Multi-Factor Authentication Everywhere

I am pleased to write that Centrify announced today our Multi-Factor Authentication Everywhere initiative (aka “MFA Everywhere”), which is aimed at further securing enterprise identities against today’s most prevalent source of cyber attacks — compromised credentials. With this announcement, Centrify is now delivering one of the industry’s easiest-to-use adaptive MFA solutions, supporting all types of enterprise users — including employees, contractors, outsourced IT, partners and customers — across a broad range of enterprise resources — including cloud and on-premises apps, VPNs, network devices, and cloud and on-premises servers. In this blog I will talk about why you need MFA and what we are delivering.



So why MFA? Clearly the entire industry has a serious problem with passwords. The reality is that users have too many passwords, and those passwords can be easily stolen via phishing attacks or via massive hacks of popular websites’ password files. As Ars Technica notes in this article, given that the “average web user maintains 25 separate accounts but uses just 6.5 passwords to them,” it is not surprising that users reuse their passwords heavily. Couple this with the fact that many users use their email address as their login across multiple web properties, and the end result is that “once hackers have plucked login credentials from one site, they often have the means to compromise dozens of other accounts.” In an enterprise environment, as we adopt more and more cloud and mobile apps, we are now facing at work what we face at home — an identity explosion.

Ironically, the industry has known about the problems with passwords since before the explosion of the Internet. As discussed in the Wikipedia entry on this topic, two-factor (also known as multi-factor) authentication has been around for decades. Having only a single factor — e.g. a password — for logging into a computer account is less secure, because a password can be stolen or guessed. But if you add other “factors” — such as something you have (e.g. an ATM card or a smart card) and/or something that uniquely identifies you (e.g. a biometric characteristic such as a fingerprint or retina scan) — combining them with your password makes it harder for someone to break into your account. A simple example of multi-factor authentication is how we access our bank account at an ATM: we gain access via our ATM card (something we have) and the PIN for our account (something we know). As the Wikipedia entry notes, “without the corroborating verification of both of these factors, authentication does not succeed.”

So MFA is a really good thing, especially if you pair it with something that everyone has — a mobile device. This means that even if someone were to steal my password for my Concur account, if the IT team had required another form of authentication (such as responding to a push notification or SMS on my phone, entering a one-time password, clicking a link in an email, using Touch ID on my Apple phone, or responding to a voice call), it would not matter that my password was stolen, because the attacker would need the password in combination with the other factors to actually get in.


[And of course if you use a single sign-on protocol such as SAML, you don’t even have a password for Concur to begin with! This is because SAML uses single-use, expiring digital “tokens” to exchange authentication and authorization data between an identity provider and a cloud application service provider that have an established trust relationship. But I digress.]
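To make the “single-use, expiring” token properties concrete, here is an added example (not Centrify’s code, and not from the original post) of the checks a service provider performs on a SAML assertion after its XML signature has been verified: trusted issuer, validity window, audience, and a replay cache so each assertion ID is accepted only once. The assertion, issuer and entity IDs are constructed for illustration.

```python
"""Check the expiry, audience and single-use properties of a SAML 2.0 assertion."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from a real IdP); the XML Signature is omitted
# because this example assumes the signature was already verified upstream.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_abc123" IssueInstant="2016-03-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2016-03-01T12:00:00Z" NotOnOrAfter="2016-03-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

TRUSTED_ISSUERS = {"https://idp.example.com/"}   # the established trust relationship (hypothetical IdP)
MY_ENTITY_ID = "https://sp.example.com/"          # this service provider (hypothetical)


def parse_time(s):
    """Parse a SAML UTC timestamp into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class AssertionValidator:
    def __init__(self):
        self.seen_ids = set()   # replay cache: assertion IDs already consumed

    def validate(self, xml_text, now):
        """Return (True, subject) on success or (False, reason) on rejection."""
        root = ET.fromstring(xml_text)
        if root.findtext("saml:Issuer", namespaces=NS) not in TRUSTED_ISSUERS:
            return False, "untrusted issuer"
        cond = root.find("saml:Conditions", NS)
        if cond is None:
            return False, "missing conditions"
        if now < parse_time(cond.get("NotBefore")):       # not yet within the validity window
            return False, "not yet valid"
        if now >= parse_time(cond.get("NotOnOrAfter")):   # token has expired
            return False, "expired"
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if MY_ENTITY_ID not in audiences:                 # token was minted for a different SP
            return False, "wrong audience"
        aid = root.get("ID")
        if aid in self.seen_ids:                          # single-use: reject a replayed assertion
            return False, "replayed"
        self.seen_ids.add(aid)
        return True, root.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

In production the replay cache must be shared across service-provider nodes and only needs to retain IDs until their NotOnOrAfter time has passed.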

So it is not surprising that, in the wake of so many high-profile breaches based on stolen or brute-forced passwords, many businesses have rushed to implement MFA to provide an extra layer of security and mitigate the risk of data breaches. Yet most companies have seen mixed results at best. MFA was either reserved for only the most sensitive or vulnerable accounts, or implemented in standalone silos for specific apps or services due to lack of platform coverage. For example, today’s IDaaS solution may offer MFA for SaaS applications, but what about MFA for VPNs? Or MFA for accessing on-premises apps? Or MFA for logging into a mission-critical server? What’s more, MFA was either “on” or “off,” which resulted in constant prompting for MFA, and the cumbersome nature of physical tokens annoyed users who were simply trying to get work done.

The great news is Centrify now changes that paradigm. Effective today, we offer a single turnkey platform that provides flexible options for authentication factors, for seamless, adaptive MFA across enterprise identities and enterprise assets — without frustrating users. The Centrify Identity Platform supports a broad range of enterprise resources, including thousands of Software-as-a-Service (SaaS) applications, dozens of on-premises applications, hundreds of server operating systems as well as leading VPNs and network devices. Additionally, it supports MFA for privileged command execution and Secure Shell (SSH) access to servers deployed both on-premises and in an Infrastructure-as-a-Service (IaaS) environment.

The bottom line is that unlike other vendors that deliver islands of MFA for a subset of users and resources, we are proud to embark on and deliver an expansive MFA Everywhere vision.

What this means is that Centrify supports simple, flexible authentication for all types of users. Whether it’s systems administrators logging on to servers or executing privileged commands on them, or end users accessing cloud, mobile, or on-premises apps, Centrify can bolster security with additional factors including:

  • Push notification
  • Voice call
  • Text message
  • Soft token OTP
  • Mobile biometric
  • OATH-compliant tokens

But that’s not where we stop vis-à-vis MFA. Centrify also delivers MFA support via robust smart card integration. For example, Centrify was one of the first vendors to support CAC and PIV smart cards for both Apple’s Mac OS and Red Hat’s Enterprise Linux environments. We were also the first Identity-as-a-Service (IDaaS) vendor to enable smart card-based authentication for access to SaaS applications. And last but not least, last week at Mobile World Congress we announced that we implemented derived credentials for secure mobile access to apps, sites and services that require smart card authentication.

As an industry we need to move beyond just using passwords. MFA is the way to go, and the good news is that Centrify provides a consistent MFA experience for all types of users and across all types of IT resources. And expect to hear more from us regarding our MFA Everywhere vision in the coming months.