Multi-Factor Authentication: Requirements for MFA Solutions [Part 1]


Traditional password-based authentication relies entirely on user credentials (username and password) to grant access to corporate systems. This "single-factor" method is neither secure nor reliable: attackers can steal or guess passwords through phishing, credential stuffing, brute-force and dictionary attacks, keyloggers, and man-in-the-middle (MitM) attacks, among others, and then use them to gain unauthorized access to user accounts or authorized devices.

So, how will you protect your business from these hackers?

Multifactor authentication (MFA) is one of the best alternatives to password-based security. It does not rely solely on the user’s credentials. Instead, users must provide at least one additional authentication factor to verify their identity. Only if the system can verify all factors will it grant the user access. As a result, MFA helps ensure that users are who they claim to be. It also offers stronger and more reliable protection against cyber threats than systems that rely solely on passwords.

But there are many MFA solutions on the market. How do you choose the right one for your business?

Use the list below to guide your research and investments.

1. Multi-factor authentication: the different methods

Most modern MFA systems require users to present authentication factors from at least two of the following three categories:

  • Something the user "knows" (knowledge)
  • Something the user "owns" (possession)
  • Something the user "is" (inherence)

Your MFA solution should not make it more difficult for users to access their company’s systems. For this reason, it is essential that they be able to use factors they are already familiar with, whether those factors are based on knowledge, possession, or biometrics.

Here are a few authentication methods you can explore.

Authentication using native and push-based one-time passwords (OTP)

A native, push-based mobile OTP system sends the user a text message containing a numeric code that they must enter before gaining access to the account or application.

BENEFITS

An OTP is a "one-time" authentication factor. Since it can only be used once, an attacker cannot reuse it after the legitimate user has done so. This makes it harder for malicious actors to access private accounts. Additionally, no special software needs to be installed, and most users are already familiar with text messaging, making it a convenient and user-friendly authentication method.

DRAWBACKS

The downside of a mobile OTP is that if the device is stolen, a malicious person can read the code and use it to compromise accounts. Mobile carriers do not guarantee the confidentiality of SMS messages, so malicious actors can intercept them. They can also intercept OTP messages by installing malware on the user's device, particularly if the user connects that device to an open or unsecured network.

Offline Time-Based One-Time Passwords (TOTP)

Time-based one-time passwords (TOTP) are a type of OTP authentication in which a temporary password is generated using the current time as an authentication factor. This password expires after a set period and cannot be reused, even if it is intercepted by an unauthorized user.

BENEFITS

TOTP is fairly easy and cost-effective to implement. It does not necessarily require new hardware. All users need is an app on their device.

DRAWBACKS

Of course, the system isn't perfect. If a user loses or misplaces their device, or if the battery dies, they cannot generate the TOTP code. Furthermore, the authentication app and the server share the same secret key. If a malicious actor manages to copy this key, they can generate valid TOTP codes and compromise an authorized user's account. Some TOTP systems also lock the user out after too many failed login attempts, for example when codes expire before the user finishes entering them.

Multi-factor authentication: hardware tokens

A hardware token is a small physical device that allows users to access a specific account or application. The Yubico YubiKey is a type of hardware token that provides strong authentication security for various online services and applications. This keyring-shaped device plugs into the user’s device to complete the authentication process once the user has entered their password. USB tokens, Bluetooth tokens, and smart cards are other examples of hardware tokens.

BENEFITS

Most tokens combine hardware authentication with public-key cryptography, making them difficult to compromise. To break into a system, an attacker must physically steal the token, which isn't easy if the user is careful. Many hardware tokens also work without an internet connection, which removes the possibility of attacks over the internet.

Hardware tokens can prevent remote attacks and are ideal if you need a highly secure system that requires network isolation. Some also support password managers, which is convenient for users. Additionally, users can unpair the token from their accounts to prevent unauthorized use.

