Multi-factor authentication is a good thing today. We will show you the best solutions and tell you which criteria are important when choosing an MFA solution. […]
Cyber attacks are becoming more and more sophisticated and are increasingly targeting login data. No matter whether it is about advanced phishing techniques, credential stuffing or social engineering: access data is by far the biggest vulnerability when it comes to securing the IT systems of companies. A proven way to optimize access security is multi-factor authentication (MFA).
The tricky thing about every security measure is to make it comfortable, or at least efficient, for end users. The worst thing you can do is to raise the security requirements to such an extent that users either can no longer access company resources or find ways to circumvent the measures imposed on them.
The factors of an MFA solution are an important criterion when choosing the right solution. SMS and email-based security codes represent the security minimum – they are better than nothing, but you should consider whether this offers the right level of security for your company. After all, both emails and SMS are potentially vulnerable to being compromised. MFA standards such as time-based one-time passwords (TOTP) are often supported by authentication applications such as Google Authenticator and others.
However, TOTPs ultimately depend on a single shared secret that is known to both the authentication service and the user’s authentication device; whoever obtains that secret can generate valid codes. Many MFA providers therefore rely on proprietary protocols that provide both strong security and a convenient authentication flow with push notifications to a registered mobile device.
MFA providers in the corporate environment provide additional tools and features to improve authentication security. Properly implemented, MFA services can help you create a single point of authentication across a wide range of applications and enterprise resources. This allows you to implement additional features such as improved logging and analysis, authentication policies and even AI and risk-based access controls.
Another aspect to consider when choosing an MFA solution is the type of corporate resources you want to protect. Cloud applications such as Office 365, Google Workspaces or Salesforce are attractive targets for cybercriminals. Enterprise VPNs are another common use case for MFA. Using multi-factor authentication with internal or custom enterprise applications is a little more difficult – depending on the maturity of the application you want to protect. In addition, in the remote and hybrid work age, it makes sense to also implement MFA for authentication on company computers or servers.
Closely interwoven with the resources you secure with multi-factor authentication is the infrastructure required to link these resources to your existing identity repository. This project often involves integration into a local LDAP directory (Lightweight Directory Access Protocol). Many MFA providers do this either via a software agent that is installed in their local network, or via LDAPS (LDAP over SSL).
As far as application-specific infrastructure is concerned, cloud applications are usually the easiest to integrate, as they can often be connected seamlessly via standards such as SAML. Most VPN solutions support integration with RADIUS. This allows authentication requests to be forwarded to an existing RADIUS server and from there to your MFA provider.
In some cases, communication also takes place directly with your MFA provider via standard protocols. For custom or internally hosted enterprise applications, interaction with the MFA provider via an API may be required – or SAML can be used. Multi-factor authentication for desktops and servers requires software installed on each endpoint that fits into the authentication workflow.
When it comes to multi-factor authentication solutions, there are many very solid options, each with a comprehensive range of functions and a high degree of flexibility. The following products are among the best on the market:
Duo
Duo is one of the big names in the field of multi-factor authentication. The solution is offered as an integration point for competitors’ products and, with Duo Push, offers one of the most popular push-based MFA products. If necessary, Duo also includes biometric factors. This provides additional security, as it confirms that the registered user is in possession of the device.
ESET Secure Authentication
The security provider ESET is best known for its anti-malware and endpoint protection products. However, with ESET Secure Authentication, the company also offers a full-fledged MFA solution, the range of functions of which is in no way inferior to competing solutions. Secure Authentication offers support for VPN and RADIUS, a browser-based management console, integrates with existing LDAP directories and also has cloud-based identity stores on board. Push notifications and hardware tokens are also supported – ESET even offers an API and SDK for companies that want to integrate their applications more closely with the service.
HID Approve
Alongside RSA, HID Global is one of the most renowned providers in the field of enterprise security. Before multi-factor authentication became a mainstream topic, HID was already established on the market with physical security solutions. In addition to its hardware and smart card solutions, HID has a solid, software-based MFA solution with HID Approve, which enables fast deployment without investing in hardware. HID Approve supports push authentication and security policies, and also has Runtime Application Self-Protection (RASP) – a technology that monitors authentication attempts and is intended to prevent attacks on the fly.
LastPass MFA
When it comes to password managers, LastPass is one of the most well-known providers. Since multi-factor authentication is closely related to this area, the company also offers an MFA solution. The LastPass MFA service supports all the use cases already mentioned (VPN, web applications, desktop, local applications) and can be closely integrated with popular identity management platforms such as Azure AD and Okta.
Okta Adaptive MFA
Speaking of Okta: the security provider has been one of the hottest names in the authentication world for some time – mainly because of its tool portfolio. Okta Adaptive MFA is built on a secure platform that automatically protects against identity attacks by combining data from previous attacks with third-party threat data. Okta can also use this threat data to assess the risk potential of legitimate authentication attempts and dynamically manage the need for more robust authentication factors. In addition to proactive, analytics-based defense measures, Okta also allows users to report threats easily. In an emergency, these reports can notify administrators or trigger automatic damage control measures.
RSA SecurID
Another pioneer in the field of multi-factor authentication is RSA. The RSA hardware tokens with their rotating numeric codes were among the first MFA solutions ever. RSA SecurID not only supports mobile and hardware-based authentication factors, but also a seamless authentication path – even if you don’t have Internet access (for example, on an airplane). RSA also supports dynamic, risk-based authentication policies to balance security and ease of use.
Silverfort
Chances are high that you have never heard the name Silverfort before. However, the company’s MFA offering meets a whole range of MFA must-have criteria: among other things, it detects abnormal behavior and threat patterns and tiers the required authentication factors based on risk assessments. Silverfort also allows you to enforce multi-factor authentication for common management tools such as PowerShell, Remote Desktop and SSH.
Twilio Authy
As you would expect from an authentication service offered by Twilio, the main argument for Authy lies in its API-driven flexibility, which is backed by extensive documentation and an active community. Authy is definitely not a plug-and-play solution, but it is highly flexible and scalable.
This article is based on an article from our US sister publication CSO Online.
*Tim Ferrill is an IT expert and deals primarily with Windows and Windows Server. He writes for our US sister publication CSO Online.