Simple and cost-effective MFA deployment with TOTP


Written by Eddi Freiter in collaboration with Will Neumann
Organizations of all sizes are increasingly using productivity tools and applications hosted in the cloud. However, providing secure access to user information and sensitive data remains a significant challenge. Delivering a security solution that is easy to use, simple, low-friction, and cost-effective is critical.
Data protection and privacy laws such as HIPAA, GDPR, PIPEDA, and cybersecurity insurance policies require securing sensitive information and data.
One straightforward way to enhance security is by implementing multi-factor authentication (MFA). YubiKeys and other FIDO2 authenticators are well known in the industry, but they can be a costlier solution in larger deployments. In this article, I will discuss the use of one-time passwords (OTP), focusing specifically on time-based one-time passwords (TOTP).
Why MFA?
Cybercriminals have access to over 15 billion stolen credentials. Using passwords alone is no longer sufficient. Additional layers of authentication, such as MFA, add complexity to the authentication process. This additional complexity may discourage cybercriminals, causing them to target less secure systems instead. OTP, and more specifically TOTP, is a simple and widely supported method of adding this extra layer of security.
A simple solution
TOTP tokens use a static seed, shared once with the identity provider at enrollment, and a time step, typically 30 or 60 seconds, to generate a new OTP code for each step. For organizations, using an app installed on employees’ smartphones to generate TOTP codes might seem like the simplest solution, as most employees already have smartphones. However, this approach introduces several challenges, such as employee privacy concerns or union objections. Employees may have the right to refuse the use of personal devices for work-related purposes.
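To make the seed-plus-time-step mechanism concrete, here is an added example (it is not code from the original article, from Entra ID, or from any token vendor) implementing RFC 6238 TOTP generation and the identity provider's verification step with a small clock-drift window; the seed below is the constructed RFC test value, not a real token secret.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: the counter is simply the number of whole time steps since the Unix epoch.
    A token with a 60-second step just passes step=60; the seed never changes."""
    return hotp(secret, unix_time // step, digits, algo)


def seed_from_base32(encoded: str) -> bytes:
    """Seeds are commonly distributed base32-encoded (as in otpauth: URIs); decode to raw bytes."""
    padded = encoded.strip().upper() + "=" * (-len(encoded) % 8)
    return base64.b32decode(padded)


def verify_totp(secret: bytes, candidate: str, now: int, step: int = 30,
                digits: int = 6, skew: int = 1) -> bool:
    """Verifier side: accept the current step plus/minus `skew` steps so a hardware token
    whose clock has drifted slightly still works. Compare in constant time."""
    for drift in range(-skew, skew + 1):
        t = now + drift * step
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret, t, step, digits), candidate):
            return True
    return False


if __name__ == "__main__":
    # Constructed seed from RFC 6238 Appendix B (ASCII "12345678901234567890"); not a real secret.
    seed = b"12345678901234567890"
    print(totp(seed, 1111111109, digits=8))          # prints 07081804
    print(verify_totp(seed, "07081804", 1111111139, digits=8, skew=1))  # True: one step of drift
```

The `skew` window is the trade-off the verifier controls: a wider window tolerates more token clock drift but also lengthens the period during which an observed code remains valid.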
Alternatively, organizations could issue smartphones to employees, but this quickly becomes prohibitively expensive.
This is where hardware OTP tokens provide a practical solution. These tokens are available in various formats, such as key fobs or credit card-sized display cards, and are significantly more economical than other hardware-based options. Additionally, platforms like EntraID/M365 natively support TOTP, offering tools to facilitate deployment to large numbers of users.
Use Case
Consider a large healthcare provider that purchases a cybersecurity insurance policy requiring all user accounts to be protected by MFA. The organization’s employees are union members, making the use of personal smartphones or issuing company-owned devices impractical.
After evaluating their options, the IT department decides to issue TOTP key fobs to all employees. This decision is both economical and practical. The low purchase price of hardware tokens and the straightforward implementation of TOTP within EntraID/M365 enable the organization to comply with its cybersecurity policy efficiently.
Conclusion
TOTP hardware tokens offer a simple and effective solution for implementing MFA within an organization. These devices are easy to deploy, and integrating them with platforms like EntraID/M365 requires minimal effort. Additionally, maintaining hardware tokens is cost-effective and time efficient. Given the growing prevalence of cybercrime, MFA should no longer be considered optional—it is a necessity.
Resources
Token vendors: Token2, FEITIAN, Protectimus and more.
How to MFA - Manage OATH tokens
How to MFA - Upload OATH tokens
Why MFA is everywhere
Difference between TOTP and HOTP
Written by Eddi Freiter
I love everything computers. I self-host in my own 'datacenter' and my goal is to write about it on this blog. I also write software for fun and $$$. My favourite language is Python.