By Natalie Bluhm Posted September 8, 2017
Authentication is the process of confirming someone is who they say they are, especially when it comes to digital identities. This is a process that should be taking place any time an end user accesses a resource. Authentication is absolutely critical for maintaining a secure IT infrastructure. If there are any deficiencies in your authentication process, then someone who’s not supposed to may be able to access critical components of your infrastructure.
So let’s take a look at how the authentication process takes place, and the various authentication methods that exist.
The authentication process usually begins with the user arriving at a login screen. The user then presents their credentials: a username and password, or an SSH key. These credentials are compared against the credentials on file in a directory, the application, or the device. If the credentials match, the user gains access; if they don't match, the user is denied access.
The username and password combination is one of the simplest authentication methods and one of the most popular ways of authenticating to a resource. However, advances in technology and increasingly sophisticated hacking methods have decreased the effectiveness of this method.
Users once had only a couple of passwords – one for their system and one for their email. But with the advent of web-based applications and cloud-based resources, users today need a long list of passwords to access all of their resources. Having ten different passwords and remembering each one is challenging, so end users are prone to reusing the same password or choosing really simple passwords.
The rise of social media has also made it all too easy to find the kind of personal information needed to crack a simple password. This has spurred organizations to mandate longer and more complex passwords, or to use different authentication methods altogether, such as SSH keys.
For some users, their line of work requires an even more secure authentication method than a password can provide. In these cases, SSH keys are a common choice. SSH keys are an access credential for the SSH protocol, a secure way of remotely logging into one system from another. For example, SSH is commonly used to connect workstations to remote servers. The connection established between the system and the remote server is encrypted, so the information passed over it is well protected.
To open such a connection, the user authenticates to the resource with SSH keys. SSH keys come in pairs: one private key and one public key. The public key is stored on the target machine, such as a remote server, and acts as a "lock". The user holds the private key, and this is the key that opens the "lock" on that machine. SSH keys can be up to 2048 bits, making them impossible to crack or guess and a much more secure authentication method than the username and password method.
While SSH keys are more secure than usernames and passwords, organizations are starting to implement multi-factor authentication (MFA) and are moving away from just relying on a single factor for authentication.
MFA requires the end user to authenticate with something they know, typically their username and password, and also with something they have, such as a token generated by an authenticator app on their phone or a hardware authentication USB device. This significantly increases authentication security because anyone with bad intentions now needs to know your credentials and also obtain your token generator, whether that is your phone or a small piece of hardware you keep on your keychain.
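The following added example (not code from the original post or from JumpCloud) shows the two steps described above in working form: the "compare against what is on file" check from the login flow, done against a salted hash rather than a stored password, and the second MFA factor, a time-based one-time code of the kind an authenticator app generates (RFC 6238 TOTP). The user record, password and TOTP secret are constructed for illustration; the TOTP secret is the RFC 6238 test-vector key.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed directory record: the directory keeps a salted PBKDF2 hash of the
# password (never the password itself) plus the shared secret that the user's
# authenticator app also holds.
PBKDF2_ITERATIONS = 200_000


def enroll(password: str, totp_secret: bytes, salt: Optional[bytes] = None) -> dict:
    """Build the record a directory would keep on file for one user."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "totp_secret": totp_secret}


def check_password(record: dict, candidate: str) -> bool:
    """Factor 1 (something you know): re-derive the hash and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def check_totp(record: dict, code: str, unix_time: int, window: int = 1) -> bool:
    """Factor 2 (something you have): accept the current step or +/- `window` steps of clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(record["totp_secret"], unix_time + drift * 30)
        if hmac.compare_digest(expected, code):
            return True
    return False


def authenticate(record: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass; the caller only ever sees one generic pass/fail result."""
    return check_password(record, password) and check_totp(record, code, unix_time)


if __name__ == "__main__":
    user = enroll("correct horse battery staple", b"12345678901234567890")
    print(authenticate(user, "correct horse battery staple", totp(user["totp_secret"], 59), 59))  # True
    print(authenticate(user, "wrong password", totp(user["totp_secret"], 59), 59))                # False
```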
Securing the Exchange of Information
The authentication methods you employ in your environment play a major role in your infrastructure security. The other aspect to consider is securing the actual exchange of credentials between the user and the system or application. If an insecure connection is used to authenticate to a resource, an attacker could intercept those credentials, use them to access the resources tied to them, and then do whatever they wanted. The worst part is that IT might not even notice until it's too late.
Today, most authentication requests take place over the internet, which can be secured using Secure Sockets Layer (SSL) or its successor, Transport Layer Security (TLS). Securing this exchange of information is critical to ensuring accurate authentication and protecting your IT environment.
Now, let’s take a look at how authentication has evolved over time.
In the past, authentication took place on the actual resource a user was trying to access. Then directory services were introduced and centralized the authentication process. One of the components that made directory services work well was the creation of the LDAP protocol, which streamlined the communication between systems during the authentication process. Microsoft combined directory services and LDAP to build Active Directory, which provided IT with secure authentication and user management. The catch was that IT environments worked great with AD only as long as they consisted of Microsoft endpoints and applications and the infrastructure remained on-prem. Microsoft was able to establish quite the monopoly in the workplace because of this.
Then the resources in IT environments changed. Users started needing access to Mac and Linux systems, web-based applications, WiFi, and data stored in the cloud. In the case of Active Directory, Microsoft wanted to keep IT within their ecosystem, so they chose not to connect AD to newer authentication protocols such as SAML, RADIUS, and OAuth. The good news is that a modern cloud directory is changing the game.
JumpCloud – A Multi-Protocol Solution
JumpCloud leverages LDAP, SAML, RADIUS, OAuth, and more. By incorporating a myriad of protocols, Directory-as-a-Service® allows IT admins to centralize their users’ access and provide their users with one identity that is connected to all of the resources they need. Our comprehensive identity management solution is platform agnostic, so IT can manage authentication on Windows, Mac, and Linux endpoints. With LDAP and SAML, users can gain access to their legacy and web-based applications, and connect to WiFi using RADIUS. OAuth makes it possible to smoothly integrate users that have been created in G Suite or Office 365 and connect those identities to resources like WiFi, a legacy app, or a Mac system.
We hope this post hasn't just helped you understand what authentication is, but that it has opened your eyes to the possibility of achieving a more comprehensive and streamlined authentication strategy. For a more in-depth look at how JumpCloud leverages LDAP, SAML, RADIUS, and OAuth, consider watching this Cloud IAM | Protocols and Architecture whiteboard video. If you would like to learn more about how you can start leveraging a multi-protocol environment, reach out to us. We'd love to answer any questions you might have. Start experiencing our cloud-based directory today by signing up for a free account. Your first ten users are free forever.