By Tim Ferrill
Today’s credential-based attacks are much more sophisticated. Whether it’s advanced phishing techniques, credential stuffing, or even credentials compromised through social engineering or breaches of a third-party service, credentials are easily the most vulnerable point in defending corporate systems. All these attacks key on traditional credentials, usernames and passwords, which are past their expiration date as a legitimate security measure. An obvious way forward in enhancing access security is multifactor authentication (MFA).
Security professionals need control. In physical security this is often accomplished by limiting the points of entry, which allows security personnel to check IDs or have individuals walk through metal detectors. Before the explosion of the internet and web-based apps, the single digital point of entry was the corporate directory. Employees used a single set of credentials to authenticate to corporate resources and access business apps.
Modern infrastructure and web-based business applications make maintaining this single point of entry much more difficult without specialized tools to maintain security posture. MFA offers significant enhancements to the authentication process, the first of which is the additional factor itself: a smartphone, hardware MFA token, or an SMS or email-based authentication code. The authentication process no longer relies on knowledge-based elements like a username and password, which can be compromised through phishing or other malicious techniques. Authentication attempts leveraging additional MFA factors require either interaction from a user with a registered device or a physical hardware device, minimizing the impact of a compromised username and password.
The tricky part with any security measure is keeping it convenient, or at least efficient, for end users. The worst thing you can do is ratchet up security requirements so much that users either can’t (or won’t) access corporate resources, or they find ways to bypass and compromise the security measures you’ve put in place.
MFA factors are a key feature when selecting an authentication provider. SMS and email-based security codes are the bare minimum and are better than nothing, but consider whether these factors provide the level of security you need, since both email and SMS are potentially vulnerable to compromise. MFA standards such as time-based one-time passwords (TOTP) are commonly supported by authentication apps like Google Authenticator and others, but they ultimately hinge on a single shared secret that is known to both the authentication service and the user’s authentication device. Many MFA providers rely on proprietary protocols that offer both strong security and a convenient authentication flow using push notifications to a registered mobile device.
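The shared-secret point above is easiest to see in code. The following is an added example (not from the article or any vendor named in it) of a minimal RFC 6238 TOTP verifier: the server and the authenticator app each compute an HMAC over the current 30-second time step using the same secret, so whoever holds that secret (including an attacker who copies it from a backup or a compromised enrollment) can produce valid codes. The verifier also shows two checks a defender wants: a small drift window, and replay rejection so a code that was already accepted cannot be reused. The secret is the RFC 6238 test secret, not a real one.

```python
"""Minimal RFC 6238 TOTP verifier (added example; the secret is the RFC test vector)."""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6

# RFC 6238 test secret "12345678901234567890", base32-encoded as an authenticator app
# would import it from a QR code. Constructed for this example, not a real credential.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """TOTP is HOTP with the counter derived from the clock: floor(unix_time / step)."""
    return hotp(secret, at_time // step)


def verify_totp(secret_b32: str, submitted: str, at_time: int,
                window: int = 1, last_used_counter: int = -1):
    """Return (accepted, counter_used).

    window: how many steps of clock drift to tolerate on either side (1 step = 30 s).
    last_used_counter: the highest counter already accepted for this user; any code
    for that counter or an earlier one is rejected so an intercepted code cannot be
    replayed within the drift window.
    """
    secret = base64.b32decode(secret_b32, casefold=True)
    current = at_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_used_counter:
            continue  # replay: this step was already consumed
        # Constant-time compare so the comparison itself leaks nothing about the code.
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    raw = base64.b32decode(DEMO_SECRET_B32)
    print("code at T=59:", totp(raw, 59))          # RFC 6238 vector: 287082
    print(verify_totp(DEMO_SECRET_B32, "287082", 59))                        # accepted
    print(verify_totp(DEMO_SECRET_B32, "287082", 59, last_used_counter=1))   # replay rejected
```

In a real deployment the secret stays on the server only in an encrypted store and `last_used_counter` is persisted per user; the drift window should stay at one step, because every extra step widens the interval during which a phished code remains valid.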
Enterprise MFA providers offer additional tools and capabilities to enhance authentication security. Properly implemented, MFA services can help you achieve a single focal point for authentication across a variety of applications and corporate resources. Having this central point for authentication traffic allows you to implement additional capabilities such as improved logging and analysis, authentication policies, and even AI and risk-based conditional access.
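As an added example of what the central logging point makes possible (this code is not from the article or from any product it names, and the log format is a constructed, hypothetical one), here are two detections run over sample MFA-gateway events: the push-fatigue pattern, where a user denies several prompts and then approves one; and the credential-stuffing pattern, where many distinct accounts from one source pass the password check but fail MFA, which is exactly the signal that becomes visible once MFA sits in front of a compromised password.

```python
"""Two detections over constructed MFA-gateway log lines (added example, hypothetical log format)."""
import json
from collections import defaultdict

# Constructed sample events; the field names are assumed, not taken from any real product.
SAMPLE_LOG = """\
{"ts": 1700000000, "user": "alice", "src_ip": "203.0.113.10", "password": "ok", "mfa": "push_denied"}
{"ts": 1700000040, "user": "alice", "src_ip": "203.0.113.10", "password": "ok", "mfa": "push_denied"}
{"ts": 1700000085, "user": "alice", "src_ip": "203.0.113.10", "password": "ok", "mfa": "push_denied"}
{"ts": 1700000120, "user": "alice", "src_ip": "203.0.113.10", "password": "ok", "mfa": "push_approved"}
{"ts": 1700000200, "user": "bob",   "src_ip": "198.51.100.7", "password": "ok", "mfa": "totp_failed"}
{"ts": 1700000205, "user": "carol", "src_ip": "198.51.100.7", "password": "ok", "mfa": "totp_failed"}
{"ts": 1700000210, "user": "dave",  "src_ip": "198.51.100.7", "password": "ok", "mfa": "totp_failed"}
{"ts": 1700000215, "user": "erin",  "src_ip": "198.51.100.7", "password": "fail", "mfa": "not_reached"}
{"ts": 1700000300, "user": "frank", "src_ip": "192.0.2.5",    "password": "ok", "mfa": "totp_ok"}
"""

MFA_FAILED = {"push_denied", "push_timeout", "totp_failed"}


def parse_events(text: str) -> list:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_push_fatigue(events, threshold=3, window=300):
    """Flag (user, src_ip) when a push approval follows >= threshold denials by the
    same user within `window` seconds: the pattern of a user worn down into approving
    a prompt they did not initiate."""
    denials = defaultdict(list)  # user -> timestamps of push_denied
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["mfa"] == "push_denied":
            denials[ev["user"]].append(ev["ts"])
        elif ev["mfa"] == "push_approved":
            recent = [t for t in denials[ev["user"]] if ev["ts"] - window <= t < ev["ts"]]
            if len(recent) >= threshold:
                flagged.append((ev["user"], ev["src_ip"]))
    return flagged


def find_stuffing_sources(events, min_users=3, window=60):
    """Flag source IPs from which >= min_users distinct accounts cleared the password
    check but failed MFA within `window` seconds. Repeated failures for a single
    account (alice above) do not qualify; breadth across accounts is the signal."""
    per_ip = defaultdict(list)  # src_ip -> [(ts, user)] for password-ok / mfa-failed events
    for ev in events:
        if ev["password"] == "ok" and ev["mfa"] in MFA_FAILED:
            per_ip[ev["src_ip"]].append((ev["ts"], ev["user"]))
    flagged = []
    for ip, hits in per_ip.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            users = {u for t, u in hits[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("push fatigue:", find_push_fatigue(evs))          # [('alice', '203.0.113.10')]
    print("stuffing sources:", find_stuffing_sources(evs))   # ['198.51.100.7']
```

Both detections only work because every application routes its authentication through one place; the same events scattered across a VPN concentrator, a SaaS admin console and a domain controller would never be correlated. The thresholds are starting points to tune against your own baseline.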
Another aspect to consider when selecting an MFA solution involves the sort of corporate resources you’re looking to secure. Cloud apps like Office 365, Google Workspace, or Salesforce are obvious targets and an easy win for MFA. Corporate VPN is another common use case for MFA, and why not? Your VPN is essentially the gateway to your network and should be protected at least as well as physical access to corporate facilities. Leveraging MFA with internal or custom business apps is a bit of a tougher win and depends largely on the maturity of the app you’re looking to secure. Finally, there are solid reasons to implement MFA for authentication to corporate desktops and servers, particularly in an era where more and more users are working remotely.
Tightly intertwined with the resources you’re securing with MFA is the infrastructure needed to tie those resources together with your existing identity repository. Regardless of your use case there’s a good chance you’ll want to tie your MFA provider into your corporate identity repository. Frequently this will involve integrating with an on-premises Lightweight Directory Access Protocol (LDAP) directory. Many MFA providers do this using either a software agent that is installed on your local network or through LDAPS (LDAP over SSL).
The MFA segment is a buyer’s market. There are several very solid options, each with a comprehensive feature set and quite a bit of flexibility. This list of services below is not all-inclusive, and inclusion does not constitute an endorsement.
Duo is one of the big names in MFA. It’s offered as an integration point for competitors and features one of the more popular push-based MFA options in Duo Push. Duo also integrates tightly with biometric factors on your device, which provides additional security by confirming the registered user has possession of the device.
ESET is better known for its antimalware and endpoint protection offerings, but ESET Secure Authentication is a full-featured MFA solution with a feature set that rivals any competing solution on this list. Support for VPN and RADIUS? Check. Browser-based management console? Got that covered, too. Integration with an existing LDAP directory or cloud-based identity stores? Yes indeed. Flexible MFA factors like push notifications or hardware tokens? That too. ESET even offers an API and SDK for businesses looking to integrate their apps more closely with the service.
HID Global, along with RSA, is one of the more well-established entities in large enterprise and government. In fact, HID had a significant foothold even before MFA became a mainstream consideration due to its solutions for physical security (proximity/swipe cards and card readers). As enterprise authentication requirements for computer systems have matured HID was well-positioned to meet the needs of their enterprise customers.
In addition to its hardware and smartcard solutions, HID has a solid software-based MFA solution in HID Approve that allows for a rapid deployment without the need for a hardware investment. HID Approve supports push authentication and security policies, and the service features runtime application self-protection (RASP), which monitors authentication attempts and helps prevent attacks on the fly.
LastPass is best known for its password managers, but with MFA being a close cousin in the authentication security arena it makes sense that LastPass would be involved in that space as well. In fact, LastPass leverages the same LastPass Authenticator mobile app for both its password managers and LastPass MFA, which is a good thing. The LastPass MFA service supports all the use cases discussed above: VPN, web apps, desktop, and on-premises apps, and it integrates tightly with common identity management platforms like Azure AD and Okta.
Speaking of Okta, they have been one of the hottest names in the authentication world for a while for several reasons, but the biggest may be the power it packs into its portfolio of tools. Okta Adaptive MFA starts with a secure platform that automatically protects against identity attacks using data collected from prior attacks, both those against Okta services and from third-party threat data. Okta can also leverage this threat data to score the risk involved with legitimate authentication attempts to manage the need for more robust authentication factors dynamically.
In addition to the proactive analytics-based defenses, Okta also enables simplified threat reporting by users, which can then trigger notifications to administrators or automated mitigation actions. Using Okta as your MFA service also gives you a wide range of options and flexibility for when your authentication needs inevitably mature.
RSA was another pioneer in the MFA space. RSA hardware tokens with their rotating numeric keys were one of the original MFA solutions for securing corporate VPN and remote access. That much history coupled with a security product portfolio rivaling Okta makes RSA an ideal candidate for helping secure authentication for your critical business resources. RSA SecurID not only supports mobile and hardware-based authentication factors, it also supports a seamless authentication path even if you find yourself without internet service (such as on an airplane). RSA also supports dynamic risk-based authentication policies to balance the need for additional security against the need for an efficient authentication process for end users.
Silverfort is a name you may not have heard before, but their MFA offering checks quite a few boxes on the must-have list. Anomalous behavior detection, pattern-based threat detection, and step-up authentication factors based on risk scores are just a few of the features Silverfort brings to the table. My personal favorite feature Silverfort offers is the ability to enforce MFA on common administrative tools like remote PowerShell sessions, Remote Desktop and SSH.
Twilio Authy is a service that has been around for some time, though not always under the Twilio umbrella. As you might expect with an authentication service offered by Twilio, the main selling point to Authy is flexibility through a strong API backed by a wealth of documentation and community support. Authy definitely isn’t the same plug-and-play solution as some of the others on our list, but if you need a highly flexible and scalable solution for custom business apps, it may be exactly the service you need.
Tim Ferrill is an IT professional and writer living in Southern California, with a focus on Windows, Windows Phone, and Windows Server.
Copyright © 2021 IDG Communications, Inc.