***By Yiftach Keshet, Product Marketing Director at Silverfort***
Multi Factor Authentication (MFA) is a security technology that is used to validate that users who authenticate with credentials are indeed who they claim to be. MFA achieves this by requiring users to provide, on top of their credentials, additional genuine evidence of their identity – something they know, something they have or something they are.
The need for MFA arises from the fact that credentials alone no longer suffice as a trusted identifier of legitimate users. In recent years we’ve witnessed a sharp increase in the volume of attacks that use compromised user credentials to access target resources. According to Microsoft, MFA is 99.9% effective in preventing such identity-based attacks. This is because even if a user’s credentials get compromised, MFA makes it incredibly difficult for attackers to pass the authentication requirements.
Why is Multi Factor Authentication a Necessity?
The problem is that passwords are susceptible to compromise. Billions of compromised credentials are sold on hackers’ forums, and many attackers attempt to capture credentials and sell them to other threat actors that can use them to access target resources. Various industry reports state that compromised credentials are the leading cause of enterprise data breaches.
The evolution of the IT landscape makes secure authentication more important than ever. Before the cloud era, in order to establish an initial foothold in the network, attackers had to bypass perimeter defenses and install malware on an endpoint or server. Today, the gradual transition to the cloud places volumes of sensitive business information on the public internet – and it’s only a password away from attackers’ reach.
How does Multi Factor Authentication Work?
MFA adds additional steps to the authentication process. The number of these steps varies per configuration and context. These are the three basic MFA categories:
Something You Know
The most basic example of this category is of course a password, or any variation of memorable pieces of data that are configured by or for the user. This category also includes personal background questions which presumably only you would know how to answer.
Generally speaking, this category is considered the least secure since both passwords and private information can be compromised or guessed by attackers.
Something You Have
This category is much harder to compromise and includes various physical entities only you possess – like mobile phones, physical tokens, key fobs and smart cards.
The physical entity can serve as either a carrier of the verification step – for example, a mobile phone that shows a one-time password – or as the verifier itself, such as a physical token. The latter is considered more secure since it entails less data exchange in the authentication process, making it harder for an attacker to intercept.
Something You Are
This is considered the most secure factor category and includes your physical identifiers – most commonly a fingerprint on your mobile phone or hardware token, but also voice, facial recognition and any other unique biometrics.
Any combination of these three authentication-factor categories materially increases account security and reduces the likelihood of its compromise.
Examples of Traditional MFA solutions
In enterprise environments, MFA is often used together with a Single Sign On (SSO) solution to increase the security of the single password used by the workforce.
Static vs. Risk-Based MFA
Static MFA means that every time a user attempts to access a resource, it requires MFA. This can be cumbersome and disrupt operational workflows. To avoid such disruptions and align MFA with business needs, many organizations choose one or both of the following:
- Apply static MFA only to sensitive users when accessing sensitive resources. This can still be very cumbersome and disruptive for administrators who work with many sensitive resources on a daily basis.
- Apply a risk-based approach in which MFA is required only when the risk level is high. This is called Adaptive Authentication, or Risk-Based Authentication (RBA), and entails the use of a risk engine that evaluates various factors and requires the additional verification factors only when the risk level indicates that the provided credentials might be compromised.
There are various limitations with traditional MFA solutions, but this opens a longer discussion. We will write a dedicated blog about these limitations in the next few weeks.
Silverfort’s Agentless Multi-Factor Authentication – Complete Coverage for all Enterprise On-Prem and Multi-Cloud Resources
Silverfort provides a new, innovative technology that can enforce MFA on any asset, including those that were not covered until today, across on-prem and multi-cloud environments – without requiring any agents or proxies.
Silverfort achieves this by fundamentally altering the traditional MFA architecture. Instead of relying on agents on the devices, Silverfort communicates directly with the IAM (Identity and Access Management) solution itself, monitors the authentication protocols and enforces MFA on top of them. Whenever a user attempts to access a resource, the user authenticates to an IAM solution – Active Directory, Okta, Ping, Azure AD, etc. After authenticating to the IAM solution, the access request is routed to Silverfort.
Silverfort analyzes the context of each user (or service account) access request, leveraging Silverfort’s AI-driven risk engine. It then applies the appropriate access policy. For example, if the risk level is high, Silverfort can step up the authentication requirements and require the user to authenticate with MFA (the authenticator can be Silverfort’s mobile MFA app or a 3rd party MFA solution). If the MFA challenge is correctly fulfilled, Silverfort instructs the IAM to grant the user access to the resource. If the MFA challenge isn’t addressed, or if the access policy requires it, Silverfort can block access altogether.
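To make the two policy styles concrete (the static "always MFA for sensitive users and resources" rule and the risk-based step-up from the Static vs. Risk-Based MFA section, together with the allow / step-up / block outcomes of the flow just described), here is an added example of a small policy engine. It is illustrative code written for this post, not Silverfort's product or its risk engine: the signals, weights, thresholds, user baselines and resource names are all constructed assumptions. Note the handling of service accounts, which cannot answer an MFA prompt, so a risk-driven step-up has to become a block rather than a silent allow.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"          # credentials alone suffice
    REQUIRE_MFA = "step_up"  # ask for a second factor before granting access
    BLOCK = "block"          # deny regardless of any factor


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    source_ip: str
    device_id: str
    hour_utc: int
    failed_logins_last_hour: int = 0
    is_service_account: bool = False


@dataclass(frozen=True)
class UserBaseline:
    """What the engine has learned about a principal (constructed for this example)."""
    known_devices: frozenset
    known_networks: frozenset  # /24 prefixes the principal normally connects from
    usual_hours: range         # UTC hours in which the principal is normally active


# Static policy (hypothetical names): human access here always requires MFA.
SENSITIVE_RESOURCES = frozenset({"dc01", "finance-db"})
SENSITIVE_USERS = frozenset({"admin"})

# Constructed baselines standing in for what a risk engine would learn over time.
BASELINES = {
    "alice": UserBaseline(frozenset({"laptop-a1"}), frozenset({"10.1.1"}), range(7, 20)),
    "admin": UserBaseline(frozenset({"paw-01"}), frozenset({"10.1.9"}), range(7, 20)),
    "svc_backup": UserBaseline(frozenset({"backup-srv"}), frozenset({"10.1.5"}), range(0, 24)),
}


def risk_score(req: AccessRequest, baseline: UserBaseline):
    """Sum weighted signals suggesting the credentials may be in the wrong hands (weights assumed)."""
    score, reasons = 0, []
    if req.device_id not in baseline.known_devices:
        score += 40; reasons.append("unknown_device")
    if req.source_ip.rsplit(".", 1)[0] not in baseline.known_networks:
        score += 30; reasons.append("unknown_network")
    if req.hour_utc not in baseline.usual_hours:
        score += 15; reasons.append("unusual_hour")
    if req.failed_logins_last_hour >= 5:
        score += 30; reasons.append("repeated_failures")
    return score, reasons


def decide(req: AccessRequest, baseline: UserBaseline, mfa_threshold=40, block_threshold=80):
    """Combine the static rules with the risk score into one of the three outcomes."""
    score, reasons = risk_score(req, baseline)
    if score >= block_threshold:
        return Decision.BLOCK, score, reasons
    if req.is_service_account:
        # Nobody can answer a prompt for a service account: a risk-driven step-up
        # becomes a block, and the static "always MFA" rules do not apply to it.
        if score >= mfa_threshold:
            return Decision.BLOCK, score, reasons + ["service_account_cannot_mfa"]
        return Decision.ALLOW, score, reasons
    static_mfa = req.resource in SENSITIVE_RESOURCES or req.user in SENSITIVE_USERS
    if score >= mfa_threshold or static_mfa:
        return Decision.REQUIRE_MFA, score, reasons + (["static_policy"] if static_mfa else [])
    return Decision.ALLOW, score, reasons


def authorize(req: AccessRequest, credentials_valid: bool, mfa_passed) -> str:
    """Full flow: first factor checked by the IAM, then policy, then an optional step-up."""
    if not credentials_valid:
        return "denied: bad credentials"
    decision, score, reasons = decide(req, BASELINES[req.user])
    if decision is Decision.BLOCK:
        return f"denied: blocked (score={score}, {','.join(reasons)})"
    if decision is Decision.REQUIRE_MFA:
        # mfa_passed is a callable that runs the challenge, e.g. a push or TOTP check
        return "granted after MFA" if mfa_passed() else "denied: MFA not completed"
    return "granted"


if __name__ == "__main__":
    usual = AccessRequest("alice", "wiki", "10.1.1.23", "laptop-a1", 10)
    roaming = AccessRequest("alice", "wiki", "203.0.113.7", "phone-x9", 10)
    print(authorize(usual, True, lambda: True))     # granted, no prompt
    print(authorize(roaming, True, lambda: False))  # step-up required, user did not complete it
```

Raising `block_threshold` or lowering `mfa_threshold` moves the balance between user disruption and prevention; the point of the risk-based approach is that the everyday request (`usual` above) never sees a prompt while the anomalous one does.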
You can see the full flow in this diagram:
Silverfort’s innovative architecture enables it to extend MFA to practically any resource that authenticates to the IAM solution in your environment, as well as to any access interface. As long as the resource you wish to access authenticates to the IAM, it will be subject to Silverfort MFA:
This makes Silverfort the only MFA solution that can deliver real time prevention of the various common attack scenarios such as automated ransomware propagation and on-prem lateral movement.
Learn more about Silverfort MFA here.