise, you might be able to find a more strategic way to implement MFA. For example, if your dealership used Microsoft 365, you could leverage its conditional access capabilities.
With Microsoft’s conditional access, you could establish a set of trusted networks and allow users on these networks to log in without requiring MFA. Those attempting to access dealer systems and information from an untrusted network would then either be denied access or required to use MFA to log in. This way, you could prevent employees who are not reimbursed for their mobile devices from using them for work purposes. At the same time, you could allow those who do receive mobile device reimbursement to log in from an untrusted network by forcing them to use MFA. This is just one example of strategically rolling out MFA and the importance of having a strategically proactive team of IT experts ensuring that your technology is optimized for your business.
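To check that such a roll-out behaves as intended, the sketch below models the decision described above and audits sign-in records against it. It is an added example, not Helion's or Microsoft's code; the networks, user names, record fields and result labels are constructed assumptions, not a real Microsoft 365 log schema.

```python
import ipaddress

# Constructed values: documentation-range networks standing in for dealership sites.
TRUSTED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("203.0.113.0/24", "2001:db8:10::/48")]
# Hypothetical set of employees who receive mobile device reimbursement.
REIMBURSED = {"alice@dealer.example", "bob@dealer.example"}


def is_trusted(ip_text):
    """True only if the address parses and falls inside a trusted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # fail closed: an unparseable source counts as untrusted
    return any(ip.version == net.version and ip in net
               for net in TRUSTED_NETWORKS)


def expected_decision(user, ip_text):
    """Intended outcome: trusted network -> allow without MFA;
    untrusted -> MFA for reimbursed users, block for everyone else."""
    if is_trusted(ip_text):
        return "allow"
    return "require_mfa" if user.lower() in REIMBURSED else "block"


def audit(sign_ins):
    """Return the records whose observed result differs from the intent."""
    findings = []
    for rec in sign_ins:
        want = expected_decision(rec["user"], rec["ip"])
        if rec["result"] != want:
            findings.append({**rec, "expected": want})
    return findings


# Constructed sign-in records (not real log data).
SAMPLE = [
    {"user": "carol@dealer.example", "ip": "203.0.113.25", "result": "allow"},
    {"user": "alice@dealer.example", "ip": "198.51.100.7", "result": "require_mfa"},
    # Non-reimbursed user prompted for MFA off-site instead of being blocked.
    {"user": "carol@dealer.example", "ip": "198.51.100.7", "result": "require_mfa"},
    {"user": "bob@dealer.example", "ip": "2001:db8:10::5", "result": "allow"},
    # Source address missing or garbled, yet the sign-in skipped MFA.
    {"user": "bob@dealer.example", "ip": "not-an-ip", "result": "allow"},
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['user']} from {f['ip']}: got {f['result']}, expected {f['expected']}")
```

The two findings on the sample data are the cases that matter for the reimbursement concern: a non-reimbursed employee being asked to use a personal device, and a sign-in that bypassed MFA without a verifiable source network.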