The Intersection of Identity and Access Management (IAM) and Multi-Factor Authentication (MFA)

Written by Kelsey Kinzer on September 14, 2021


Regardless of their size, organizations face the same core challenge in protecting data: access must be granted only to the right users, at the right level, and only for as long as they need it. No user, inside or outside the organization, should be able to reach a system meant for a select few, and no authorized user should be able to read data they were never meant to see.

For organizations that provide a service to businesses or the general public, data protection is an even bigger challenge, because attackers have a direct incentive to go after customer data. Thus it's vital to have processes and policies in place that govern user identities and control access. These processes and policies form the foundation of Identity and Access Management.

What Is Identity and Access Management?

Identity and Access Management (IAM) is the collective term for the policies, products, and processes an organization uses to manage user identities and regulate access. IAM is what makes it possible for the right people to use the right resources as and when required.

IT administrators rely on IAM to assign a digital identity to each user. It is through this identity that the user is authenticated and then authorized to access resources. Administrators must also monitor and manage these identities throughout their lifecycle, including revoking access promptly when a role changes or a user leaves.

IAM is one of the most critical security assets for an enterprise. Because so many intrusions begin with a valid-looking login rather than an exploit, it is the first line of defense against the credential-based attacks that attackers use to steal data.

What Are the Subcategories That Make Up IAM Holistically?

The term Identity and Access Management takes a more holistic view of all identity management solutions that may be utilized to manage IT resources and user identities. The following subcategories are chief among those that are an integral part of IAM. 

Identity Provider (IdP)

An Identity Provider (IdP) manages the core user identities. It acts as the authoritative source of truth against which user identities are authenticated.

This is regarded as one of the most important IAM subcategories as the other subcategories are more often than not layered on top of the core IdP. Therefore, choosing the right Identity Provider is vital to the success of an IAM architecture. 

Identity-as-a-Service (IDaaS)

IDaaS is a cloud-based authentication solution that’s both built and operated by a third-party provider. This saves an organization from dealing with the technical aspect of managing authentication services on-site. 

Traditionally, IDaaS solutions amounted to web application single sign-on (SSO) built on top of the organization's core IdP, most often Active Directory Domain Services. This wasn't truly IDaaS, because the core identity still lived in the on-premises directory service; the web SSO solution merely federated that identity for web application access.

More recently, though, with the advancement of the cloud directory platform, the concept of a true cloud service for authentication, authorization, and management does exist. This modern approach to IAM effectively has eliminated several categories, or more accurately, combined them into one user access and management platform. 

By leveraging IDaaS, the organization gets an enterprise-class IAM solution without the infrastructure cost and complexity. Included in the service is the ability to scale up and down, high availability, security, backup, and more. Effectively, a modern IDaaS implementation may eliminate the need for multiple separate IAM solutions (e.g., IdP, SSO, PAM, IGA, and more).

Privileged Identity/Access Management (PIM/PAM)

PIM and PAM take a more granular approach to IAM. Privileged Identity Management is focused on the privileges assigned to particular identities, e.g. system administrators, for access to high-criticality resources such as servers, networking equipment, storage systems, and more. Think of Privileged Access Management as the next rung on the ladder, where a greater level of security and control is required.

It is the final layer that authorizes the level of access and the type of information that a privileged user (i.e., an admin) is allowed to retrieve. Together, PIM and PAM provide oversight of privileged identities and ensure they are not misused against the most important resources in an organization. This category is changing with the advent of Infrastructure-as-a-Service platforms such as AWS, Azure, and GCP, where privileged access increasingly means cloud API roles and keys rather than local administrator accounts.

Multi-Factor Authentication

Multi-factor authentication (MFA), of which two-factor authentication (2FA) is the most common form, bolsters the sign-in process by requiring the user to present an additional proof of identity from a different category than the password: something they have, such as a phone or a hardware security key; something they are, such as a fingerprint; or a separate piece of knowledge such as a PIN (though a second knowledge factor adds little against an attacker who has already stolen the first one).

IAM becomes more secure with MFA because the second factor is something that only the end user has or is, so a stolen password is not enough on its own. Google and Microsoft have both reported that the right type of second factor blocks nearly all automated account-takeover attempts, with hardware security keys performing best. One caveat: one-time codes sent by SMS or generated by an app can still be relayed by a real-time phishing proxy, whereas FIDO2/WebAuthn security keys bind the response to the site's origin, so a response captured on a look-alike site cannot be replayed against the real one.

Traditionally, MFA solutions have lived separately from these other IAM categories as an added solution and step for end users. Now however, modern cloud directory platforms and others are integrating the capability as a standard mechanism to secure an identity.

The Role of Multi-Factor Authentication in Protecting Identity and Access Management

Despite its apparent simplicity, MFA plays a crucial role in protecting IAM. In an IAM environment without MFA, anyone who holds a valid username and password can reach every resource assigned to that user. The credentials may have been stolen, phished, or reused from another breach, but when checked against the directory they verify as correct and access is granted. This is one of the most prevalent attack vectors: 61% of data breaches involve compromised credentials.

An IAM environment with MFA is significantly more secure. Even when the credentials verify against the directory, access is not granted until the MFA challenge is cleared, whether that challenge is something the user knows or something they have in their possession. In either case, the chances of a remote attacker breaking through are drastically reduced.

MFA protects IAM by ensuring that an IT resource is not compromised simply because a username and password combination leaked. Passwords are notoriously unreliable as the only authentication factor. It is far less likely that an attacker has both stolen a set of valid credentials and obtained the answer to the MFA challenge.
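As an added example (not code from the original article or from JumpCloud), the following Python shows what the check described above looks like when the second factor is a time-based one-time code: the password is verified first, then the TOTP code is checked against the user's enrolled secret with a small tolerance for clock drift, and a code that has already been accepted is refused. The account store, salt, and password are constructed for the example; the TOTP secret is the RFC 6238 test-vector secret so the codes can be checked against the tables in RFC 4226 and RFC 6238.

```python
"""Password-plus-TOTP login check (HOTP per RFC 4226, TOTP per RFC 6238).
Added example: the account store, salt and password below are constructed."""
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation
    to a 31-bit integer, then the low `digits` decimal digits (zero-padded)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter taken from the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Accept the code for the current step or +/- `window` steps (clock drift).
    Returns the matching counter so the caller can refuse a replayed code."""
    if not (code.isascii() and code.isdigit() and len(code) == digits):
        return None
    counter = unix_time // step
    for drift in range(-window, window + 1):
        candidate = counter + drift
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the first factor is never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed directory entry: a password hash plus an enrolled TOTP secret.
# The secret is the RFC 6238 test-vector secret so the codes are checkable.
SALT = b"constructed-salt"
ACCOUNTS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", SALT),
        "totp_secret": b"12345678901234567890",
        "last_counter": None,
    }
}


def login(username: str, password: str, otp_code: Optional[str], unix_time: int) -> str:
    """Return 'granted' or 'denied'. A valid password never grants access on its
    own, and a one-time code is accepted at most once."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return "denied"
    if not hmac.compare_digest(hash_password(password, SALT), acct["pw_hash"]):
        return "denied"
    if otp_code is None:
        return "denied"  # first factor passed, MFA challenge not answered
    counter = verify_totp(acct["totp_secret"], otp_code, unix_time)
    if counter is None:
        return "denied"  # wrong or expired code
    if acct["last_counter"] is not None and counter <= acct["last_counter"]:
        return "denied"  # replayed code (e.g. captured by a phishing proxy)
    acct["last_counter"] = counter
    return "granted"


if __name__ == "__main__":
    now = 1111111109  # sample time from RFC 6238; the 6-digit code is "081804"
    code = totp(ACCOUNTS["alice"]["totp_secret"], now)
    print(login("alice", "correct horse battery staple", None, now))      # denied
    print(login("alice", "correct horse battery staple", code, now))      # granted
    print(login("alice", "correct horse battery staple", code, now + 5))  # denied
```

The three calls at the bottom show the point of the section: the correct password alone is refused, password plus a fresh code is granted, and the same code presented again a few seconds later is refused even though it is still inside the validity window. Storing the last accepted counter is what makes that last refusal possible; a verifier that only checks "is this code valid right now" will accept a code stolen and replayed within the same 30-second step.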

What Are the Challenges of MFA in IAM?

MFA is sometimes an unappealing prospect for decision-makers and end users who lack an understanding of security best practices. The extra time needed to verify identity through a device or token can be seen as an inconvenience, especially if the second factor is a time-based one-time code (TOTP) that has to be read off an app and typed in. Push-notification MFA can be a user-friendly alternative for IT admins to implement to minimize pushback, with one caveat: a plain approve/deny push can be abused by an attacker who already holds the password and floods the user with prompts until one is accepted, so prefer push implementations that require the user to match a number shown on the login screen. However, the onus is still ultimately on IT to educate users and get them on board with MFA.

It is also worth noting that MFA covers only authentication; it does not handle the other aspects of IAM such as provisioning, authorization, and lifecycle management, even though it may seem like the perfect fit for web apps. Rolling MFA out across the entire organization can prove difficult if there is no centralized way to manage user identities and MFA, or if an additional vendor needs to be added to the IT environment to make the connection. And if enrolling in MFA is left up to the users, some will not do it, leaving their accounts open to exactly the credential-based attacks MFA was meant to stop.

How to Best Leverage MFA to Protect Identity and Access Management

There are several MFA implementation best practices that all organizations should follow to protect IAM. For starters, MFA should be compulsory whenever an identity requests access to an IT resource whose unauthorized use could compromise that resource or the business. All mission-critical IT resources, from cloud apps to on-prem apps to VPN and wireless networks and more, should be protected with MFA.

Users' devices should also be secured with MFA. Take a system admin's laptop, for example. Unauthorized access to that machine not only exposes the local data but also potentially opens the door to the organization's critical IT resources, because the laptop holds live sessions, SSH keys, and cached credentials for them. Since devices act as a conduit to all other resources, they must themselves be secured through MFA. A good MFA solution will secure Linux, Mac, and Windows devices under a common approach.

When paired with conditional access policies, MFA can be even more powerful. IT admins can decide whether the MFA prompt is generated based on the context of the request, which keeps MFA less cumbersome for end users while still meeting security requirements. For example, admins can suppress MFA prompts for employees connecting from an allowlisted IP range, or for C-level executives working from a trusted managed device. Such exemptions should be scoped carefully: an IP allowlist trusts the network rather than the user, so a compromised machine on that network inherits the exemption, and privileged accounts and mission-critical resources should never be exempted at all.
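As an added example (not the article's own code and not JumpCloud's policy syntax), the following Python evaluates an access request against an ordered set of conditional access rules. The network allowlist, the device attributes, and the resource names are constructed; the point is the rule ordering, which keeps a network or device exemption from ever applying to a privileged identity or a mission-critical resource, and the fail-closed handling of a missing or malformed source address.

```python
"""Conditional-access decision: does this access request get an MFA prompt?
Added example with constructed policy inputs; not JumpCloud's policy syntax."""
import ipaddress
from typing import Tuple

# Constructed allowlist (the TEST-NET-3 documentation range stands in for an
# office egress range) and the resources that never get an exemption, whatever
# the network or device says.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
ALWAYS_MFA_RESOURCES = {"vpn", "admin-console", "prod-ssh"}


def from_trusted_network(ip: str) -> bool:
    """True only for a well-formed address inside an allowlisted range.
    A missing or malformed source address is treated as untrusted (fail closed)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def mfa_decision(user: dict, ctx: dict) -> Tuple[bool, str]:
    """Return (prompt_for_mfa, reason). Rule order matters: the always-prompt
    rules come first so a network or device exemption can never override them."""
    if user.get("privileged"):
        return True, "privileged identity: always prompt"
    if ctx.get("resource") in ALWAYS_MFA_RESOURCES:
        return True, "mission-critical resource: always prompt"
    # Device trust alone is not enough; the device must also pass compliance
    # (disk encryption, patch level, etc.) as reported by the management agent.
    if ctx.get("device_trusted") and ctx.get("device_compliant"):
        return False, "trusted, compliant managed device"
    if from_trusted_network(ctx.get("source_ip", "")):
        return False, "allowlisted network"
    return True, "default: prompt"


if __name__ == "__main__":
    admin = {"name": "root-admin", "privileged": True}
    staff = {"name": "employee", "privileged": False}
    office = {"resource": "wiki", "source_ip": "203.0.113.10"}
    vpn_from_office = {"resource": "vpn", "source_ip": "203.0.113.10"}
    home_managed = {"resource": "wiki", "source_ip": "198.51.100.7",
                    "device_trusted": True, "device_compliant": True}
    for who, where in [(admin, office), (staff, office), (staff, vpn_from_office),
                       (staff, home_managed), (staff, {"resource": "wiki"})]:
        print(who["name"], where.get("resource"), mfa_decision(who, where))
```

The evaluation order is the security-relevant part. If the network exemption were checked first, an administrator on the office network would never be prompted, and a VPN login from a compromised office workstation would sail through; putting the always-prompt rules at the top makes those outcomes impossible regardless of how the exemptions are later tuned.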

In summary, an ideal MFA solution that effectively supports an organization’s IAM approach has the following characteristics:

  • It is not just a point solution; instead, it is tied directly to the core identity provider
  • It does not require the purchase of an additional vendor contract
  • It can extend across virtually all IT resources, not just cloud apps
  • It is system-agnostic, and can fully protect heterogeneous IT environments
  • It allows for customizable conditional access policies
  • It provides a frictionless authentication experience for end users

Yes, a solution that has all of these characteristics does exist. It’s called the JumpCloud Directory Platform with integrated MFA services. The first 10 users and 10 devices managed with our platform are free until you scale, and you’ll receive 10 days of free, 24×7 in-app chat support to help you get started. Try out the full functionality of our platform, including the cloud MFA implementation and conditional access policies, for as long as you like. Get started today.
