Password Security – MFA and SSO Explained

By Mark Foust 

Multifactor authentication is the undisputed wave of the future when it comes to identity authentication and access management. But, what does multifactor authentication entail? Here is a basic breakdown of the various MFA options.

Multifactor Authentication

What makes multifactor authentication so useful? Throughout history, those who needed to keep people or things secure would never use a single layer of security. Think of a bank, which may have locks on the doors, security guards and then a sealed vault protecting the most precious valuables. The idea behind MFA is the same.

A standard multifactor authentication system uses two of three methods of authentication, which can be classified as something you know, something you have and something you are. The old process of cybersecurity, where all that is required is a single password or PIN code, does not provide a sufficient level of security for valuable assets. This is because not only are passwords or PIN codes easy to figure out or steal, but enterprising hackers can use a brute force approach to guess such access control methods.

With multi-factor authentication, even if an unscrupulous person gets access to a working password, they will not have access to the other method(s) of authentication required to make them work.

What Are Common Multifactor Authentication Options?

As we mentioned above, there are three typical “layers” to multifactor authentication, including:

  • Something You Know: The first layer of multifactor authentication comes with what you know. Your options here include a password, a PIN, a security question or a pattern you input. The challenge with these knowledge-based authentication factors is that if they are simple enough for a user to remember, they are usually easy enough to hack. Typically, a security question or a long-form password the user has already committed to memory will be most effective.
  • Something You Have: There are two main options here; a physical token or an app. A physical object could be something like a key card or a FOB. The system could be designed with a reader primed to accept this item’s code, along with your login or password. The second option is an app, which is where the push notification comes in. An authentication app turns your smartphone or other enabled device into the second layer of authentication. Once you enter your login or password on a computer to get into the system, this type of MFA sends a notification to your enabled device. You must confirm your attempt to access the system on that device. If you don’t have the device, you can’t get in.
  • Something You Are: Many companies are also opting for a biometric verification protocol, either instead of one of the other layers or in addition to it. This segment requires you provide some physical proof of who you are to access the system. The most common biometric verification is a fingerprint. Your fingerprint is unique and simple to present in fact, most modern smartphones already have fingerprint readers. A popular alternative is a retinal or iris scan, which would essentially require you look into an eye reader for verification. Like a fingerprint, your retinal pattern and iris are unique, easy to provide and hard to steal. In the future, other biometric options may gain favor, such as voiceprints.

Why Agentless SSO?

To explain Agentless SSO, we must first understand SSO or single sign-on.

SSO is easily achieved in an environment where you are a domain-joined Windows client and access only Kerberos based resources that are a part of that same active directory (A.D.) forest. However, even domain joined resources, like SQL Server has the ability to be its own directory silo—requiring an additional login. Inside the firewall, there may exist hundreds of applications, many requiring their own user account and password. In the past, administrators and developers have compromised security by trying to enable ‘SSO’ scenarios by trying to allow the user to use their same password in disparate applications through a number of possible insecure ‘workarounds.’

To enable a more secure SSO experience inside the firewall, some software vendors would require their proprietary software agent to sit on one of the application servers (sometimes a domain controller) and intercept and channel the requests to their proprietary server/application for an SSO experience. The advent of internet web-based applications, extranet applications, and mobile apps provide a challenge to the proprietary software agent model because the applications exist outside your firewall. Each of your end-users authenticates to scores of web applications. Administration of thousands of end-users and their numerous accounts would be a prohibitory administrative burden. Decentralizing this administration burden is one of the things that Federation Services offer. Federation aware applications use a standards-based approach to enable SSO securely.

Federation basically sets up an authentication handshake between a trusted authority, usually referred to as an Identity Provider (referred to as an IdP or sometimes as a ‘broker’) and a Service Provider (SP). This allows the user to leverage a single identity against numerous federation aware and supported applications (SPs). For the most part, modern federation aware applications, like web apps and SaaS apps require no software agents.

Non-Federation aware ‘legacy’ apps require some level of ‘intervention’ to support SSO. Most legacy applications inside your firewall can be made federation aware, and offer SSO convenience to your end-users. There are a couple of ways to enable this scenario—only a few vendors support a clean, non-invasive agentless SSO solution.

Software agents in your network provide several challenges. Software agent-based solutions include additional deployment considerations, supportability ramifications to the application and the vendor of the proprietary software agents, versioning issues, the privilege model that the software agents usually need to run in, the fact that they access highly sensitive information and that they are closed solutions that you can’t see in to.

Done properly SSO, especially combined with access policies and multifactor authentication (MFA) can give you a highly secure solution that provides nearly no administrative overhead or burden as well as the most productive end-user experience that both global enterprises and small businesses can leverage.

Instead of installing a software agent on the provider environment, customers of an agentless single sign-on system rely on already established communication protocols between the application and the Federation Broker. Therefore, there are no software agents to deploy or maintain and no changes to application servers.

About The Author

Password Security – MFA and SSO ExplainedMark Foust is Director of Worldwide Technical Sales for Optimal IdM. Mark has over 20 years of experience in Identity & Directory Services. Previously, Mark spent 16 years working for Microsoft on various teams including the Active Directory Product Group, Microsoft Consulting, and Microsoft Premier Support Group. He also performed technical sales at Microsoft for the largest commercial and government accounts in the southeast of the United States. Mark has authored and co-authored 3 technical books and has contributed to numerous technical articles. Mark has also worked for American Airlines (SABRE), Delta Airlines, Whitman-Hart/marchFIRST and Novell. He holds his MCSE and CISSP certifications and is a frequent speaker at industry events.

About Optimal IdM
Optimal IdM is a global provider of innovative and affordable identity access management solutions. Optimal IdM partners with clients to provide comprehensive, fully customizable enterprise level solutions that meet the specific security and scalability needs of their organizations. Optimal IdM offers its solutions both on-premise and in the cloud as a 100% managed service offering. Optimal IdM was recently featured on the Best Identity Management Solutions list of 2018 by PC Magazine, positioned by Gartner, Inc. in the Niche Players quadrant of the Magic Quadrant for Access Management, Worldwide, named a Leader in the KuppingerCole Leadership Compass Identity as a Service: Single Sign-On to the Cloud Report, and awarded Best Multifactor Authentication Solution in the 2017 Government Security News (GSN) Homeland Security Awards (HSA) Program under the Cyber Security Products and Solutions category.

June 1, 2019

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Global InfoSec Awards for 2024 are now Open! Take advantage of co-marketing packages and enter today!