How to think of multi-factor authentication as a service model?
In this blog post, I will talk about multi-factor authentication concept, and how passwords are vulnerable to many attacks. Then I will introduce the modern multi-factor authentication solutions apart from smart cards and hardware tokens. Finally, I will introduce the concept of multi-factor authentication as a service model, to help you protect your on-premise application and your current or future cloud workloads.
The story of multi-factor authentication
Authentication usually is associated with usernames and passwords, and this was the case for long time. Most organizations are now depending on just usernames and passwords for their authentication.
While usernames and passwords provide easy and traditional way for authentication, it is known that passwords are vulnerable to many attacks. First, they can be guessed, or worst, can be a victim for social engineering.
Passwords can be shared with other people, which makes it hard to audit the activity of users if they are using shared accounts. Administrators tend to apply password complexity rules, enforce password history, and define when passwords should be changed. Making passwords too long, will make things harder to users, and they will start typing them down.
I can spend many blog posts talking about the weakness of passwords, and how using them alone will put your data and network at risk. Nowadays, you hear in news about password leaks in big enterprises and how attackers gain access to the account database of many users. We also hear that passwords are dying, and how enterprises should not depend on passwords alone to protect access to corporate data.
Multi-factor authentication is all about adding a second factor beside passwords, to help protecting your identity and ensure secure authentication. Such thing requires two or more of the following factors:
- Something you know: a password or a PIN
- Something you have: a phone, credit card or hardware token.
- Something you are: a fingerprint, retinal scan other biometric.
Multi-factor authentication is stronger when using two different channels (out of band).
Multi-Factor Authentication – the old way
We use passwords all the time, whether we are using a good authentication protocol like NTLM or a better one like Kerberos. Cryptography and digital certificates are the stronger alternatives to traditional passwords, as you will have a public and private key pair, which indeed makes things more interesting in terms of manageability and cost of implementation.
As security becomes more and more relevant to business today, people start thinking of two and three factor authentications. I can remember when smart cards were so popular due to their two factor nature. Smart cards back then used to provide some sort of prestige and sense of security. Smart cards are a good example of two factor authentication, because you need to have the physical card in addition to the PIN (something you have and something you know).
One of the big disadvantages of using smart cards is cost of management. You need to enroll smart cards, replace them, retire them, update the certificates on them, etc. Imagine that someone forgot his smart card at home and he needs to log on.
One-time password devices become common also. You get a hardware token with a number that keep changing every while. When you want to access a resource, just enter that number currently displayed in the device.
Some smart card providers are now offering smart cards with Biometrics. You should have the card itself (something you have), your thump (something you are) and perhaps a PIN (something you know). The addition of biometrics adds a difficult-to-clone token as they describe it.
The common thing between all the previous solutions, is the need to buy a hardware token, and maintaining it. If you look at the business model today, it is easily seen that everything is moving fast. Security is a top priority and a must to be deployed from day one. There is no time to get a PKI specialist and educate people to carry around physical tokens all the time, just to enable two factor authentication. People will forget their cards at airports, or at their home. Even worse, they will keep the smart card plugged in the smart card reader so that if the laptop gets stolen, the smart card is stolen too.
Multi-Factor Authentication – nowadays
Nowadays, no one can move without carrying his mobile phone, and nothing can be a better second factor of authentication than your mobile device. There is a very small chance that you will forget your mobile device at home. Even if you do so, I am sure that you will go back and get it right away.
Your phone becomes the token and the second factor, and it is by far the most cost-effective solution for businesses nowadays. No extra training for people to use their mobiles, and no extra overhead for IT administrators if the token (mobile) is lost. There is no provisioning or management of tokens, since users already managing and owning their own mobiles.
Multi-Factor Authentication market offering
If you scan the market, you will find many solutions to help you implement two-factor authentication for your on-premise applications using your mobile device. But if you look at the implementation overhead, you will realize that maintaining such solution.
