How FusionAuth Simplifies Compliance with MFA Requirements

By Jura Gorohovsky

How FusionAuth Simplifies Compliance with MFA Requirements

Multifactor authentication, or MFA, is an approach to application security that requires a user to present two or more credentials (“factors”) to log in to an application. Factors are normally selected from different categories:

  • Something the user knows (PIN or password)

  • Something the user is (fingerprint or facial recognition)

  • Something the user has (smart card, one-time password, or push notification)

Although MFA introduces some friction to the login experience, the trade-off is that it makes applications drastically more secure. According to Microsoft, MFA can block over 99.9 percent of account compromise attacks.

Read on to learn why using MFA is becoming a requirement for many organizations and how FusionAuth can streamline implementing MFA in a compliant manner while staying on budget---without sacrificing user experience.

Why Compliance with MFA Standards Is No Longer Optional

MFA is so commonplace that it’s become a de facto standard for application security.

Implementing MFA makes a lot of sense to drastically step up your security. But even if you wouldn’t have chosen to implement MFA, the evolving regulatory landscape makes MFA almost inevitable for many companies.

Regulators in various countries and industries have established rules and recommendations for MFA usage.

Here are a few examples:

  • Since 2019, payment service providers in the EU and the European Economic Area have been subject to the Payment Services Directive (PSD2), which requires “strong customer authentication” (SCA) to be used in processing online payments. By definition, MFA meets the requirements of SCA.

  • The ENISA guidelines for GDPR compliance recommend using MFA for accessing systems in the EU that process personal data.

  • Since 2022, the Payment Card Industry Data Security Standard (PCI-DSS) requires MFA to be implemented by all US merchants, processors, and other payment service providers involved in payment card processing.

  • The NIST Cybersecurity Framework, which is mandatory for US federal agencies, will soon require the use of MFA.

  • Federal government contractors in the US must comply with a substantial set of security requirements, including NIST SP 800-171, which includes using MFA when handling government information.

  • In India, the Central Bank requires using MFA for all online card transactions over Rs 2000.

If you’re a US business with a history of data breaches, the Federal Trade Commission may order you to implement MFA with other security measures. This is what happened to Drizly following a data breach exposing the personal information of roughly 2.5 million customers.

The FusionAuth Advantage: What Sets FusionAuth Apart in MFA Compliance

MFA---and identity management as a whole---is not trivial to implement in-house. Customer identity and access management products like FusionAuth offer you the freedom to focus on providing business value while the product just makes identity management work.

Choosing FusionAuth to comply with MFA requirements makes sense for several reasons.

FusionAuth supports a wide range of factors for MFA, including authenticator apps with time-based one-time passwords (TOTP), email, SMS, or biometric authentication. MFA with TOTP via authenticator apps is available on the Community plan, which is free for unlimited users. MFA with email or SMS as a second factor is available in all paid plans, including the lightest Starter plan, regardless of the number of your active users.

As part of your MFA workflow, you can use step-up authentication to make users verify their identity before they take sensitive actions, such as sending money, deleting their account, or changing permissions.

On the Enterprise plan, you can even set up different MFA configuration settings across several applications in your FusionAuth instance. For example, if one of your applications needs to process government data, you can configure MFA according to NIST requirements. In other applications where you prefer the ease of onboarding over additional security (think free trials or the free tier in consumer apps), you can have MFA turned off or configured with a different flow.

You can also choose between cloud hosting and self-hosting your FusionAuth instance. Cloud hosting is easier to set up and allows delegating infrastructure management to us. However, self-hosting is generally better for compliance as you have full control over your infrastructure, including the location of your user data.

Single Tenancy: The Power of Single-Tenant Solutions in Streamlining MFA Compliance

An important trait of FusionAuth architecture is single tenancy---that is, a single instance of FusionAuth will only serve one customer (tenant). Properly isolating each tenant from everyone else simplifies handling safety and privacy requirements, including industry- and country-specific MFA requirements.

Multitenant solutions don’t work well if your company policy or applicable regulations (such as GDPR) don’t allow user data to be stored outside of the user’s country. But with a single-tenant solution, it’s easy: just install the software on a server located in a particular country. PCI and HIPAA compliance becomes easier, too, because data is protected separately for each tenant.

Broadening the Horizon: FusionAuth’s Support for Various Identity Providers

Whenever an application or website suggests you log in with your Google, Facebook, or LinkedIn account, those are identity providers in action. FusionAuth can delegate authentication decisions to these identity providers to provide a smoother sign-in experience for your users.

