Multi-factor authentication: requirements for MFA solutions [part 1].
Traditional password-based authentication relies entirely on user credentials (username and password) to provide access to corporate systems. This "single-factor" authentication method is neither secure nor reliable, as hackers can easily steal or compromise passwords and gain unauthorized access to user accounts or authorized devices. They can then launch a variety of attacks such as phishing, credential stuffing, brute force attacks, dictionary attacks, keylogger attacks and man-in-the-middle (MitM) attacks, among others.
So how will you protect your business from these hackers?
Multi-factor authentication (MFA) is one of the best alternatives to password security. It does not rely solely on user credentials. Instead, users must provide at least one additional authentication factor to verify their identity. Only if the system can verify all factors will it grant access to the user. MFA therefore ensures that users are who they claim to be. It also offers stronger, more reliable security against cyberthreats than systems that only use passwords.
But there are many MFA solutions on the market. How do you choose the right solution for your company?
Use the list below to guide your research and investments.
1. Multi-factor authentication: the different methods
Most modern MFA systems require users to employ authentication factors from at least two or three different categories:
- Something the user "knows" (knowledge)
- Something the user "owns" (possession)
- Something the user "is" (inherence)
Your MFA solution shouldn't make it difficult for users to access their company's solutions. For this reason, it's essential that they can use factors that are already familiar to them, whether these are based on knowledge, possession or inherence.
Here are a few authentication methods you can explore.
Mobile one-time password (OTP) authentication, native and push type
A mobile one-time password (OTP) system, in its native or push form, sends the user a text message containing a numerical code that must be entered before access to the account or application is granted.
ADVANTAGES
An OTP is a "one time, every time" authentication factor. Since it can only be used once, hackers can't reuse it after the user has entered it. This strengthens security and makes it more difficult for malicious parties to gain access to private accounts. What's more, there's no need to install special software, and most users are already used to text messaging, making it a convenient and user-friendly authentication method.
DISADVANTAGES
The disadvantage of a mobile OTP is that if the device is stolen, a malicious person can intercept the password and compromise accounts. Mobile operators do not guarantee the confidentiality or security of SMS messages, so they can be intercepted in transit. OTP messages can also be intercepted by malware installed on the user's device, particularly if the user connects over an open or unsecured network.
Offline time verification codes (TOTP)
Time-based OTP (TOTP) is a type of OTP authentication in which a temporary password is generated from the current time and a shared secret. This password expires after a set period and cannot be reused, even if it is intercepted by an unauthorized user.
ADVANTAGES
TOTP is fairly easy and cost-effective to implement. It doesn't necessarily require new hardware. All users need is an application on their device.
DISADVANTAGES
Of course, the system isn't perfect. If the user loses or misplaces their device, or if the battery is flat, they cannot generate the TOTP code. What's more, the authentication application and the server hold the same secret key. If a malicious person manages to clone this key, he or she can generate new, valid TOTP codes and compromise an authorized user's account. Some TOTP systems also block a user's access after repeated login attempts, for example when the code expires too quickly and the user has to try again.
Multi-factor authentication: hardware tokens
A hardware token is a small physical device that enables users to access a specific account or application. The Yubico YubiKey is a type of hardware token that offers strong authentication security for various online services and applications. This key-shaped fob plugs into the user's device to finalize authentication once the user has entered their password. USB tokens, Bluetooth tokens and smart cards are other examples of hardware tokens.
ADVANTAGES
Most tokens combine hardware authentication with public key encryption, making them difficult to compromise. To hack into a system, a malicious person has to physically steal the token, which is not always easy to do if the user is careful. Many hardware tokens even work without an Internet connection, eliminating the possibility of attacks via the Internet.
Hardware tokens can prevent remote attacks, and are suitable if you need a highly secure system that requires network isolation. Some also support password managers, which is convenient for the user. In addition, users can dissociate the token from their accounts to prevent unauthorized use.
DISADVANTAGES
One possible drawback is that the token may be lost or stolen, in which case it has to be replaced. If this happens, costs increase for the company. Similarly, if the token is used for a breach, the breach itself can be very serious if the user uses the same token to access several accounts.
