Multi-Factor Authentication: Requirements for MFA Solutions [Part 1]
Traditional password-based authentication relies entirely on user credentials (username and password) to grant access to corporate systems. This "single-factor" method is neither secure nor reliable: attackers can steal or compromise passwords relatively easily, whether through phishing, credential stuffing, brute-force attacks, dictionary attacks, keyloggers or man-in-the-middle (MitM) attacks, and then use them to gain unauthorized access to user accounts or authorized devices.
So, how will you protect your business from these hackers?
Multifactor authentication (MFA) is one of the best alternatives to password-based security. It does not rely solely on the user’s credentials. Instead, users must provide at least one additional authentication factor to verify their identity. Only if the system can verify all factors will it grant the user access. As a result, MFA helps ensure that users are who they claim to be. It also offers stronger and more reliable protection against cyber threats than systems that rely solely on passwords.
But there are many MFA solutions on the market. How do you choose the right one for your business?
Use the list below to guide your research and investments.
1. Multi-factor authentication: the different methods
Most modern MFA systems require users to present authentication factors from at least two of the following three categories:
- Something the user "knows" (knowledge)
- Something the user "owns" (possession)
- Something the user "is" (inherence, i.e. biometrics)
Your MFA solution should not make it more difficult for users to access their company’s systems. For this reason, it is essential that they be able to use factors they are already familiar with, whether those factors are based on knowledge, possession, or biometrics.
Here are a few authentication methods you can explore.
Authentication using native and push-based one-time passwords (OTP)
A native, push-based mobile one-time password (OTP) authentication system sends the user a text message containing a numeric code that they must enter before they can access the account or application.
BENEFITS
An OTP is a "one-shot" authentication factor. Because it can only be used once, an attacker cannot reuse it after the legitimate user has already done so. This strengthens security and makes it harder for malicious actors to access private accounts. In addition, no special software needs to be installed, and most users are already accustomed to text messaging, which makes it a practical and user-friendly authentication method.
DRAWBACKS
The drawback of a mobile OTP is that if the device is stolen, a malicious person can intercept the password and compromise the accounts. Mobile carriers do not guarantee the confidentiality or security of SMS messages, so malicious actors can intercept them. They can also intercept OTP messages by installing malware on a user's device, especially if the user accesses the device over an open or unsecured network.
Offline Time-Based One-Time Passwords (TOTP)
Time-based one-time passwords (TOTP) are a type of OTP authentication in which a temporary password is derived from a shared secret and the current time. The password expires after a set period and cannot be reused, even if it is intercepted by an unauthorized party.
BENEFITS
TOTP is fairly easy and cost-effective to implement. It does not necessarily require new hardware. All users need is an app on their device.
DRAWBACKS
Of course, the system isn't perfect. If a user loses or misplaces their device, or if the battery dies, they cannot obtain a TOTP code. Furthermore, the authenticator app and the server share the same secret key: if a malicious actor manages to copy this key, they can generate valid TOTP codes themselves and compromise the authorized user's account. Some TOTP systems also lock the user out after too many failed login attempts, which can happen, for example, when codes expire before the user finishes entering them.
Multi-factor authentication: hardware tokens
A hardware token is a small physical device that allows users to access a specific account or application. The Yubico YubiKey is a type of hardware token that provides strong authentication for various online services and applications. This key-fob-sized device plugs into the user's computer or phone to complete the authentication process once the user has entered their password. USB tokens, Bluetooth tokens, and smart cards are other examples of hardware tokens.
BENEFITS
Most tokens combine hardware authentication with public-key cryptography, making them difficult to compromise. To break into a system, an attacker would have to physically steal the token, which is not easy if the user is careful. Many hardware tokens also work without an internet connection, which keeps the token itself out of reach of remote attacks.
Hardware tokens can prevent remote attacks and are ideal if you need a highly secure system that requires network isolation. Some also support password managers, which is convenient for users. Additionally, users can unpair the token from their accounts to prevent unauthorized use.
DRAWBACKS
One potential drawback is that the token could be lost or stolen, in which case it must be replaced. If this happens, costs for the company increase. Similarly, if the token is used in a security breach, the breach itself could be very serious if the user uses the same token to access multiple accounts.
Multi-factor authentication: software tokens
A software token is a digital authentication key. It requires an app or other software to be installed on a physical device, such as a smartphone, and either generates a one-time authentication code or accepts biometric data, such as a fingerprint scan or facial recognition, to complete authentication.
BENEFITS
Just like their hardware counterparts, software tokens enhance security and reduce the risk of unauthorized access. In addition, they are easy to use, require little maintenance, and are less expensive than hardware tokens. Some are even available for free.
DRAWBACKS
However, software tokens also have some drawbacks. They can be exposed to remote attacks, since they depend on software and, often, an internet connection: if the device or the connection is compromised, the token's secret may be at risk at rest or in transit. Nevertheless, despite these drawbacks, software tokens represent a significant security improvement over systems that rely solely on passwords.
Before deciding on a multi-factor authentication (MFA) solution, take the time to consider all the features, as well as the pros and cons mentioned above. Ideally, look for a system like OneLogin MFA, which offers a wide range of authentication factors to increase flexibility, including the following:
- OTP
- Text message
- Voice
- WebAuthn for biometrics
- Third-party options such as Google Authenticator, Yubico, Duo Security, and RSA SecurID
2. Access to the company network
Also make sure that your MFA solution integrates seamlessly with all your network access systems. For example, if you use virtual private networks (VPNs) to encrypt your data and provide remote users with a secure connection over the Internet, your MFA solution must be compatible with the VPN. It should also enhance the VPN’s security to prevent data breaches and ensure that access is restricted to authorized users only.
Similarly, if you use the Secure Shell (SSH) protocol to access remote Linux systems or the Remote Desktop Protocol (RDP) to connect to other computers, it is essential that your MFA solution be compatible with these systems. Furthermore, the solution must be able to prevent account hijacking on them.
Also make sure that your VPN supports RADIUS (Remote Authentication Dial-In User Service) and communicates directly with your MFA solution using the standard RADIUS protocol. This ensures seamless and secure interaction between the VPN and your MFA solution.
Does the MFA solution support current (or future) network access systems?
- VPN Access
- SSH/RDP Access
- Wi-Fi access
- RADIUS Integration
3. Powerful integrations for enhanced security
If your company uses an LDAP (Lightweight Directory Access Protocol) directory, it is essential that the MFA solution be able to integrate with it. This can be achieved either by installing a software agent on your local network or via LDAP over SSL (LDAPS). Ideally, the solution should also offer tight integrations with other security products and identity management solutions to help authenticate users and simplify network security management.
It is also important to look for a solution that supports custom integrations with applications and services, whether they are hosted on-premises or in the cloud. The solution should be able to integrate these applications through an API, without requiring you to remove and replace the solutions you already have.
Make sure the MFA solution works with all of your company's mission-critical applications, including:
- Integration with cloud applications.
- Integration with on-premises applications.
- Integration with human resource management systems (HRMS).
- Integration with directories such as Active Directory (AD) and LDAP.
- Integration with other identity management solutions, such as password managers and endpoint security solutions.
4. Flexible authentication strategies
Deploy an MFA solution that allows you to configure granular policies at various levels: by user, by application, by group, and globally.
Application- and group-level policies are important because they allow you to configure specific protection rules for sensitive applications or high-risk users. With global policies, you can enforce the desired security threshold or baseline across the entire organization.
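An added illustration (constructed for this article; not OneLogin's policy engine or its data model) of how global, group, application and user policies can be layered. It assumes one design choice: a more specific level may only tighten the global baseline (raise the number of required factors or shrink the allowed factor types), never loosen it, and a final check flags a combination that no login could ever satisfy.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    """One policy level. None means 'not set at this level', i.e. inherit from less specific levels."""
    min_factors: Optional[int] = None            # distinct factor types a login must present
    allowed_factors: Optional[frozenset] = None  # factor types that count at this level


# Constructed example configuration (hypothetical group, application and user names).
GLOBAL = Policy(min_factors=2, allowed_factors=frozenset({"password", "sms", "totp", "webauthn"}))
GROUP_POLICIES = {
    "contractors": Policy(allowed_factors=frozenset({"password", "totp", "webauthn"})),  # no SMS for high-risk users
}
APP_POLICIES = {
    "hrms": Policy(allowed_factors=frozenset({"password", "webauthn"})),  # phishing-resistant factors only
    "wiki": Policy(),  # nothing special: inherits the global baseline
}
USER_POLICIES = {
    "alice": Policy(min_factors=3),  # privileged administrator: three factors everywhere
}


def resolve(user: str, groups: list, app: str) -> Policy:
    """Merge global -> group -> application -> user. Assumed rule: specific levels only tighten
    the baseline (max of min_factors, intersection of allowed_factors)."""
    levels = [GLOBAL] + [GROUP_POLICIES.get(g, Policy()) for g in groups] \
        + [APP_POLICIES.get(app, Policy()), USER_POLICIES.get(user, Policy())]
    min_factors = max(p.min_factors for p in levels if p.min_factors is not None)
    allowed = GLOBAL.allowed_factors
    for p in levels[1:]:
        if p.allowed_factors is not None:
            allowed = allowed & p.allowed_factors
    return Policy(min_factors, allowed)


def is_satisfiable(policy: Policy) -> bool:
    """Catches a common layering mistake: requiring more factors than the allowed set can provide."""
    return policy.min_factors <= len(policy.allowed_factors)


def decide(user: str, groups: list, app: str, presented_factors: list) -> bool:
    """Grant only if the login presented at least min_factors distinct allowed factor types."""
    policy = resolve(user, groups, app)
    usable = set(presented_factors) & policy.allowed_factors
    return len(usable) >= policy.min_factors
```

A contractor logging in with password plus SMS is refused everywhere, and the administrator "alice" in the contractors group cannot reach the HRMS at all (three factors required, only two allowed), which is exactly the kind of conflict an administration console should surface before rollout.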
Also check what types of administrative controls are available. The solution should help administrators better control access to enterprise systems, applications, and data, particularly in a Zero Trust security environment.
Does the MFA solution allow for the implementation of flexible and sophisticated authentication strategies at a granular level?
- Granular strategies for diverse identities, applications, devices, communities, and contexts
- Allows you to define the factors that can be used to verify identities
- Customizable authentication flow
- Intuitive and user-friendly administration console
- Risk-based approach
- Includes documentation regarding policy configurations
HTBS helps you secure your IT infrastructure with our Silverfort solution: extend MFA protection to all your AD-based resources without modifying them, including legacy applications, file shares, command-line interfaces, and OT systems.
Source: onelogin