FusionAuth supports a wide range of identity providers, most of them on the free tier. They include the following:

  • Mainstream social identity providers: Google, Apple, Facebook, LinkedIn, Twitter (X)

  • Social sign-in providers popular in the entertainment industry: Epic Games, Nintendo, Sony PlayStation Network, Steam, Twitch, Xbox

  • Generic providers that implement popular standards: OpenID Connect, SAML v2, External JWT

If a social sign-in option you’re looking for isn’t available out of the box, chances are you can configure it by adding a new OpenID Connect or SAML v2 provider. For example, for developer-focused applications, you may want to allow your users to log in with their GitHub accounts. To do this, you’d simply configure OpenID Connect with GitHub.

Single Sign-On (SSO) and MFA: The FusionAuth and SSO Synergy

Combining MFA with single sign-on (SSO) adds an extra degree of protection to your business and reduces friction for your users.

SSO enables users to log in to multiple applications using a single set of credentials, which saves them time and effort. For the business, this provides additional security and simplifies access control.

SSO can also help with regulatory compliance. For example, in the healthcare industry, HIPAA requires implementing automatic log off, which is a lot easier to do when you use SSO to limit the duration of login sessions across multiple applications.

You can set up FusionAuth as an SSO identity provider to grant users access to all the software that you want them to use.

Affordable and Scalable: The FusionAuth Way

FusionAuth’s pricing model and transparency sets it apart from many of its higher-profile competitors.

First, FusionAuth is free for unlimited users if you self-host, with no strings attached. Secure authentication is so essential that developers should be able to jump on it quickly and easily without worrying about costs.

Apart from the generous free offering, FusionAuth provides scale-friendly paid plans that won’t break the bank as your business gets more active users.

FusionAuth’s pricing page lets you immediately estimate your costs for up to one million monthly active users. This is in stark contrast to some of our competitors, who will lure you into a time-consuming sales workflow before you get the chance to know how much they charge.

As great as the FusionAuth pricing approach is for everyone, it’s especially critical for businesses with seasonal usage fluctuations or a combination of always-active power users and a lot of occasional users.

Prioritizing the End User: FusionAuth’s Focus on Usability

Secure authentication doesn’t have to come at the cost of user experience. With FusionAuth, you’re free to choose an MFA workflow that works best for your users.

For mobile apps, feel free to go with SMS or biometrics. For applications primarily used on desktops, use email or SMS. To secure internal applications, consider authenticator apps and SSO for better control and a seamless user experience.

Whichever factors you choose, you can fine-tune every step on the user’s authentication journey with branded and customizable login screens, emails, and SMS messages.

If you’re serving an international audience, FusionAuth even lets you localize messages and the login UI to match every user’s preferred language.

Stepping Up Security: Passwordless Authentication

Most attacks on web applications today are performed with stolen passwords. MFA is a drastic step towards better security, and proving your identity with something that can’t be stolen makes it even more secure.

For instance, one form of passwordless authentication is magic links. Magic links are one-time, time-limited codes delivered via email, SMS, or a push notification. FusionAuth lets you easily generate magic links as the first factor of MFA or on their own. However, it’s worth noting that a second factor such as email, SMS, or TOTP would be needed in conjunction with the magic link.

FusionAuth in the Field: Use Cases and Customer Stories

Customers value FusionAuth for helping ensure compliance while staying scale-friendly.

For example, Brad Kite, CTO at Cybanetix, emphasizes how being able to self-host FusionAuth was an important consideration from the compliance perspective:

As our solutions are PCI-DSS compliant, being able to deploy on-prem and manage access within our own data center was an important factor, as the cloud-based security providers we evaluated were not able to demonstrate PCI-DSS compliance, so our solutions could not use them.

Jerry Hopper worked on a client project that needed GDPR compliance---including hosting in the EU, password strength, MFA, and data anonymization. He explains why FusionAuth was a great fit:

FusionAuth is API driven and has very complete logging, which makes it a breeze to make your applications GDPR compliant.

David Billings, CTO at Talent Funnel, appreciates FusionAuth for being reasonably priced for its use case:

We have both power users for our ATS platform as well as a very large volume of “low activity” users who may log in a couple of times a year… We tried many [FusionAuth] competitors but either the technology didn’t fit our use-case or the billing would have been astronomical for the types of users we have.

Whitney Champion, a lead architect at Recon InfoSec, notes the simplicity of implementing even the advanced authentication features with FusionAuth:

We also needed a passwordless login---the magic link feature. Few platforms make it as easy as FusionAuth does.

Conclusion: The FusionAuth Pathway to Simple, Compliant MFA

Some businesses want to use MFA because of how much more secure it makes their applications. Others just have to use it due to regulatory requirements. Whether your path to MFA is voluntary or forced upon you, FusionAuth will help make it smooth.

Enjoy support for a variety of MFA factors, transparent and scale-friendly pricing, data isolation, and deployment flexibility. Download the FusionAuth Community edition for free and see what it can do for you.