Mastering MFA in multitenancy

Mastering MFA in multitenant environments.

ZeroTek Communications

December 17, 2024


Key Takeaways

  • Multifactor authentication (MFA) is essential to protect businesses of all sizes. MFA means you are 99% less likely to be hacked.
  • Your MSP customers need MFA, no matter what size or industry: 46% of all cyber breaches impact businesses with fewer than 1,000 employees.
  • MSPs need tools to deliver MFA to all their customers, standardize where possible, customize when necessary, and manage it all in an intuitive way. The solution is ZeroTek | Okta for multitenancy and MFA respectively.

What’s the best way to deliver MFA in a multitenant environment?

Security-conscious Managed Service Providers (MSPs) understand that multifactor authentication (MFA) provides their customers with the best protection from cyberattacks. However, implementing MFA in a multitenant environment can be challenging: educating customers about why they need MFA, and then managing each customer’s unique and complex requirements. Fortunately, delivering and managing MFA in a multitenant environment is easy with the right tools: Okta for MFA and ZeroTek for multitenant management.

MFA, which requires users to provide at least two forms of identification to access applications and resources, is a core component of Okta’s industry-leading, enterprise-class Identity and Access Management (IAM) platform. ZeroTek is a SaaS platform purpose-built for MSPs to succeed by delivering and managing Okta’s MFA in a multitenant environment. There’s no better way than the ZeroTek | Okta solution to protect all your customers with MFA.

Why is MFA essential to protect small and medium businesses?

Your small and medium-sized business (SMB) customers need to know that usernames and passwords are the number one vector for successful cyberattacks (Verizon 2024 Data Breach Investigations Report), and that MFA is one of the most effective ways to protect against these threats. According to the US Cybersecurity & Infrastructure Security Agency (CISA), using MFA on your accounts to protect your digital identity means you are 99% less likely to be hacked.

Being an SMB does not make an organization any less of a target: 46% of all cyber breaches impact businesses with fewer than 1,000 employees. (Source: SentinelOne Cyber Attacks on SMBs.) Your customers are not immune from cyberattacks, and the costs to SMBs of successful attacks can be significant, with breaches in the US costing an average of $200,000. (Source: “Current Cost of a Data Breach to an SMB,” Webcheck Security (June 2021 or 2022).) Losses are not purely financial: a successful cyberattack often involves data loss and reputational harm as well. Communicating these risks can help your customers understand the importance of MFA.

It’s clear to security experts that SMBs need MFA to protect their data and digital identities and ensure that only the right people access an organization’s apps and data. However, according to a 2024 Cyber Readiness Institute report, awareness of MFA among SMBs in the US remains low at only 55%. As your customer’s trusted IT advisor, discussing how to strengthen their security posture with MFA is an important opportunity for both of you.

Soon that conversation may be unavoidable. As identity-based cyberattacks become more sophisticated and ubiquitous, MFA will likely become mandatory in many industries. Financial and healthcare sectors and government agencies have made MFA mandatory as part of their regulatory frameworks. Even smaller businesses in regulated professions like healthcare and law often need MFA in place to comply with regulatory requirements, facing hefty fines and other serious consequences if they do not. Insurers increasingly require MFA before approving cybersecurity coverage.

Password managers are not enough

Many businesses have adopted password managers as part of their cybersecurity posture, and you may have customers who wonder why they aren’t enough. After all, users need to remember only a single password (for their password manager), making them less likely to reuse passwords across apps. This lowers the risk of multiple systems being compromised if a single system gets hacked.

However, passwords are still inherently vulnerable to phishing and brute-force attacks, the two most common—and most successful—types of identity-based attacks. With password managers, you’re ultimately still protecting passwords with a password.

SMBs are sometimes reluctant to adopt MFA

Among the businesses aware of MFA, many remain reluctant to adopt it, sometimes based on negative experiences with other solutions and often stemming from a perception that MFA will hamper rather than improve their work. One study indicated that people resist MFA because they consider it annoying (33%), too complicated (23%), too slow (23%), or unreliable (22%) (source: 40+ Multi-Factor Authentication Stats (2024)).

Organizations say that easier implementation (30%) and ongoing support (20%) would help persuade them to adopt MFA (2024 Cyber Readiness Institute report), but their number one barrier is cost (43%). Awareness of the prevalence and average cost of a successful breach typically puts the comparatively small investment in preventative measures in a favorable light. However, even if the customer can tolerate the significantly higher cost of not having MFA, they don’t have to choose between security and cost if you’re protecting them with Okta delivered through ZeroTek.

ZeroTek’s unique licensing and pricing model, offered exclusively to MSPs, significantly reduces the cost barrier and allows for month-to-month consumption-based billing, making Okta’s top-tier MFA technology accessible to all your customers.

Other common concerns about MFA (ease of use, slowness, low reliability) are entirely resolved with Okta, renowned in the industry for uniquely balancing high security with a low-friction, consistently positive user experience. Most of ZeroTek’s MSP Partners choose to use Okta too, making it easy to discuss the solution with their customers, demonstrate how it works with genuine enthusiasm, and address any remaining concerns.

ZeroTek | Okta helps MSPs bring MFA to SMBs

With ZeroTek | Okta, MSPs can deliver an intuitive MFA experience that makes sense to the end user. When combined with secure single sign-on (SSO), users log in once to their organization using MFA and can access all their apps from a single dashboard without having to log in again. Customers who may have worried about MFA hampering their productivity are delighted to experience frictionless, secure access to their apps and an end to credential chaos.

Okta allows you to configure MFA at both the organization and application levels. This means that once a user is logged into their main app dashboard, Okta can prompt them to confirm their credentials again only when accessing more sensitive apps like those used for HR or accounting operations.

How do your customers benefit from Adaptive MFA?

Okta’s Adaptive MFA (AMFA) is part of how MSPs balance the highest levels of security and the best user experience for their customers.

AMFA in Okta means you can configure Okta policies and control access based on user context. Authentication challenges and permissions adapt to the level of risk a user presents when trying to log in depending on things like:

  • their location
  • the device they use
  • whether the device meets defined security requirements

For example, an accountant with access to a sensitive payroll and financial data app uses a badge to get through security at their office. Because the user is logging in from a trusted location, Okta policies might let them access most of their apps with a simple authentication process but require an additional authentication step when attempting to access the sensitive payroll app.

However, suppose Okta detects the accountant logging in from an IP address anywhere outside the office. In that case, the accountant might need to provide biometric verification using facial recognition or a fingerprint scanner. And if Okta detects a login attempt from Russia or another untrusted region, access won’t be allowed at all.

MSPs can add further layers of security by using, for example, a policy to strictly limit how long an Okta session can remain idle when outside the office and by allowing access to sensitive apps only when the session is initiated on a managed/trusted device that meets specific security requirements.
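The context rules described in this section, written out as a small first-match policy evaluator. This is an added example, not Okta or ZeroTek code or configuration; the network range, region list, app names, factor names and timeout values are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed values (assumptions for illustration, not from any real tenant).
OFFICE_NETWORKS = [ip_network("203.0.113.0/24")]  # stand-in for the office range
BLOCKED_REGIONS = {"RU"}                           # untrusted regions: always deny
SENSITIVE_APPS = {"payroll"}

@dataclass(frozen=True)
class LoginContext:
    ip: str
    country: str          # country code resolved from the IP upstream
    device_managed: bool  # device is managed and meets security requirements
    app: str

@dataclass(frozen=True)
class Decision:
    allow: bool
    factors: tuple         # authenticators the user must present
    idle_timeout_min: int  # maximum idle session time; 0 when denied
    reason: str

def in_office(ip: str) -> bool:
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # an unparsable source address is never trusted
    return any(addr in net for net in OFFICE_NETWORKS)

def evaluate(ctx: LoginContext) -> Decision:
    """First matching rule wins; deny rules are checked before allow rules."""
    if ctx.country in BLOCKED_REGIONS:
        return Decision(False, (), 0, "untrusted region")
    sensitive = ctx.app in SENSITIVE_APPS
    if sensitive and not ctx.device_managed:
        return Decision(False, (), 0, "sensitive app needs a managed device")
    if in_office(ctx.ip):
        # Trusted location: simple sign-in, with a step-up for sensitive apps.
        factors = ("password", "push") if sensitive else ("password",)
        return Decision(True, factors, 120, "trusted location")
    # Anywhere else: biometric verification and a short idle timeout.
    return Decision(True, ("password", "biometric"), 15, "outside office")

if __name__ == "__main__":
    for c in (LoginContext("203.0.113.10", "US", True, "payroll"),
              LoginContext("198.51.100.7", "US", True, "mail"),
              LoginContext("203.0.113.10", "RU", True, "mail")):
        print(c, "->", evaluate(c))
```

Rule order matters here: because the deny rules run first, a request that geolocates to a blocked region is refused even when its source address falls inside the office range.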

The types of authenticators required can also vary based on context. Knowledge-based authenticators, such as passwords, are inherently vulnerable to many different types of cyberattacks, but when MFA also requires an additional biometric authenticator like fingerprint or facial recognition, or a possession-based factor like a number challenge pushed to the user’s phone, the user’s login is far more secure. Of course, you may choose to implement MFA that eliminates passwords entirely, a highly secure option that many MSPs currently offer through ZeroTek | Okta.

“ZeroTek | Okta is a big part of how we deliver a solid experience for customers in very demanding industries,” says Dan Le, Founder and CEO of Red Cup IT. “Our customers like Okta … They have secure access to their email and apps and they don’t waste time thinking about passwords anymore.” (Read more in the Red Cup IT case study.)

Simplifying multitenant MFA

Implementing MFA in a multi-tenant environment has traditionally been difficult and complex. Each customer has unique authentication requirements you need to track. There is no “one-size-fits-all” MFA setup: differing industry-specific regulatory compliance requirements, travel security policies, cyber insurance, and more mean there will always be necessary customizations.

ZeroTek takes the complexity out of deploying Okta MFA in multitenant environments with a comprehensive set of field-tested best practices to help you succeed. Continually updated as technology and the threat landscape evolve, ZeroTek’s best practices are designed by Okta-Certified Consultants in dialogue with our MSP Partners and based on nearly a decade of working closely with Okta R&D. We offer step-by-step instructions to guide MSPs through a baseline configuration that establishes a strong security foundation for all the organizations you manage. With this baseline in place, it’s easy and intuitive to customize the experience for specific customers using ZeroTek.

“I refer to [ZeroTek documentation] regularly as a kind of sanity check to ensure we’re up to date with best practices, features, and processes,” says Nicholas Thomas, Founder and Principal Consultant at Ethikos Inc., a ZeroTek Partner. “They’re updated regularly as things evolve—and Okta’s always evolving. ZeroTek’s baseline configuration guide for Okta is phenomenal for that.” (Read more about Ethikos’ experience with ZeroTek | Okta.)

The more applications you can put behind MFA, the stronger the customer’s IT security posture. With some solutions, this can be a challenge, especially when you have customers in different industries and with different required apps. The Okta Integration Network (OIN) provides pre-built SSO integrations for 8,000+ cloud-based applications that make this process a breeze, with most app integrations taking about an hour.

More than 700 integrations in the OIN include support for Okta Lifecycle Management (LCM), which reduces complexity, costs, and potential security issues by automating and simplifying user provisioning and deprovisioning from Okta for those apps. For any custom applications or the rare specialty apps that are not available in the OIN, ZeroTek’s Okta-Certified Consultants can help you configure the best possible login experience for your customers.

LCM means huge time savings for MSPs, better customer security, and an improved user experience: everything a new hire needs is available on day one within an easily navigable but highly secure MFA environment. Thomas at Ethikos describes the process as “efficient, intuitive, and gratifying for end users and administrators.”

Multitenancy with ZeroTek | Okta

As a multitenant platform for Okta, ZeroTek simplifies switching among customers to perform management and support activities from a single dashboard. You can quickly and securely access tenants without the additional layers of authentication that other platforms, like Microsoft’s, require.

To adhere to security best practices for least-privileged access, you can leverage ZeroTek’s role-based access control and segment access for non-administrator team members by customer.

  • ZeroTek Administrators have universal access to all customers you manage in ZeroTek. Administrators are the only users who can add, modify, view details for, or delete customers.
  • Non-administrators like ZeroTek Technicians and Help Desk users can see and access only the customers a ZeroTek Administrator assigns to them.

In ZeroTek, team members will see a list of all the customers their role and/or assignment allows them to view or manage.

“If you’re an MSP supporting multiple accounts, [ZeroTek | Okta is] kind of a no-brainer,” says Kristian Sanchez, Security Consultant at NENS. “We love the single pane of glass for simplified management and enhanced visibility. We love the level of precision and customization possible when we need it.” (Read more about NENS’ experience with ZeroTek | Okta.)

ZeroTek | Okta: better security for everyone, simplified management for you

MFA is an essential part of any professional security service offering that promises to protect against identity-based cyberattacks—and that’s what your customers need. ZeroTek | Okta is the perfect multitenant management platform to incorporate MFA into the security and service packages you already offer your customers—ensuring a great user experience and a strong security posture for your customers while making MFA easily managed in a multitenant environment built for MSPs like you.

Are you ready?

Ready to explore how ZeroTek | Okta can help your MSP deliver next-level security services to your customers?

Book a call to get your questions answered, learn about our MSP pricing, and arrange a demo.
