As the incidence, severity, and sophistication of today’s cyber threats continue to grow, the appropriate use of multi-factor authentication (MFA) is becoming increasingly important. Add to this that new government regulations – like the FTC Safeguards Rule – now require businesses to implement MFA. The result is a lot of confusion, inefficiency, and, quite frankly, wasted money.
Device-Based vs Application-Based MFA
To best understand how to do MFA the right way, let’s first discuss the device-based approach. In device-based MFA, the MFA process is triggered by the device the user logs on to, rather than by the dealership’s user account properties and policy settings. This is fine for protecting access to a specific device – like your laptop. However, it does nothing to protect access to cloud-based applications – like your DMS – from unknown, unprotected devices.
To best protect consumer data – which is what the FTC Safeguards Rule requires – you need to control access at the application level. At the application level – regardless of the device – MFA can be initiated to validate user identity before the user can gain access to application data. As more and more applications move to the Cloud, application-based MFA is becoming an absolute necessity.
So, what’s the best, most cost-effective approach to implementing application-based, device-agnostic MFA? The answer is to leverage a Federated Identity Management (FIM) approach.
Federated Identity Management (FIM)
FIM relies on the exchange of identity information between an application vendor – like your DMS vendor – and an Identity Provider like Microsoft Active Directory. Basically, the Identity Provider is a database that stores user identities along with their related attributes. The Identity Provider also stores the security policies associated with each user.
By establishing a way for applications to communicate with a centralized identity provider, you enable authorized users to access multiple applications using a single set of credentials. And, when implementing MFA, you can leverage a single authenticator solution – like Microsoft Authenticator – across multiple applications.
Today, setting up federated access across many of a dealership’s applications – like the DMS – can be done by leveraging what many dealerships already have in place: Microsoft 365 and Microsoft Active Directory. For many dealerships there is no need to spend money on a new MFA solution to protect the dealership and comply with the FTC Safeguards Rule. If you have Microsoft 365 and Microsoft Active Directory and someone is telling you that you need to purchase an additional MFA solution, then what you really need is qualified IT and cybersecurity expertise.