Multi-factor authentication adds a second layer of security to an identity by essentially authenticating that identity against 2 of the 3 methods:
Something you know (e.g. Password).
Something you have (e.g. Mobile device or token).
Something you are (Biometrics).
Verifying your identity using a different factor (like your phone or another device – something you have) prevents anyone but you from logging in, even if your password is compromised.
SSO integrates with MFA extremely well. Once a user is authenticated via a process of multiple authentication, a business can confidently assume the user is who they say they are and therefore can now access all of their enterprise cloud applications securely by logging into a web portal once, saving time and increasing productivity.
We believe in a zero-trust approach when it comes to user authentication.
This means; we verify every user every time, because we have to assume that we cannot separate the “good guys” from the “bad guys.”
Traditional approaches that focused on establishing a strong perimeter to keep the bad guys out no longer work. Resources (data, applications, infrastructure, devices) are increasingly hybrid or outside of the business perimeter entirely.
With Zero Trust, no one can be trusted until they have been verified. It is a holistic, strategic approach to security that will ensure everyone and every device granted access into a business is who and what they say they are.
The 3 elements of zero trust are:
1. Verifying Every User
Making sure users are who they say they are may sound easy, but when an organisation only relies on one verification method like SSO it may improve certain aspects of a security gap, but not all. SSO is best balanced with other technologies like multi-factor authentication and behavioural analytics to ensure that the user is properly verified and the interaction with their environment has a baseline. Once there is a deviation, an employee may be blocked until they are again verified.
2. Validate Every Device
Ensuring the user has a safe device within the network can get complicated, with proliferation of different operating systems, versions, corporate owned and privately owned devices. What if a user device, irrespective of what device it is, could be validated against an adaptive MFA solution? When MFA-supported passwords are combined with a level of mobile device management, the right policies are put on the device, locked in place and the context of the device (where it’s used, what browser it has, etc.) is understood, it can be considered safe. Once confirmed as a safe device an access decision can be made.
3. Limit Access
It is important to consider a least privilege stance when granting access to different user roles. The idea is to understand what is required for that user to accomplish their job tasks. One needs to ensure from day one a user is set up with the applications and accounts access needed to fulfil job roles. When a user changes roles, the access changes to fit the new job, or if they leave, those privileges are automatically revoked. It is essential that all these capabilities are integrated and work together so they can be applied in real time without adding delays.