Multi-factor authentication: software tokens
A software token is a digital authentication key. It requires the installation of an application or software on a physical device, such as a smartphone, and either sends a one-time authentication code or accepts biometric data, such as fingerprint or facial recognition, to provide secure authentication.
ADVANTAGES
Like their hardware counterparts, software tokens enhance security and limit the risk of unauthorized access. What's more, they're easy to use, require little maintenance and cost less than hardware tokens. Some are even available free of charge.
DISADVANTAGES
However, software tokens also have a few drawbacks. They can be vulnerable to remote cyber-attacks, as their operation depends on an Internet connection and software. If the connection is compromised, the token may be at risk when stored or transmitted. However, despite these drawbacks, software tokens represent a significant advance in terms of security over password-only systems.
Before making your choice when it comes to multi-factor authentication (MFA), take the time to consider all the features as well as the advantages and disadvantages mentioned above. Ideally, find a system such as OneLogin MFA, which offers a multitude of authentication factors to increase flexibility, including these:
- OTP
- SMS
- Voice
- WebAuthn for biometrics
- Third-party options such as Google Authenticator, Yubico, Duo Security and RSA SecurID
2. Access to company network
Make sure, too, that your MFA solution integrates seamlessly with all your network access systems. For example, if you use virtual private networks (VPNs) to encrypt your data and offer remote users a secure connection via the Internet, your MFA solution must be VPN-compatible. It must also reinforce VPN security to prevent data breaches, and guarantee access for authorized users only.
Similarly, if you need to use the Secure Shell (SSH) protocol to access remote Linux systems, or the RDP protocol to connect remotely to other computers, it's essential that your MFA solution can be used with these systems. What's more, the solution must be able to prevent account hijacking on these systems.
You should also ensure that your VPN supports RADIUS (Remote Authentication Dial-In User Service) and communicates directly with your MFA solution using standard RADIUS protocols. This ensures smooth, secure interaction between the VPN and your MFA solution.
Does the MFA solution support current (or future) network access systems?
- VPN access
- SSH/RDP access
- Wi-Fi access
- RADIUS integration
3. Powerful integrations for enhanced safety
If your company has an LDAP (Lightweight Directory Access Protocol) directory, it's essential that the MFA solution can integrate with it. This can be achieved either by installing a software agent on your local network, or via LDAP over SSL (LDAPS). Ideally, the solution should also offer tight integrations with other security products and identity management solutions, to help authenticate users and simplify network security management.
It's also important to look for a solution that supports custom integrations with applications and services, whether hosted locally or in the cloud. The solution must be compatible with the integration of these applications via an API, without requiring the extraction and replacement of other solutions.
Ensure that the MFA solution works with all your company's strategic applications, including:
- Integration with cloud applications.
- Integration with on-premise applications.
- Integration with Human Resource Management Systems (HRMS).
- Integration with directories such as Active Directory (AD) and LDAP.
- Integration with other identity management solutions, such as password managers and terminal security solutions.
4. Flexible authentication strategies
Deploy an MFA solution that lets you configure granular policies at different levels: by user, by application, by group, but also globally.
Application- and group-level policies are important, as they enable you to configure specific protection rules for sensitive applications or high-risk users. With global policies, you can apply the desired security threshold or benchmark across the entire enterprise.
Also check what kind of administrative controls are available. The solution must help administrators better control access to corporate systems, applications and data, especially in a Zero Trust security environment.
Does the MFA solution enable flexible and sophisticated authentication strategies at a granular level?
- Granular strategies for diverse identities, applications, devices, communities and contexts
- Allows definition of factors that can be used to verify identities
- Customizable authentication workflow
- Intuitive, user-friendly administration console
- Risk-based flow
- Includes documentation on strategy configurations
HTBS helps you secure your IS infrastructure with our Silverfort solution: extend MFA protection to all your AD-based resources without modifying them, including legacy applications, file shares, command-line interfaces and OT systems.
Source: onelogin