The architecture of such solutions is to implement a server on your network, that will maintain your user profile and will send a notification or synchronize an offline PIN to the mobile app. Although this seems to be a very effective solution, it introduces another problem. The IT administrators need to install and deploy the MFA service on premise, worry about how this service can contact the user’ mobile device for second factor authentication, and to make sure this service is always available.
Also, such solutions are limited to a push notification or an offline one-time password, without self-service portal for end users to choose how they want to perform the second factor.
What is really challenging with such solutions is how they can integrate with your cloud applications. It might be an effective solution for you to maintain such on-premise server, and provide people with two-factor authentication for on-premise applications, but what if you are consuming a SaaS application, and you want your users to authentication using multi-factor authentication? You might search and find another multi-factor authentication for that cloud application, but then your users will have two different multi-factor authentication services, one for your on -premise applications, and one for your cloud applications.
The perfect Multi-Factor Authentication solution
The perfect solution when you are planning for multi-factor authentication is to gather your requirement, and then choose your vendor. It is either your infrastructure that determines your service level, or your service level determines your infrastructure. For today’s multi-factor authentication requirement, you need a solution that satisfy the following conditions:
- Works for your on-premise applications.
- Works for your current or future cloud applications.
- Uses the mobile as a second factor authentication.
- Provides multiple second factor authentication options, just remember that not everyone has a smart phone, so a mobile app might not be the perfect choice always.
- Give users self-service portal to pick their second authentication method.
- Scalable and highly available.
- Low maintainability for IT administrators.
- Flexible cost offering [pay as you go].
Multi-Factor Authentication as a service
Cloud offers a lot of advantages when it compare to on-premise solutions. Multi-factor authentication is no different. Start thinking of multi-factor authentication as a service and try to see if it work on your business model. multi-factor authentication as a service is nothing but consuming the second factor from the cloud, so that you do not worry about sending signals to the mobile phone or app, as it is taken care for you.
Instead of managing, implementing and maintaining such solution, why not to offload it to the cloud and consume it as a service. Your on-premise applications or cloud apps will prompt users for passwords, and then a call will be made to the multi-factor authentication cloud service to challenge the user for the second factor on his mobile. That’s it.
With multi-factor authentication as a service, No servers to maintain on-premise, no scalability concerns, and you pay as you go. For me, this is the best scenario I can think of when it comes to planning a multi-factor solution today.
One of my favorite multi-factor authentication as a service solutions out there is Azure Multi-Factor Authentication. It is Microsoft’s two-step verification solution that helps safeguard access to data and applications. It is offered as a cloud service and it has a flexible licensing options that fits any business needs. If you are using Office 365 or Azure Active Directory, then Azure Multi-Factor Authentication is the best choice for you.
Most likely, you already have a two-factor authentication solution on-premise. How Multi-Factor Authentication as a service will affect you? I believe that you should re-think your multi-factor authentication solution, and see if it can survive the cloud wave, and serve you for the next couple of years. You should also measure how much cost saving your will achieve with the Multi-Factor Authentication as a service model.
If you want to start implementing multi-factor authentication in your enterprise, you should think of your end users. If they do not love your solution, they are going to fight it. Your solution should be easy to use, convenient, and users love when you give them options. It is not fair in some situations to require a mobile app to complete the second factor authentication, when you have people who do not own a smart phone. It is also not convenient to use a text message always with a PIN as a second factor authentication, when your users are not sharing their mobile numbers for privacy reasons. You need to think of a comprehensive solution that gives your users a choice and a self-service portal to configure their second factor preference.
The beauty of Azure Multi-Factor offering as an example of Multi-Factor Authentication as a service, is that it gives you a complete package. You want different second-factor authentication options to cover all your user’s scenarios, then you are covered. If you are looking of one solution to protect on-premise and cloud applications, done. If you are worried about the cost and your not sure how many people will use the service, then rest assure that Azure multi-factor authentication offering provides you with pay as you go licensing model. You can pay per authentication or per user.
If you are considering multi-factor authentication or you have one in place, then I recommend that you think of Multi-Factor Authentication as a service soonest.