Identity & Access Management 101

The IAM 101 area provides free information about a variety of topics relevant to security, identity and access management, single sign-on, multi-factor authentication, provisioning, and other technologies that help businesses provide users with secure access to the applications and systems they need. We update the IAM 101 area regularly with new content, so be sure to bookmark this page.

All Topics

What’s the Difference Between OTP, TOTP and HOTP?

Providing secure access to applications and cloud-based software is a constant challenge for companies across all industries. Empowering users with simple but reliable security is critical to protecting user information and sensitive company data. One of the ways technology companies have counteracted password theft and other types of cyberattacks is through the use of one-time passwords (OTPs). OTP is a form of [multi-factor authentication (MFA)](/learn/what-is-mfa) designed to make it much harder for hackers to access protected information. MFA requires additional credentials beyond a simple password before the end user can gain access to an application or system. For example, an MFA that uses SMS will send the user a text with a numeric string that has to be entered before they are granted access. That code is a type of OTP.

Both B2B and B2C companies have an incentive to protect their user and company data while maintaining a great user experience (UX), which means that whatever security solution they choose, it needs to be streamlined without drastically interfering with a user’s workflow. OTP authentication is an elegant solution to both security concerns and UX. There are two types of OTP: HOTP and TOTP. We’ll get into the differences between them below. But first, let’s dig a little deeper into OTP.

### What is OTP and How Does it Work?

An OTP is like a password, but it can only be used once; that is why it is called a one-time password. It is often used in combination with a regular password as an additional authentication mechanism that provides extra security. OTPs are exactly what they sound like: one and done. Once you’ve used that password, it’s discarded, and the next time you need to get into that application you will use another one. Doing this increases security and makes it a lot harder for bad actors to penetrate private accounts.

Users can access an OTP for a given application or website through smartphone apps, a text message, or a proprietary token (such as a key fob). OneLogin Protect is an example of an OTP generator that you can use as an app on your phone. Any time you receive an SMS text with a code to help you get into a website or application, you’re using an OTP.

There are a variety of industry-standard algorithms, such as HMAC-SHA-1, that generate OTPs. All of these algorithms use two inputs to generate the OTP code: a **seed** and a **moving factor**. The seed is a static value (secret key) that’s created when you establish a new account on the authentication server. While the seed doesn’t change, the moving factor does each time a new OTP is requested. How the moving factor is generated is the big differentiator between HOTP and TOTP.

### What is HOTP?

The “H” in HOTP stands for Hash-based Message Authentication Code (HMAC). Put in layman’s terms, the HMAC-based One-time Password algorithm (HOTP) is an event-based OTP where the moving factor in each code is a counter. Each time the HOTP is requested and validated, the counter is incremented. The code that’s generated is valid until you actively request another one and it’s validated by the authentication server. The OTP generator and the server are synced each time the code is validated and the user gains access. Yubico’s YubiKey is an example of an OTP generator that uses HOTP.

### What is TOTP?

Time-based One-time Password (TOTP) is a time-based OTP. The seed for TOTP is static, just like in HOTP, but the moving factor in a TOTP is time-based rather than counter-based. The amount of time in which each password is valid is called a **timestep**. As a rule, timesteps tend to be 30 seconds or 60 seconds in length. If you haven’t used your password within that window, it will no longer be valid, and you’ll need to request a new one to gain access to your application.

### Limitations and Advantages

While both are far more secure than not using MFA at all, there are limitations and advantages to both HOTP and TOTP. TOTP (the newer of the two technologies) is easy to use and implement, but the time-based element does have a potential for time drift (the lag between the password’s creation and its use). If the user doesn’t enter the TOTP right away, there’s a chance it will expire before they do. So the server has to account for that and make it easy for the user to try again without automatically locking them out.

Since HOTP doesn’t have the time-based limitation, it’s a little more user-friendly, but it may be more susceptible to brute-force attack. That’s because of the potentially longer window in which an HOTP code is valid. Some forms of HOTP have accounted for this vulnerability by adding a time-based component to their code, somewhat blurring the lines between these two types of OTP.

### A Final Word

Regardless of which type of OTP you use, choosing an [OTP generator](/product/one-time-password) like an authenticator app or key fob is a safer way to use MFA than the SMS texting options. Scammers have found creative ways to intercept these SMS codes, whether through SIM card fraud or some other type of hack that helps them gain access to your texts. While SMS-based MFA might be better than no MFA at all, it is a lot less secure than having an authenticator app on your phone or using a key fob code generator.
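As an added example (not OneLogin’s code, and not part of the original article), the following Python implements the seed-plus-moving-factor construction described above for both HOTP and TOTP, together with the server-side checks the Limitations section calls for: a look-ahead window so an HOTP counter that has run ahead can resynchronise, and a one-step tolerance plus replay refusal for TOTP. The seed is the public test value from RFC 4226 and RFC 6238, so the printed codes can be compared with the tables in those RFCs.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) generation and server-side verification.

Added example for the OTP article; it is not OneLogin code. Both algorithms
share one primitive: HMAC-SHA-1 over the seed and a moving factor. HOTP's
moving factor is a counter; TOTP's is the number of elapsed 30-second timesteps.
"""
import hashlib
import hmac
import struct
import time

# Seed used by the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890"),
# which lets the values below be checked against the published tables.
RFC_TEST_SEED = b"12345678901234567890"


def hotp(seed: bytes, moving_factor: int, digits: int = 6) -> str:
    """Core OTP computation shared by HOTP and TOTP (RFC 4226 section 5.3)."""
    # The moving factor is encoded as an 8-byte big-endian counter.
    mac = hmac.new(seed, struct.pack(">Q", moving_factor), hashlib.sha1).digest()
    # Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    # Keep the requested number of decimal digits, zero-padded.
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP whose moving factor is the number of elapsed timesteps."""
    return hotp(seed, int(unix_time // step), digits)


def verify_hotp(seed: bytes, candidate: str, server_counter: int,
                look_ahead: int = 10, digits: int = 6):
    """Server-side HOTP check.

    The generator may have been pressed a few times without reaching the server,
    so the server searches a small look-ahead window to resynchronise. Codes
    below the stored counter are already spent and are never accepted (no replay).
    Returns the counter value the server should store next, or None if rejected.
    """
    for counter in range(server_counter, server_counter + look_ahead + 1):
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(hotp(seed, counter, digits), candidate):
            return counter + 1
    return None


def verify_totp(seed: bytes, candidate: str, unix_time: float,
                last_used_step: int = -1, step: int = 30,
                skew: int = 1, digits: int = 6):
    """Server-side TOTP check with tolerance for delay and clock drift.

    The server accepts the current step plus `skew` steps either side, so a
    user who types a code just as the window rolls over is not locked out.
    A step at or before the last accepted one is refused, which stops a
    captured code from being replayed inside the same window.
    Returns the matched step (store it as last_used_step), or None.
    """
    current = int(unix_time // step)
    for delta in range(-skew, skew + 1):
        candidate_step = current + delta
        if candidate_step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(seed, candidate_step, digits), candidate):
            return candidate_step
    return None


if __name__ == "__main__":
    # HOTP: the first two codes from the RFC 4226 test table.
    print("HOTP counter 0:", hotp(RFC_TEST_SEED, 0))        # 755224
    print("HOTP counter 1:", hotp(RFC_TEST_SEED, 1))        # 287082
    # TOTP: RFC 6238 test vector at Unix time 59 with 8 digits.
    print("TOTP t=59:", totp(RFC_TEST_SEED, 59, digits=8))   # 94287082
    # A live code for the current clock, as an authenticator app would show.
    print("TOTP now:", totp(RFC_TEST_SEED, time.time()))
```

For a real deployment the seed is a per-user random secret stored only on the server and the generator, and the stored counter or last-used step must be updated atomically on every accepted code.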


What is User Provisioning and Deprovisioning?

User provisioning and deprovisioning is the process of creating, updating and deleting user accounts in multiple applications and systems. This access management practice can also cover associated information, such as user entitlements, group memberships and even the groups themselves. Many organizations have moved to automated user provisioning: the systematic creation and management of user data that governs users’ ability to access resources, such as applications, available in one or more systems. Accessible systems can be on-premises, cloud-based, or a hybrid of the two.

### User provisioning and deprovisioning key benefits

Automated user provisioning is one of the main features of many identity and access management (IAM) solutions. Provisioning comes into play when an employee joins an organization, moves to a different department or division, or exits the company. This is known as the joiner/mover/leaver (JML) process. By integrating an IAM solution directly with HR and personnel systems, you connect the process of creating, updating and deleting user accounts with HR actions. Actions that change HR data, such as employee onboarding and offboarding, can automatically change the permissions for accessing systems and applications tied to the corresponding employee accounts.

User provisioning and deprovisioning provide the following key benefits:

- **Easily onboard and offboard employees**: Create and maintain employees’ user attributes, such as usernames, roles, and profiles, and automatically assign access permissions and user accounts based on predefined roles and flexible entitlement rules.
- **Streamline user management across applications**: Automatically import users from Active Directory (AD), Lightweight Directory Access Protocol (LDAP), and other apps. Provisioning enables you to continuously propagate user profiles to ensure that your systems have the latest updates.
- **Increase security and reduce cost**: Use HR-driven Identity Management (IM) to prevent former employees from retaining online access, eliminating the possibility of zombie accounts sitting idle and at risk of being compromised.

### How do provisioning and deprovisioning work?

In a basic automated provisioning workflow, you add users to apps based on specific [user roles](https://onelogin.service-now.com/kb_view_customer.do?sysparm_article=KB0010606). Whenever a user is assigned a role, that user is automatically created in the associated app and granted access permissions. In the diagram below, once a new user is provisioned, that user is added to the Sales role and is therefore granted access to the apps associated with that role. In this example, the provisioned user can access Salesforce, Office 365, and G Suite.

When it’s time to deprovision former employees from apps, you want a solution that lets you simply change the user’s status, so that the user’s accounts in all apps are deleted or suspended, depending on the configuration preferences that you set. Expanding on the example in the diagram, after deprovisioning the user, the apps associated with the employee’s role would no longer be accessible by that user.

### How do user provisioning and deprovisioning make companies more secure?

The risk of costly security breaches for companies that fail to provision and deprovision properly or quickly is huge: the average cost of a data breach is $148 per record and $7.91 million per breach in the U.S. Breached companies often underperform the market for years following a major breach, and 60% of small businesses fold within six months of a successful attack. Automated user provisioning helps keep your company secure by ensuring employees have access only to the apps they need. Automated user deprovisioning helps keep your company secure by ensuring that whenever an employee leaves, their access is automatically removed for all connected applications. In addition, all existing user sessions are terminated to reduce security risk.


What is CIAM?

Customer Identity and Access Management (CIAM) is a specific twist on identity and access management (IAM), focused on customer identities. Where traditional workforce IAM strategy is focused on security, productivity and compliance, CIAM aims to improve the customer registration and login experience, as well as reduce the risk of account takeover, which is rampant in the consumer space because of password reuse. CIAM isn’t limited to consumers; it can also apply to other businesses, such as a company’s enterprise customers.

Scale is also an important factor in CIAM. Unlike workforce identity, where you could have up to hundreds of thousands of users who are employees, customer identity use cases must support tens if not hundreds of millions of customers. Consequently, CIAM solutions must be able to scale to meet the demands of your customers.

### CIAM key benefits

In the identity space there are both vendors that specialize in CIAM and vendors that handle both customer and workforce identities. Regardless of which type of vendor you choose for your CIAM project, it’s useful to keep in mind the key benefits that a CIAM solution should provide.

- **Keep customer data safe from attacks**: Consumers are notorious for reusing passwords across the dozens of services they use online. CIAM protects those passwords with multi-factor authentication (MFA). Better yet, CIAM can provide adaptive MFA, which looks at contextual factors, such as location, time of day, and device, to support even stronger security by increasing authentication requirements for high-risk login attempts.
- **Create seamless and trusted digital experiences for customers**: Many companies have multiple web applications and portals that each have their own identity store, which requires users to authenticate multiple times when switching between applications. This creates additional friction during the login process. By integrating all your digital channels with a single CIAM solution, you can provide a more seamless user experience for customers without requiring yet another password.
- **Quickly migrate customers without interrupting the user experience**: Many CIAM projects hit roadblocks when faced with the challenge of migrating users off a legacy or homegrown system. A CIAM solution should work with your existing system to quickly migrate your customers without impacting the experience.
- **Customize the experience with flexible APIs**: When building applications, developers want to ensure a seamless customer experience for securing access to digital resources. APIs provide the flexibility needed to customize authentication requirements throughout the development lifecycle.

### How are IAM and CIAM similar? How are they different?

IAM and CIAM requirements are similar when it comes to scalability, security, and accessibility. Both must include these three components to guarantee a great user experience, whether for internal employees or external customers. The ways in which CIAM goes beyond the traditional IAM approach are:

- **Scalability**: A CIAM solution must be able to handle increased Internet traffic both in terms of volume and frequency. Unlike IAM for employee use, your customer portal must be able to support millions of users. It also has to be able to handle rapid spikes in traffic. Use of the portal is unpredictable, but there will be peak times when many people are hitting your system at the same time, and your CIAM solution must be able to handle those peaks.
- **Security with minimal friction**: In the past, companies gave consumers only one option for signing in: username and password. Now that MFA is commonplace, applications often require two or more factors before granting users access. To ensure that adding MFA factors does not discourage users from creating accounts, CIAM must be implemented in smart ways so as not to slow down or block customers. To keep the barrier to entry low, companies also often lean towards using social media identities for passwordless authentication. You want options in how you secure authentication, so be sure your CIAM solution offers enough flexibility to support your particular business.
- **Accessibility**: CIAM provides high accessibility to your company’s brand and products for existing and potential customers. Your customers should be able to get what they need on any device and at any time. A consistent login experience across many channels, whether a website, mobile app or store kiosk, creates positive user experiences that keep your customers returning time and time again.

### How does CIAM protect business customers?

Companies often need to let business customers access some of their applications, such as order management or inventory systems. As more businesses have IAM solutions in place for their employees, it makes sense to establish trust between the respective IAM solutions so that their employees can get one-click access to the inventory system instead of having to use additional credentials. This not only increases security, but also significantly improves usability.

### How does CIAM protect consumer data?

Consumers have to remember a lot of passwords. Whether it’s their social media, online banking, or online streaming accounts, the number quickly adds up. As consumer services are breached around the world, hackers accumulate more and more credentials, which are sold and bought online to launch large-scale credential stuffing attacks using extensive bot networks. This puts consumers who reuse passwords at particular risk. With CIAM, you can give the consumer the option to add a second authentication factor or sign in with their social identity, which provides stronger protection against account takeover.

According to Gartner, CIAM is an essential component of building solid customer trust. In fact, by 2020, companies that implement digitally trustworthy customer solutions will generate 20 percent more online profit than those that do not. With a Trusted Customer Experiences™ solution, companies can build a strong foundation for customer identity, while minimizing operating costs, maximizing revenue and optimizing the customer experience.


Be Sure Your Zero Trust Plan Gives Complete Coverage

So, you’re moving to a Zero Trust security plan. You know the principles of Zero Trust. Great. But you also need to ensure your Zero Trust plan covers all the bases. That means three areas: what your plan covers, when, and where.

### What do your Zero Trust protocols cover?

Your Zero Trust plan needs to ensure you’re managing access to and from every type of entity. That means access management for:

- All devices—computers, including desktops and laptops, but also mobile phones and other mobile devices.
- All users—employees, contractors, vendors, and customers.
- All types of data and applications—your Zero Trust plan needs to manage access to your cloud applications and data as well as on-prem ones. It needs to handle databases, servers, software, and everything that could put your company at risk.

### When is your access plan applied?

Key to Zero Trust is the idea that you don’t trust access attempts from inside the organization any more than those coming from outside of it. So, when users inside the firewall try to access an application, you manage them largely as you would those outside the firewall. In addition, Zero Trust doesn’t make exceptions. Your high-security requirements apply whenever someone attempts to access an application or data. “When” pretty much means “always.”

### Where do you enforce Zero Trust?

Traditional security methods are focused on the endpoints where cyber criminals initiate their attacks. Zero Trust applies everywhere:

- Data access points
- Cloud applications
- On-prem and legacy apps
- Ideally, the desktop, laptop, or phone—so that even the device login is protected

### The tools for Zero Trust

Identity and access management tools, such as Single Sign-On (SSO) and Multi-Factor Authentication (MFA), can help you address the what, when, and where. SSO improves both security and ease of use, eliminating passwords and using a vetted trust relationship for safe authorization. MFA adds an important level of security by requesting additional data from users to verify they are who they say they are. Add to this a good identity management system that provides role-based access control and easy provisioning capabilities; a system to protect devices through SSO; and, preferably, risk-based authentication that accounts for contextual information such as the user’s location, IP address, and login time to create user profiles and challenge risky login attempts. These tools, on top of a secure infrastructure with micro-segmentation, will help you implement Zero Trust security in a way that isn’t burdensome to users.


How to Get to Zero Trust Security

The idea of Zero Trust security was first introduced by Forrester in 2010. But it’s still not as widely adopted as those in the security industry might hope. That may be changing, though. With the threat from cyber criminals rising every year along with the cost of breaches to businesses, more and more organizations are seeking to implement a Zero Trust model. Here’s the core information you need to implement it in your business.

### The four principles

Zero Trust involves a mind shift more than any one technology. Once you make that mind shift, you can evaluate technical solutions for implementing Zero Trust. Here are the four principles that your company—and especially your IT organization—need to adopt:

#### Threats come from inside as well as outside

This is probably the biggest shift in thinking. Traditionally, IT has been focused on the perimeter of the organization, seeking to prevent entry. The idea is that those inside the organization are generally safe, so less effort is placed on verifying or detecting issues within the firewall. This is sometimes called the castle-and-moat approach to security.

It’s time to change that mindset. In a Zero Trust environment, you assume that threats can come from inside as well as outside. It may be because criminals have already infiltrated your organization, or because you have a bad actor. Either way, it’s just as important to focus on what’s happening inside the organization and to protect against inside attack as against outside attack.

#### Use micro-segmentation

Which leads to principle number two: use micro-segmentation. With this approach, even inside the firewall, areas of the organization are walled off or segmented from others. For example, the marketing department gets access to the tools and data they use: customer information, apps like Salesforce, etc. But they don’t have access to financial data or tools used by accounting, nor the product IP and software that development works with.

#### Least privileged access

Tied to micro-segmentation is the idea of least privileged access. That means limiting users, even within a department, to the minimum information and access they need. Just because someone works in finance doesn’t mean they need access to all the customer and company financial data. Depending upon the user’s role, he or she may only need access to a select set of customers’ data—or no access to customer financials at all. By restricting access to just what’s needed, you help ensure that even if a hacker manages to impersonate a user’s identity, he or she can only do a limited amount of damage.

#### Never trust, always verify

To enforce all of this, an organization must flip the model and use what’s called a Zero Trust approach. You never trust that a user is who they say they are. Instead, you always verify the user’s identity and level of access. Never trust, always verify increases the chances of stopping a criminal or program that has infiltrated your organization before it can gain access to sensitive information or do damage.

### Tools for Zero Trust security

If you’re looking at the four Zero Trust principles with a critical eye, you may see some challenges in the actual implementation. For example, while security requires a never trust/always verify approach, the trick is to keep verification relatively painless for users. Going back to our castle analogy, having gates everywhere that require unlocking with a key can really impact people’s day-to-day productivity. Similarly, we all know that roles are not entirely clean, and some users will need access to applications or data that aren’t assigned to them by default based on their role. That means you need a fast way to provision and de-provision users for apps on an as-needed basis.

With that said, here are four tools central to Zero Trust security:

- SSO—Single Sign-On (SSO) provides the ability for users to sign in once with their credentials, including a single password, and have access to all of their web apps. With the right tools, SSO can also provide single sign-on access to on-prem legacy apps. SSO increases security by getting rid of passwords while also increasing usability and employee satisfaction.
- MFA—Multi-factor Authentication (MFA) is a critical identity and access management (IAM) tool that every organization should be using. MFA requires additional factors when users try to log in. For example, they may be required to enter a PIN or authenticate from a mobile app in addition to entering their username and password. The fact is, passwords alone aren’t secure enough. You need MFA. But MFA should be combined with SSO. Otherwise, you’re adding more steps for users to log in while still requiring them to log in many times per day.
- Fast provisioning systems—When you move to Zero Trust, you’re going to need a system that lets you quickly provision and de-provision users for applications. Since you’re moving to least privileged access, expect to have to make exceptions regularly. So, if your current system of provisioning is time-consuming, things are only going to get worse when you move to Zero Trust.
- Device protection—The device the user is logging in from is the first line of defense and the focal point of attack: the endpoint. So, look for tools that protect and monitor devices so that you can offset the danger at the source.

That’s it. Those are the four principles and four tools to consider first when moving to Zero Trust.


SAML SSO Solution: Secure Logins, Fast Roll Outs

You may have heard of SAML. It stands for Security Assertion Markup Language. SAML is a standard protocol, carried through the web browser, that enables Single Sign-On (SSO) through secure tokens. The great thing about SAML? It completely eliminates the need for passwords. It does so by using standard cryptography and digital signatures to pass a secure sign-in token from an identity provider to a SaaS application.

SAML is an XML-based open standard. It’s the product of the OASIS Security Services Technical Committee. Most common SaaS vendors, such as Salesforce, Google and Microsoft, already support SAML. SAML-enabling apps through other vendors can cost hundreds of thousands of dollars a year in fees, but it is free as part of the OneLogin community.

### Secure, Password-free Login

SAML uses secure tokens: digitally signed and encrypted messages carrying authentication and authorization data, for example a user’s email and company role. It passes these tokens from an identity provider to a cloud application using an established trust relationship. The standards-based nature of SAML delivers interoperability across identity providers and a common way for apps to sign in users based on trusted information without managing credentials.

### How does SAML help?

If you’re an IT administrator, SAML can help you securely get rid of passwords and deploy applications faster. If you’re an app vendor, SAML can help you secure your applications, reduce development costs, and gain wider, faster adoption. For IT, SAML lets you secure user logins and roll out application access faster and more securely.

### Phishing Prevention

SAML helps with security by eliminating passwords. If you don’t have a password for an app, you can’t be tricked into entering it on a fake login page. It also makes for more satisfied users, because it provides streamlined, one-click access from portals or the intranet, deep linking, password elimination, and automatically renewed sessions. One browser redirect is all it takes for a user to securely log in to an application.

### How does SAML help IT?

SAML simplifies life for IT because it centralizes authentication, provides greater visibility and makes directory integration easier. These are just some of the reasons why enterprises love SAML. And if you’re a B2B cloud vendor, you should support it, too, because businesses love it.

### OneLogin and SAML SSO

OneLogin provides single sign-on through SAML for web apps. SAML-based applications work perfectly with OneLogin’s Zero-Config Active Directory Connector, which allows users to sign into applications with their Windows credentials. In addition, it is easy to SAML-enable internal or custom web apps in as little as a few hours using one of OneLogin’s open source SAML Toolkits.

Of course, it’s always a good idea to add multi-factor authentication (MFA) as well, to protect the one SSO password. MFA adds an additional factor to the login, so that even if a hacker gains access to the user’s credentials, the criminal won’t have that other factor and so won’t gain access. SSO and MFA together make for a winning team.


Is Your Enterprise Password Manager Good Enough?

An enterprise password manager or password vault is often the first step that companies take as they try to wrangle passwords and make them secure while also ensuring ease of use for employees. But not all enterprise password managers are the same. Here are the features that any such tool should have, and the extras that only some tools have but that your business might need.

### The basic enterprise password manager

Any of the main enterprise password managers on the market does the basic task of storing user passwords in a secure password database, usually in the cloud. Quality password managers encrypt the data using strong ciphers like AES-256. Most of these tools also have built-in random password generators, making it easy to create secure passwords. When picking a business password vault, you’ll want to make sure you choose a tool that supports employee access across devices and syncs across them. That’s because employees typically use their phones as well as work machines, and may also use personal laptops. The top enterprise password managers will support all the common browsers and mobile operating systems. Now, for the extras.

### Enterprise password managers: extra security options

Two items to look for in a password manager are the ability to reset passwords automatically and the ability to enforce password rules through the tool. Both aid security while avoiding a burden on IT or your helpdesk. For security, it’s important that the enterprise password manager supports two-factor or multi-factor authentication (MFA). A password manager is a good first step in improving password security, but it’s rarely enough by itself. Password managers have been hacked, and various types of attacks can still intercept and capture the password being entered. Make sure the enterprise password vault works with your MFA solution (or includes MFA) to require that users provide additional authentication factors when logging in, such as a PIN from a phone app, a fingerprint, or facial recognition.

### Enterprise password managers: usability extras

For the enterprise password manager to work, employees have to use it. For them to use it, it has to be easy. Look for these capabilities:

- **Fill-in web forms**—Most enterprise password managers include the ability to detect a website and automatically fetch and fill in the login dialog for it. They don’t all do a great job or detect all sites equally well, though.
- **App passwords**—Websites aren’t enough. Employees don’t distinguish between a website and an app—they are all just tools to get the job done. Not all password managers support apps. Look for ones that do. It’ll cut down on employee complaints and increase adoption.
- **On-prem application support**—Even fewer enterprise password managers support on-prem applications. But, again, users don’t make a big distinction between web and on-prem systems. They just want to log in quickly and get their work done. A password manager that doesn’t support your on-prem apps is only a partial solution to the password problem.

### What you probably won’t find in enterprise password managers

Enterprise password managers may provide some basic reports, but they rarely provide the kind of auditing tools needed for compliance with standards like PCI or SOX. They won’t give you the information you need to identify attack attempts, either. Enterprise password managers offer only basic synchronization with directories like Active Directory (AD). If you’re looking to implement security policies based on role, location, etc. with granular permissions using identity and access management (IAM), you’ll need a true single sign-on (SSO) system instead of a password manager. Similarly, if you onboard and offboard through AD, Workday, or other directories—or even multiple directories, as in many organizations—a password manager is likely to prove unwieldy and become just another system you have to maintain.

The right enterprise password manager can be a good first step to increase security for your company. But to maintain password security and keep employees happy, you’ll probably want to move to an IAM solution with SSO. That will enable users to log in just once and then easily access all their work websites and apps—whether cloud-based or on-prem—without having to log in again. It means truly using just one password. And an IAM solution with SSO will integrate with your directories to provide the granular level of permissions and control that is the reason you use a directory like AD in the first place. So, consider an enterprise password manager as a first step on the path to greater security, but don’t expect it to be your last.


6 Types of Password Attacks & How to Stop Them

Here are six types of common password security attacks and steps you can take to prevent them or at least reduce the likelihood of success.

### Dictionary attack

An attack that takes advantage of the fact that people tend to use common words and short passwords. The hacker uses a list of common words, the dictionary, and tries them, often with numbers before and/or after the words, against each username in a company. (Usernames are generally pretty easy to determine, as they are almost universally based on the names of the employees.)

### Brute force

Using a program to generate likely passwords or even random character sets. These attacks start with commonly used, weak passwords like Password123 and move on from there. The programs running these attacks usually try variations on upper- and lowercase characters as well.

### Traffic interception

In this attack, the cyber criminal uses software such as packet sniffers to monitor network traffic and capture passwords as they’re passed. Similar to eavesdropping or tapping a phone line, the software monitors and captures critical information. Obviously, if that information—such as passwords—is unencrypted, the task is easier. But even encrypted information may be decryptable, depending on the strength of the encryption method used.

### Man in the middle

In this attack, the hacker’s program doesn’t just monitor information being passed but actively inserts itself in the middle of the interaction, usually by impersonating a website or app. This allows the program to capture the user’s credentials and other sensitive information, such as account numbers, social security numbers, etc. Man in the middle (MITM) attacks are often facilitated by social engineering attacks which lure the user to a fake site.

### Key logger attack

A cyber criminal manages to install software that tracks the user’s keystrokes, enabling the criminal to gather not only the username and password for an account but exactly which website or app the user was logging into with the credentials. This type of attack generally relies on the user first falling prey to another attack that installs the malicious key logger software on their machine.

### Social engineering attacks

Social engineering attacks refer to a broad range of methods to obtain information from users. Among the tactics used are:

- **Phishing**—Emails, texts, etc. sent to fool users into providing their credentials, clicking a link that installs malicious software, or going to a fake website.
- **Spear phishing**—Similar to phishing but with better crafted, tailored emails/texts which rely on information already gathered about the users. For example, the hacker may know that the user has a particular type of insurance account and reference it in the email, or use the company’s logo and layout to make the email seem more legitimate.
- **Baiting**—Attackers leave infected USBs or other devices in public or employer locations in the hope that they will be picked up and used by employees.
- **Quid pro quo**—The cyber criminal impersonates someone, like a helpdesk employee, and interacts with a user in a way that requires getting information from them.

### Thwarting password attacks

Strong passwords are usually the first defense against password attacks. The latest NIST guidelines recommend easy-to-remember, hard-to-guess passwords. A good mix of upper- and lowercase characters, numbers, and special characters can help. Even better, avoid common words and common phrases. Definitely avoid site-specific words (including the name of the app you’re logging into in the password, for instance). NIST also recommends checking passwords against a dictionary of known poor passwords.

Employee education is also important. One of the best defenses against social engineering tactics is teaching users the techniques hackers use and how to recognize them.

Strong passwords and education really aren’t enough these days, though. Computing power allows cyber criminals to run sophisticated programs to obtain or try massive numbers of credentials. That’s why NIST also recommends not relying on passwords alone. Specifically, companies should adopt tools like single sign-on (SSO) and multi-factor authentication (MFA), also known as two-factor authentication. SSO helps eliminate passwords by letting employees log in to all their apps and sites with just one set of credentials. Users only need to remember one strong password. MFA requires an additional piece of information when the user logs in, such as a PIN generated by an application like OneLogin Protect or fingerprint authentication. This additional piece of information makes it far more difficult for cyber criminals to impersonate a user.


Business Use of Cloud Password Managers

Password managers, password vaults, single sign-on—they’re all terms you’ve probably heard as ways to create and manage secure passwords using identity and access management technologies. But what are they and how do they differ?

### Password managers vs. password vaults

Password managers and password vaults are just two terms for the same kind of product. These products are secure storage systems that encrypt and store user passwords for different websites or apps. Usually, an employee logs into the password manager with one password and then can access all the passwords they’ve created for their work apps and websites. Modern password managers do more than this, though. Most will generate strong, random passwords for the employee to use on websites or apps. And most now offer browser extensions that will fetch the credentials for the site the user is logging into, populating the login dialog to make it easier to log in without having to remember all those passwords.

### Single sign-on vs. password managers

Single sign-on (SSO) is a different technology that lets users securely authenticate to websites and apps by logging in just once a day with one password. After that, the user is automatically logged into any work app or site without having to re-enter credentials. SSO doesn’t rely on looking up the user’s password in a database. Instead, it relies on standards like SAML or OpenID Connect to log in using trust relationships. That means the third-party site (an app or website) trusts the SSO tool to verify that the user is who he or she says he or she is.

### Cloud password managers

Most password managers these days are cloud-based. Of course, you can use a password manager that stores the database on the employee’s local machine, but that makes it hard to access passwords when the employee logs into a website from their phone or a different machine. That said, many password managers require that you install browser extensions or mobile apps in order to have access from every device and browser. A cloud-based password manager also helps ensure you don’t lose your passwords if there is an event on a server or machine.

### Is a cloud password manager the solution you need?

For individuals trying to keep their personal passwords secure, a cloud password manager makes sense. It’s better than a spreadsheet or using the same password for every site (which is the most common tactic). When you’re looking for a solution to password challenges for your business, though, a cloud password manager may not be best.

Password managers for businesses often store all the organization’s users’ passwords in one database. The password manager then just becomes another attack surface for hackers. That makes the recent news from ISE even more alarming. It showed that some major password managers expose user credentials in memory, even in a locked state. The master password for the password manager may even be exposed.

One way to add to the security of password vaults or managers is to require multi-factor authentication (MFA). This ensures that cybercriminals who obtain an account’s username and password still can’t log in. Unfortunately, not all password managers support MFA, or support it in a seamless fashion.

And password managers just don’t provide the level of security that single sign-on (SSO) does. They don’t let you manage role- or location-based access rights within an application. They don’t let you refine access by, for instance, restricting access to confidential data or requiring more frequent authentication for apps with confidential access. They don’t let you implement smart authentication, such as restricting access to some apps or sites when users are logging in from locations deemed less secure.

Unlike SSO, most password managers don’t synchronize with your cloud directory or your Active Directory system for role-based access to provide a seamless experience for IT and users. They also usually don’t provide the fine-grained control and auditing functionality that many standards require for compliance. SSO, on the other hand, lets you see who has logged in and where they’ve logged in from, even down to the IP address.

Lastly, most cloud password managers only work on websites and web apps. They don’t enable easy login on the desktop or on-prem applications. SSO tools, using LDAP and products like OneLogin Desktop, can give employees a single login experience that works the same across all their applications and devices. The result is greater employee satisfaction and productivity.

Cloud password managers supplemented by MFA are a good first step for smaller businesses that aren’t ready to invest in single sign-on. But rapidly growing businesses and mid-size to larger companies will find they outgrow their cloud password manager quickly and need to look at more robust single sign-on tools to meet their evolving security and ease-of-use requirements.


Helpdesk Password Reset Best Practices

If your organization has a helpdesk or other staff handle password resets, remember that password reset tickets are an opportunity for hackers. When an employee, vendor, or customer forgets a password, their account is vulnerable. Your helpdesk processes can create more vulnerability if you aren’t following password management, and ultimately identity and access management, best practices. So, don’t open the door to hackers. Make sure your helpdesk and its password reset processes are secure.

### Start with the password reset call or ticket

First, make sure your helpdesk is secure. Helpdesks are often a target of attack. So be sure you have your own security house in order. That means secure machines, security training, and [NIST-compliant](/compliance/nist-cybersecurity-framework) processes.

Then, when users call or email to say they’ve forgotten their password, start with user verification, i.e., verify that the user is the owner of the account. And make sure your verification process is hard for hackers to infiltrate. That means don’t use common security questions. Traditional questions like mother’s maiden name, the user’s high school, or the employee’s hire date ask for information that can easily be discovered online by cyber criminals. Ideally, use [multi-factor authentication](/learn/what-is-mfa) (MFA) to verify users. MFA that requires a card key or that requires the user to respond to an email or text, i.e. device in hand, is preferred for efficient identity and access management. If that’s not possible, ask a series of questions that rely on personal information that’s not easy for a hacker to find.

### Helpdesk temporary passwords

Some helpdesks respond to password reset requests by providing a temporary password. This isn’t the preferred approach because it means at least two people know the password, and it requires conveying a temporary password, which opens an opportunity for infiltration. If you must use this approach, follow these guidelines:

- Always use a unique password for each user. **Don’t** use the same temporary password for everyone—which would mean that a single mistake opens the door to multiple accounts.
- Use long passwords, ideally sixteen characters or more.
- Randomly generate the passwords. They should consist of random characters, not words. And nothing predictable like HiredateName.
- Use a mix of uppercase, lowercase, numbers, and special characters. Avoid obvious and common substitutions like zero for the letter O or three for the letter E.

If you do send a temporary password, you need a way to verify that the user changed his or her password from the temporary one that you provided. And your password requirements should ensure that whatever new password the user comes up with is also a strong one.

### Password reset emails

If you respond to requests with an email, you still need a verification process to ensure that the reset request isn’t coming from a hacker. To be safe, make sure that you separately email or otherwise notify the user that there was a password reset request and/or that the password was reset. And include a way for the person to contact your helpdesk if he or she didn’t request that reset, so you can thwart any attack.

In your response email, never send the new or temporary password. Don’t even send the account holder’s username in the email. Doing so provides an opportunity for hackers to intercept the email and gain half of the credential pair. Ideally, you will send a password reset link so that no temporary password is necessary and the user can reset his or her own password. When you do:

- Make sure your email doesn’t look like a phishing email. The spelling should be correct and the email professionally formatted.
- Set an expiration on the reset link and make it a one-time use link. That closes another potential door to cyber criminals.
- Make sure you include instructions for how to contact support if the user needs more help or didn’t request the reset.

For the reset link itself, be careful that the redirect or thank-you page you go to after the reset doesn’t give away information about the user or the types of accounts that the user has. For example, don’t redirect to an administrator login or to a portfolio account login, revealing information to potential hackers about the person’s privileges or what they own.

Lastly, use the reset as an opportunity to educate employees and customers. The more employees understand and work to increase security, the safer you are. Make sure they know why strong passwords, though harder to remember, are important and what might be at risk if their account is breached.

### A better way

If you’re still doing password resets manually, you know it’s an expensive process. Today, there are many tools that make password resets easier. The best ones [remove IT/helpdesk from the password reset process](/resource-center/topics/password-reset-it-middle-guy) entirely, by enabling users to do automatic password resets. Automatic password reset tools can still require multi-factor authentication and can enforce strong password requirements, but they eliminate the delays that frustrate users and many of the vulnerabilities inherent in a manual process.
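The temporary-password guidelines and the one-time, expiring reset link described above, together with the NIST-style blocklist check from the password attacks topic, as an added example that is not part of this page or any OneLogin product. The function and class names, the short blocklist, the 15-minute expiry and the sample user “jdoe” at site “acme” are assumptions for illustration.

```python
"""Added example, not OneLogin's code: building blocks for the helpdesk reset
guidelines above and for the NIST-style blocklist check from the password
attacks topic. Names, the blocklist, the expiry window and the sample user
"jdoe" at site "acme" are constructed for illustration."""
import hashlib
import secrets
import string
import time

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?"
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL

# Constructed stand-in for a large list of known-poor / breached passwords.
POOR_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein", "welcome1"}


def generate_temp_password(length: int = 16) -> str:
    """Unique, random temporary password: 16+ characters drawn from a CSPRNG,
    with at least one uppercase, lowercase, digit and special character."""
    if length < 16:
        raise ValueError("temporary passwords should be at least 16 characters")
    while True:  # rejection sampling keeps the draw uniform over the alphabet
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in group for c in candidate) for group in (UPPER, LOWER, DIGITS, SPECIAL)):
            return candidate


def password_is_acceptable(password: str, username: str, site_name: str) -> bool:
    """Screen a user-chosen password as NIST SP 800-63B suggests: minimum length,
    a blocklist of known-poor passwords, and no context-specific words such as
    the site or app name or the username."""
    if len(password) < 8:
        return False
    lowered = password.lower()
    # Undo the obvious substitutions (0->o, 3->e, 1->i, 5->s, @->a, $->s) so that
    # P@ssw0rd is still caught by the blocklist entry "password".
    desubbed = lowered.translate(str.maketrans("0315@$", "oeisas"))
    if lowered in POOR_PASSWORDS or desubbed in POOR_PASSWORDS:
        return False
    for context_word in (username.lower(), site_name.lower()):
        if context_word and (context_word in lowered or context_word in desubbed):
            return False
    return True


class ResetLinkStore:
    """One-time, expiring reset tokens. Only a hash of each token is kept, so a
    copy of this table cannot be turned back into working links, and the username
    is never part of the link that goes out in the email."""

    def __init__(self, ttl_seconds: int = 15 * 60, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock      # injectable so expiry can be demonstrated offline
        self._pending = {}      # token hash -> (username, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str) -> str:
        """Create a token for `username`; return it for embedding in the reset link."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (username, self.clock() + self.ttl)
        return token

    def redeem(self, token: str):
        """Return the username if the token is known, unused and unexpired, else None.
        The token is consumed on first sight either way, so it can never be replayed."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        username, expires_at = entry
        return username if self.clock() <= expires_at else None


if __name__ == "__main__":
    temp = generate_temp_password()
    print("temporary password:", temp, "| acceptable:", password_is_acceptable(temp, "jdoe", "acme"))
    print("P@ssw0rd acceptable:", password_is_acceptable("P@ssw0rd", "jdoe", "acme"))

    now = [1_000_000.0]  # fake clock
    store = ResetLinkStore(ttl_seconds=900, clock=lambda: now[0])
    token = store.issue("jdoe")
    print("first use:", store.redeem(token))      # jdoe
    print("second use:", store.redeem(token))     # None: one-time only
    stale = store.issue("jdoe")
    now[0] += 901
    print("after expiry:", store.redeem(stale))   # None
```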


What is Two-Factor Authentication (2FA)?

Cyber attackers are relentless. They hunt, phish, scam, and social-engineer everybody, including privileged users, to infiltrate your organization. Once inside, they look for opportunities to elevate privilege and appropriate resources. Every app is vulnerable. Without controlling cloud and on-prem application access, organizations are at risk of a security breach. Two-factor authentication helps thwart attacks and protect corporate data as a key identity and access management (IAM) solution.

### What is two-factor authentication?

Two-factor authentication (2FA) adds an additional layer of security when users log in to apps. Without additional authentication, users are asked to prove their identity by providing simple credentials such as an email address and a password. With 2FA, they are asked for a second factor (2F), usually by prompting the user to provide information via a physical token (i.e. a card) or a security question whose answer only they know. US Federal regulations recognize the following authentication factor options:

### How does 2FA make companies more secure?

Having an additional authentication factor prevents someone from signing into a user’s account—even if they know the user’s password. Other factors are needed because passwords, by themselves, just aren’t safe. They can be compromised in a number of ways:

- Most individuals choose an easy-to-remember password, which is therefore easy to hack. For example, they use discoverable information such as a pet’s name, a birthplace, or an important date like their anniversary.
- Most individuals reuse the same password for several applications. So, once a cyber criminal gets the password, he or she has access to more than one application.
- Cyber criminals themselves use many different and increasingly sophisticated techniques to [compromise login credentials](/learn/what-is-cyber-security).

That’s why more factors help. If authentication requires both a password and, say, a USB token with a digital certificate on it, a criminal would need to know the user’s credentials and be in possession of the USB token in order to sign into the user’s account. Without both, any unauthorized access would fail and trigger a security event to let the admin know of a suspicious login attempt.

Authentication can be made even stronger by combining additional identity and access management (IAM) factors to achieve [multi-factor authentication](/learn/what-is-mfa) (MFA). Multi-factor authentication allows you to add factors like a PKI certificate in the user’s browser or require a mobile app for authentication. And products like OneLogin Desktop increase security via an on-laptop certificate that delivers a second factor of authentication in the form of a trusted device.

### Strong authentication factors for 2FA

There are a variety of second authentication factors that can be used for 2FA to secure application access. Here are some examples:

- One-time password (OTP) – A unique password which can only be used once. This is typically a short string of numbers generated based on a secret stored in a physical device such as a USB token or a smartphone. Upon authentication, the one-time password is verified against the OTP vendor’s service in the cloud. Even if someone manages to steal the password, it cannot be used to log in successfully without the OTP.
- Time-based PIN – A sequence of digits which have to be entered within a short window, typically 30 to 60 seconds. The PIN can be generated by a software application or hardware device with a very precise clock. The security lies in the fact that the PIN is only valid for a short period of time.
- Digital (PKI) certificates – A digital certificate, issued by a trusted certificate authority, is installed on the device or in the user’s browser. The identity provider can check for the presence of valid certificates as well as revoke them at any time. Only a browser with a valid certificate will be allowed to sign in.
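How the one-time password and time-based PIN factors above are generated and checked, as an added example that is not OneLogin code: HOTP (RFC 4226) turns a shared secret and a counter into a short code, TOTP (RFC 6238) derives the counter from the clock in 30-second steps, and the verifier class shows the server-side pieces the text implies (a small drift allowance and refusal to accept the same PIN twice). The secret is the RFCs' published test secret; the class and function names are assumptions.

```python
"""Added example, not OneLogin's code: how the time-based PIN described above is
produced and checked, per RFC 4226 (HOTP) and RFC 6238 (TOTP) with HMAC-SHA1 and
a 30-second step. The secret below is the RFCs' published test secret."""
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"  # ASCII test key from RFC 4226 / RFC 6238


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C): HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to a 31-bit integer, then reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16) \
        | (mac[offset + 2] << 8) | mac[offset + 3]
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP whose counter is the number of `step`-second windows since the
    Unix epoch; that is why the PIN is only valid for a short time."""
    return hotp(secret, int(unix_time // step), digits)


class TotpVerifier:
    """Server side: tolerates a little clock drift between device and server, and
    remembers the last window it accepted so a PIN captured in transit cannot be
    replayed inside its validity window (the "one-time" in one-time password)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, drift_windows: int = 1):
        self.secret, self.step, self.digits, self.drift = secret, step, digits, drift_windows
        self.last_accepted = -1

    def verify(self, submitted: str, unix_time: float) -> bool:
        window = int(unix_time // self.step)
        for delta in range(-self.drift, self.drift + 1):
            candidate = window + delta
            if candidate <= self.last_accepted:       # already used (or older): reject
                continue
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, submitted):  # constant-time comparison
                self.last_accepted = candidate
                return True
        return False


if __name__ == "__main__":
    now = time.time()
    pin = totp(RFC_TEST_SECRET, now)
    print("current 6-digit PIN for the RFC test secret:", pin)
    print("seconds until it rotates:", 30 - int(now) % 30)
    verifier = TotpVerifier(RFC_TEST_SECRET)
    print("first submission accepted:", verifier.verify(pin, now))   # True
    print("same PIN again accepted:", verifier.verify(pin, now))     # False
```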


The Truth About Passwordless Authentication

Passwordless authentication is the new buzzword in secure authentication for identity and access management (IAM) solutions. With good reason. [Passwords remain a weakness](/resource-center/topics/5-reasons-passwords-disaster) for consumers and those trying to secure customer and corporate data. In fact, 81 percent of breaches involve weak or stolen passwords. And passwords are the number one target of cyber criminals.

For IT departments, passwords are a burden in multiple ways. First, they have to store the passwords securely. Failure to do so risks a breach, which can have a huge impact on the bottom line, share value, and the organization’s reputation for years to come. Second, when you’re the keeper of passwords, you’re tasked with supporting them, too. That often means [handling password resets](/learn/help-desk-password-reset-best-practices) that flood the helpdesk. So, there’s good reason for organizations to want to dump passwords and move to passwordless authentication.

### How does passwordless authentication work?

Passwordless authentication is a type of [multi-factor authentication](/learn/what-is-mfa) (MFA), but one that replaces passwords with a more secure authentication factor, such as a fingerprint or a PIN. With MFA, two or more factors are required for verification when logging in.

Passwordless authentication relies on the same principles as digital certificates: a cryptographic key pair with a private and a public key. Although they are both called keys, think of the public key as the padlock and the private key as the actual key that unlocks that padlock. There is only one key for the padlock and only one padlock for the key. An individual wishing to create a secure account uses a tool (a mobile app, a browser extension, etc.) to generate a public-private key pair. The private key is stored on the user’s local device and is tied to an authentication factor, such as a fingerprint, PIN, or voice recognition. It can only be accessed with this gesture. The public key is provided to the website, application, browser, or other online system for which the user wants to have an account.

### Passwordless authentication brings freedom and security

Today’s passwordless authentication relies on the FIDO2 standard (which encompasses the WebAuthn and CTAP standards). Using this standard, passwordless authentication frees IT from the burden of securing passwords. Why? Because while, as a service provider, you may store people’s public keys, the public keys are just that: public. Like a padlock, if a hacker gets the public key, it’s useless without the private key that unlocks it. And the private key remains in the hands of the end user or, within an organization, the employee.

Another benefit of passwordless authentication is that the user can choose what tool he or she uses to create the keys and authenticate. It might be a mobile app like OneLogin Protect. It might be a biometric or a physical device, such as a YubiKey. The app or website to which the user is authenticating is agnostic. It doesn’t care how you create your key pair and authenticate. In fact, passwordless authentication relies on this. For example, browsers implementing passwordless authentication may have JavaScript that is downloaded when you visit a page and that runs on your machine, but that script is part of the website and does not store your critical information. It and the website aren’t trusted with your private key, hence they aren’t a profitable attack surface for cyber criminals.

As a multi-factor authentication method, passwordless authentication will continue to evolve. Most organizations still use traditional passwords as their core authentication method. But the widespread and well-known issues with passwords are expected to increasingly drive businesses using IAM toward MFA and toward passwordless authentication.
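The padlock-and-key model above as a working challenge-response login, added here as an illustration that is not OneLogin code and not a FIDO2/WebAuthn implementation: the user's device generates the pair, keeps the private key behind a local gesture (a PIN stand-in), and the site stores only the public key and verifies a signature over a fresh, one-time challenge. Textbook RSA over freshly generated primes is used purely so the example runs with the standard library; the class names, the PIN gesture and the challenge flow are assumptions.

```python
"""Added example, not OneLogin's code and not a FIDO2/WebAuthn implementation: the
padlock-and-key model above as a working challenge-response login. The private
key stays on the user's device behind a local gesture (a PIN stand-in here); the
site stores only the public key and verifies a signature over a fresh, one-time
challenge. Textbook RSA over freshly generated primes is used purely so this runs
with the standard library; class and method names are assumptions."""
import hashlib
import hmac
import math
import secrets


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test (probabilistic; error below 4**-rounds)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if _is_probable_prime(candidate):
            return candidate


class Authenticator:
    """The user's device or app: generates the key pair, keeps the private key,
    and signs challenges only after the local gesture succeeds."""

    def __init__(self, pin: str, bits: int = 512):
        self.e = 65537
        while True:
            p, q = _random_prime(bits), _random_prime(bits)
            phi = (p - 1) * (q - 1)
            if p != q and math.gcd(self.e, phi) == 1:
                break
        self.n = p * q
        self._d = pow(self.e, -1, phi)   # private exponent: never leaves the device
        self._pin = pin

    def public_key(self) -> tuple:
        return (self.n, self.e)          # the "padlock": safe to hand to any website

    def sign(self, pin: str, challenge: bytes) -> int:
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("local gesture failed; private key not released")
        digest = int.from_bytes(hashlib.sha256(challenge).digest(), "big")
        return pow(digest, self._d, self.n)


class RelyingParty:
    """The website or app: stores public keys only and issues one-time challenges."""

    def __init__(self):
        self.registered = {}    # username -> (n, e)
        self._outstanding = {}  # username -> challenge awaiting a signature

    def register(self, username: str, public_key: tuple) -> None:
        self.registered[username] = public_key

    def begin_login(self, username: str) -> bytes:
        challenge = secrets.token_bytes(32)   # fresh nonce: a captured signature is useless later
        self._outstanding[username] = challenge
        return challenge

    def finish_login(self, username: str, signature: int) -> bool:
        challenge = self._outstanding.pop(username, None)  # consumed whether or not it verifies
        if challenge is None or username not in self.registered:
            return False
        n, e = self.registered[username]
        expected = int.from_bytes(hashlib.sha256(challenge).digest(), "big")
        return pow(signature, e, n) == expected


if __name__ == "__main__":
    device = Authenticator(pin="2468")
    site = RelyingParty()
    site.register("jdoe", device.public_key())                 # registration: padlock only
    challenge = site.begin_login("jdoe")
    signature = device.sign("2468", challenge)                 # gesture, then sign
    print("genuine login:", site.finish_login("jdoe", signature))       # True
    print("replayed signature:", site.finish_login("jdoe", signature))  # False
```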


Biometric Authentication: Good, Bad, & Ugly

It seems like biometrics are everywhere in Identity and Access Management (IAM): fingerprints, facial recognition, voice recognition, and more. But are biometrics really the cure for secure authentication? Like all technologies, this one has pros and cons. In this topic, we’ll examine the good, the bad, and the ugly side of biometrics for authentication.

### The good part about biometrics for security

There’s a reason biometrics are increasingly popular in identity management: they’re harder to fake. Authentication has evolved. It started with what you know, a username and password, for instance. But it’s easy to steal or trick people into giving up the information they know. So, authentication techniques moved to what you have: a cell phone in hand or a card key. This, combined with what you know, made users more secure. But even this might not be secure enough: cyber criminals could still obtain or fake the devices users had. What you are, demonstrated through biometrics, is the next stage for authentication. And it’s true, it’s much harder to fake someone’s voice, fingerprint, iris, etc.

On top of that, biometric authentication is often easier for users: you carry yourself around everywhere. Putting a finger over a keypad or looking into an eye scanner isn’t tough to do. Some systems, such as facial recognition, can even authenticate without the user consciously making a gesture. Simply move into a room or sit in front of your computer and you’re authenticated via facial recognition, for instance. Best of all, users aren’t going to forget their fingers or eyes like they do passwords or physical keys. You won’t have all those password reset tickets piling up at your helpdesk with biometrics.

### The bad part about biometrics for authentication

So, what’s the downside? First, while biometrics are generally more secure, they aren’t foolproof. For example, smartphone fingerprint scanners often rely on partial matches, and researchers have found that it’s possible to create “master prints” that match partials well enough to give access to a large number of user accounts. Researchers have also demonstrated the ability to create fake fingerprints from high-quality prints left behind. Others have found ways to use photos or 3D prints to trick iris scanners or facial recognition systems. Sometimes the issue isn’t so much that the system can be hacked as that it too often fails to recognize a valid user: someone wearing different makeup or new glasses, or the voice of a user who is sick or has just woken up.

So it’s no surprise, then, that quality biometric solutions cost more. In fact, 67 percent of IT professionals cite cost as the biggest reason for not adopting biometric authentication. There are hidden costs, too, with 47% of those surveyed reporting a need to upgrade systems in order to support a shift to biometrics.

This is why many companies considering adoption of biometrics are focused on using it as only one component of [multi-factor authentication](/learn/what-is-mfa) (MFA). MFA can require a biometric factor and a non-biometric one. If one authentication factor is hacked, the user’s account is still secured by the other. And with tools like risk-based authentication, MFA can adapt to challenge users when the probability of cybercrime is high and reduce the barriers to entry when it’s low.

### The ugly side of biometrics

If you’ve been following developments in biometrics, you’re probably aware of the ethical concerns surrounding many forms of biometrics. One of them involves bias. Facial recognition systems may not recognize people of color or non-cisgender people as accurately. And learning systems for biometrics have too often been trained primarily on white or white male photos, creating a clear bias that results in difficulty recognizing people in the broader population.

Additionally, there are fears about how biometric data could be used. Who has access to images used for facial recognition, fingerprints, or voice patterns? Is it acceptable for companies to sell or provide their biometric data to others, such as law enforcement, immigration enforcement, or repressive foreign governments?

For businesses, another ugly side of biometric data is the storage issue. Where biometric data is stored, it must be stored securely. Because if it’s hacked, there’s no going back—a person can’t change their fingerprint or their iris. That means losing your biometric data presents a permanent risk of hacking for the rest of your life. Companies that choose to store employees’ or customers’ biometric data are taking on a big financial and ethical responsibility. This is one reason to consider on-device storage, where the biometric data is stored on the device that authenticates the user, like the user’s smartphone or computer. This gives the user control over the data and it also restricts its location to a local device, reducing the likelihood of a cyber criminal gaining access to large sets of biometric data through a single breach.

While there are many sides to the biometric debate, one thing is for certain: the technology is here to stay. Despite the bad and the ugly side of biometrics, the good side is outweighing them, enough that companies are expected to continue adopting biometrics for authentication.


What is Identity & Access Management (IAM)?

Identity and access management (IAM) refers to the policies and tools used by IT departments to ensure that people and entities have the appropriate level of access to the organization’s technical resources. IAM systems are technology solutions to securely manage digital identities and their access to various applications and systems. IAM systems manage people and also other kinds of identities, such as software (apps or programs) and hardware (such as IoT devices). IAM systems perform two key tasks:

- **Authenticating** that the entity is who it purports to be. When you enter a username and password into a website, the website authenticates you by checking its database to see if your username and password match what is in the database. This is a form of authentication, albeit a less secure method than modern authentication.
- **Authorizing** the entity for the appropriate level of access to resources. Authorization is the process of checking what access the authenticated user is allowed to have to technical resources and ensuring only that access. For example, if you log into a content management system as an editor you are allowed to make changes to content, but you are not allowed to make changes to the user accounts or add new users.

IAM systems are an important element of cybersecurity because they are designed to perform the key function of providing secure access to enterprise resources.

### Key IAM system functionality

IAM systems provide this core functionality:

| Task | Tools |
| --- | --- |
| Manage user identities | IAM systems manage user identities. The IAM may be the sole directory used to create, modify, and delete users (such as employees). Or it may integrate with one or more other directories, such as Microsoft Active Directory, and synchronize with them. |
| Provisioning/deprovisioning users | Once a user is in the system, IT must provision the user, which is the process of specifying which apps, resources, etc. the user has access to and what level of access (administrator, editor, viewer, etc.) the user has to each item. Since it would be time-consuming to specify every individual’s access to every resource, identity management systems generally enable provisioning via policies defined based on role-based access control (RBAC). Users are assigned one or more roles, usually based on job function, and are automatically given access as per the definitions for that role. Just as it can be time-consuming to provision users, it can be time-consuming to deprovision them from all the apps and systems to which they have access. An IAM system automates this process—which is important since ex-employees who still have access present a serious security risk. |
| Authenticating users | IAM systems perform the task of authenticating a user when the user requests access. Today, secure authentication means multi-factor authentication and, preferably, adaptive authentication. |
| Authorizing users | After authenticating the user, the IAM system authorizes the user for access, as needed, to specific apps and resources based on the user’s provisioning. |
| Reporting | IAM systems provide reports that help organizations prove compliance with regulations, identify potential security risks, and improve their IAM and security processes. |
| Single Sign-On | Single Sign-On is not a component of all identity management systems, but it is a component of the best ones. SSO adds security and makes users more productive by making it faster and easier for them to access the resources they need without having to log in each time or remember many different passwords. |

### Cloud versus On-Prem Systems

IAM systems can be cloud-based (often called IDaaS) or on-prem. The first IAM systems were on-prem, i.e. physically located within the organization’s firewall and managed by the organization.
Today, more and more organizations are moving to cloud IAM systems, with McKinsey reporting that only 38 percent of the enterprises they interviewed expect to be on-prem in three years. In three years, 60 percent will rely on a third-party IAM service that supports multiple public-cloud environments and unifies access across on-prem and public-cloud resources. The move to cloud IAM is being driven by cost savings and reliability. Using a third-party cloud IAM means savings in infrastructure and maintenance. It also reduces the risk of downtime as cloud vendors provide distributed and redundant systems with high up-time and short SLAs.
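
To make the two key tasks and the RBAC provisioning model concrete, here is a small identity store added as an illustration for this page; it is not OneLogin’s code or any product’s implementation. The role names, the permission strings and the PBKDF2 password hashing are assumptions made for the example. The points it shows are that access is granted through roles rather than per user, that authentication and authorization are separate checks, and that deprovisioning is one action that removes everything at once.

```python
"""Identity store with password authentication, role-based provisioning and
authorization checks. Constructed illustration for this page; role names,
permission strings and users are assumptions, not any product's schema."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set

# Provisioning policy: access is defined per role, never per individual user.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer": {"cms:content:view"},
    "editor": {"cms:content:view", "cms:content:edit"},
    "admin": {"cms:content:view", "cms:content:edit", "cms:users:manage"},
}


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    roles: Set[str] = field(default_factory=set)
    active: bool = True


class IdentityStore:
    """The directory: creates users, authenticates them, answers authorization
    queries from their roles, and deprovisions them in a single step."""

    def __init__(self, iterations: int = 100_000):
        self.iterations = iterations
        self.users: Dict[str, User] = {}
        # Salt used to hash against when the user does not exist, so that
        # response time does not reveal which usernames are valid.
        self._dummy_salt = os.urandom(16)

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def create_user(self, username: str, password: str, roles: Iterable[str]) -> None:
        unknown = set(roles) - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        salt = os.urandom(16)
        self.users[username] = User(username, salt, self._hash(password, salt), set(roles))

    def authenticate(self, username: str, password: str) -> bool:
        """Authentication: is the entity who it claims to be?"""
        user = self.users.get(username)
        if user is None or not user.active:
            self._hash(password, self._dummy_salt)  # same cost as a real check
            return False
        return hmac.compare_digest(self._hash(password, user.salt), user.pw_hash)

    def permissions(self, username: str) -> Set[str]:
        """Effective permissions: the union of the user's role definitions."""
        user = self.users.get(username)
        if user is None or not user.active:
            return set()
        return set().union(*(ROLE_PERMISSIONS[r] for r in user.roles))

    def authorize(self, username: str, permission: str) -> bool:
        """Authorization: may this (already authenticated) user do this?"""
        return permission in self.permissions(username)

    def deprovision(self, username: str) -> None:
        """One action that removes every access the user had."""
        user = self.users[username]
        user.active = False
        user.roles.clear()


if __name__ == "__main__":
    store = IdentityStore()
    store.create_user("alice", "correct horse battery staple", ["editor"])
    print(store.authenticate("alice", "correct horse battery staple"))  # True
    print(store.authorize("alice", "cms:content:edit"))                 # True
    print(store.authorize("alice", "cms:users:manage"))                 # False
    store.deprovision("alice")
    print(store.authenticate("alice", "correct horse battery staple"))  # False
```

The editor example from the text falls out of the role table: an `editor` can edit content but `cms:users:manage` is only in the `admin` role, so the authorization check refuses it even though authentication succeeded.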


What is Cybersecurity & Why Do We Need It

Cybersecurity is the practice of defending technical assets and data from malicious attack. This includes protecting computers, servers, mobile devices, electronic systems, networks, and corporate data. Cybersecurity encompasses:

- **Network security**, securing a computer network from intruders.
- **Application security**, keeping software and devices threat-free, important because they can provide access to corporate data.
- **Information security**, protecting data in storage and in transit.
- **Operational security**, ensuring users have appropriate permissions when accessing a network and that data is stored and shared securely.
- **Disaster recovery and business continuity**, planning for adequate response to security incidents, data losses, or outages, as well as recovery in those instances. Business continuity is the plan the organization uses to continue operating when dealing with an incident.

### What is a cyber attack?

A cyber attack is an attempt to steal, alter, expose, disable, destroy, or simply gain unauthorized access to a computer system or network. Some common types of attacks include:

- **Distributed Denial of Service (DDoS)**, in which attackers overwhelm the targeted resource (such as a website or network) with superfluous requests, attempting to overload the servers in order to prevent some or all legitimate requests from being fulfilled. For example, the attacker may use many different IP addresses to send hundreds of thousands of “contact us” requests to a website, overwhelming the site and causing it to go down.
- **Phishing**, in which attackers obtain a set of phone numbers/email addresses and send a compelling message to all of them, hoping to get the user to click a link leading to a fake website where the user will enter his or her username and password. The attacker can then use it to log in and capture data, steal money, etc.
- **Spear phishing**, in which attackers send carefully crafted and very believable messages to smaller groups of individuals. The messages are specifically relevant to this group of people and often include personal information the attackers have obtained (such as a colleague’s name or some event the individuals recently attended). The message then acts like a regular phishing attack.
- **Keylogger**, in which attackers manage to install a program on the user’s machine which captures keystrokes, including the usernames and passwords for specific sites, apps, etc.
- **Credential stuffing**, in which attackers use stolen username/password pairs and try to use them on many different websites or apps, hoping the user has used the same credentials for multiple sites. (This works because users do frequently use the same credentials across websites.)
- **Brute force and reverse brute force attacks**, in which attackers generate possible username/password combinations based on typical patterns that people use, and then programmatically try to use them on many websites/apps to try to gain access.
- **Man-in-the-middle (MITM) attacks**, in which attackers insert a program between the user and an app or website. For example, the program might look like a public Wi-Fi login. The program then captures the user’s login credentials or hijacks the user’s session so it can take actions hidden from the user.

### What is a security incident and a security breach?

A security incident is an event that violates an organization’s security policies or procedures. Verizon’s 2016 Data Breach Investigations Report defines an incident as a “security event that compromises the integrity, confidentiality, or availability of an information asset.” A security breach is an incident that meets legal definitions at the state or federal level such that it qualifies as a data breach. Many state, federal, and compliance regulations require specific notifications in the event of a data breach, such as letting affected individuals or regulatory organizations know.

### How do you implement cybersecurity?

There are no cybersecurity silver bullets, but being proactive and attentive increases the chances of preventing or mitigating a security incident or breach. Protecting your business or organization from cyber attack requires coordinated activity on multiple fronts. The IT department in an organization generally “owns” cybersecurity, but every employee, vendor, supplier, and person who has access to corporate resources plays a role. Defending the organization requires efforts on at least three fronts:

- **Technology**—The right technical security tools are, of course, critical. Technical solutions should be implemented to protect on-prem networks and systems, cloud systems and apps, and all endpoints, i.e. devices, internet of things (IoT), routers, and any other entry points to your networks and systems. A Privileged Access Management system and an Identity and Access Management (IAM) system are critical technologies.
- **Processes**—Staying diligent and successfully addressing potential or actual cybersecurity events can only occur if you have taken the time to define and roll out processes that support cybersecurity. These processes must be verified and updated regularly.
- **People**—If the people in your business ecosystem don’t implement the required processes and technology, you won’t be successful. Moreover, people are a frequent target of the most common types of cyber attacks. So educating everyone inside your organization and everyone who works with it, and ensuring they follow best practices, such as around password security, is mandatory to protect your organization.

These cybersecurity tools must be applied to a set of functions, as per the NIST Framework:

- **Identify** potential cybersecurity risks and weak points in the organization.
- **Protect** from attack using the information determined in the identify phase.
- **Detect** any attacks or potential attacks in real-time.
- **Respond** to attacks.
- **Recover** from the impact of an event.
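
The credential stuffing, reverse brute force and brute force entries above describe patterns that show up plainly in authentication logs, which is what the NIST “Detect” function asks for. The detector below is an added example for this page, not code from the original article: it reads a constructed log (the line format and field names are assumptions) and flags a source address that fails against many different usernames inside a short window, as well as a username that accumulates many failures from anywhere.

```python
"""Detection over authentication logs for two of the attack patterns
described above: one source trying many usernames (credential stuffing /
reverse brute force) and many failures against one username (brute force).
Constructed example for this page; the log format and sample lines are
assumptions, not any product's log schema."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one address cycling through six usernames, one normal
# login, and repeated failures against "bob" from a single source.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=u1 result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.5 user=u2 result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.5 user=u3 result=FAIL
2024-05-01T10:00:04Z ip=192.0.2.10 user=alice result=OK
2024-05-01T10:00:05Z ip=203.0.113.5 user=u4 result=FAIL
2024-05-01T10:00:06Z ip=203.0.113.5 user=u5 result=FAIL
2024-05-01T10:00:07Z ip=203.0.113.5 user=u6 result=FAIL
2024-05-01T10:02:00Z ip=198.51.100.7 user=bob result=FAIL
2024-05-01T10:02:10Z ip=198.51.100.7 user=bob result=FAIL
2024-05-01T10:02:20Z ip=198.51.100.7 user=bob result=FAIL
2024-05-01T10:02:30Z ip=198.51.100.7 user=bob result=FAIL
"""

Event = Tuple[datetime, str, str, str]  # (timestamp, ip, user, result)


def parse_log(text: str) -> List[Event]:
    """Parse lines in the assumed format; lines that do not match are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    events.sort(key=lambda e: e[0])
    return events


def detect(events: List[Event],
           window: timedelta = timedelta(minutes=5),
           distinct_users_per_ip: int = 5,
           failures_per_user: int = 4) -> Dict[str, Set[str]]:
    """Sliding-window counts over failed logins only.

    credential_stuffing_ips: sources that failed against at least
        distinct_users_per_ip different usernames within one window.
    brute_force_users: usernames with at least failures_per_user failures
        within one window, from any source."""
    by_ip: Dict[str, deque] = defaultdict(deque)    # ip -> (ts, user) failures
    by_user: Dict[str, deque] = defaultdict(deque)  # user -> ts failures
    alerts: Dict[str, Set[str]] = {"credential_stuffing_ips": set(),
                                   "brute_force_users": set()}
    for ts, ip, user, result in events:
        if result != "FAIL":
            continue
        q = by_ip[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len({u for _, u in q}) >= distinct_users_per_ip:
            alerts["credential_stuffing_ips"].add(ip)

        uq = by_user[user]
        uq.append(ts)
        while uq and ts - uq[0] > window:
            uq.popleft()
        if len(uq) >= failures_per_user:
            alerts["brute_force_users"].add(user)
    return alerts


if __name__ == "__main__":
    print(detect(parse_log(SAMPLE_LOG)))
    # {'credential_stuffing_ips': {'203.0.113.5'}, 'brute_force_users': {'bob'}}
```

The two counters are deliberately separate: the stuffing source never trips the per-user threshold because each username sees only one failure, and the per-user counter catches a password-guessing campaign even when it is spread across many addresses. The thresholds are parameters because the right values depend on the size of the user population and on how noisy legitimate failures are.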


What is Identity Governance & Administration

Identity Governance and Administration (IGA) joins the list of acronyms along with IAM and PAM. The term gained acceptance in 2013 after Gartner merged two of its Magic Quadrants–one addressing Identity Governance and the other Identity Administration–into the Magic Quadrant for Identity Governance and Administration. IGA systems merge identity administration, which addresses administering accounts and credentials, provisioning, and managing entitlements, with identity governance, which addresses the segregation of duties, role management, logging, and analytics and reporting.

IGA systems provide additional functionality beyond standard Identity and Access Management (IAM) systems. In particular, they help organizations meet compliance requirements and enable them to audit access for compliance reporting. They also automate workflows for tasks such as access approvals and provisioning/de-provisioning.

### Elements of IGA Systems

Identity governance and administration tools help handle user identity lifecycle management. IGA systems generally include these elements for identity administration:

- **Password management.** Through tools like password vaults or, more often, Single Sign-On (SSO), IGAs ensure users don’t have to remember many different passwords to access applications.
- **Integrations.** Connectors to integrate with directories and other systems that contain information about users and the applications and systems they have access to, as well as their authorization in those systems.
- **Access request management.** Workflows that make it easier for users to request access to applications and systems and get approvals.
- **Provisioning.** Automated provisioning and de-provisioning at both the user and application level.
- **Entitlement management.** Ability to specify and verify what people are allowed to do in various applications (such as add, edit, view, or delete data).

IGA systems generally include these elements for governance administration:

- **Segregation of duties.** Create rules that prevent risky sets of access from being granted to a person. For example, the ability to both view a corporate bank account and transfer funds to outside accounts (which might enable a user to transfer money to a personal account).
- **Access review.** Tools that streamline the review and verification (or revocation) of users’ access to different apps and resources. Some IGA tools provide discovery features that help identify entitlements that have been granted and surface them.
- **Role-based management.** Defining and managing access through user roles.
- **Analytics and reporting.** Tools that log activities, generate reports (including for compliance), and provide analytics to identify issues and optimizations.
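
Segregation of duties and access review are the two governance elements that reduce to simple, checkable rules, and the example below shows both. It is added here as an illustration and is not any IGA product’s code; the entitlement names, users, last-used dates and review date are constructed. The same rule table is applied preventively when an entitlement is about to be granted and detectively over access that already exists, and the review helper surfaces entitlements that nobody has exercised recently so a reviewer can confirm or revoke them.

```python
"""Segregation-of-duties (SoD) rules and an access-review helper. Added
illustration for this page, not any IGA product's code; entitlement names,
users and dates are constructed."""
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str, str]  # (entitlement A, entitlement B, why they are toxic together)

# Pairs of entitlements that must never be held by the same person. The first
# rule is the bank-account example from the text above.
SOD_RULES: List[Rule] = [
    ("bank:view_account", "bank:transfer_external",
     "can see balances and move funds outside the company"),
    ("ap:create_vendor", "ap:approve_payment",
     "can invent a vendor and then pay it"),
]

# Constructed state: who holds what, and when each entitlement was last used.
ENTITLEMENTS: Dict[str, Set[str]] = {
    "carol": {"bank:view_account", "bank:transfer_external"},  # existing violation
    "dave": {"ap:create_vendor"},
    "erin": {"bank:view_account"},
}
LAST_USED: Dict[Tuple[str, str], date] = {
    ("carol", "bank:view_account"): date(2024, 4, 20),
    ("dave", "ap:create_vendor"): date(2023, 12, 1),
    ("erin", "bank:view_account"): date(2024, 4, 29),
}
REVIEW_DATE = date(2024, 5, 1)  # constructed "today" for the review run


def sod_conflicts(entitlements: Set[str], rules: List[Rule] = SOD_RULES) -> List[Rule]:
    """Every rule violated by this set of entitlements."""
    return [r for r in rules if r[0] in entitlements and r[1] in entitlements]


def grant(state: Dict[str, Set[str]], user: str, entitlement: str,
          rules: List[Rule] = SOD_RULES) -> None:
    """Preventive control: refuse a grant that would create a toxic combination."""
    conflicts = sod_conflicts(state.get(user, set()) | {entitlement}, rules)
    if conflicts:
        a, b, why = conflicts[0]
        raise PermissionError(f"{user}: holding '{a}' and '{b}' together {why}")
    state.setdefault(user, set()).add(entitlement)


def detective_report(state: Dict[str, Set[str]],
                     rules: List[Rule] = SOD_RULES) -> Dict[str, List[Rule]]:
    """Detective control: violations already present in granted access."""
    report: Dict[str, List[Rule]] = {}
    for user, ents in state.items():
        conflicts = sod_conflicts(ents, rules)
        if conflicts:
            report[user] = conflicts
    return report


def access_review_candidates(state: Dict[str, Set[str]],
                             last_used: Dict[Tuple[str, str], date],
                             today: date,
                             max_idle: timedelta = timedelta(days=90)) -> List[Tuple[str, str]]:
    """Entitlements never used, or idle longer than max_idle: the ones a
    reviewer should explicitly confirm or revoke."""
    candidates: List[Tuple[str, str]] = []
    for user, ents in state.items():
        for ent in sorted(ents):
            used = last_used.get((user, ent))
            if used is None or today - used > max_idle:
                candidates.append((user, ent))
    return candidates


if __name__ == "__main__":
    state = {u: set(e) for u, e in ENTITLEMENTS.items()}
    print(detective_report(state))                 # carol's toxic pair
    try:
        grant(state, "dave", "ap:approve_payment")  # refused by the SoD rule
    except PermissionError as err:
        print("refused:", err)
    grant(state, "erin", "ap:create_vendor")       # allowed: no rule matches
    print(access_review_candidates(state, LAST_USED, REVIEW_DATE))
```

Keeping the rule table as plain data is what lets auditors read it: the report of existing violations and the refused grants are both derived from the same pairs, so there is one place to argue about whether a combination is really toxic.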


What is Privileged Access Management?

Privileged Access Management (PAM) refers to systems that securely manage the accounts of users who have elevated permissions to critical, corporate resources. These may be human administrators, devices, applications, and other types of users. Privileged user accounts are high-value targets for cyber criminals. That’s because they have elevated permissions in systems, allowing them to access highly confidential information and/or make administrative-level changes to mission-critical applications and systems. In the last year, 44 percent of data breaches involved privileged identities.[1]

Privileged Access Management is also sometimes referred to as Privileged Account Management or Privileged Session Management (PSM). Privileged session management is actually a component of a good PAM system.

### Why is PAM important?

Privileged accounts exist everywhere. There are many types of privileged accounts and they can exist on-premises and in the cloud. They differ from other accounts in that they have elevated levels of permissions, such as the ability to change settings for large groups of users. Also, often multiple people may have access to a specific privileged account, at least on a temporary basis. For example, the root account on a Linux machine is a form of privileged account. An account owner for Amazon Web Services (AWS) is another form of privileged account. A corporate account for the official company Twitter profile is yet another form.

Privileged accounts present a serious risk. Cyber criminals are more interested in stealing credentials for privileged accounts than any other type of account. Thus, they present a challenge for IT departments. Traditionally, access to these accounts has not been well managed, despite the high risk of large damage if such accounts are compromised. Common issues include many people using the same account with no clear history or accountability, and static passwords that are never changed. PAM solutions aim to address these risks.

### How do privileged access management systems work?

A PAM administrator uses the PAM portal to define methods to access the privileged account across various applications and enterprise resources. The credentials of privileged accounts (such as their passwords) are stored in a special-purpose and highly secure password vault. The PAM administrator also uses the PAM portal to define the policies of who can assume access to these privileged accounts and under what conditions.

Privileged users log in through the PAM and request or immediately assume access to the privileged user account. This access is logged and remains temporary for the exclusive performance of specific tasks. To ensure security, the PAM user is usually asked to provide a business justification for using the account. Sometimes manager approval is required, as well. Often, the user isn’t granted access to the actual passwords used to log into the applications but instead is provided access via the PAM. Additionally, the PAM ensures that passwords are frequently changed, often automatically, either at regular intervals or after each use.

The PAM administrator can monitor user activities through the PAM portal and even manage live sessions in real time, if needed. Modern PAMs also use machine learning to identify anomalies and use risk scoring to alert the PAM Administrator in real time of risky operations.

### What are the benefits of a PAM?

Increased security is the obvious benefit of implementing a PAM system. However, it’s not the only one. PAM helps:

- **Protect against cyber criminals.** Privileged users, such as administrators, face the same challenges as other users with regard to remembering multiple passwords—and have the same tendency to use the same password across multiple accounts. Yet, these users are also more likely to be the target of cyber criminals. A PAM system can reduce the need for administrators to remember many passwords and avoid privileged users creating local/direct system passwords. Session management and alerts help the superadmin identify potential attacks in real time.
- **Protect against inside attacks.** Sadly, a significant number of attacks come from bad actors inside the organization, or from employees who have left but haven’t been fully de-provisioned to prevent access after departure.
- **Greater productivity.** A PAM is a boon for privileged users. It allows them to log in faster to the systems they need and relieves the cognitive burden of remembering many passwords. It also enables the superuser to easily manage privileged user access from one central location, rather than a slew of different systems and applications.
- **Ensure compliance.** Many regulations require granular and specific management of privileged user access and the ability to audit access. You can restrict access to sensitive systems, require additional approvals, or use multi-factor authentication for privileged accounts. The auditing tools in PAM systems record activities and enable you to provide a clear audit trail. PAM helps organizations [comply](https://www.onelogin.com/blog/categories/security-and-compliance) with regulations like SOX, HIPAA, PCI DSS, GLBA, ISO 27002, ICS CERT, FDCC, FISMA.

### How is PAM Different from Identity Access Management (IAM)?

Privileged access management is sometimes confused with Identity Access Management (IAM). IAM focuses on authenticating and authorizing **all** types of users for an organization, often including employees, vendors, contractors, partners, and even customers. IAM manages general access to applications and resources, including on-prem and cloud, and usually integrates with directory systems such as Microsoft Active Directory. PAM focuses on **privileged users**, administrators or those with elevated privileges in the organization. PAM systems are specifically designed to manage and secure the access of these users to critical resources.

Organizations need both tools if they are to protect against attacks. IAM systems cover the larger attack surface of access from the many users across the organization’s ecosystem. PAM focuses on privileged users—but PAM is important because while it covers a smaller attack surface, it’s a high-value surface and requires an additional set of controls normally not relevant or even appropriate for regular users (such as session recording).

### How can IAM improve PAM?

There are multiple benefits for integrating your PAM solution with your IAM solution. Many customers choose to do this integration because it reduces security risks, is required by auditors and compliance regulations, and it improves the user experience. IAM lets you:

- Add Multi-Factor-Authentication (MFA) and Adaptive Authentication for your PAM access. This can help meet compliance requirements, such as PCI DSS Requirement 8.3. Many regulations such as PCI DSS require securing administrative access with tools like MFA.
- Make sure that privileged access is terminated automatically upon the employee leaving the organization. Again, this is often a compliance requirement, such as for PCI DSS. Not all PAM tools ensure this and—too often—IT departments don’t de-provision ex-employees quickly enough. When that employee has access to privileged accounts, it can spell disaster.
- Ensure that administrators are productive on day one. By using your IAM with PAM, you can automatically provision administrators to the PAM and grant them appropriate access on their very first day.
- Provide a single user experience. By using your IAM as the interface to the PAM, you improve the user experience for privileged users, since they access the PAM from the same place that they access other corporate resources.

In conclusion, PAM has a critical role to play in securing your organization’s resources and data. The best identity management solutions involve a coordinated use of an IAM and a PAM system to ensure security and usability.

[1] https://www.globalbankingandfinance.com/44-of-data-breaches-in-the-last-year-involved-privileged-identity-according-to-global-balabit-research-report/
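
The checkout flow described under “How do privileged access management systems work?” is written out below as an added example; it is not a PAM product’s code. Credentials live only in the vault, a checkout needs a business justification and, for accounts marked sensitive, an approval, a lease is exclusive and time-limited, the credential is rotated on check-in or expiry so the value a user saw stops working, and every decision, including refusals, lands in the audit trail. The account names, the lease length and the explicit `now` clock parameter are assumptions made so the example is deterministic.

```python
"""Privileged-credential vault with justified, exclusive, time-limited
checkout, optional approval, rotation after use and an audit trail. Added
example for this page, not any PAM product's implementation; account names,
lease length and the explicit `now` clock are assumptions."""
import secrets
import time
from typing import Dict, List, Optional, Tuple


class PAMVault:
    def __init__(self, lease_seconds: int = 900):
        self.lease_seconds = lease_seconds
        self._secrets: Dict[str, str] = {}               # account -> current password
        self._needs_approval: set = set()                # accounts that require sign-off
        self._leases: Dict[str, Tuple[str, float]] = {}  # account -> (holder, expires_at)
        self.audit: List[dict] = []                      # every decision, allowed or denied

    def _now(self, now: Optional[float]) -> float:
        return time.time() if now is None else now

    def _rotate(self, account: str) -> None:
        self._secrets[account] = secrets.token_urlsafe(24)

    def _deny(self, user: str, account: str, reason: str, now: float) -> None:
        self.audit.append({"ts": now, "action": "denied", "user": user,
                           "account": account, "reason": reason})
        raise PermissionError(reason)

    def add_account(self, account: str, needs_approval: bool = False) -> None:
        """Onboard a privileged account; the vault sets the secret, nobody picks it."""
        self._rotate(account)
        if needs_approval:
            self._needs_approval.add(account)

    def current_holder(self, account: str, now: Optional[float] = None) -> Optional[str]:
        lease = self._leases.get(account)
        if lease is None or lease[1] <= self._now(now):
            return None
        return lease[0]

    def checkout(self, user: str, account: str, justification: str,
                 approved_by: Optional[str] = None, now: Optional[float] = None) -> str:
        """Release the current secret to one user for one lease period."""
        now = self._now(now)
        if account not in self._secrets:
            raise KeyError(account)
        if not justification.strip():
            self._deny(user, account, "business justification required", now)
        if account in self._needs_approval and not approved_by:
            self._deny(user, account, "manager approval required", now)
        holder = self.current_holder(account, now)
        if holder is not None and holder != user:
            self._deny(user, account, f"already checked out by {holder}", now)
        self._leases[account] = (user, now + self.lease_seconds)
        self.audit.append({"ts": now, "action": "checkout", "user": user, "account": account,
                           "justification": justification, "approved_by": approved_by})
        return self._secrets[account]

    def checkin(self, user: str, account: str, now: Optional[float] = None) -> None:
        """End the session and rotate, so the secret the user saw stops working."""
        now = self._now(now)
        if self.current_holder(account, now) != user:
            self._deny(user, account, "no active lease for this user", now)
        del self._leases[account]
        self._rotate(account)
        self.audit.append({"ts": now, "action": "checkin", "user": user, "account": account})

    def expire_leases(self, now: Optional[float] = None) -> List[str]:
        """Housekeeping: close leases past their expiry and rotate their secrets."""
        now = self._now(now)
        expired = [a for a, (_, exp) in self._leases.items() if exp <= now]
        for account in expired:
            holder, _ = self._leases.pop(account)
            self._rotate(account)
            self.audit.append({"ts": now, "action": "expire", "user": holder, "account": account})
        return expired


if __name__ == "__main__":
    vault = PAMVault(lease_seconds=60)
    vault.add_account("root@db01")
    vault.add_account("aws-root", needs_approval=True)
    first = vault.checkout("ann", "root@db01", "INC-1234: restore backup", now=0.0)
    vault.checkin("ann", "root@db01", now=20.0)
    second = vault.checkout("ben", "root@db01", "INC-1235: disk full", now=30.0)
    print(first != second)  # True: rotated between sessions
    for entry in vault.audit:
        print(entry)
```

Returning the secret from `checkout` is the simplest way to show rotation; as the text notes, many deployments instead inject the credential into a brokered session so the user never sees it, in which case the lease and rotation logic stay the same and only the final line changes.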


SSO Checklist

It’s critical that your SSO solution meets the basic requirements to support employees and IT needs. That means a secure solution and one with high usability. But remember that SSO is only part of your identity and access management solution. Digital transformation today relies on an Identity and Access Management (IAM) platform that includes SSO as well as other tools like MFA and directory integration. Use the checklist below to make sure that your SSO system offers the protection your company needs.

#### User community support

Does the SSO solution support all your user communities?

- Workforce (employees and contractors)
- Partners/Vendors
- Customers

#### Customers

If your customers need access, does the SSO system support commonly-used consumer authentication methods?

- Facebook
- Google

#### True SSO

Does the SSO solution allow true single sign-on versus password vaulting?

- User only enters one username and password to access all apps/sites
- User only has to log in once per day or session to gain access to all corporate apps/sites

#### Application integration

Does the SSO solution work with your cloud and on-prem apps?

- SSO supports all your cloud applications
- SSO supports all your on-prem applications

#### Open standards support

Does the SSO solution support the most common, widely-used protocols that enable a trusted relationship?

- SAML
- OpenID Connect
- OAuth 2
- WS-Federation

#### Reputation for security

Does the vendor meet the common, highest security standards and implement adequate internal processes?

- SOC 2 Type 2
- ISO 27017
- ISO 27018
- ISO 27001
- Skyhigh Enterprise-Ready
- CSA Star
- TRUSTe
- U.S. Privacy Shield
- GDPR
- EU Model Contract clauses
- Adheres to the NIST Cybersecurity Framework
- Vendor performs penetration tests
- Vendor performs network scans
- Vendor has a bug bounty program

#### Availability and disaster recovery

Does the SSO service demonstrate consistent and high availability and the ability to recover quickly from disasters?

- Historical availability of over 99%
- Recent availability (last twelve months) of over 99%
- Uses multiple data centers in different regions
- Uses replication and redundancy across regions

#### High usability

Is the SSO user interface simple enough that employees will embrace it?

- Provides a single portal of apps
- Integrates with all the common browsers
- Streamlines the app access process
- Streamlines the login process
- Makes it easy for users to reset their own passwords

#### Mobile ready

Does the SSO solution provide thorough support for mobile users?

- Provides SSO for mobile devices (via a native mobile app)
- Supports a variety of devices via SAML and partnerships with MDM vendors
- Works with your multi-factor authentication (MFA) tool

#### Flexible password rules

Does the SSO system support and enforce password requirements in a usable and effective manner?

- Lets you set password expiration times
- Lets you set password complexity (length, characters, etc.)
- Provides expiration notifications (helping to reduce support tickets)
- Enforces MFA requirements for password resets if MFA is used

#### Enterprise access

Does the SSO solution integrate with your network access points?

- Integrates with VPN
- Integrates with Wi-Fi for app access
- Provides endpoints for integration with RADIUS and LDAP

#### Federation

Does the SSO solution allow you to use the existing, corporate identity providers you prefer?

- Microsoft Active Directory
- Amazon Active Directory
- LDAP
- Google Directory
- Human Resource Management Systems (HRMS), such as Workday or SuccessFactors

#### Authentication

Does the SSO solution provide additional security?

- Multi-factor authentication
- Adaptive authentication
- Automatic forced authentication for high-risk resources
- X.509–based certificates

#### Developer support

Does the SSO solution provide APIs and support so you can enable single sign-on for your custom applications and third-party systems?

- SSO registration and life-cycle management APIs
- SDK for major platforms and languages
- Supports OpenID Connect

#### Reporting

Does the SSO solution provide reports that enable you to meet compliance requirements and enhance your security based on threat data?

- Ability to externalize authorization events to third-party SIEM solutions
- Out-of-the-box reports and audit trails

### Advanced requirements

Although any SSO solution should meet basic requirements, organizations making a successful digital transformation usually choose solutions that meet advanced requirements. An advanced SSO solution ensures, from the start, that you aren’t behind the curve.

#### Behavioral analytics

Does the SSO solution use behavioral analytics to intelligently adapt and respond?

- Allows blacklist and whitelist of geolocations and IPs
- Allows you to set responses to high-risk login attempts
- Allows you to set certain apps to require re-authentication (such as through MFA)

#### Manage authorization

Can the SSO solution manage authorization through its integration with your identity provider(s)?

- Supports RBAC access
- Supports provisioning and deprovisioning of user access in apps

#### Easy integration

Can you integrate the SSO solution with your custom apps and in your organization without having to replace or significantly modify existing solutions?

- Enables integration into your custom apps via an API
- Enables incorporation of SSO without the need to rip and replace other solutions


How Single Sign-On Works

# How does single sign-on work? ## What is single sign-on? Single sign-on (SSO) is an authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials. ## How does SSO work? SSO works based upon a trust relationship set up between an application, known as the service provider, and an identity provider, like OneLogin. This trust relationship is often based upon a certificate that is exchanged between the identity provider and the service provider. This certificate can be used to sign identity information that is being sent from the identity provider to the service provider so that the service provider knows it is coming from a trusted source. In SSO, this identity data takes the form of tokens which contain identifying bits of information about the user like a user’s email address or a username. The login flow usually looks like this: 1. A user browses to the application or website they want access to, aka, the Service Provider. 2. The Service Provider sends a token that contains some information about the user, like their email address, to the SSO system, aka, the Identity Provider, as part of a request to authenticate the user. 3. The Identity Provider first checks to see whether the user has already been authenticated, in which case it will grant the user access to the Service Provider application and skip to step 5. 4. If the user hasn’t logged in, they will be prompted to do so by providing the credentials required by the Identity Provider. This could simply be a username and password or it might include some other form of authentication like a [One-Time Password (OTP](https://www.onelogin.com/learn/otp-totp-hotp)). 5. Once the Identity Provider validates the credentials provided, it will send a token back to the Service Provider confirming a successful authentication. 6. This token is passed through the user’s browser to the Service Provider. 7. 
The token that is received by the Service Provider is validated according to the trust relationship that was set up between the Service Provider and the Identity Provider during the initial configuration. 8. The user is granted access to the Service Provider. When the user tries to access a different website, the new website would have to have a similar trust relationship configured with the SSO solution and the authentication flow would follow the same steps. ### What is an SSO token? An SSO token is a collection of data or information that is passed from one system to another during the SSO process. The data can simply be a user’s email address and information about which system is sending the token. Tokens must be digitally signed for the token receiver to verify that the token is coming from a trusted source. The certificate that is used for this digital signature is exchanged during the initial configuration process. ## Is SSO secure? The answer to this question is “It depends.” There are many reasons why SSO can improve security. A single sign-on solution can simplify username and password management for both users and administrators. Users no longer have to keep track of different sets of credentials and can simply remember a single more complex password. SSO often enables users to just get access to their applications much faster. SSO can also cut down on the amount of time the help desk has to spend on assisting users with lost passwords. Administrators can centrally control requirements like password complexity and [multi-factor authentication (MFA)](https://www.onelogin.com/learn/what-is-mfa). Administrators can also more quickly relinquish login privileges across the board when a user leaves the organization. Single Sign-On does have some drawbacks. For example, you might have applications that you want to have locked down a bit more. 
For this reason, it would be important to choose an SSO solution that gives you the ability to, say, require an additional authentication factor before a user logs into a particular application or that prevents users from accessing certain applications unless they are connected to a secure network. ## How is SSO implemented? The specifics on how an SSO solution is implemented will differ depending on what exact SSO solution you are working with. But no matter what the specific steps are, you need to make sure you have set clear objectives and goals for your implementation. Make sure you answer the following questions: * What different types of users are you serving and what are their different requirements? * Are you looking for an On Prem solution or a Cloud Based solution? * Will this solution be able to grow with your company and your needs? * What features are you looking for to ensure only trusted users are logging in? MFA, Adaptive Authentication, Device Trust, IP Address Whitelisting, etc.? * What systems do you need to integrate with? * Do you need API access? ## What makes a true SSO system? It’s important to understand the difference between single sign-on and [password vaulting](https://www.onelogin.com/learn/password-vaulting) or password managers, which are sometimes referred to as SSO which can mean Same Sign-on not Single Sign-on. With password vaulting, you may have the same username and password, but they need to be entered each time you move to a different application or website. The password vaulting system is simply storing your credentials for all the different applications and inserting them when necessary. There is no trust relationship set up between the applications and the password vaulting system. With SSO, meaning Single Sign-On, after you’re logged in via the SSO solution, you can access all company-approved applications and websites without having to log in again. 
That includes cloud applications as well as on-prem applications, often available through an SSO portal (also called a login portal). ## What is an SSO software vs an SSO solution When researching SSO options that are available, you might see them sometimes referred to as SSO software vs an SSO solution vs an SSO provider. In many cases, the difference might simply be in the way the companies have categorized themselves. A piece of software suggests something that is installed on-premise. It is usually designed to do a specific set of tasks and nothing else. A solution suggests that there is the ability to expand or customize the capabilities of the core product. A provider would be a way to refer to the company that is producing or hosting the solution. For example, OneLogin is known as an SSO solution provider. ### Are there different types of SSO? There are a lot of terms that are used when we talk about Single Sign-oOn (SSO). * Federated Identity Management (FIM) * OAuth (specifically OAuth 2.0 nowadays) * OpenID Connect (OIDC) * Security Access Markup Language (SAML) * Same Sign On (SSO) SSO is actually a part of a larger concept called Federated Identity Management, thus sometimes SSO is referred to as federated SSO. FIM just refers to a trust relationship that is created between two or more domains or identity management systems. Single Sign-on is often a feature that is available within a FIM architecture. OAuth 2.0 is a specific framework that could also be considered part of a FIM architecture. OAuth focuses on that trusted relationship allowing user identity information to be shared across the domains. [OpenID Connect (OIDC)](https://www.onelogin.com/blog/openid-connect-explained-in-plain-english) is an authentication layer that was built on top of OAuth 2.0 to provide Single Sign-on functionality. 
[Security Access Markup Language (SAML)](https://www.onelogin.com/learn/saml) is an open standard that is also designed to provide Single Sign-on functionality. Same Sign On which is also often referred to as SSO is actually not the same as Single Sign-on because it doesn’t involve any trust relationship between the entities that are doing the authentication. It is more dependent on credentials being duplicated between systems and simply passing in those credentials when necessary. It is not as secure as any of the Single Sign-on solutions. There are also some specific systems that commonly come up when we are discussing Single Sign-on: Active Directory, Active Directory Federation Services (ADFS) and Lightweight Directory Access Protocol (LDAP). Active Directory, which nowadays is specifically referred to as Active Directory Directory Services (ADDS), is Microsoft’s centralized directory service. Users and resources are added to the directory service for central management and ADDS works with authentication protocols like NTLM and Kerberos. Thus, users that belong to ADDS can authenticate from their machines and get access to others systems that integrate with ADDS. This is a form of Single Sign-on. Active Directory Federation Services (ADFS) is a type of Federated Identity Management system that also provides Single Sign-on capabilities. It supports both SAML and OIDC. ADFS is primarily used to set up trust between ADDS and other systems such as Azure AD or other ADDS forests. Lightweight Directory Access Protocol (LDAP) is simply an industry standard that defines a way to organize and query directory information. LDAP allows you to centrally manage resources like users and systems. LDAP, however, does not define how you log into those systems, meaning it does not define the actual protocols that are used in authentication. It is, however, often used as part of the authentication process and access control processes. 
For example, before a user can access a particular resource, LDAP might be used to query for that user and any groups that they belong to in order to see if the user has access to that resource. LDAP solutions like OpenLDAP do provide authentication through their support of authentication protocols like Simple Authentication and Security Layer (SASL).

## What is SSO software as a service?

Just as many other applications have moved to run over the Internet, so has SSO functionality. Platforms like OneLogin that run in the cloud can then be categorized as a Software as a Service (SaaS) SSO solution.

## What is App-to-App SSO?

Lastly, you might have heard of App-to-App or Application-to-Application SSO. This is not quite an industry standard yet. It is more of a term that has been used by SAPCloud to describe the process of passing a user identity from one application to another within their ecosystem. It is somewhat similar to OAuth 2.0, but again it is not a standard protocol or method and is currently specific to SAPCloud.


Why is SSO Important?

Single sign-on (SSO) in the enterprise refers to the ability for employees to log in just one time with one set of credentials to get access to all corporate apps, websites, and data for which they have permission. SSO solves key problems for the business by providing:

- Greater security and compliance.
- Improved usability and employee satisfaction.
- Lower IT costs.

The proliferation of cloud apps and services in the enterprise—often in addition to on-prem ones—has created a significant fragmentation problem. Fragmentation in the enterprise is a challenge for IT and users. IT must manage the many apps in the enterprise, as well as deal with shadow IT. Employees have to use more and more apps each day just to complete their work, which means logging in to and switching between multiple apps and websites. SSO helps to solve the enterprise fragmentation problem.

### Security and compliance benefits of SSO

Usernames and passwords are the main target of cybercriminals. Every time a user logs in to a new application, it’s an opportunity for hackers. SSO reduces the number of attack surfaces because users only log in once each day and only use one set of credentials. Reducing login to one set of credentials improves enterprise security. When employees have to use separate passwords for each app, they usually don’t. In fact, 59% use the same or similar passwords on multiple accounts. Thus, if a hacker gets access through one poorly secured website, they are likely to be able to access other corporate systems.

SSO helps with regulatory compliance, too. Regulations, such as Sarbanes-Oxley, require that IT controls are documented and that organizations prove that adequate methods are in place to protect data. SSO is a way to meet requirements around data access and antivirus protection.
SSO can also help with regulations, like HIPAA, that require effective authentication of users who are accessing electronic records or that require audit controls to track activity and access. Regulations like HIPAA also require automatic logoff of users, which most SSO solutions enable.

When SSO is part of an identity and access management (IAM) solution, it utilizes a central directory that controls user access to resources at a more granular level. This allows organizations to comply with regulations that require provisioning users with appropriate permissions. Unified Access Management (UAM) systems enable SSO with role-based access control (RBAC) and security policies. This type of SSO solution also deprovisions users quickly—or even automatically—another common compliance requirement meant to ensure that former employees, partners, or others can’t access sensitive data.

### SSO improves usability for employees

With the move to the cloud, employees are using more and more apps in the workplace. Requiring separate usernames and passwords for each app is a huge burden for employees and, frankly, is unrealistic. Single sign-on reduces that cognitive burden. Signing in once also saves time, thus improving employee productivity. Given that 68% of employees switch between ten apps every hour, eliminating multiple logins can save a company considerable time and money.

SSO solutions that are part of an identity and access management system usually have an app portal. To use an app, employees select it from the portal. If the user doesn’t have an app, he or she can request it through the portal and it’s added with SSO enabled. It all happens quickly, so users who might be discouraged from requesting or using apps are more likely to use them.

### How SSO lowers IT costs

SSO lowers IT costs by saving time on password resets.
When apps each require a different username and password for every employee, chances are high that employees will forget passwords—and that means help tickets for password resets pile up. With SSO, users have only one set of credentials to remember, reducing the number of help tickets. And most SSO solutions allow users to reset their passwords themselves, eliminating the need for IT involvement. SSO that is part of a unified access management system takes advantage of a central directory to provision and deprovision users, making the process faster and cheaper. Policies can be defined based on user role, location, and other user traits. And employees, partners, and customers can be quickly provisioned across multiple applications in one action, rather than having to separately provision each application. Similarly, IT saves time on deprovisioning, which can be done in minutes instead of hours. When enterprises implement a quality SSO solution, it adds security, improves usability, and saves time and money for the IT department.


Password Vaulting

A password vault, also called a password manager, is a program that stores usernames and passwords for multiple applications in a secure location and in an encrypted format. Users can access the password vault via a single username and password. The password vault then provides them the password for the website they are trying to access. Consumers often use the password manager built into Chrome or Safari, for example. In those cases, Google or Apple stores your password information. Businesses may buy a password management tool. (Note that some password managers will also generate more secure, random passwords, called one-time passwords [OTPs], for the user for each site.)

### What is single sign-on?

Single sign-on (SSO) is a secure solution that provides employees access to company apps and websites by asking them to sign in just once a day, using one username and password. When you sign in to a website through Facebook or Google, you’re using a type of SSO. In a business setting, employees usually have access to their company’s apps through SSO as an identity and access management (IAM) solution that uses the company’s directory, such as Microsoft Active Directory, Azure Active Directory, or a directory provided by the SSO solution.

### Which is better, SSO or password vaults?

In general, SSO is considered more secure and easier to use than password vaults. As part of an IAM solution, SSO eliminates the need for employees to maintain multiple passwords, easing the burden on users. It also reduces the frequency of logins and the number of credentials stored, reducing the attack surface for cybercriminals.

When businesses begin to implement stricter password requirements, they often start with password managers. For example, an organization might require that passwords are changed frequently, use random characters, or be longer.
Since these more complex passwords are harder to remember, the organization may buy a password manager that employees can use to store them in an encrypted, relatively secure environment. But most organizations quickly outgrow password managers. For one thing, password managers introduce a new problem: employees must add password management to their list of tasks. Password vaults also don’t solve the problem of app proliferation, and they still require users to waste time logging into each app. Since 68% of users report having to switch between 10 different apps every hour, that’s a lot of wasted time. Single sign-on systems let users log in just once, with one set of credentials, to access all apps. SSO systems often use the business’s identity provider, such as Active Directory, for added security. And they use standard, widely accepted protocols, such as SAML or OAuth, and technologies like digital certificates to provide enterprise-level security. SSO is more secure because passwords aren’t being passed around. Instead, after users log in, the SSO system passes tokens to the app or website requesting authentication. Many SSO solutions also work across both on-prem and cloud apps and websites, providing seamless and secure access across corporate systems.


What Type of Attacks Does MFA Prevent?

Multi-Factor Authentication (MFA), as part of an identity and access management (IAM) solution, can help prevent some of the most common and successful types of cyberattacks, including:

- Phishing
- Spear phishing
- Keyloggers
- Credential stuffing
- Brute force and reverse brute force attacks
- Man-in-the-middle (MITM) attacks

### How does MFA help prevent security breaches?

To understand how MFA helps prevent security breaches, let’s first review how these types of cyberattacks work:

#### Phishing

How it works: The attacker uses a list of phone numbers or email addresses and delivers a message with a compelling call to action. (For example, the user may be told that he or she needs to log in and verify transactions.) Usually, it sends users to a fake website where the users provide their username and password.

#### Spear phishing

How it works: The attacker targets a small group of individuals with well-crafted, believable messages that are relevant to the target group, often using personalized content (such as the user’s name or a recent user action or event). Like phishing, it uses calls to action that get users to provide their credentials.

#### Keylogger

How it works: The attacker installs a program (often via a virus) that captures every keystroke on the user’s computer, including sites visited, usernames, passwords, answers to security questions, and more.

#### Credential stuffing

How it works: The attacker takes advantage of the fact that users often use the same username and password on multiple accounts by attempting to use stolen credential pairs to gain access to many different sites and apps.

#### Brute force and reverse brute force attacks

How it works: The attacker uses a program to generate possible usernames/passwords and to try and gain access with them. (Dictionary attacks are a type of brute force attack.) Or the attacker tries the most commonly used passwords (like Password123) on many different accounts.
#### Man-in-the-middle (MITM) attacks

How it works: The attacker’s program inserts itself into the interaction between a user and an app (for instance, by impersonating a public Wi-Fi). The program then gathers the login credentials that the user enters—or even hijacks the session token.

### How MFA combats common cyberattacks

Multi-Factor Authentication works to thwart cybercriminals by requiring additional information or credentials from the user. A phishing attack may garner a user’s credentials, but it won’t provide the hacker with a fingerprint, for instance, or the answer to a personal security question. Similarly, a brute force or reverse brute force attack may manage to find a working username and password, but the attacker doesn’t know what other authentication factors the MFA system requires and doesn’t have those credentials.

Similarly, MFA can combat more sophisticated attacks, such as MITM, by adding an extra layer of security. Even if the hacker or program inserts itself and captures the information that the user enters, the IT administrator can set up MFA to require that the user supply credentials from a different device or channel. Push-based authenticators are extremely well suited to provide a secure mechanism with minimal user inconvenience. For example, let’s say that the user is logging in from her laptop, which has been compromised by a MITM program. But the business has set up MFA and, to complete her login, the user must use a phone app, such as OneLogin Protect. The native mobile authenticator app sends a code from the phone to the authentication system to complete the login. Since the MITM hacker doesn’t have access to the user’s phone, the breach is prevented.

MFA and IAM don’t stop all types of attacks, and they don’t guarantee security. But they do add additional layers of authentication that make cyberattacks more difficult.


What is Adaptive Authentication?

Standard authentication methods, including Multi-Factor Authentication (MFA), ask users for specific credentials whenever they try to log in or access corporate resources. Adaptive Authentication asks for different credentials, depending upon the situation—tightening security when the risk of breach is higher.

When users always log in with standard credentials, such as a username and password, it makes them vulnerable to cyberattack. Authentication tools for identity and access management, such as MFA, provide better security by requiring additional credentials, such as a code generated from a smartphone app. More factors help, but it’s still too easy for cybercriminals to acquire or hack the user’s various credentials and then use them to gain access. Adaptive authentication intelligently changes the requirements, making it much harder for a hacker to gain access to the enterprise because some of the signals that are used are difficult for an attacker to circumvent.

#### How does adaptive authentication work?

When you implement risk-based authentication in your organization, you determine the baseline login requirements for a given user or set of users. You might have stricter requirements for users in certain locales or users in roles that permit them access to sensitive information.

Adaptive authentication works by creating a profile for each user, which includes information such as the user’s geographical location, registered devices, role, and more. Each time someone tries to authenticate, the request is evaluated and assigned a risk score. Depending on the risk score, the user may be required to provide additional credentials or, conversely, allowed to use fewer credentials. For example, if a user tries to access applications via an unregistered device, they may be prompted to register it. If the user logs in from a geographical location other than their office, they may have to answer a security question.
IT determines the response to requests with different risk scores. In any given scenario, the user may be allowed to authenticate, may be prevented from accessing, or may even be challenged to prove his or her identity.

#### Adaptive authentication and machine learning

Most risk-based authentication solutions use machine learning. The algorithms in these tools monitor and learn user behavior over time to build an accurate profile of a given user’s login patterns. They may track devices, typical user login times, or usual work locations. They check IP addresses and network reputations, in addition to threat data for those networks. Adaptive authentication solutions assign a risk score based on behavior and context, and they respond to the perceived risk based on the rules established by IT. These rules may vary by risk score, user role, location, device, and more.

Using artificial intelligence (AI), advanced authentication is evolving to monitor in real time and to identify anomalies in the user’s authentication patterns or even threats in the authentication path (such as compromised networks). The most advanced adaptive authentication solutions automatically adjust the authentication requirements based on the risk score and IT policies. They might require few or no additional challenges for users whose risk score is low. They might add multiple challenges—a one-time password plus biometrics, for instance—for someone whose risk score is high. These advanced solutions may even restrict or deny the user access based on the risk score and as per IT policies.

#### Benefits of adaptive authentication

As well as adding security, adaptive authentication reduces the friction for users trying to get their work done. Standard MFA defines login requirements that may be onerous—requiring the user to always enter a name, password, and a code from an app, or requiring users to answer a security question when authenticating outside the office.
Adaptive authentication can request less information from users who are recognized and behaving in expected ways. It only queries users for more information occasionally, when circumstances suggest a greater security risk. This means fewer interruptions for users, lower barriers of entry, and greater security.
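To make the profile-plus-risk-score flow concrete, here is an added example (not OneLogin's product logic) of a small rule-based scorer. The signal weights, thresholds, profile fields and user names are assumptions; the scenarios are the ones this page describes: a recognised login from the office, an off-hours login from an unusual location, an unregistered device on a hostile network, and registering the device after a successful extra challenge.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumed point weights per risk signal and IT-defined decision thresholds.
# A real product would tune these; they are illustrative only.
WEIGHTS: Dict[str, int] = {
    "unregistered_device": 30,
    "unusual_location": 25,
    "off_hours": 15,
    "unknown_network": 10,
    "bad_network_reputation": 50,
    "sensitive_role": 10,
}
THRESHOLDS = {"step_up": 20, "deny": 70}  # score >= deny -> deny, >= step_up -> extra factor
SENSITIVE_ROLES = {"finance", "admin"}     # roles that get a stricter baseline


@dataclass
class UserProfile:
    """What the system has learned about a user over time."""
    username: str
    role: str
    registered_devices: Set[str] = field(default_factory=set)
    usual_locations: Set[str] = field(default_factory=set)
    usual_hours: Tuple[int, int] = (8, 18)  # normal login window, local hours [start, end)


@dataclass
class LoginContext:
    """Signals observed on one authentication request (constructed sample input)."""
    device_id: str
    location: str
    hour: int
    network_reputation: str  # "trusted", "unknown" or "bad"


def score_login(profile: UserProfile, ctx: LoginContext) -> Tuple[int, List[str]]:
    """Compare the request against the user's profile; return (risk score, reasons)."""
    score, reasons = 0, []

    def flag(signal: str) -> None:
        nonlocal score
        score += WEIGHTS[signal]
        reasons.append(signal)

    if ctx.device_id not in profile.registered_devices:
        flag("unregistered_device")
    if ctx.location not in profile.usual_locations:
        flag("unusual_location")
    start, end = profile.usual_hours
    if not (start <= ctx.hour < end):
        flag("off_hours")
    if ctx.network_reputation == "bad":
        flag("bad_network_reputation")
    elif ctx.network_reputation == "unknown":
        flag("unknown_network")
    if profile.role in SENSITIVE_ROLES:
        flag("sensitive_role")
    return score, reasons


def decide(score: int, thresholds: Dict[str, int] = THRESHOLDS) -> str:
    """Map a risk score to the IT-defined response: allow, step_up or deny."""
    if score >= thresholds["deny"]:
        return "deny"
    if score >= thresholds["step_up"]:
        return "step_up"   # e.g. require an OTP or a security question
    return "allow"         # recognised, expected login: password alone suffices


def evaluate(profile: UserProfile, ctx: LoginContext) -> Tuple[str, int, List[str]]:
    score, reasons = score_login(profile, ctx)
    return decide(score), score, reasons


def complete_step_up(profile: UserProfile, ctx: LoginContext) -> None:
    """After the extra factor succeeds, register the device so the same
    context scores lower next time (the 'prompted to register it' case)."""
    profile.registered_devices.add(ctx.device_id)


if __name__ == "__main__":
    alice = UserProfile("alice", "sales", {"laptop-1"}, {"HQ-office"})
    scenarios = {
        "office 9am, known laptop": LoginContext("laptop-1", "HQ-office", 9, "trusted"),
        "cafe 11pm, known laptop": LoginContext("laptop-1", "Cafe", 23, "unknown"),
        "3am, new phone, bad network": LoginContext("burner-phone", "Far-away", 3, "bad"),
    }
    for name, ctx in scenarios.items():
        print(name, "->", evaluate(alice, ctx))
```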


What is MFA?

Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN. MFA is a core component of a strong [identity and access management (IAM)](https://www.onelogin.com/learn/iam) policy. Rather than just asking for a username and password, MFA requires one or more additional verification factors, which decreases the likelihood of a successful cyber attack.

## Why is MFA Important?

The main benefit of MFA is that it will enhance your organization's security by requiring your users to identify themselves by more than a username and password. While important, usernames and passwords are vulnerable to [brute force attacks](https://www.onelogin.com/learn/mfa-types-of-cyber-attacks) and can be stolen by third parties. Enforcing the use of an MFA factor like a thumbprint or physical hardware key means increased confidence that your organization will stay safe from cyber criminals.

## How Does MFA work?

MFA works by requiring additional verification information (factors). One of the most common MFA factors that users encounter is [one-time passwords (OTP)](https://www.onelogin.com/learn/otp-totp-hotp). OTPs are those 4-8 digit codes that you often receive via email, SMS or some sort of mobile app. With OTPs a new code is generated periodically or each time an authentication request is submitted. The code is generated based upon a seed value that is assigned to the user when they first register and some other factor, which could simply be a counter that is incremented or a time value.
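The "seed plus counter" and "seed plus time" schemes just described are HOTP (RFC 4226) and TOTP (RFC 6238). The following is an added example, not OneLogin's code, showing how the code is derived from the seed and how a server makes it genuinely one-time: a drift window for TOTP, a look-ahead window for HOTP counters, and a replay check. The secret and timestamps are the RFCs' published test vectors; the class and function names are this example's own.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(seed, counter) -> dynamic truncation -> fixed-width digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks a window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: the 'counter' is the number of time steps since the Unix epoch."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits, algo)


def verify_totp(secret: bytes, code: str, at_time: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate clock drift."""
    if at_time is None:
        at_time = time.time()
    now = int(at_time) // step
    return any(hmac.compare_digest(hotp(secret, c, digits), code)
               for c in range(now - window, now + window + 1))


def verify_hotp(secret: bytes, code: str, expected_counter: int,
                look_ahead: int = 5, digits: int = 6) -> Optional[int]:
    """Counter-based check: the token may have been clicked a few times without
    the server seeing it, so search a small look-ahead window. Returns the next
    counter the server must persist, or None on failure. Never search backwards."""
    for c in range(expected_counter, expected_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c + 1
    return None


class TotpVerifier:
    """Server-side TOTP check that also enforces 'one-time': a step that has
    already been accepted is never accepted again, even inside the drift window."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_step = -1   # highest counter accepted so far (persist this per user)

    def verify(self, code: str, at_time: Optional[float] = None) -> bool:
        if at_time is None:
            at_time = time.time()
        now = int(at_time) // self.step
        for c in range(now - self.window, now + self.window + 1):
            if c <= self.last_step:
                continue      # replay of an already-used (or older) code
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_step = c
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"     # RFC 4226 / RFC 6238 test-vector secret
    print("HOTP counter 0:", hotp(seed, 0))            # 755224 per RFC 4226
    print("TOTP at T=59 :", totp(seed, 59, digits=8))  # 94287082 per RFC 6238
```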
## Three Main Types of MFA Authentication Methods

Most MFA authentication methodology is based on one of three types of additional information:

- Things you know (knowledge), such as a password or PIN
- Things you have (possession), such as a badge or smartphone
- Things you are (inherence), such as a biometric like fingerprints or voice recognition

## MFA Examples

Examples of Multi-Factor Authentication include using a combination of these elements to authenticate:

Knowledge

- Answers to personal security questions
- Password
- OTPs (can be both Knowledge and Possession: you know the OTP and you have to have something in your possession to get it, like your phone)

Possession

- OTPs generated by smartphone apps
- OTPs sent via text or email
- Access badges, USB devices, smart cards or fobs or security keys
- Software tokens and certificates

Inherence

- Fingerprints, facial recognition, voice, retina or iris scanning or other biometrics
- Behavioral analysis

## Other Types of Multi-Factor Authentication

As MFA integrates machine learning and artificial intelligence (AI), authentication methods become more sophisticated, including:

##### Location-based

Location-based MFA usually looks at a user’s IP address and, if possible, their geolocation. This information can be used to simply block a user’s access if their location information does not match what is specified on a whitelist, or it might be used as an additional form of authentication in addition to other factors such as a password or OTP to confirm that user’s identity.

##### Adaptive Authentication or Risk-based Authentication

Another subset of MFA is [Adaptive Authentication](https://www.onelogin.com/learn/what-why-adaptive-authentication), also referred to as Risk-based Authentication. Adaptive Authentication analyzes additional factors by considering context and behavior when authenticating and often uses these values to assign a level of risk associated with the login attempt.
For example:

- Where is the user when trying to access information?
- When is the user trying to access company information? During normal hours or during "off hours"?
- What kind of device is used? Is it the same one used yesterday?
- Is the connection via a private network or a public network?

The risk level is calculated based upon how these questions are answered and can be used to determine whether or not a user will be prompted for an additional authentication factor or whether or not they will even be allowed to log in. Thus another term used to describe this type of authentication is risk-based authentication.

With Adaptive Authentication in place, a user logging in from a cafe late at night, an activity they do not normally do, might be required to enter a code texted to the user’s phone in addition to providing their username and password. Whereas, when they log in from the office every day at 9 am, they are simply prompted to provide their username and password.

Cyber criminals spend their lives trying to steal your information, and an effective and enforced MFA strategy is your first line of defense against them. An effective data security plan will save your organization time and money in the future.

## What's the Difference between MFA and Two-Factor Authentication (2FA)?

MFA is often used interchangeably with two-factor authentication (2FA). 2FA is basically a subset of MFA since 2FA restricts the number of factors that are required to only two factors, while MFA can be two or more.

## What is MFA in Cloud Computing

With the advent of Cloud Computing, MFA has become even more necessary. As companies move their systems to the cloud they can no longer rely upon a user being physically on the same network as a system as a security factor. Additional security needs to be put into place to ensure that those accessing the systems are not bad actors.
As users are accessing these systems anytime and from anyplace, MFA can help ensure that they are who they say they are by prompting for additional authentication factors that are more difficult for hackers to imitate or to crack with brute force methods.

## MFA for Office 365

Many cloud-based systems provide their own MFA offerings, like AWS or Microsoft’s Office 365 product. Office 365 by default uses Azure Active Directory (AD) as its authentication system. And there are a few limitations. For example, you only have four basic options when it comes to what type of additional authentication factor users can use: Microsoft Authenticator, SMS, voice and OAuth token. You also might have to spend more on licensing depending on the types of options you want available and whether or not you want to control exactly which users will need to use MFA. Identity as a Service (IDaaS) solutions like OneLogin offer many more MFA authentication methods when it comes to authentication factors, and they integrate more easily with applications outside of the Microsoft ecosystem.


MFA Checklist

It’s critical that your Multi-Factor Authentication (MFA) solution meets the basic requirements for secure identity and access management (IAM) solutions in a hybrid environment. Digital transformation today relies on a Unified Access Management (UAM) platform that includes at least basic MFA. Use the checklist below to make sure that your MFA solution offers the protection your company needs.

#### User Community Support

Does the MFA solution support all the user communities that access your sensitive data?

- Workforce (employees and contractors)
- Partners/Vendors
- Customers

#### Application Integration

Does the MFA solution work with the cloud and on-premises apps that are critical to your organization?

- Integration with cloud applications
- Integration with on-premises applications
- Integration with Human Resource Management Systems (HRMS), such as Workday or SuccessFactors
- Directory integration, such as Active Directory or LDAP

#### Enterprise Access

Does the MFA solution support the network access systems your organization uses or might use?

- VPN access
- Wi-Fi access
- SSH/RDP access
- RADIUS integration

#### Authentication Methods

Does the MFA solution support the authentication tools that your organization uses?

- Native mobile OTP authenticator (push-based)
- Offline time-based verification codes (TOTP)
- Hardware tokens, such as Yubico YubiKey
- X.509–based certificates
- Legacy authentication methods, such as SMS, security questions, or email

#### Flexible Authentication Policies

Does the MFA solution enable flexible and sophisticated authentication policies at a granular level?

- Granular policies for different identities, apps, devices, and contexts
- Allows for definition of different policies for various identity communities or applications
- Customizable authentication flow
- Risk-based decisions

#### Developer Support

Does the MFA solution provide APIs and support for integration with your custom applications and third-party systems?

- MFA registration and life-cycle management APIs
- SDK for major platforms and languages

#### Open Standards Support

Does the MFA solution support these popular, modern standards for secure connections to web applications?

- SAML
- OpenID Connect
- OAuth2

#### Reporting

Does the MFA solution provide reports that enable you to meet compliance requirements and enhance your security based on threat data?

- Ability to externalize authorization events to third-party SIEM solutions
- Out-of-the-box reports and audit trails
- Ability to effect system change based on authorization events
- Real-time information about access attempts

### Advanced Requirements

Although any MFA solution should meet basic requirements, organizations making a successful digital transformation usually choose solutions that meet advanced requirements. MFA is evolving quickly. An advanced MFA solution ensures, from the start, that you aren’t behind the curve.

#### Behavioral Analytics

Does the MFA solution use behavioral analytics to intelligently adapt, and does it require different authentication factors?

- Familiarity signals
- Attack signals
- Anomalies (user behavior and context signals)
- Continuous authentication

#### Device Trust

Does the MFA solution take into account information about the device being used for authentication?

- Device health, including version, tampered, lock, encryption, browser plug-in, and more
- Device reputation
- X.509–based certificates
- Integration with mobile device management (MDM)

#### Users and devices

Does the MFA solution support user access via multiple devices, and does it account for different types of users and user roles?

- Support for multiple devices
- Support for different user communities, such as employees, contractors, partners, IT administrators, and customers

#### General considerations

Can you integrate the MFA solution with your custom apps and in your organization without having to replace or significantly modify existing solutions?

- Enables integration into your custom apps via an API
- Enables incorporation of MFA without the need to rip and replace other solutions