DRAWBACKS

One potential drawback is that the token could be lost or stolen, in which case it must be replaced. If this happens, costs for the company increase. Similarly, if the token is used in a security breach, the breach itself could be very serious if the user uses the same token to access multiple accounts.

Multi-factor authentication: software tokens

A software token is a digital authentication key. It requires the installation of an app or software on a physical device, such as a smartphone, and either generates a one-time authentication code or accepts biometric data, such as a fingerprint scan or facial recognition, to complete authentication.

BENEFITS

Just like their hardware counterparts, software tokens enhance security and reduce the risk of unauthorized access. In addition, they are easy to use, require little maintenance, and are less expensive than hardware tokens. Some are even available for free.

DRAWBACKS

However, software tokens also have drawbacks. They can be vulnerable to remote cyberattacks, since they depend on an internet connection and on software running on the device. If the device or connection is compromised, the token may be exposed at rest or in transit. Nevertheless, software tokens represent a significant security improvement over systems that rely solely on passwords.

Before deciding on a multi-factor authentication (MFA) solution, take the time to consider all the features, as well as the pros and cons mentioned above. Ideally, look for a system like OneLogin MFA, which offers a wide range of authentication factors to increase flexibility, including the following:

2. Access to the company network

Also make sure that your MFA solution integrates seamlessly with all your network access systems. For example, if you use virtual private networks (VPNs) to encrypt your data and provide remote users with a secure connection over the Internet, your MFA solution must be compatible with the VPN. It should also enhance the VPN’s security to prevent data breaches and ensure that access is restricted to authorized users only.

Similarly, if you use the Secure Shell (SSH) protocol to access remote Linux systems or the RDP protocol to connect remotely to other computers, it is essential that your MFA solution be compatible with these systems. Furthermore, the solution must be able to prevent account hijacking on them.

Also make sure that your VPN supports the RADIUS (Remote Authentication Dial-In User Service) protocol and communicates directly with your MFA solution over standard RADIUS. This ensures seamless and secure interaction between the VPN and your MFA solution.

Does the MFA solution support current (or future) network access systems?

3. Powerful integrations for enhanced security

If your company uses an LDAP (Lightweight Directory Access Protocol) directory, it is essential that the MFA solution be able to integrate with it. This can be achieved either by installing a software agent on your local network or via LDAP over SSL (LDAPS). Ideally, the solution should also offer tight integrations with other security products and identity management solutions to help authenticate users and simplify network security management.

It is also important to look for a solution that supports custom integrations with applications and services, whether they are hosted on-premises or in the cloud. The solution must be compatible with integrating these applications via an API, without requiring the removal and replacement of other solutions.

Make sure the MFA solution integrates with all of your company's mission-critical applications and systems, including:

– Cloud applications.
– On-premises applications.
– Human resource management systems (HRMS).
– Directories such as Active Directory (AD) and LDAP.
– Other identity management solutions, such as password managers and endpoint security solutions.

4. Flexible authentication strategies

Deploy an MFA solution that allows you to configure granular policies at various levels: by user, by application, by group, and globally.

Application- and group-level policies are important because they allow you to configure specific protection rules for sensitive applications or high-risk users. With global policies, you can enforce the desired security threshold or baseline across the entire organization.

Also check what types of administrative controls are available. The solution should help administrators better control access to enterprise systems, applications, and data, particularly in a Zero Trust security environment.

Does the MFA solution allow for the implementation of flexible and sophisticated authentication strategies at a granular level?

  • Granular strategies for diverse identities, applications, devices, communities, and contexts
  • Allows you to define the factors that can be used to verify identities
  • Customizable authentication flow
  • Intuitive and user-friendly administration console
  • Risk-based approach
  • Includes documentation regarding policy configurations

HTBS helps you secure your IT infrastructure with our Silverfort solution: extend MFA protection to all your AD-based resources without modifying them, including legacy applications, file shares, command-line interfaces, and OT systems.

Source: onelogin
