MFA Dashboard

It is often difficult for organizations to understand the full picture around their end users' Multi-factor (MFA) behavior. Collecting and analyzing MFA data across multiple identity sources to identify gaps in coverage, unintended user behaviors, and to report on internal MFA rollouts or initiatives can be a difficult process, that is sometimes needed on a recurring basis. Identity teams are then left gluing together different reports in a very time consuming and manual way, just to make simple reports and visualizations that can be used to share updates with different internal stakeholders.

The MFA tab in the Identity Intelligence Dashboard aims to make this type of tracking and reporting easier with some pre-made widgets that provide insight into the MFA and Passwordless enrollment and usage activity across your connected identity sources, allowing you to quickly identify gaps and trends in adoption, which can contribute to potential security risks.

The MFA Dashboard displays metrics and visualizations on areas of interest including:

• MFA Hygiene and Threats

• Factor Usage and Enrollment

• Passwordless Usage and Enrollment

For information on functionality that exists across all Dashboard tabs, please refer back to our Dashboard documentation.

MFA Metrics

Purpose & Benefit: All organizations have an urgent need to understand their MFA posture across their various IAM platforms. These widgets provide current stats on coverage and trends of key MFA metrics.

There are 3 widgets, separated by them, that provide key metrics around MFA hygiene and threats

• Priority Accounts - allows you to better understand the MFA adoption gaps for critical accounts (Admins and VIPs) in your organization that should be addressed immediately. Read more about priority accounts in our documentation

• MFA Hygiene - highlights key MFA posture issues across your entire environment to help you prioritize and identify users to take action on so that you can reduce the risk of account compromise

• MFA Threats - surfaces risky behavior related to MFA adoption that should be investigated and remediated

Selecting any of these numbers will take you to the corresponding Check Details page or to a pre-filtered Users page for further investigation on the specific users making up each value.

Factor Usage and Enrollment

When it comes to MFA Adoption, it is crucial to understand both enrollment AND usage patterns within your organization to be able to tell the full story.

Enrollment is Step 1, but it is not enough for a user to simply enroll an MFA factor. They also need to get to Step 2 - using their factors regularly to ensure they are securely authenticating into your environment.

Many organizations can have near perfect MFA enrollment across their user base, but when they look into it, they see that the MFA usage numbers do not match. Other organizations will swear that they have completely blocked the use of weak MFA factors like SMS and Phone calls, but when they look into it, they see that there are still users actively utilizing these factors regularly. These examples, and many others like it, often indicate a configuration issue that must be addressed which is why it is important to look at the holistic picture of enrollment and usage to get the most accurate sense of an organization's MFA adoption.

The MFA Dashboard tab has a few widgets to help understand current usage, as well as enrollment trends over time.

Factor usage by NIST assurance levels

This pie chart displays a break down of all factor usage per user, categorized by NIST Assurance Level, over the last 30 days. For example, in the screenshot below, we can see that 29 users have used a Medium assurance factor at least 1 time over the last 30 days.

Hovering over a segment in the pie chart will display a tool tip with the given assurance level and the count of users making up that segment.

MFA Enrollment

This bar graph provides a look into MFA Enrollment trends over time, categorized by NIST Assurance Level. A user must enroll an MFA method to be reflected in this graph.

Hovering over any item in the graph will display a tool tip with the month and the count of users who enrolled a factor for each assurance level.

By default, this graph will show the MFA Enrollment metrics for the last 6 months, but you can modify the timeframe to also look at the last 2, 3, or 12 months if needed. Note: you may see blank months in the past, which reflects that Identity Intelligence was not yet collecting data for these months (ex: newly created tenants or tenants that existed before this feature was released)

MFA Factors: In Use vs Unused

Purpose & Benefit: Quickly assess and compare the status of enrolled and in-use MFA factors and track migrations to stronger factors or other MFA usage anomalies.

An enabled factor is one that is available on a user's account and could be used (ie: user has enrolled this factor in their account) but is not necessarily being used. In use factors are those that have been used in the last 30 days. All In-use factors are enabled factors, but not all enabled factors are in use.

The MFA Factors: In Use vs Unused graph provides a visualization of the total count users per MFA Factor, broken down by factors enabled versus in use, and color coded by factor assurance level, to help you better understand which MFA factor types are most frequently configured and used across your organization, identify any unexpected behavior, and highlight users who could be utilizing more secure methods but are not.

