Setting up MFA in Centrify Identity Service – Part I
This blog series aims to educate the reader on MFA (multifactor authentication), to talk about the benefits and challenges of implementing MFA, and to illustrate how to get started with MFA using Centrify’s Identity Service. Note that you may have also heard MFA described as 2FA (two factor authentication) or “strong” authentication. Part I covers the basics so readers unfamiliar with MFA can understand why it’s becoming an important tool for businesses and individuals in the cybersecurity landscape. At the end of Part I we will show how to get started with your own Centrify tenant to test this capability out for yourself.
What is MFA
You may already be familiar with MFA. In that case, you may want to skip ahead to one of the next sections that describe the benefits of using MFA and where you can get started. For those who want a brief overview: MFA, or multifactor authentication, has been around for a long time. For example, an MFA transaction routinely occurs at your ATM or cash machine. To get cash, you need to know your PIN and have possession of your bank’s debit card (which you slide into the reader). You are using multiple “factors” of authentication. In other words, you are entering your bank card PIN (one factor) and you prove possession of your bank card by sliding it into the reader (another factor). With those two pieces of evidence the cash machine can authenticate you successfully because it knows, with a high level of confidence, that it’s you taking cash out of your account.
A factor, as it relates to MFA, is either something you know, something you have, or something you are. Something “you know” is something you can memorize (e.g. your debit card PIN). Something “you have” is something you typically have in your possession. It can be a software credential (a PKI authentication key) or something more tangible (e.g. a bank card). Something “you are” is usually a biometric, which is some physical trait that can uniquely identify you. For example, you may have seen a fingerprint reader (nowadays they are on some smartphones) identify someone at their workstation. Or you may have had your picture taken for your driver’s license. The DMV may have requested you not to smile because not only will the picture on your driver’s license enable someone to verify your identity visually, but your picture can also be used for computer-based facial recognition, which works better when you are not smiling in the reference photograph. So “multi” factor authentication just means using 2 or more of the factors just described at the same time to authenticate (prove that you are who you claim to be) to a server, an application, or perhaps a building.
Why should I use MFA
Security professionals will agree that passwords, no matter how complex, are not enough to thwart attackers. Industry reports tell us that the majority of successful attacks involve some form of credential theft (typically passwords) through a clever mechanism like social engineering or spear phishing. Sometimes people have trouble understanding why a password that is more than 10 characters, has no dictionary words, can’t be repeated, and is changed every 90 days is not good enough. Unfortunately, much of the time the password doesn’t even have to be cracked; it can simply be stolen.
Firstly, consider that the more complex a password, the higher the likelihood that someone will write it down somewhere (a Post-it note under the keyboard is a classic example). Secondly, since there are so many applications we use daily, many of which have their own password schemes and requirements, we tend to start reusing our complex passwords in different places. This is troublesome because if my password is stolen in one place (maybe my public library account) then it could be used for a more sensitive transaction (my banking application). There is an entire black market for stolen passwords that operates on the premise that people reuse the same passwords in many places.
If a password is stolen, it can be difficult to change it without affecting the business. What if you have a handful of system admins sharing a root account password for a revenue-generating system (by the way, this is not best practice) and someone leaves the company? Changing the password can be difficult because now you’re relying on several people being able to remember a new complex password, and you may have trouble changing the passwords without risking the uptime of critical applications. The problem only gets worse as you add more systems and more people.
Due to the many data breaches we have seen in the news, the government is now enforcing that companies require a stronger level of authentication for their end users and employees for critical applications. The goal is to reduce the threat of a stolen password. This is being enforced through compliance audits. We have also seen instances where companies are being held liable for the breach of consumer data if they haven’t done their due diligence in protecting it. Multifactor authentication is one of the first steps to securing your environments. It’s much more difficult for someone to masquerade as a legitimate user if they need more than a password to prove their identity.
When you start researching MFA, you will find that there are many options. You can use SMS, phone call, biometric recognition (face, fingerprint, iris, voice, etc.), PKI credentials, one-time passcode tokens, soft tokens, mobile authenticator applications, and more. NIST has published Special Publication 800-63, which is a very helpful guide to determining what level of authentication can be achieved with different authentication factors. In order to decide which factors you should use, the organization should conduct a risk assessment to help determine how critical the data is that you’re protecting, and use an appropriate level of authentication. The end users also play a major role in this because their environment may dictate which MFA options you can implement. For example, if they are authenticating from a location where smartphones are not allowed, you may have to use something other than SMS, phone call, or mobile authenticator applications.
No matter which authentication factor you choose, Centrify makes it easy to deploy single sign on to your applications and increase the security for sensitive applications with MFA using a variety of different factors.
