Buyer's Guide for Multi-Factor Authentication - Eight Tips for Choosing the Right Solution - SecurEnvoy
Buyer’s Guide for Multi-Factor Authentication Eight Tips for Choosing the Right Solution
Introduction

This white paper is designed to help you choose the right multi-factor authentication solution. It identifies the capabilities and functions of common products and makes recommendations on what to consider when buying, so that you have the important information at your fingertips for a purchase decision.

What is multi-factor authentication?

Multi-factor authentication (MFA) is a method of verifying a user's identity in which two or more independent factors are combined. Most of the time these are the factors "knowledge" (something you know, for example your password), "possession" (something you have, for example a hardware token or your mobile phone) and "being" (something you are, for example a biometric feature). Two factors of the same kind, such as two passwords, do not count as MFA. IT security experts recommend MFA against the pervasive threat of identity theft and unauthorized intrusion into IT systems, which is often the result of weak or purely password-based protection. In recent years this has led to MFA appearing in many different areas of everyday life; just think of online banking. Thanks to cost-effective and easy-to-use solutions, it is hard to justify forgoing the significantly higher security that MFA provides. This is also reflected in more and more regulations and industry standards.

On-Premise or Software as a Service (SaaS)?

MFA solutions come in a variety of deployment models. With a locally installed on-premise solution you have complete control over data retention, network architecture and physical access to servers and data, including the cryptographic keys (seeds) from which one-time passcodes are generated. However, you are also responsible for maintaining the solution, including the underlying layers such as the operating system.

SecurEnvoy White Paper – Multifactor Authentication www.securenvoy.com
Software as a Service (SaaS)

An alternative is a SaaS solution, also called a managed service. Here a third party provides the hosting. Responsibility for operating the server rests with a service provider, for example your systems integrator or the manufacturer of the solution. Maintenance of the server, upgrades and changes are then either included in the license price or charged separately. You access the system either directly via a web-based portal or through your partner's maintenance access. Whether it is run by a partner or by the manufacturer, a managed-service solution needs to state clearly where the data is stored and who has access to it; the OTP seeds in particular are as sensitive as passwords, because anyone holding them can generate valid codes. It must also be clear how the service connects to the, usually local, user directory (such as Active Directory).

Tip 1

Managed services have grown in popularity in recent years, partly because of the measures manufacturers and partners have taken on data security and transparency. Outsourcing saves cost and reduces the complexity of your own infrastructure, including what you must do to guarantee availability. These benefits have already prompted many companies to consider moving to a cloud-based service. Even if this is not an issue for you yet, we recommend choosing a solution that offers not only a local installation but also the option of external hosting (managed service), so that a later move does not force a change of product.

Hardware or software token?

In the early days of multi-factor authentication, the "possession" factor was covered exclusively by small code generators. These devices have a small display showing an individual numeric code that changes at regular intervals. By entering the current code into the login form, the user demonstrates possession of the device. Such hardware tokens are still available today, but for some time they have no longer been the only option: the same one-time-code technique can be provided by a smartphone app, or the code can be delivered by SMS or voice call.
Such software-based tokens are less expensive because no additional devices need to be purchased, managed and distributed to users.
Other benefits of software tokens

Using an app on the user's own mobile phone has a major advantage: most of us guard our mobile phones jealously. What numerous studies have shown can be a real benefit for any company: users take extra care of their mobile phones and rarely damage or lose them. The result is fewer work interruptions caused by hardware forgotten at home or lost, which for the company means cost savings and higher efficiency. Software tokens do not only benefit the company, however. The user gains comfort and flexibility; for example, through a self-service portal users can choose, change and manage their preferred token type. Sometimes a short-term change of token type is needed. An example is a high-security area that the employee may not enter with a mobile phone. In that scenario the self-service portal can trigger a one-time delivery of a code by voice call to a landline phone.

Tip 2

Choose a solution that lets your users choose between different types of software token; rarely does one method fit all users equally well. For special cases it should also be possible to use a hardware token. When choosing a solution, make sure there are no additional license costs for software tokens, otherwise the saving from giving up hardware tokens can quickly be undone by accruing license fees.
The mobile phone

Like the hardware token, the smartphone app in its simplest form is a generator of one-time codes. At intervals of usually 30 seconds it derives a new code from a secret seed shared with the server and the current time (the TOTP scheme of RFC 6238), and the user enters that code into the login form. Because the code is computed locally, this method needs no data or cellular connection and is therefore very reliable; the only requirement is that the phone's clock is roughly correct, which is why servers accept codes from one or two neighbouring time steps.

Some manufacturers offer advanced features in their apps, most notably authentication via push notification. During the login process a notification is automatically sent to the user's smartphone. It appears as an in-app push message and is confirmed by the user simply by tapping it, which demonstrates possession of the device. The app sends this confirmation to the login server over a data connection. For the user this is a very comfortable alternative because no code has to be typed, and administrators report much better acceptance of an MFA solution when this method is used. Note that a user who can approve a login with a single tap can also approve one they did not start; apps that show which login is being approved, or that require the user to enter a number displayed on the login screen, make it much harder for an attacker who already has the password to get in by sending repeated prompts.

SMS

Besides the smartphone app, a code delivered via SMS is another software-based method. For employees without company mobile phones, or where a "zero-footprint" method is desired, SMS is still frequently used. SMS is also used in the retail environment, since nothing beyond the customer's telephone number is needed. As a rule the user enters username and password when logging in and then receives a one-time passcode (OTP) by SMS on the mobile phone. To avoid failed logins when the user has insufficient network coverage at login time and the SMS cannot be delivered, there is the so-called pre-load SMS: at each login a new code is generated and sent, to be used at the next login. Various experts and institutions have rated SMS as no longer sufficiently secure (NIST SP 800-63B, for example, lists SMS as a "restricted" authenticator), since under certain conditions SMS messages can be intercepted or redirected, for instance by tricking the carrier into porting the victim's number to a new SIM; a pre-loaded code is also valid for much longer than a time-based one.

Nevertheless, SMS is still widely used as an authentication method.
NFC

Another technology that has long been waiting for its breakthrough is near-field communication, NFC for short. This is a radio-based short-range communication that is already used for contactless payments in many credit and bank cards. Another example is access control: in access cards or fobs the technique has long been used to regulate entry to buildings. Authentication to IT systems could also become more convenient and secure through NFC: the user touches a reader briefly with their unlocked smartphone and thereby confirms the login. The prerequisites are an NFC-enabled phone and a matching reader. At the time of writing not all mobile phones are NFC-enabled, and Apple and Microsoft lack the programming interfaces that third-party apps would need.

Tip 3

Smartphone users are already used to push notifications, because many applications use them in one form or another. To ensure acceptance and a positive user experience, consider offering your users this convenience for authentication as well. Also think about the future when choosing your authentication solution. What makes sense for you today is not the only criterion; the demands of your systems may change tomorrow, making technologies like NFC or other innovations more important. Therefore, when choosing a solution, consider whether the provider has a vision and a plan for technical innovation.

Biometrics – the third factor?

In the past, biometrics was often used by filmmakers to portray the latest technology and the highest security. Meanwhile, biometrics have arrived in everyday life: you probably unlock your smartphone with a fingerprint or facial recognition. The "being" factor is therefore also an attractive attribute in multi-factor authentication.
In most cases, however, an additional device is required, because readers built into computers are often not available across the board or are not supported.
From the point of view of system security, biometrics must unfortunately trade reliability against security: there is always a chance of rejecting a legitimate user (false rejection) or accepting an unauthorized one (false acceptance), and tightening the threshold against one of them loosens it for the other. The precise settings of biometric capture and of the subsequent template comparison are often not open to evaluation.

Tip 4

Biometrics for unlocking the smartphone (or confirming a push notification) is a convenient feature and raises security over a PIN, because there is nothing to be shoulder-surfed. A solution should therefore support this, ideally even within the app for cases where the user has not configured a screen lock. Purely biometric authentication, on the other hand, requires major investment in devices and tailoring of the solution to the individual use case; check whether this is justifiable in the overall context.

Location-based authentication

Some solutions include features that make authentication requirements depend on where the user is. Sometimes other contextual information is also used to assess the risk; for example, a login from an unknown or remote location may require an additional factor that is otherwise not needed. This fundamentally good idea runs into the problem of determining the user's location reliably. Hardly any method is so robust that it can be used as a security factor without restriction. Recently various content providers have tried to restrict access to certain countries via geo-fencing, which has prompted numerous methods and tools for users who want to fake or hide their location. Even GPS data is not safe: many platforms, such as Android, provide built-in ways to change or hide the user's location. In addition, it can confuse users when the system decides they are in an unusual location and therefore demands another factor.
In the worst case, access is denied for reasons the user cannot understand, and the user is frustrated and hindered in their work.
Tip 5

Configuring contextual security features is complex, and training users and diagnosing problems can be difficult. Contextual features therefore do not translate directly into more security. We recommend a reliable and convenient authentication solution that ensures a consistent, positive user experience, and placing contextual checks in the incident response and privileged access management components instead, where such signals can be weighed by people and tooling built for that purpose.

Databases and Active Directory

For an on-premise deployment some solutions require a local database, such as Microsoft SQL Server, to store the user data needed for authentication. This is common among products that took this approach from the beginning. Other manufacturers avoid it and store the user information in an existing directory, usually Microsoft Active Directory, which already holds the rest of the user data. This reduces installation and maintenance effort for the MFA solution and makes operation more robust, because the existing mechanisms for resilience and load sharing also benefit the MFA solution. However, some solutions require a change to the Active Directory schema, which can cause support and compatibility problems with other applications. Others use free, configurable attributes of the standard schema, which neither conflict with other applications nor require schema changes. Whichever attribute is used, it holds an authentication secret and should be protected by the directory's access control list in the same way as a password attribute.
Tip 6

Make sure the MFA solution can store user data in the existing user directory, saving the hassle of a separate database. Also make sure this does not require schema changes to Active Directory, to avoid compatibility and support issues.

Applications and use cases

The reason for looking for an authentication solution is usually one specific application to secure, such as the remote-access solution for employees working outside the network or a web-based application. It is of course crucial that the solution fully supports that application and its interfaces. Nevertheless, it makes sense to think beyond the immediate requirement to applications and services that may need support in the future, and to pay attention to the range of supported interfaces when selecting a solution. Most common applications can use the RADIUS protocol to connect to an authentication service, and this protocol is supported by the vast majority of MFA products. However, the type of support differs. Some products expect the separate installation of a RADIUS server, sometimes from a third-party manufacturer. The configurability of the interface also differs; ideally each access application gets its own configuration, because some applications expect certain attributes or protocol behaviour (for example the State attribute in a challenge-response exchange) in order to interoperate correctly. More and more cloud-based applications also support authentication against a local user directory, usually via the SAML protocol. Even if that does not matter to you today, it may in future, because more and more applications use this method and you will probably want at least one of them. The spread of Microsoft Office 365 is a prominent example of this technology.
Other use cases, such as securing desktop or terminal-server logins, integrating in-house web applications through an API, or protecting critical business applications that you buy as a managed service, should also be considered when selecting an MFA solution.
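The RADIUS challenge-response behaviour mentioned above (the State attribute that the access application must echo back unchanged), as an added example that is not part of the original white paper or of any SecurEnvoy product: a self-contained Python simulation of a network access server (NAS, for example a VPN gateway) and an MFA server exchanging RADIUS packets in memory, with the RFC 2865 User-Password hiding and the Response Authenticator check on the NAS side. The shared secret, the user list and the `otp_check` callback are constructed for the example; no network sockets are used.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types used here (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def encode_attrs(attrs):
    """Attributes are TLVs: Type (1 byte), Length (1 byte, includes this 2-byte header), Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2:  # malformed attribute: stop rather than loop forever
            break
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def _pw_blocks(data, secret, request_auth, hiding):
    # RFC 2865 section 5.2: every 16-byte block is XORed with MD5(secret + previous ciphertext
    # block); the first block is chained on the 16-byte Request Authenticator.
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if hiding else data[i:i + 16]
    return out

def hide_password(password, secret, request_auth):
    return _pw_blocks(password + b"\x00" * (-len(password) % 16), secret, request_auth, True)

def reveal_password(hidden, secret, request_auth):
    return _pw_blocks(hidden, secret, request_auth, False).rstrip(b"\x00")

def build_request(ident, request_auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body

def build_response(code, request, secret, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def check_response(response, request, secret):
    """NAS side: discard a reply whose Response Authenticator was not made with the shared secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

class MfaRadiusServer:
    """Toy MFA server: round 1 checks the password, round 2 checks an OTP bound to a State token."""
    def __init__(self, secret, passwords, otp_check):
        self.secret, self.passwords, self.otp_check = secret, passwords, otp_check
        self.pending = {}  # State token -> username waiting for an OTP (single use)

    def handle(self, request):
        attrs = dict(decode_attrs(request[20:]))
        if request[0] != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
            return build_response(ACCESS_REJECT, request, self.secret, [])
        user = attrs[USER_NAME].decode("utf-8", "replace")
        secret_value = reveal_password(attrs[USER_PASSWORD], self.secret, request[4:20])
        if STATE in attrs:
            # Round 2: State must be a token we issued, and User-Password now carries the OTP.
            otp = secret_value.decode("utf-8", "replace")
            if self.pending.pop(attrs[STATE], None) == user and self.otp_check(user, otp):
                return build_response(ACCESS_ACCEPT, request, self.secret, [])
            return build_response(ACCESS_REJECT, request, self.secret, [])
        if hmac.compare_digest(self.passwords.get(user, "").encode(), secret_value):
            token = os.urandom(16)
            self.pending[token] = user
            return build_response(ACCESS_CHALLENGE, request, self.secret,
                                  [(STATE, token), (REPLY_MESSAGE, b"Enter your one-time passcode")])
        return build_response(ACCESS_REJECT, request, self.secret, [])

def login(server, secret, username, password, otp):
    """NAS side: send the password; if challenged, echo State unchanged and send the OTP."""
    auth1 = os.urandom(16)
    req1 = build_request(1, auth1, [(USER_NAME, username.encode()),
                                    (USER_PASSWORD, hide_password(password.encode(), secret, auth1))])
    resp1 = server.handle(req1)
    if not check_response(resp1, req1, secret):
        raise ValueError("bad Response Authenticator")
    if resp1[0] != ACCESS_CHALLENGE:
        return resp1[0]
    state = dict(decode_attrs(resp1[20:]))[STATE]
    auth2 = os.urandom(16)
    req2 = build_request(2, auth2, [(USER_NAME, username.encode()), (STATE, state),
                                    (USER_PASSWORD, hide_password(otp.encode(), secret, auth2))])
    resp2 = server.handle(req2)
    if not check_response(resp2, req2, secret):
        raise ValueError("bad Response Authenticator")
    return resp2[0]
```

In a real deployment the second Access-Request is what the VPN or web gateway sends after prompting the user with the Reply-Message text. A gateway that drops the State attribute, or that is configured with a different shared secret from the one the MFA server expects, is rejected even though the user typed the right code; that is the per-application configurability the section above asks for. The MD5-based hiding is what RFC 2865 specifies and protects only against casual observation, so RADIUS traffic between gateway and MFA server should still run over a trusted network or an encrypted tunnel.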
Tip 7

Choose a solution that supports a wide range of interfaces and applications, so that it can meet upcoming needs. Consider the other applications you already use and whether to secure them with the same solution; check with the manufacturer whether integration instructions exist for them. Always keep in mind the consequences for your users should you have to switch to another solution because a critical application is not supported.

Licensing

And, of course, money must always be considered. The total cost of a solution over a period of time is the figure to compare. Some manufacturers sell an expensive up-front solution and entice customers with a maintenance contract at low recurring cost. Others offer a subscription model based on the number of users, in which initial investment and maintenance cost are one and the same. Both models have advantages and disadvantages; the trend in the software sector is towards subscription, which gives the customer more freedom and the manufacturer recurring revenue. Some solutions also offer pricing based on the number of authentications, so the more the solution is used, the more it costs. This may look like the best bargain, but the cost per user is difficult to calculate: user behaviour is hard to predict, so there is a risk of uncontrolled cost growth. In addition, some solutions charge separately for certain functions, for example additional application interfaces, administration functions, or unlocking authentication methods. Surprises lurk here, as the complete functionality is usually shown but not enabled in the basic license.
Tip 8

Choose a solution whose cost is easy to calculate and has no hidden extras. The cost of all functions should be included in the price, or at least presented transparently. Think again about future usage options, which should be possible without new investment or additional cost.

Conclusion

"Focus on projects that reduce the most amount of risk and have the largest business impact," said Gartner vice president and distinguished analyst Neil MacDonald at the 2018 Gartner Security and Risk Management Summit in National Harbor, MD. To be well prepared for the future, try to take as many contingencies as possible into account when choosing your authentication solution. Your SecurEnvoy partner would be happy to advise you, or you can contact us directly.
Your local contact ...

UK & IRELAND: The Square, Basing View, Basingstoke, Hampshire RG21 4EB, UK. Sales: E sales@SecurEnvoy.com, T +44 845 2600011. Technical Support: E support@SecurEnvoy.com, T +44 845 2600012.
EUROPE: Freibadstr. 30, 81543 Munich, Germany. General inquiries: E sales-emea@SecurEnvoy.com, T +49 89 4447 9200.
ASIA-PAC: Level 40, 100 Miller Street, North Sydney NSW 2060. Sales: E info@SecurEnvoy.com, T +612 9911 7778.
USA - West Coast: Mission Valley Business Center, 8880 Rio San Diego Drive, Suite #205, San Diego CA 92108. General inquiries: E info@SecurEnvoy.com, T +1 866 777 6211.
USA - Midwest: 1700 Park Street, Naperville, IL 60563. General inquiries: E info@SecurEnvoy.com, T +1 866 777 6211.
USA - East Coast: 373 Park Ave South, 8th Floor, New York, NY 10016. General inquiries: E info@SecurEnvoy.com, T +1 866 777 6211.
www.securenvoy.com
SecurEnvoy GmbH | Freibadstraße 30 | 81543 München | Registered office: Munich | VAT ID DE314114548 | Commercial register: Amtsgericht München, HRB 234792 | Managing Director: Fabian Guter