MFA has emerged as an essential defense strategy in the wide-ranging landscape of cybersecurity. This book is a comprehensive manual that assists you in picking, implementing, and resolving issues with various authentication products that support MFA. It will guide you to bolster application security without sacrificing the user experience.
You'll start with the fundamentals of authentication and the significance of MFA to familiarize yourself with how MFA works and the various types of solutions currently available. As you progress through the chapters, you'll learn how to choose the proper MFA setup to provide the right combination of security and user experience. The book then takes you through methods hackers use to bypass MFA and measures to safeguard your applications. After familiarizing yourself with enabling and managing leading cloud and on-premise MFA solutions, you’ll see how MFA efficiently curbs cyber threats, aided by insights from industry best practices and lessons from real-world experiences. Finally, you’ll explore the significance of innovative advancements in this domain, including behavioral biometrics and passkeys.
By the end of the book, you'll have the knowledge to secure your workforce and customers, empowering your organization to combat authentication fraud.
Page count: 347
Year of publication: 2023
Protect your applications from cyberattacks with the help of MFA
Marco Fanti
BIRMINGHAM—MUMBAI
Copyright © 2023 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Group Product Manager: Mohd Riyan Khan
Publishing Product Manager: Prachi Sawant
Senior Editor: Runcil Rebello
Technical Editor: Arjun Varma
Copy Editor: Safis Editing
Project Coordinator: Ashwin Kharwa
Proofreader: Safis Editing
Indexer: Rekha Nair
Production Designer: Shankar Kalbhor
Marketing Coordinator: Agnes D’souza
First published: June 2023
Production reference: 1300523
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-80324-696-3
www.packtpub.com
To my extraordinary wife, who has always believed in me and supported my dreams. To my two daughters, who are my greatest joy. To my inspiring mother, who instilled in me the conviction that everything is possible and equipped me with the wings to soar through any challenge. And to my father, who taught me the invaluable lesson of never ceasing to learn and embracing the endless wonders of knowledge.
This book is lovingly dedicated to each of you with immeasurable gratitude and affection.
I could not have written it without your passion and support.
Thank you for everything.
– Marco Fanti
Marco Fanti’s career skyrocketed from software engineering to cybersecurity as he discovered his passion for inventing innovative security tools. A prominent figure in the security community, he has collaborated with start-ups such as enCommerce and BehavioSec and giants such as Oracle and Accenture to create products that protect millions worldwide. A lifelong learner, Marco holds two MSc degrees (NYIT and NYU) and an MBA (UF), which enable him to craft bespoke solutions for clients by fusing the best features of various products. Originally from Brazil, Marco lives in Florida with his wife, perpetually exploring the cybersecurity frontier.
Harvinder Nagpal has over 18 years of experience in workforce Identity and Access Management (IAM) within the broader cybersecurity realm. He has worked with customers of different sizes and various industry verticals to secure access to their on-premises and cloud-based applications, resources, and services on their cloud transformation journey. As a CISSP-certified cybersecurity practitioner, he has worked chiefly for product-based employers in different roles and responsibilities focused on product and customer adoption to improve customers’ information security posture.
Ameya Khankar is a highly regarded and trusted business technology and cybersecurity professional focusing on the areas of technology risk, enterprise transformations, and digital governance. He advises large global enterprises in the US and globally as an expert on enterprise technology risks with a deep focus on strategies to strengthen their cybersecurity posture. He has advised a $4 billion organization in the past in defining their business transformation enterprise security strategy. Currently, he is advising a $9 billion organization to meet complex digital transformation and cybersecurity regulatory requirements.
Unlock the full potential of Multifactor Authentication (MFA) with this dynamic, hands-on guide! Immerse yourself in a practical, engaging learning experience that will have you mastering multiple authentication products in no time. Then, prepare to enhance your applications’ security and reduce the risk of cyber threats.
Embark on an adventure with Acme Software, a fictional company navigating the complex world of authentication products and mechanisms. Witness its pursuit of the perfect balance between security, risks, costs, and user experience. Learn from its journey and make empowered decisions to fortify your digital fortress.
This book offers step-by-step explanations, practical examples, and hands-on implementations of MFA concepts and technologies. Curious about Identity and Access Management (IAM)? We’ve got you covered! The book delves into IAM products with crystal-clear explanations that will help turn you into an expert.
Explore a diverse array of IAM products and enable secure Single Sign-On (SSO) for your enterprise and your customer-facing applications.
Witness as Acme Software explores the ideal products for its users, partners, and customers. To help you with your own learning experience, we provide instructions on obtaining free trial versions of the products used in the examples and how to build SaaS applications that use the security provided by the solutions demonstrated in each chapter!
By the end of this thrilling guide, you’ll have the power to choose, deploy, and maintain an MFA solution that slashes the risk of successful malicious attacks during user authentication. So, join the ranks of cybersecurity champions and protect your digital realm with confidence!
The target audience for this book includes the following:
IT professionals: System administrators, network administrators, security engineers, and other IT staff responsible for implementing and maintaining secure authentication systems would benefit from a comprehensive understanding of MFA
Cybersecurity experts: Professionals working in the cybersecurity field, including security consultants, researchers, and analysts, would find the book valuable to deepen their knowledge of MFA and stay current on best practices for protecting sensitive data and systems
Developers: Software developers and engineers who build applications requiring secure authentication mechanisms can benefit from understanding MFA, its best practices, and how to integrate it into their applications effectively
Business decision-makers: Executives, managers, and business owners responsible for the security of their organization’s data and infrastructure can use the book to learn about MFA and make informed decisions regarding its implementation
Some chapters include examples of SaaS applications built using SDKs for the different authentication products. Although detailed instructions for building and deploying the applications are covered in the book, having a foundation in programming will make it easier for readers to grasp the content and apply the knowledge to their own projects.
Chapter 1, On the Internet, Nobody Knows You’re a Dog
This inaugural chapter provides the fundamental groundwork for understanding the dynamic realm of digital identities and MFA. We begin with an overview of the concept of identity, both in its traditional and digital manifestations, and then delve into the nuances of two fundamental types of digital identity – workforce and customer identity. Critical in today’s digitized world, these forms of identity offer unique challenges and opportunities that businesses must navigate effectively.
Next, we focus on the foundational pillar of digital security – authentication factors. These factors, which include something you know (such as a password), something you have (such as a token or a card), and something you are (such as a biometric characteristic that you have), make up the core of MFA.
The chapter continues with an introduction to the basic concepts and terminology related to digital identity and MFA. This vocabulary is relevant for the remaining chapters and for anyone aiming to understand and work in cybersecurity.
Finally, we delve into the concept of MFA in more detail, explaining its importance in contemporary cybersecurity strategies, how it operates, and why it has become the go-to solution for businesses and individuals seeking to enhance their digital security.
Chapter 2, When to Use Different Types of MFA
In Chapter 2, we dive deeper into the multifaceted nature of MFA. Recognizing that not all MFA solutions are created equal is critical, and we explore the contexts in which different types of MFA are most effectively utilized.
Given the rapidly evolving landscape of cybersecurity, the chapter also emphasizes the importance of staying up to date. We acknowledge that cyber criminals, or bad actors, always look for vulnerabilities and continually update their strategies. Thus, we present reliable sources of information for keeping pace with these changes.
Chapter 3, Preventing 99.9% of Attacks – MFA with Azure AD and Duo
Chapter 3 comprehensively explores Azure Active Directory (Azure AD) and how Acme Software can leverage it to improve its workforce’s user management and security practices. As the cornerstone of Microsoft 365, Azure AD provides a robust, cloud-based IAM solution that caters to the company’s needs, from centralizing user and group management to enforcing advanced security measures.
We commence by establishing the foundations of Azure AD, showcasing its essential benefits such as secure authentication, SSO capabilities, conditional access (CA), and MFA. The focus then shifts to the challenges associated with traditional password-based authentication. Drawing upon Microsoft’s research, we delve into why passwords alone aren’t sufficient for securing accounts and data, underscoring the necessity of MFA in the security equation.
From there, we guide readers through configuring Azure AD, presenting diverse authentication workflows tailored to different organizational roles’ risk levels. Given the sophistication of attacks on passwords and MFA, we also demonstrate how to configure different authenticators, thereby enabling authorized individuals’ access to sensitive company resources.
In recognition of the modern work-from-anywhere culture and the increasing prevalence of BYOD policies, we describe how Acme Software can employ Azure AD to ensure consistent security across applications accessed both internally and on public networks. We also introduce Duo, a Two-Factor Authentication (2FA) product from Duo Security.
Chapter 4, Implementing Workforce and Customer Authentication Using Okta
Chapter 4 takes a deep dive into Okta, a leading cloud-based identity management system offering two distinguished IAM products: Okta Workforce Identity and Okta Customer Identity. These products bring unique benefits to businesses, from comprehensive workforce management to secure customer interactions.
The first part of the chapter focuses on Okta Workforce Identity. This solution offers businesses an efficient way to manage and protect their workforce users, such as employees, contractors, and partners, from a single platform. First, we delve into its capabilities and discuss how its use allows businesses to maintain regulatory compliance while achieving their objectives. Next, we illustrate its implementation using a case study involving Acme’s workforce applications, exploring the configuration and use of additional authenticators, with Duo as the authenticator of choice.
In the second part of the chapter, we switch focus to Okta Customer Identity. This tool enables businesses to securely manage end user identities and create frictionless application registration and login experiences. In addition, this solution provides businesses with the capacity to integrate authentication seamlessly into any cloud-based application. We delve into its features and demonstrate its use by exploring the development of MFA for customer-facing applications.
Chapter 5, Access Management with ForgeRock and Behavioral Biometrics
Chapter 5 takes us on a journey through the offerings of ForgeRock, another leading IAM solutions provider. In this chapter, we focus on how businesses such as Acme can effectively leverage ForgeRock’s solutions to enhance the customer experience for external users while securing and enabling an agile workforce.
We start the chapter by taking readers through the experience of using ForgeRock.
Our next stop is the exploration of authentication trees, a noteworthy feature in ForgeRock’s suite of solutions. Authentication trees offer a flexible and customizable approach to authentication that allows businesses to design their unique user journey, enhancing security and user experience.
Lastly, we delve into the innovative world of behavioral biometrics, a technology that brings a new level of security by studying the user’s behavior during the login process. This cutting-edge technology enables businesses to increase security and reduce friction during the authentication process, providing a seamless blend of security and user convenience.
Chapter 6, Federated SSO with PingFederate and 1Kosmos
Chapter 6 is dedicated to a comprehensive exploration of PingFederate, a versatile solution for user authentication and SSO. In this chapter, we also introduce 1Kosmos, a provider of passwordless MFA that offers an improved, frictionless, and secure experience for workforce users.
We start the chapter by providing an overview of PingFederate and its ability to facilitate federated SSO. This allows users to access multiple applications with single login credentials, significantly enhancing user convenience without compromising security.
The chapter then pivots to introduce the concept of passwordless authentication – a technology that seeks to eliminate passwords as a point of vulnerability in the security architecture. We delve into how this innovative approach can enhance user experiences while maintaining high security standards.
Finally, we introduce 1Kosmos and its unique contribution to passwordless MFA with verified identities. 1Kosmos not only removes the password from the equation but also verifies the identity of users through robust biometric checks, adding another layer of security.
Chapter 7, MFA and the Cloud – Using MFA with Amazon Web Services
Chapter 7 introduces how businesses such as Acme can leverage Amazon Web Services (AWS) for their IAM needs. Given the trend of companies increasingly adopting cloud platforms to develop and deploy their products and services, understanding AWS’s IAM services is crucial for workforce and customer enablement.
We introduce AWS IAM, explain its features and capabilities, and demonstrate how it can help businesses manage and secure access to their AWS resources effectively.
Next, we shift focus to workforce users. We discuss how AWS can be utilized to manage and protect workforce identities, ensuring secure access to necessary resources while maintaining the ease of operation for users.
Finally, we discuss Amazon Cognito, an AWS service that enables easy and secure user sign-up and sign-in. We cover how Cognito can be leveraged to authorize Acme’s customers and end users, providing a seamless and secure user experience.
Chapter 8, Google Cloud Platform and MFA
Chapter 8 concludes our exploration of the big three cloud platform service providers—AWS, Microsoft Azure, and Google Cloud Platform (GCP)—each bringing unique strengths. In this chapter, we focus on GCP, rounding out our coverage of these dominant players in the cloud computing market.
We’ve previously delved into AWS and Azure, highlighting their unique offerings and applicability to businesses such as Acme. Now, we turn our attention to GCP, which prides itself on its machine learning and data analytics capabilities among its cloud services.
This chapter discusses Google Cloud Identity, examining its features and capabilities and how it fits into the overall landscape of GCP’s cloud services. We also touch on the Google Cloud Identity Platform, GCP’s robust IAM solution, which enables businesses to manage their user identities seamlessly across their applications.
Chapter 9, MFA without Commercial Products – Doing It All Yourself with Keycloak
Chapter 9 introduces readers to Keycloak, an open source IAM solution. As Acme Software seeks to explore options beyond traditional commercial products for its expanding IAM infrastructure, Keycloak offers a viable, cost-effective, and flexible alternative. This chapter aims to help Acme and readers understand Keycloak’s potential to streamline authentication and authorization processes for the workforce and customers.
We begin by defining the Keycloak server, explaining its role in IAM, and elucidating its core features.
The chapter then explores the functionalities of Keycloak’s administration console, providing insights into the flexibility and control it offers. We delve into using Keycloak for SSO, a feature that enhances user convenience and security.
Keycloak’s MFA capabilities are also investigated, underscoring the software’s commitment to robust security. By comparing Keycloak to other commercial products, readers will gain a comprehensive perspective on its relative strengths and areas of consideration.
Chapter 10, Implementing MFA in the Real World
Chapter 10 steers the reader toward a deeper understanding of cybersecurity from a business perspective. We explore the business implications of cybersecurity, its role in safeguarding organizational assets, and the associated legal and ethical responsibilities of an organization’s leadership.
Firstly, we delve into the business side of cybersecurity, discussing the importance of authentication and the broader impact of cybersecurity on business functions. Next, we articulate how cybersecurity, far from being a mere technical concern, is intrinsically tied to a business’s viability and reputation.
Subsequently, we provide insights on how to bolster cybersecurity within organizations. This section delves into proactive measures that businesses can adopt to stay ahead of emerging cybersecurity threats.
Finally, we offer practical strategies for implementing MFA in real-world settings. By highlighting the best practices and potential pitfalls, this chapter provides a roadmap for businesses to effectively leverage MFA to enhance their cybersecurity posture.
Chapter 11, The Future of (Multifactor) Authentication
Chapter 11, our final chapter, takes you on an expedition into the future, exploring how the emergence of Web 3.0 will reshape the landscape of digital identity and authentication. As we stand on the precipice of this digital revolution, we investigate the transformation that will ensue, emphasizing the implications for security, privacy, and user experience.
First, we introduce the concept of the Web 3.0 ecosystem, explaining its decentralization philosophy and how it will influence the nature of digital identity. Then, we discuss how Personally Identifiable Information (PII) will become more significant and unique in human and machine interactions in this new world.
We then delve into product trends, analyzing emerging technologies, such as verifiable credentials and innovative authentication mechanisms powered by blockchain and smart contracts.
Our exploration continues with the future of MFA, addressing topics such as passkey management, continuous authentication, and the potential of passkeys as a phishing-resistant MFA offering.
Chapter 11 culminates by pondering what lies ahead, leaving readers with a sense of anticipation and a broader understanding of the exciting possibilities that Web 3.0 brings to digital identity and authentication. This final chapter provides a peek into the future and equips readers with the knowledge required to adapt to and embrace the transformative wave of Web 3.0.
This book assumes that readers are already familiar with at least one of the cloud platform service providers discussed – AWS, Microsoft Azure, and GCP. Therefore, we’ve made a few assumptions about your existing knowledge and experience:
Basic understanding of cloud computing: You should understand the fundamentals of cloud computing, including Software-as-a-Service (SaaS) concepts
Familiarity with one or more cloud platforms: Experience with AWS, Azure, or GCP is helpful, as many concepts in this book build upon the services and architecture of these platforms
Products covered in the book, with the requirements for each:
Azure AD: Azure AD Premium P1
Okta Workforce Identity: An Okta Standard account
Okta Customer Identity: An Okta Developer or Enterprise account
ForgeRock – Access Manager: A ForgeRock software platform account
Ping Identity – PingFederate: A Ping Identity account
AWS: An AWS root account
Google Cloud Identity: Google Cloud Identity or Workspace account
Keycloak: The Keycloak server’s latest version (version 21.1.1 was used in this book)
Duo: A Duo Essentials account
1Kosmos – BlockID: A BlockID account
BehavioSec: A BehavioSec account
Knowing how to utilize Java and Docker for deploying applications is a helpful skill while reading this book. Some products we’ll discuss can be locally installed and run as standalone Java applications or as Docker containers:
Java Platform: Many enterprise-level applications, including some IAM products we will explore, are built with Java due to its robustness, portability, and scalability. Understanding how Java applications are deployed will give you a solid grasp of these solutions’ underlying structure and functioning.
Docker containers: Docker is a popular platform that uses containerization to package an application and its dependencies into a single object. Docker can simplify the deployment process and eliminate the “but it works on my machine” problem, making it an excellent tool for deploying applications for testing and development. Understanding how to pull, run, and manage Docker containers can significantly simplify installing and running the software products discussed in this book.
Running servers: Certain products, such as Keycloak, run on a server that can be initiated using Java or run inside a Docker container. Understanding how to start these servers using either of these methods is essential for installing and testing these products in a local environment.
Troubleshooting and customization: Understanding Java and Docker deployment also aids in troubleshooting any issues that might arise during the installation or operation of the software. Furthermore, if the product is open source, you can customize it to suit your needs better, and understanding the deployment process will be crucial for this.
We have code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!
We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: https://packt.link/b4FmL
There are a number of text conventions used throughout this book.
Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: “It should look like this: https://samltoolkit.azurewebsites.net/SAML/Login/9999.”
A block of code is set as follows:
html, body, #map { height: 100%; margin: 0; padding: 0 }
When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:
[default]
exten => s,1,Dial(Zap/1|30)
exten => s,2,Voicemail(u100)
exten => s,102,Voicemail(b100)
exten => i,1,Voicemail(s0)
Any command-line input or output is written as follows:
$ mkdir css
$ cd css
Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: “Wait for the download to finish and click File is Ready! Click here to download to save the file.”
Tips or important notes
Appear like this.
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Once you’ve read Implementing Multifactor Authentication, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.
Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.
Thanks for purchasing this book!
Do you like to read on the go but are unable to carry your print books everywhere?
Is your eBook purchase not compatible with the device of your choice?
Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.
Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.
The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily
Follow these simple steps to get the benefits:
Scan the QR code or visit the link below
https://packt.link/free-ebook/9781803246963
Submit your proof of purchase
That’s it! We’ll send your free PDF and other benefits to your email directly
As our customers’, co-workers’, and partners’ lives become increasingly entwined with the digital domain, the questions of what authentication is and why it’s crucial to utilize various methods to establish one’s identity online have never been more critical. Furthermore, in a world where high-profile cyberattacks have become an all-too-common headline, the urgency to address the authentication issue has reached all organizational levels.
In Part 1, we lay the groundwork by offering a clear and engaging explanation of what authentication is and why it’s an indispensable aspect of our digital existence.
As you journey through this compelling guide, you’ll encounter various types of authentication. The book provides an insightful analysis of the strengths and weaknesses of each method, as well as recommendations on when to use—or avoid—specific approaches, ensuring you have the tools to make informed decisions about your online security.
This part has the following chapters:
Chapter 1, On the Internet, Nobody Knows You’re a Dog
Chapter 2, When to Use Different Types of MFA
In the ever-evolving landscape of cybersecurity, ensuring that proper access is given for the right reasons at the right time for digital identities is no longer just an optional feature – it’s an indispensable component of securing modern applications. Moreover, as digital transformation accelerates, organizations must proactively protect their sensitive data and functions against persistent cybercriminals, hackers, and even insider threats.
To bring this critical topic to life, we invite you to join us on an engaging journey with ACME Software. This fictitious start-up grapples with the complexities of securing access to its business-critical data and functions. As ACME Software grows and expands, its workforce identities (corporate employees, contingent workers, and partners) and customer identities demand increasingly sophisticated authentication mechanisms to keep their information safe and sound.
Throughout this book, we will look at ACME Software while exploring its options and navigating the intricate world of modern authentication mechanisms. As we follow the start-up’s story, you will discover not only the essentials of multifactor authentication (MFA) but also its practical applications, benefits, and potential pitfalls. By delving into real-life examples and scenarios, we aim to make this subject more engaging, accessible, and relatable, transforming what might otherwise be a dry, technical topic into a captivating learning experience.
This book will cover the following themes:
The importance of securing digital identities in today’s interconnected world
An introduction to MFA, its principles, and its various forms
A detailed examination of ACME Software’s authentication requirements and the challenges it faces as it grows
A comprehensive exploration of various MFA solutions, as well as their strengths and weaknesses
Real-world examples of implementing and managing MFA solutions at ACME Software, demonstrating how to optimize security while maintaining user convenience
The future of authentication – emerging trends and technologies that will shape the next generation of identity and access management
As we follow ACME Software’s journey, we aim to equip you with the knowledge and understanding necessary to make informed decisions about MFA for your organization, empowering you to protect your valuable digital assets in a world of ever-increasing cyber threats.
In this chapter, we are going to cover the following topics:
Identity and digital identity
Additional authentication and security controls
Identity is a universal concept that accompanies us throughout our lives, regardless of our cultural or national background. Immediately after birth, newborns around the world are identified in various ways. In some cultures, babies might receive bands on their wrists or ankles, while others may have different traditional identification methods. These methods often include the baby’s name, date of birth, and other crucial information that helps distinguish them from others.
Governments and communities across the globe maintain records of their citizens’ identities in various forms, such as birth certificates, family registers, or national ID systems. These records typically contain vital information such as names, birthdates, places of birth, and parentage.
Individuals from diverse cultures and nations rely on these records to establish and verify their identities. Moreover, the importance of these documents transcends geographical boundaries since people need them for various purposes, such as education, civic participation, and international travel. For example, these records may be required for enrolling in school, registering to vote, or obtaining necessary documents such as passports or driver’s licenses.
The documents used to identify a person change with the context. For example, to apply for a job I need documents establishing my identity and my authorization to work. When traveling abroad, I need a passport rather than a driver's license. To open a bank account, I may need proof of residence as well as identification. Collectively, the data carried on these artifacts is what is known as personally identifiable information (PII).
Let's look at how a bank account was opened before the internet. A customer had to go to the bank, meet a bank representative, and present the required documents. Only then were they issued an account number and allowed to make transactions on it. Every transaction meant returning to a branch and authenticating to a teller, who verified that the customer was the person they claimed to be and was authorized to perform the transaction they wanted. Applying for an automated teller machine (ATM) or debit card, which arrived in the mail, changed this: the customer no longer had to show a picture ID to prove who they were. The card on its own, however, proves only possession; anybody holding it could present it at the ATM, which is why a second check was added. When someone withdraws cash with an ATM card or makes a purchase with a debit card, the card reader takes the account information from the card and sends it, along with the transaction amount, to the bank, and it prompts for the card's personal identification number (PIN). Only if the PIN matches what the bank holds for that card does the bank approve the transaction and withdraw the funds from the account; a stolen card without its PIN cannot be used at the ATM.
Identity is a multifaceted concept encompassing the unique characteristics that define who or what a person or thing is. The amalgamation of physical, emotional, cultural, and social attributes creates the intricate tapestry of our individuality. In both the physical and digital realms, identity plays a crucial role in remembering, recognizing, and interacting with subjects, be they people or objects.
In today’s increasingly interconnected world, our identities extend beyond the tangible realm, forming an integral part of our digital presence. This digital identity is a virtual representation of our real-world selves, encompassing various elements, such as usernames, passwords, biometrics, and personal preferences. It enables us to navigate the vast expanse of the internet, engage in online transactions, and interact with digital services.
The process of authentication is vital in both physical and digital environments. By verifying the identity of a subject, we ensure that they are who they claim to be and grant them access to specific services or actions based on their authorization. This process is essential for maintaining security and trust and enabling the seamless functioning of our increasingly digital lives.
In digital transactions, the owner of a digital identity is often referred to as the security principal or simply the principal. This term highlights the significance of the individual or entity at the heart of the authentication inquiry. As we engage in various online activities, our digital identities are the foundation for creating trust and facilitating secure transactions.
Just as identity existed before the internet, so did two-factor authentication (2FA) and multi-factor authentication (MFA). The PIN on an ATM or debit card is one example of 2FA, which is a subset of MFA: to verify (authenticate) my identity, I must present my ATM card (something I have) and enter my PIN (something I know). Showing my driver's license to the bank teller is another example. The license is the first factor (again, something I have), while the teller matching the picture on it to my face is the second factor (something I am).
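As an added example (not code from the book) of the card-plus-PIN check described above, here is the issuer side of that ATM transaction modelled in Python. The card number stands for something you have and the PIN for something you know; the bank stores only a salted, slow hash of the PIN, compares it in constant time, blocks the card after a fixed number of wrong PINs, and only then asks the separate authorization question of whether the account may spend the amount. The three-attempt limit, the PBKDF2 cost and the sample card are assumptions for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_PIN_ATTEMPTS = 3          # assumed policy: the third wrong PIN blocks the card
PBKDF2_ITERATIONS = 100_000   # assumed cost factor; PINs are short, so hashing must be slow


@dataclass
class CardRecord:
    """What the issuer keeps per card. The PIN itself is never stored."""
    salt: bytes
    pin_hash: bytes
    balance: int
    failed_attempts: int = 0
    blocked: bool = False


def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


def enroll_card(card_number: str, pin: str, balance: int, store: dict) -> None:
    """Issue a card: record a per-card salt and the salted PIN hash."""
    salt = os.urandom(16)
    store[card_number] = CardRecord(salt=salt, pin_hash=_hash_pin(pin, salt), balance=balance)


def authorize_withdrawal(card_number: str, pin: str, amount: int, store: dict) -> tuple:
    """Authenticate both factors, then authorize the transaction.

    Returns (approved, reason). Presenting the card (something you have) is
    only the first factor; without the matching PIN (something you know) the
    transaction is refused, and repeated wrong PINs block the card.
    """
    record = store.get(card_number)
    if record is None:
        return False, "unknown card"
    if record.blocked:
        return False, "card blocked"
    # Constant-time comparison so timing does not reveal how much of the hash matched.
    if not hmac.compare_digest(record.pin_hash, _hash_pin(pin, record.salt)):
        record.failed_attempts += 1
        if record.failed_attempts >= MAX_PIN_ATTEMPTS:
            record.blocked = True
            return False, "card blocked"
        return False, "wrong pin"
    record.failed_attempts = 0  # a correct PIN clears the counter
    # Authentication is done; authorization (may this account spend this much?) is separate.
    if amount > record.balance:
        return False, "insufficient funds"
    record.balance -= amount
    return True, "approved"


if __name__ == "__main__":
    cards = {}
    enroll_card("4111111111111111", "1234", 500, cards)  # constructed sample card, not real data
    print(authorize_withdrawal("4111111111111111", "0000", 100, cards))  # (False, 'wrong pin')
    print(authorize_withdrawal("4111111111111111", "1234", 100, cards))  # (True, 'approved')
```

The order of checks is the point: the card identifies the account, the PIN authenticates the holder, and only then is the transaction itself authorized. Blocking after a few failures is what makes a four-digit PIN acceptable at all; without it, the ten thousand possible values could be tried in an afternoon.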
Establishing identity is just as critical online, if not more so. Even though many countries have established some form of digital ID (you can see a list at https://www.worldprivacyforum.org/2021/10/national-ids-and-biometrics/), it is still rare to encounter customer-facing applications that accept those IDs outside the country that issued them.
The New Yorker published a cartoon in July 1993 in which a large dog, sitting at a computer, tells another dog on the floor beside him, "On the internet, nobody knows you're a dog." It can be viewed here: https://i.kym-cdn.com/photos/images/original/000/427/569/bfa.jpg. Here's DALL·E 2's interpretation of it:
Figure 1.1 – DALL·E 2's interpretation of "On the internet, nobody knows you're a dog"
The saying quickly became popular and is still used to describe the anonymous nature of life online. As more and more applications move online, identifying users has become essential for several reasons.
For privacy reasons, users who register at a site may not want, or permit, their information and activities to be seen by anyone else. A company must therefore verify that a returning user is the same person who registered before showing them that information.
Companies that sell services need to make sure that the user registering is legitimate and is entitled to use the credentials they present. As Microsoft's investigation of the breaches by the group LAPSUS$ (tracked by Microsoft as DEV-0537) shows (https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/), cybercriminals buy stolen credentials, credit card numbers, and other information on criminal underground forums, and also deploy the Redline password stealer, Loki, and other password stealers that are bought on the dark web or rented for a subscription fee. They use that information to open new accounts and spend money they never intend to pay. Companies in the financial services industry may also have regulations to follow, for example to prevent money laundering.
Since the start of the COVID-19 pandemic, companies have hired employees without ever meeting them in person, and onboarding has changed completely. It is not always possible to inspect an employee's physical documents (birth certificate, social security card, driver's license, and so on) before or when they start working. Verifying who someone is (identity proofing) is distinct from authenticating that user later, but it bears directly on the subject of this book: if you issue valid credentials to a bad actor, all the security in the world will not prevent them from doing what those credentials allow.
The process of registration is a crucial step in creating and managing a digital identity. It involves collecting and verifying information about a subject (a person or an entity) and linking it to a unique identifier in the digital realm. This identifier can be a username, email address, or any other unique attribute that distinguishes the subject from others. The relationship between a subject and their digital identity is established during the registration process, and it sets the foundation for future authentication and authorization.
The first step in the registration process is to collect relevant information about the subject. Data collection may include personal details such as name, address, date of birth, contact information, and digital credentials such as a username and password. In some cases, biometric data or other unique attributes may also be collected.
After collecting the necessary information, the next step is to verify the authenticity of the data the subject provided. Data verification may involve checking the validity of an email address, confirming a phone number via SMS, or comparing the provided biometric data to a pre-existing record. Each check proves only what it checks: a code sent by SMS shows that the subject controls that phone number, and a code sent by email shows that they control that mailbox, not who they are. Binding the account to a real-world identity requires document or biometric verification. Together, these checks give the digital identity system a basis for trusting that the subject is who they claim to be.
Once the data has been verified, an account is created for the subject. This account is the digital representation of the subject and is linked to their unique identifier (for example, a username or email address). The account may also hold additional information, such as preferences, interests, and other data that helps personalize the subject's digital experience.
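The three registration steps just described (collect, verify, create), as an added Python example that is not code from the book. It verifies control of the supplied email address before any account exists: the code is random, lives for a limited time, is stored only as a keyed hash, is compared in constant time, and is discarded after too many wrong guesses. The ten-minute lifetime, the five-guess limit, the server key and the sample subjects are assumptions for the example, and there is no mail transport, so the caller stands in for the mailbox.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600    # assumed policy: a verification code is valid for ten minutes
MAX_CODE_ATTEMPTS = 5     # assumed policy: five wrong guesses invalidate the code
# Assumed server-side key. A six-digit code has only a million possible values, so a plain
# hash of it could be brute-forced offline if the pending table leaked; keying the hash
# means an attacker would also need this key. In production it lives in a secrets manager.
SERVER_KEY = secrets.token_bytes(32)


def _mac_code(code: str) -> bytes:
    return hmac.new(SERVER_KEY, code.encode(), hashlib.sha256).digest()


class Registration:
    """Registration as three steps: collect data, verify a contact point, create the account."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be exercised without waiting
        self.pending = {}      # email -> data awaiting verification (no account yet)
        self.accounts = {}     # email, the unique identifier -> account record

    def start(self, email: str, display_name: str) -> str:
        """Step 1: collect the data and issue a verification code for the email address.

        Returns the code that would be emailed to the subject.
        """
        email = email.strip().lower()   # normalise the identifier before using it as a key
        if email in self.accounts:
            raise ValueError("identifier already registered")
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[email] = {
            "display_name": display_name,
            "code_mac": _mac_code(code),
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, email: str, code: str) -> bool:
        """Step 2: check the code. Step 3, creating the account, happens only on success.

        Passing this check proves control of the mailbox and nothing more; it
        does not establish who the subject is in the real world.
        """
        email = email.strip().lower()
        p = self.pending.get(email)
        if p is None:
            return False
        if self._now() > p["expires"]:
            del self.pending[email]        # expired codes are discarded, never retried
            return False
        if not hmac.compare_digest(p["code_mac"], _mac_code(code)):
            p["attempts"] += 1
            if p["attempts"] >= MAX_CODE_ATTEMPTS:
                del self.pending[email]    # too many guesses: the subject must start over
            return False
        del self.pending[email]
        self.accounts[email] = {"display_name": p["display_name"], "verified_at": self._now()}
        return True


if __name__ == "__main__":
    reg = Registration()
    code = reg.start("Alice@Example.com", "Alice")   # constructed sample subject
    print(reg.verify("alice@example.com", code))      # True: account now exists
    print(sorted(reg.accounts))                       # ['alice@example.com']
```

Two design points carry over to real systems: nothing is written to the account table until verification succeeds, so an attacker who never receives the code cannot create an account tied to someone else's address; and the guess limit and expiry, not the length of the code, are what make a short numeric code safe to use.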