What are the benefits
There are obvious advantages to enforcing MFA from a regulatory and compliance standpoint. There is a financial gain to being able to pass audits without incurring any fines. There are also several benefits to the end users and the business. For the end users, you enable many more capabilities with MFA because of your increased level of assurance that it’s the right person on the other end. For example, you can enable self-service password reset, enable users to modify personal financial information in a banking application, or update/modify benefits information in an HR portal. The sky is the limit for the services you can provide over the web/mobile channel once you can safely identify the person making the transaction. The other benefit is increased productivity. For example, if I can leverage MFA to reset my login password, I can get back to work much faster. I don’t need to track down an administrator or call a helpdesk or wait for someone to call me back. I can update my password from just about anywhere. As a consumer, I can conduct secure transactions without visiting a branch because the bank can identify me without me being there in person. This is a major convenience; waiting in line to deposit a check is a thing of the past. MFA is critical to enabling this convenience because if you can’t be sure it’s the right person on both sides of the transaction, then there may be too much risk to the business and the end user to provide these services online.
From an enterprise perspective, MFA can drive cost savings and additional revenue through added services. Enabling self service password reset with MFA can save significant time and expense for the helpdesk. As mentioned before, you don’t need admins to handle password reset, or coordinate resets with end users, or give out any temporary passwords. Enabling new services for employees, like self-service HR benefits, can make employees more productive and provide business value by making their administrative functions more streamlined. From a consumer perspective, if you cannot provide secure transactions for your customers, you cannot participate in the “digital transformation” trend which means your business could suffer.
What are the challenges
So, MFA seems like a no-brainer. It adds security for critical systems, it reduces audit findings and expensive breaches, and (if implemented correctly) it opens up many more capabilities for employees and customers. Why hasn’t everyone deployed MFA everywhere?
One of the reasons is overall cost and effectiveness. Traditional MFA meant you had to stand up infrastructure on your premises to act as the authentication server. This server had to be fed and cared for: you had to maintain it, patch it, make it highly available, perform backups, and much more. This was problematic because if one target application changed, or if one new patch caused an issue, your organization might accidentally lock people out of important applications. The “factors” themselves were also expensive to obtain and maintain. Adding MFA to existing applications was challenging, and integrating MFA with existing single sign-on vendors required consulting from the vendor or a contractor. The result was that many organizations only enforced MFA for their most critical applications, and many still use only username/password in most other places today.
Things have changed quite a bit in the last few years. Companies like Centrify now offer MFA “as a service”, as well as single sign-on, mobile device management, privileged identity management, and many more security offerings. All the systems that you traditionally had to install and maintain to support these activities are now available as a service. The different features are typically set up as highly available microservices that can be upgraded and patched in a modular fashion, so there’s less risk of breaking existing functionality. This results in a highly resilient solution with monthly feature additions, without the risks associated with a major upgrade every 2-3 years. Not only that, but the industry is rapidly evolving to adopt standards like SAML 2.0, OATH OTP, and OAuth 2.0, so the applications that you want to add security to are becoming easier to service with very little or no integration work.
The result is that you are now able to quickly take advantage of MFA services without standing up infrastructure yourself. You can enforce MFA at application logon, server logon (Unix and Windows), and mobile application logon. This makes it much easier for organizations to quickly adopt an “MFA Everywhere” philosophy. The context awareness in the Centrify Identity Service helps ensure that the user experience remains excellent, even with MFA in place.
Where can I get started
If you’re ready to get started and want to see where you can go to set up a tenant and start trying MFA, I am going to provide those initial steps here. The first thing you need to do is go to https://www.centrify.com/, find the “Try it Now” button and click on it, like below.
On the next screen, you have 4 options. As I mentioned before, Centrify’s MFA solution is provided at the platform level, so you can leverage MFA functionality in several places. You can enforce MFA to check out a privileged account password managed by Centrify Privilege Service, and you can leverage MFA for “step up” authentication to web applications you are protecting with single sign-on. You can even use MFA for server/workstation level login to Windows and Unix systems and set up policies granular enough that you can require MFA for executing specific Linux/Unix commands or running specific Windows applications/commands. Because it’s built at the platform level, all of Centrify’s offerings leverage the same authentication mechanism, which makes it easy to deploy no matter where you start. For our example, I am going to click on the “Start Trial” link within the Identity Service for Apps solution area.
You will then be directed to the next screen, where you can enter your contact information, accept the terms of the EULA, and request the free trial.
Once your free trial has been approved and registered by Centrify, you will receive an email like the image below. Save this email because it has important information you will need to log in to the Centrify service to begin setting up your users and MFA configuration.
When you first log in to the system, you may be prompted to change your password. Keep the email above and your initial username and password safe, because if you happen to get locked out of your tenant, it helps to have this information to securely get your access back. Also, you should note that the initial user created on your system is a system administrator with the highest level of access on the system. If you want to add different users with more granular privileges, you have the capability to do this.
Congratulations, you have created a Centrify tenant, and you are ready to begin setting up MFA. In the next post, I will cover the policy model within the Centrify Identity Service, the different MFA options that are available, and how you can begin testing with MFA capabilities.