Multifactor Authentication for Cloud and SaaS Applications

In this blog post I want to discuss a new feature we added recently to the Centrify Cloud Service: Multifactor Authentication (“MFA”). This makes our Centrify for SaaS solution — our cloud-based service that makes end users happy with single sign-on to 1000s of SaaS apps and personalized self-service and makes IT even happier with its ease of deployment and management — even more powerful a solution. But before I drill down on our new MFA support I want to provide some context around what MFA is and why it is important.

As I discussed in one of my Forbes blog posts last year, the entire industry has a serious problem with passwords: users have too many passwords on the Internet, and those passwords can easily be stolen via phishing attacks and/or via massive hacks of popular websites’ password files. As Ars Technica notes in this article, given that the “average web user maintains 25 separate accounts but uses just 6.5 passwords to them” it is not surprising users are significantly reusing their passwords. Couple this with the fact that many users use their email address as their login across multiple web properties, and the end result is that “once hackers have plucked login credentials from one site, they often have the means to compromise dozens of other accounts.”

Ironically, the industry has known about the problems with passwords even before the explosion of the Internet. As discussed in the Wikipedia entry on this topic, two-factor (also known as multi-factor) authentication has been around for decades. Just having a single factor — e.g. a passcode — for logging into a computer account is not as secure, because a password can be stolen or guessed. But if you add other “factors” — such as something you have (e.g. an ATM card or a smartcard) and/or something that uniquely identifies you (e.g. a biometric characteristic such as a fingerprint or retina scan) — then combining these factors with your password makes it harder for someone to break into your account. A simple example of multi-factor authentication is how we access our bank account using an ATM machine: we gain access to our account via our ATM card (something we have) and our PIN (something we know). As the Wikipedia entry notes, “without the corroborating verification of both of these factors, authentication does not succeed.”

Which brings us to the Centrify offering. By supporting SSO standards such as SAML, OpenID, etc. and by providing a centralized portal (MyCentrify) to launch all their SaaS apps, we firstly get people out of having to know and remember a plethora of passwords — they just need to know the one password to get into the portal.

In addition, when an end user logs into the MyCentrify portal they actually connect to a system called the IDP (Identity Provider), which is the Centrify Cloud Service. For end users, this system is managed by their admin; this is the only place they need to log in. Now when a user wants to use a service, the IDP issues a token to the user and the user’s system presents this token to the service. Note the end user does not see any of this; it all happens ‘by magic’. Note how each person’s experience is improved:

  • Users only have to log in to one service. In many cases this login is automatic; in the case of the MyCentrify portal it automatically connects users if they are on site, or asks for their AD username and password if they are not. No more passwords to remember – woo hoo!
  • The corporate admin controls the IDP and so he has a single point of control over what his users are doing
  • The service administrators no longer have to worry about maintaining user / password databases

The hacked-up diagram below tries to tell this story:

So that’s the coolness of having a centralized portal and supporting SAML etc.

BUT … as an SSO-as-a-Service offering, it makes perfect sense that you would want to be as cautious as is reasonable in allowing access to so many applications protected only by a username and password. So with an update to our cloud service released in early September 2013, we now support the first of several capabilities to enforce more than a single username/password authentication factor.

[Side note: thanks to Corey Williams for providing me with the content below.]

From the perspective of end users of our MyCentrify portal, there will be only a minor change in the way they log in until you configure MFA. Instead of being prompted for username and password together, users will be prompted first for their username (so that we can see what authentication factors they need to supply) and then for their password (the only factor required by default).

To configure MFA within the Centrify Cloud Service, IT admins will log into cloud.centrify.com/manage and navigate to Settings ==> Authentication. Here you will see a configuration screen for MFA:

Let’s take a look at the options:

By default, no MFA is required. This is referred to as the Normal MFA policy. If you want all users to use more than just their username and password, regardless of what device or network they are using, you can select additional Authentication Mechanisms which I will discuss a bit further down. In the same place under the High Column, you can specify which authentication mechanisms you require when a higher level of assurance is required.

The High level of assurance is invoked when either of the first two conditions is checked and encountered. The first condition is New Endpoint Connections. When a user is accessing either the MyCentrify or Cloud Manager portal for the first time from a device/browser, this option will require the High auth MFA policy to be applied. For example, if a user is logging into MyCentrify for the first time from a browser that has never logged in before, the High auth mechanisms will be required. Once they successfully log in, however, the Normal auth mechanisms will apply thereafter.

The second condition that can be enabled is Outside IP Addresses. In a nutshell, if you access either portal from outside the company network, then the High policy will be enabled. In order to configure the IP range(s) for the corporate network, you can navigate to Settings ==> Corporate IP Range:


Regardless of whether the Normal or High auth policy is applied, the login experience for the end user will consist of one or more of the following authentication mechanisms:

  • Username and Password — this is as it sounds. While it is possible to use the other authentication mechanisms, Centrify recommends that you keep using a username and password and add one of the following factors (something you know — username/password, something you have — a mobile phone for a code or phone call).
  • Phone Call Factor — this is really cool — the user will be called on their mobile device and be prompted by a voice to press a key to complete the authentication. Combined with the username/password the user is using more than one factor to authenticate
  • Text Message (SMS) / Email Message — This option will send a one time code to SMS (if a mobile phone is associated with the user in the directory) or to their email address. You can set the preference between SMS and email, with one failing over to the next if the first is not available. The user must then enter this one time password (OTP) into the login prompt
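
The Normal/High selection and the SMS/email failover described above can be sketched as follows. This is an added example, not Centrify's code: the class, field and factor names are hypothetical, and the IP range is a constructed documentation range.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class MfaPolicy:
    # Hypothetical model of the Settings ==> Authentication screen.
    normal: tuple = ("password",)            # default: password only
    high: tuple = ("password", "otp")        # factors for the High column
    high_on_new_endpoint: bool = True        # "New Endpoint Connections"
    high_on_outside_ip: bool = True          # "Outside IP Addresses"
    corporate_ranges: tuple = ("203.0.113.0/24",)  # constructed sample range
    otp_preference: tuple = ("sms", "email")       # first choice, then failover

def is_outside(policy, source_ip):
    """True when the source address is in none of the corporate ranges."""
    addr = ipaddress.ip_address(source_ip)
    return not any(addr in ipaddress.ip_network(r)
                   for r in policy.corporate_ranges)

def required_factors(policy, source_ip, endpoint_known):
    """Return (level, factors) for one login attempt.

    High applies if either enabled condition is met; otherwise Normal.
    """
    new_endpoint = policy.high_on_new_endpoint and not endpoint_known
    outside = policy.high_on_outside_ip and is_outside(policy, source_ip)
    if new_endpoint or outside:
        return ("High", policy.high)
    return ("Normal", policy.normal)

def otp_channel(policy, mobile, email):
    """Pick where the one-time code goes, failing over in preference order."""
    on_record = {"sms": mobile, "email": email}
    for channel in policy.otp_preference:
        if on_record.get(channel):
            return channel
    # No phone and no email on record: refuse the login instead of
    # silently dropping the second factor.
    raise LookupError("no OTP delivery channel on record")

if __name__ == "__main__":
    policy = MfaPolicy()
    print(required_factors(policy, "203.0.113.10", endpoint_known=True))
    print(required_factors(policy, "198.51.100.7", endpoint_known=True))
    print(otp_channel(policy, mobile=None, email="user@example.com"))
```

Note that the sketch refuses the login when neither a phone number nor an email address is on record, so a missing directory attribute cannot quietly reduce a High login to password only.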

Let’s take a look at the user authentication experience when MFA is involved:

1) The user navigates to cloud.centrify.com/my (i.e. logs into their MyCentrify portal), enters their username and clicks next:

2) Centrify will determine the authentication factors that are required based on the policy set earlier. In this example, the user’s Active Directory password and an OTP sent to a mobile device are required:

3a) Once my password is entered correctly, the next step will send an OTP code to my mobile device:

3b) I simply enter this OTP code into the log in form and click next:

4) Now I am allowed access to the MyCentrify portal with an added layer of security.

Many SaaS ISVs such as Dropbox, Google and many others are adding 2-step/MFA experiences to their individual applications. Each of these experiences is different and must be individually configured and maintained. Most of them are not applied when an SSO solution is being used.

Centrify for SaaS provides a single policy management location for applying MFA across thousands of applications exposing a very straightforward experience for the end user. We are excited about this release and the MFA feature set is an area of significant interest for us moving forward.