By Vince Lujan Posted September 10, 2019
Multi-Factor Authentication (MFA) might be the best way to secure user access to IT resources. With so many applications in use today, either on-prem or in the cloud, having MFA for applications enabled is a dramatic step-up in security.
The challenge is that it can be difficult to keep track of which applications have MFA enabled on an individual basis. Fortunately, by leveraging a cloud identity provider (IdP), it is possible to manage MFA with ease across all of the applications that a given user has been provisioned.
MFA in Action
MFA works by leveraging an additional authentication factor rather than just a user’s password, which is why MFA is also known as Two-Factor Authentication (2FA). In most use cases, the first factor is the core user identity (username and password) and the second factor is typically a numerical code delivered to the user’s smartphone or generated by an authenticator app, or a hardware token such as a YubiKey.
In practice, a user is challenged to provide their core username and password in addition to their secure MFA token at login. Essentially, if the username, password, and MFA token are valid, the user gains access. Otherwise, user access is denied. By leveraging something that the user knows (i.e., their password) and something that they have (e.g., their phone), user access remains secure even if the core identity has been compromised.
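The login flow just described, as an added example that is not part of the original post: a verifier that checks the password (something the user knows) and a time-based one-time code from an authenticator app (something the user has, RFC 6238 TOTP) and grants access only when both are valid. The user record, salt and TOTP seed are constructed for the demo; the seed is the RFC 6238 reference seed, not a real secret.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample directory record. In a real IdP the salted password hash
# and the TOTP seed come from the directory and are never hard-coded.
_SALT = b"constructed-demo-salt"
_SEED = b"12345678901234567890"  # RFC 6238 reference seed, demo only
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "totp_seed": _SEED,
    }
}

def totp_code(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def authenticate(username: str, password: str, code: str, now: Optional[int] = None) -> bool:
    """Grant access only if username, password AND the current TOTP code are valid.
    Both factors are always evaluated so the response does not reveal which one failed."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None:
        # Burn a hash anyway so unknown usernames take as long as known ones.
        hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
        return False
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000), user["pw_hash"])
    # Accept the current 30-second step and one step either side to tolerate clock drift.
    code_ok = any(
        hmac.compare_digest(totp_code(user["totp_seed"], now + drift).encode(), code.encode())
        for drift in (-30, 0, 30))
    return pw_ok and code_ok
```

A stolen password alone (`authenticate("alice", "correct horse", "000000")`) is refused, which is the property the paragraph above describes.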
It’s important to understand that MFA solutions generally require a core identity provider (IdP) or directory services solution acting as the single source of truth for user identities and MFA tokens.
Historically, MFA solutions have generally been an add-on expense to an existing directory service such as the on-prem Microsoft® Active Directory® (AD) or OpenLDAP™ platforms. IT admins would implement an on-prem directory service and identity management infrastructure, then purchase and integrate a third-party MFA add-on utility.
While effective at providing MFA functionality, this approach requires heavy investment in on-prem identity management infrastructure and third-party tools. Many organizations end up with MFA on a per-application basis, which can be enticing. However, IT admins have found that as more users, applications, and complexity enter the network, managing MFA at such a granular level can be challenging without a centralized control center.
If you can’t manage MFA effectively, then you’re less likely to use it, and your users become more vulnerable. So, how can you streamline MFA management?
The Future of MFA
Fortunately, the JumpCloud® Directory-as-a-Service® (DaaS) platform can secure user access to applications via MFA from the cloud. With this approach, IT admins can leverage a secure SAML 2.0 connection to integrate a wide array of applications with the DaaS platform.
IT admins can then enforce MFA at the JumpCloud User Portal login—where users go to gain SSO access to their applications. The end result is that users must authenticate via MFA before they can gain SSO access to any of their applications.
JumpCloud also offers MFA for systems, RADIUS, and VPNs, with MFA coverage for more IT resources on the way. The Directory-as-a-Service platform can also integrate with a wide variety of your existing solutions to extend user identities to a wider range of IT resources.
The end result is that you can add additional layers of security throughout your environment via MFA—but without the heavy lifting of implementing and maintaining a complicated identity management system on-prem that requires third-party tools.