Multi-Factor Authentication (MFA) might be the best way to secure user access to IT resources. With so many applications in use today, either on-prem or in the cloud, having MFA for applications enabled is a dramatic step-up in security.
The challenge is that it can be difficult to keep track of which applications have MFA enabled on an individual basis. Fortunately, by leveraging a cloud identity provider (IdP), it is possible to manage MFA with ease across all of the applications that a given user has been provisioned.
MFA in Action
MFA works by requiring an additional authentication factor beyond the user’s password, which is why MFA is also commonly referred to as Two-Factor Authentication (2FA). In most use cases, the first factor is the core user identity (username and password) and the second factor is usually a numerical code delivered to or generated on the user’s smartphone, or a hardware token such as a YubiKey.
In practice, a user is challenged to provide their username and password together with their MFA token at login. If the username, password, and MFA token are all valid, the user gains access; otherwise, access is denied. By combining something the user knows (i.e., their password) with something they have (e.g., their phone), user access remains secure even if the core identity (the password) has been compromised.
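The login check described above, as an added example that is not part of the original post: a minimal verifier that checks both factors, the password (something the user knows, stored as a salted PBKDF2 hash) and a time-based one-time code (something the user has, generated on a phone app per RFC 6238), and only grants access when both are valid. It uses only the Python standard library; the user record, the demo TOTP secret (the RFC 6238 test-vector secret) and the tolerance window are constructed assumptions, not values from the post or any particular IdP product.

```python
import hashlib
import hmac
import secrets
import struct

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the demo
TOTP_STEP = 30               # RFC 6238 default time step in seconds


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (factor 1: something you know)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, now: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (factor 2: something you have)."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = TOTP_STEP, window: int = 1):
    """Return the time-step counter the code matched, or None.

    Accepts the current step and +/- `window` neighbouring steps so small clock
    drift between the phone and the server does not lock the user out. The loop
    always runs to completion so the number of comparisons does not depend on
    which step matched.
    """
    current = now // step
    matched = None
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            matched = counter
    return matched


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record as an IdP/directory would store it."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": totp_secret,
        "last_totp_step": -1,  # highest step already consumed; blocks code replay
    }


def authenticate(user: dict, password: str, code: str, now: int, step: int = TOTP_STEP) -> bool:
    """Grant access only if the password AND a fresh, valid TOTP code are presented.

    Both factors are evaluated unconditionally and a single yes/no is returned,
    so neither the response nor its timing reveals which factor failed.
    """
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    matched = verify_totp(user["totp_secret"], code, now, step)
    fresh = matched is not None and matched > user["last_totp_step"]
    if pw_ok and fresh:
        user["last_totp_step"] = matched  # a code is good for exactly one login
        return True
    return False


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 test-vector secret and a fixed clock value.
    demo_secret = b"12345678901234567890"
    user = make_user("correct horse battery staple", demo_secret)
    print("code at t=59:", totp(demo_secret, 59))                     # 287082
    print("login:", authenticate(user, "correct horse battery staple", "287082", 59))
    print("replay:", authenticate(user, "correct horse battery staple", "287082", 59))
```

Two details matter in practice: the replay check (`last_totp_step`) keeps a code that was phished or shoulder-surfed from being reused within its validity window, and evaluating both factors before deciding keeps the password check from acting as an oracle for the second factor.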
It’s important to understand that MFA solutions generally require a core identity provider (IdP) or directory services solution acting as the single source of truth for user identities and MFA tokens.
Historically, MFA solutions have generally been an add-on expense to an existing directory service such as the on-prem Microsoft® Active Directory® (AD) or OpenLDAP™ platforms. IT admins would implement an on-prem directory service and identity management infrastructure, then purchase and integrate a third-party MFA add-on utility.
While effective at providing MFA functionality, this approach requires heavy investment in on-prem identity management infrastructure and third-party tools. Many organizations end up with MFA on a per-application basis,