Hovering over any item in the graph will display a tool tip with the factor name, assurance level, count of users using a given factor, count of users enabled but not using a given factor, and the total count of users enabled with this factor (ie: in use + unused users) Selecting a given segment (enabled but unused or in use) of one of the bars in this visualization will take you to the Users page, pre-filtered for that specific factor type and usage type.

By default, this widget is filtered to show In use and Enabled but unused Factor data. However, you can also use the available filter to change the graph to see either In Use factors only or Enabled but unused factors only. Selecting a value in the legend below the graph will remove the corresponding data points from the visualization entirely. Select the removed value in the legend to re-add it to the visualization.

Passwordless Usage and Enrollment

The MFA Dashboard also has widgets that look specifically at passwordless Adoption trends to help organization's understand the progress made, as well as an areas that are lagging behind expected adoption levels. Passwordless MFA methods are considered the most secure method for authentication as they are much more difficult for bad actors to compromise.

Like with general MFA Adoption, for a successful passwordless rollout, organizations need to compare passwordless factor enrollment rates to passwordless usage rates to get a full understanding of their organization's adoption and progress. If users have enrolled these more secure factors but continue to utilize weaker factors to authenticate, the organization has not successfully deployed passwordless.

Passwordless Enrollment

Similar to the general MFA Enrollment widget, the Passwordless Enrollment widget helps visualize the first step of any passwordless rollout project - user enrollment - and how the numbers change over time throughout the rollout. A user must enroll a passwordless authentication factor to be reflected in this graph.

Hovering over any item in the graph will display a tool tip with the month the count of users who enrolled a passwordless factor and the count of users who did not enroll a passwordless factor.

By default, this widget is filtered to show the number of users who have enrolled in any factor that is considered passwordless. However, you can also use the available filter to change the graph to see the enrollment numbers for specific passwordless factors that your users have enrolled in.

Selecting on a value in the legend below the graph will remove the corresponding data points from the visualization entirely. Select the removed value in the legend to re-add it to the visualization.

By default, this graph will show the Passwordless Enrollment metrics for the last 6 months, but you can modify the timeframe to also look at the last 2, 3, or 12 months if needed. Note: you may see blank months in the past, which reflects that Identity Intelligence was not yet collecting data for these months (ex: newly created tenants or tenants that existed before this feature was released)

Passwordless Adoption

The Passwordless Adoption widget helps visualize the second step of any passwordless rollout project - passwordless usage - and how the numbers change over time throughout the rollout. It is important to understand the volume of authentications that utilize a passwordless method compared to non-passwordless methods to identify if users are actually adopting the new, more secure methods, or if they continue to utilize old methods out of habit or because they are not being forced to move over.

Passwordless auths refers to active authentications done by an end user, utilizing a passwordless method. Non-Passwordless auths refers to all other active authentications done by an end user using other factors that are not passwordless. Non-active authentications done where the user is NOT prompted to authenticate are not included in either category (for ex: Auths via remembered devices or sessions)

Hovering over any item in the graph will display a tool tip with the month the percentage of active authentications that used a passwordless factor and the percentage of active authentications that used a non-passwordless factor.

Selecting on a value in the legend below the graph will remove the corresponding data points from the visualization entirely. Select the removed value in the legend to re-add it to the visualization.

By default, this graph will show the Passwordless Adoption metrics for the last 6 months, but you can modify the timeframe to also look at the last 2, 3, or 12 months if needed. Note: you may see months in the past which show 100% for non-passwordless auths, which may reflect that Identity Intelligence was not yet collecting data for these months (ex: newly created tenants or tenants that existed before this feature was released)

Sensitive App Authentication

When going through passwordless deployments, many organizations choose to start by enforcing these factor methods on the applications that are most critical to the business to ensure that the applications are well protected.

With the Sensitive App Authentication widget, it is now much easier to understand how often these applications are being accessed using passwordless methods and how often they are not, so that you can track adoption progress and remediate any gaps that are allowing non-passwordless authentications.

This widget shows authentication data for these apps over the last 30 days. It uses the same definitions for passwordless auths and non-passwordless auths as the Passwordless Adoption widget. Please refer to the documentation above for that widget to read the definitions.

Hovering over any item in the graph will display a tool tip with the application name, the count of active passwordless authentications and the count of active non-passwordless authentications.

Selecting on a value in the legend below the graph will remove the corresponding data points from the visualization entirely. Select the removed value in the legend to re-add it to the visualization.

Note: This widget only displays a maximum of 10 sensitive applications. If there are more than 10 sensitive apps configured for your organization, the widget will display the 10 applications that have the highest number of total authentications.