Today, every application no matter on-premise or cloud based requires a specific set of username and passwords to get access. But the irony is, these traditional “username-password combo” have become one of the weakest points of defence. They are leaving businesses with an insufficient shield against cyber criminals and data breaches. Multi-factor authentication has emerged as an effective way to enforce higher security. This article explains some of the best practices to strengthen multi-factor authentication for the secure authentication on mobile apps.
Best practice #1: Start with IDaaS and SSO
Do you know, today most of the enterprise users have to manage more than 25 accounts? The single sign-on solution here eliminates the hassle by centralizing identities at a single place. Identity-as-a-service is one such solution that provides SSO solution with standards like SAML, OpenID, OAuth, etc to allow users to centralize authentication across multiple web properties and applications. All that users need to do is to log in to one application and they are automatically provided access to others as well. An IDaaS solution federated identities across all the devices and apps, no matter cloud based or on-premises.
Best practice #2: Make the credentials more robust with Multi-factor authentication
Multi-factor authentication is one method that enhances security while user authentication by introducing more than one factors while providing access to the users. These additional factors can be categorized into three parts:
- Something you know: This includes something only the user knows like a username or password or a secret question.
- Something you have: This includes something that only the user has. This can be a hardware or software based token or an OTP.
- Something you are: This includes biometric authentication like face recognition, voice recognition or fingerprint authentication.
In order to gain access to the desired resource, the user must prove his/her identity across these factors. The infamous Verizon 2015 Data Breach Analysis Report (https://iapp.org/media/pdf/resource_center/Verizon_data-breach-investigation-report-2015.pdf) considers user credentials an open door to the business kingdom. Therefore it is recommended to introduce an additional factor like OTP or Hardware token to monitor login activity. MFA solution helps to prevent access to unauthorized users while safeguarding precious data stored. Implementing the solution can reduce the chances of data breaches and keep your users safe.
Best practice #3: Make sure the MFA solution is user-friendly
No doubt, adapting multi-factor authentication is a great way to maintain enterprise identity security. But what we can’t ignore is the complications it brings along for the user. So while you are on your way to implementing the solution for your organization, you must ensure that the authentication policies and technologies being used are easy to use and customizable. You can’t expect your employees to carry around the various hardware token device to access cloud apps, right? Moreover, if all the tokens look the same, labelling them based on the accounts they are going to be used for, becomes an another headache. This is not good from security point of view as well. Any technology that you are going to adopt must balance security with user friendliness. This demands for a modern multi-factor authentication solution that can not only impose strong authentication but also balances user experience.
Best practice #4: Enhance security with strong password policies
Many individual cloud applications today support multi-factor authentication thanks to the security it brings along. But what most people don’t realize is that individualized MFS solution also has the problem of scalability. Here arises the need of an Identity-as-a-service that can integrate with Single sign-on and multifactor authentication thereby eliminating any individual app login inconsistencies. When you talk about IDaaS, the user needs to log in just once and can be able to access hundreds of cloud or in-house apps. Having an IDaaS solution allows admins to impose strong authentication policies either temporarily or for always.
Best practice #5: Impose risk based MFA for unusual activities
For many of the businesses, “normal context” can be defined as “app login request from a registered device, corporate IP”. But when users try to access the app from an unusual network or device, additional authentication policies need to be imposed. The risk based authentication also known as “step-up” authentication analyzes user’s behavior including device location, network, device type, etc. Depending on the criticality of the resource, step-up authentication can be introduced. For low-risk authentication, the traditional authentication can work while for high-risk resources one can impose step-up authentication.
For eg, a user signs into an IDaaS solution with the general username and password combination, the additional factor will be introduced if any of the following triggers occur:
- Time: If the login request is coming at an unusual time.
- Location: If the login request is coming from a country different than the one user resides in.
- Device: If the login request is coming from an unregistered device.
- Network: If the login request is coming from outside the corporate IP address.
Best practice #6: Don’t forget to add MFA on-premises too
The apps residing on-premises, impose another challenge, ie how users are going to access these apps from the internet? To do this, most of the services require users to have a VPN installed. Now even though VPNs play a significant role in protecting session traffic from prying eyes by encrypting tunnels, we can’t ignore the fact that VPN exposes your corporate network to threat from cyber criminals too. Therefore, whenever VPN is required, it must be protected with additional security layer in the form of MFA.
In short, implementing MFA around cloud as well as on-premise apps can undoubtedly enhance security and eliminate the risk associated. But if applied individually, it can lead to more inconvenience and cause more harm than good. Multi-factor authentication, combined with federated identity and single sign-on, can eliminate security vulnerabilities and improve mobile app authentication security.
Prince Kapoor is Marketing Analyst Lead at LoginRadius, A leading CIAM Provider. While not working, you can find him in gym or giving random health advises to his colleagues which no one agrees on :D. If you too want some of his advises (on health or on marketing), reach him out at Twitter at imprincekapur.
