Spoiler alert! In this blog, I will not be giving you a silver bullet for security, nor telling you the exact MFA solution you should use for your small business. Rather, we will look at the key things you need to consider when purchasing and implementing multi-factor authentication (MFA). Before we get into the factors that will determine the best MFA solution for small businesses, we first need to make sure you have a good understanding of what MFA is and why it is so important. Check out our recent blog for more information.
With that understanding, let’s dive into the factors that allow you to find the best MFA solution for small businesses.
Any MFA is better than no MFA
The first, and most important, point in this whole article is that any MFA solution you choose is going to dramatically strengthen your security posture. The importance of stopping an attacker from succeeding with password attacks, such as a password spray, cannot be overstated. Therefore, while this blog is about finding the best MFA for small businesses, the most important thing is to have some sort of MFA in place.
With that being said, some MFA solutions are more secure than others. For example, NIST recommends against delivering MFA codes via SMS messages. Additionally, be careful with MFA solutions that have an email fallback option. The reason why? If I can guess your email password, I can simply log in to your mailbox and grab the verification code from there, bypassing the intended MFA solution entirely.
Focus on Adoption and Scalability
Getting buy-in from your organization on MFA may be extremely difficult. MFA has a financial cost, and it is often viewed as a hit to usability and quality of life. Because of that, you should prioritize something that will serve your organization for the foreseeable future. Right now you may be primarily concerned with implementing it on your VPN (if not, you should be), but in the future you may want to roll it out to email, SSH, custom applications, employee workstations, and so on. Therefore, when considering a solution now, the right question may not be "what will work on my VPN?" but "what will work on all my devices?"
You also want to make sure whatever solution you settle on is easy to use and manage. It is safe to assume these days that everyone has a phone. Because of that, many SMBs are using MFA solutions that use your cellphone as the second form of authentication.
After That, It’ll Come Down to Price
Cost is the last major factor when deciding on the best MFA option for small businesses. There are expensive solutions (RSA tokens), moderately priced solutions (Duo/YubiKey), and free solutions (Google Authenticator) to consider.
In our experience, the expensive ones are generally not used by SMBs. These are primarily used by Fortune 500 and Wall Street-type companies. The advantage of the moderately priced options is compatibility and support: their support team will help you roll the solution out and assist when things are not working. Additionally, these moderate options generally work across more devices than the free ones. My recommendation in this space would be to check out Duo or YubiKey. Finally, as far as free ones go, I would check out Google Authenticator, as it is usually the most compatible with devices and applications.