Identity & Access Management 101

The IAM 101 area provides free information about a variety of topics relevant to security, identity and access management, single sign-on, multi-factor authentication, provisioning, and other technologies that help businesses provide users with secure access to the applications and systems they need. We update the IAM 101 area regularly with new content, so be sure to bookmark this page.


Authentication vs. Authorization

Authentication and authorization are two vital information security processes that administrators use to protect systems and information. _Authentication_ verifies the identity of a user or service, and _authorization_ determines their access rights. Although the two terms sound alike, they play separate but equally essential roles in securing applications and data. Understanding the difference is crucial: together they determine the security of a system, and a solution is not secure unless both are configured correctly.

## What is authentication (AuthN)?

Authentication (AuthN) is the process of verifying that someone or something is who they claim to be. Technology systems typically use some form of authentication to secure access to an application or its data. For example, when you access an online site or service, you usually enter a username and password. Behind the scenes, the service compares the password you entered with the record it holds for that username (in a well-built system, a salted hash of the password rather than the password itself). If they match, the system treats you as a valid user and grants you access. Authentication in this example presumes that only you know the correct password; the system therefore authenticates you on the basis of something only you would know.

### What is the purpose of authentication?

The purpose of authentication is to verify that someone or something is who or what they claim to be. Authentication takes many forms outside computing: the art world has processes and institutions that confirm a painting or sculpture is the work of a particular artist, and governments use authentication techniques to protect their currency from counterfeiting. Authentication typically protects items of value, and in the information age it protects systems and data.

### What is identity authentication?
Identity authentication is the process of verifying the identity of a user or service. Based on that verified identity, the system then grants the appropriate access. For example, say two people work in a coffee shop, Lucia and Rahul. Lucia is the manager and Rahul is the barista. The coffee shop uses a Point of Sale (POS) system where waiters and baristas place orders for preparation. The POS verifies Lucia's or Rahul's identity before allowing them into the system: it may ask for a username and password, or they may need to scan a thumb on a fingerprint reader. Because the coffee shop needs to secure access to its POS, employees must prove their identity through an authentication process.

### Common types of authentication

Systems can use several mechanisms to authenticate a user. Authentication factors fall into three categories:

- something you know
- something you have
- something you are

Passwords and security questions are authentication factors in the something-you-know category. The system assumes that only you know your password or the answers to a particular set of security questions, and grants access on that basis.

Another common type of authentication factor uses something you have. Physical devices such as USB security tokens and mobile phones fall under this category. For example, when a system sends you a [One-Time Password (OTP)](https://www.onelogin.com/learn/otp-totp-hotp) via SMS or an authenticator app, it is relying on the code reaching a device that only you possess. (SMS is the weakest delivery channel for this factor, since a phone number can be hijacked, for example by SIM swapping; an authenticator app or a hardware key is preferable.)

The last type of authentication factor uses something you are. [Biometric authentication](https://www.onelogin.com/learn/biometric-authentication) mechanisms fall under this category.
Because physical characteristics such as fingerprints are unique to an individual, they make a convenient and hard-to-share authentication factor. Unlike a password, however, a biometric cannot be changed if a copy of it leaks, so it is normally combined with another factor rather than relied on alone.

## What is authorization (AuthZ)?

Authorization is the security process that determines a user's or service's level of access. In technology, we use authorization to give users or services permission to access particular data or perform a particular action. Returning to the coffee shop, Rahul and Lucia have different roles. As a barista, Rahul may only place and view orders. Lucia, as manager, may also view the daily sales totals. Because the two have different jobs, the system uses each verified identity to assign individual permissions. Note the difference here between authentication and authorization: authentication verifies the user (Lucia) before allowing her in, and authorization determines what she can do once the system has granted access (view sales information).

### Common types of authorization

Authorization systems take many forms in a typical technology environment. Access Control Lists (ACLs), for example, determine which users or services may access a particular resource by enforcing allow or deny rules for each identity or group. On most systems there are ordinary users and super users or administrators. If an ordinary user tries to change a setting that affects the system's security, the ACL denies the change; an administrator is authorized to make security changes, so the ACL allows it.

Another common form of authorization is control over access to data. In any enterprise environment you typically have data with different levels of sensitivity.
For example, you may have public data published on the company's website, internal data accessible only to employees, and confidential data that only a handful of individuals can access. Authorization determines which users can reach each class of information.

## The difference between authentication and authorization

As mentioned, authentication and authorization may sound alike, but each plays a different role in securing systems and data. People often use the terms interchangeably because both concern system access, but they are distinct processes. Simply put, one verifies the identity of a user or service before granting access, and the other determines what they can do once they have it.

A simple example illustrates the difference. Say you visit a friend's home. You knock, your friend opens the door and recognizes you (authentication). Having authenticated you, she is comfortable letting you in. Based on your relationship, however, there are things you may do and things you may not (authorization): you may go into the kitchen, but not into her private office. You are authorized to enter the kitchen; access to the office is prohibited.

## What are the similarities between authorization and authentication?

Authentication and authorization are similar in that both are parts of the same underlying process of providing access, which is why the two are so often confused, helped along by the shared "auth" abbreviation. Both also rely on identity: one verifies an identity before granting access, and the other uses that verified identity to control access.
## Authentication and authorization in cloud computing

Security is a vital component of any cloud computing solution. Because cloud services run many customers on shared infrastructure, they must separate and protect each customer's systems and data, and they use authentication and authorization to do so. Without the two, the economies of scale of the shared-resource model would not be possible. When a user tries to access a cloud service, the platform prompts for some form of authentication, such as a username and password or another identity verification factor like approving a push notification in an app. Once the user authenticates, the platform uses authorization to ensure the user reaches only their own systems and data.

## Which comes first, authentication or authorization?

Authentication and authorization both rely on identity. Since you cannot authorize a user or service before identifying them, authentication always comes before authorization. The coffee shop illustrates this again: baristas can only create and view orders, while managers can also view daily sales data. If the POS cannot identify which user is accessing the system, it cannot grant the correct level of access. Authentication supplies the verified identity that authorization needs to control access. When Rahul or Lucia sign in, the application knows who has signed in and which role to apply to that identity.

## Access control vs. authentication?

People often use the terms access control and authorization interchangeably.
The two are closely related but not the same: authorization defines the policy, that is, what a user or service may access, and access control is the mechanism that enforces that policy at the point of access by granting or denying each request. Comparing authentication with access control, the earlier comparison still applies: authentication verifies the user's identity, and access control uses that identity to grant or deny access.
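The coffee-shop scenario above, carried through in code as an added example (this is not code from the original page or any OneLogin product). It shows the ordering the article insists on: the POS first authenticates the caller by verifying a salted PBKDF2 password hash in constant time, and only a verified identity reaches the authorization check that compares the user's role against a permission. The user records, roles, permissions and passwords are constructed for illustration.

```python
"""Authentication first, then authorization, for the coffee-shop POS example.

Added example; not code from the original page. The users, roles and
permissions are constructed for illustration. Passwords are stored as salted
PBKDF2 hashes, never in clear text.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 600_000  # current OWASP guidance for PBKDF2-HMAC-SHA256

# Authorization policy (constructed): which POS actions each role may perform.
ROLE_PERMISSIONS = {
    "barista": {"order:create", "order:view"},
    "manager": {"order:create", "order:view", "sales:view"},
}


@dataclass
class User:
    username: str
    role: str
    salt: bytes
    pw_hash: bytes


class AuthError(Exception):
    """Authentication failed: unknown user or wrong password."""


class PermissionDenied(Exception):
    """Authorization failed: the verified user lacks the permission."""


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register(directory: dict, username: str, password: str, role: str) -> None:
    """Store a per-user salt and the derived hash; the password itself is discarded."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    salt = os.urandom(16)
    directory[username] = User(username, role, salt, _hash_password(password, salt))


def authenticate(directory: dict, username: str, password: str) -> User:
    """AuthN: prove the caller knows the password registered for this username."""
    user = directory.get(username)
    if user is None:
        # Do the same work for an unknown user so timing does not reveal valid usernames.
        _hash_password(password, b"\x00" * 16)
        raise AuthError("invalid username or password")
    if not hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash):
        raise AuthError("invalid username or password")
    return user


def authorize(user: User, permission: str) -> None:
    """AuthZ: check that the verified identity's role grants the permission."""
    if permission not in ROLE_PERMISSIONS.get(user.role, set()):
        raise PermissionDenied(f"{user.username} ({user.role}) may not {permission}")


def view_sales_totals(directory: dict, username: str, password: str) -> str:
    """Authentication always runs first; only a verified identity reaches authorization."""
    user = authenticate(directory, username, password)   # who are you?
    authorize(user, "sales:view")                         # what may you do?
    return f"daily sales totals shown to {user.username}"


def demo() -> dict:
    """Lucia (manager) succeeds; Rahul (barista) fails authorization; a wrong password
    fails authentication and never reaches the authorization step."""
    directory: dict = {}
    register(directory, "lucia", "correct horse battery staple", "manager")
    register(directory, "rahul", "flat-white-2024", "barista")
    outcome = {"lucia": view_sales_totals(directory, "lucia", "correct horse battery staple")}
    try:
        view_sales_totals(directory, "rahul", "flat-white-2024")
    except PermissionDenied as exc:
        outcome["rahul"] = f"authz denied: {exc}"
    try:
        view_sales_totals(directory, "lucia", "wrong password")
    except AuthError as exc:
        outcome["lucia_bad_password"] = f"authn failed: {exc}"
    return outcome


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two details matter here: the authentication error message is the same for an unknown username and a wrong password (and the same hashing work is done in both cases), so an attacker cannot enumerate valid accounts, and the authorization failure carries the identity and role because by that point the caller has already been verified.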


What is CIAM?

## What is Customer Identity & Access Management (CIAM)?

Customer Identity and Access Management (CIAM) is a type of identity and access management (IAM) that integrates authentication and authorization into customer-facing applications. CIAM does three main things:

1. Improves customer registration and login experiences while reducing the risk of account takeover (a rampant problem in the consumer space because of password reuse).
2. Offers customized and branded experiences for consumers, businesses, and enterprise customers.
3. Provides a scalable solution that can support hundreds of millions of customers.

## CIAM Key Benefits

Customer identity management is an important security measure for businesses of all sizes. Breaches get expensive very quickly, often making a substantial impact on the bottom line. According to IBM Security's Cost of a Data Breach report, 80% of breached organizations reported that customer PII was compromised, at an average cost of $150 per compromised record. CIAM solutions integrate with the systems that handle common customer tasks such as account self-management, bill paying, order tracking, and returns, reducing the risks associated with poor password hygiene.

Key benefits of CIAM include:

- Identity and Access Management: IAM solutions securely manage digital identities and their access to applications and systems. They manage people as well as other kinds of identities, such as software (apps or programs) and hardware (such as IoT devices).
- Customer data protection (MFA and Adaptive Authentication): Consumers are notorious for reusing passwords across the dozens of services they use online. Advanced CIAM solutions back those passwords with adaptive multi-factor authentication (MFA), which weighs contextual factors like location, time of day, and device and steps up the authentication requirements for high-risk login attempts.
- Seamless and trusted digital customer experiences: Many companies have multiple web applications and portals, each with its own identity store, so users must authenticate again every time they switch applications. Integrating all digital channels with a single CIAM solution gives users one point of entry for every application.
- Quick migration of users without interrupting the user experience: A CIAM solution should work with your existing systems to migrate customers quickly without affecting their experience.
- Customization with flexible APIs: Developers want a seamless customer experience for securing access to digital resources. APIs provide the flexibility to customize authentication requirements throughout the development lifecycle.
- Multichannel support (mobile, laptop, game consoles, etc.): The best solutions offer entry points across all devices, making it as easy as possible for customers to access the tools they need.
- Account self-service: A CIAM solution should let users solve their own problems through a self-service platform for resetting passwords and completing authentication flows without involving an IT professional.
- Application lifecycle management: Businesses at any stage may be developing and deploying products managed across a number of platforms. A comprehensive CIAM solution helps manage that process.
- Compliance with security and privacy standards like HIPAA and ISO: The ability to integrate additional security measures that apply to particular sectors, such as healthcare, or to international organizations.
- Customer analytics: Comprehensive reporting on customer behavior supports key business decisions.
Using customer analytics as a reference point, businesses can increase conversions, improve retention, and support upselling and cross-selling messaging.
- Scalability and high availability: A good enterprise solution must support a high volume of users with as little delay and downtime as possible.

## CIAM vs IAM

CIAM and IAM requirements are similar when it comes to scalability, security, and accessibility. Both must meet these three requirements to deliver a good user experience, whether for internal employees or external customers. CIAM, however, goes beyond the traditional IAM approach in the following ways:

| IAM | CIAM |
| --- | --- |
| Limited users (10 to 100,000) with less capability to handle spikes in traffic | A CIAM portal must support millions of users and handle rapid spikes in traffic (volume and frequency). Use of the portal is unpredictable, but there will be peak times, such as Black Friday, when many people access the system at once, and the CIAM solution must handle those peaks. |
| Single identity per user | Consumers can have multiple identities |
| Company registration | Self-registration |
| Closed system | Highly accessible system available on any device, with a consistent login experience wherever the end user is and whatever device they use |
| Internal authentication with strict security policies | CIAM must keep the barrier to entry low. Federated authentication through external providers such as social identity providers (e.g., Google, LinkedIn) reduces friction by letting the customer sign in without creating yet another password, while the provider carries the burden of securing the credential. |
| Employee access and profile data used for internal purposes | Customer data used to provide critical analytics around marketing, business decisions, security, and compliance |

## How Does CIAM Protect Customer Data?
Consumers have to remember a lot of passwords, whether for social media, online banking, or streaming services, and the number quickly adds up. Good CIAM vendors know that customer identity management matters for the security of both the individual and the company. As consumer services are breached around the world, attackers accumulate ever more user credentials, which are bought and sold online and replayed in large-scale credential stuffing attacks driven by extensive bot networks. Consumers who reuse passwords are at particular risk.

With CIAM, you can give the consumer the option to add a second authentication factor or sign in with a social identity, which provides stronger protection against account takeover. Customers get a customized, secure login portal with an authentication requirement. The portal is managed by the IT department, which keeps security software, checks, and protocols up to date behind the scenes.

In the past, companies gave customers only one way to sign in: username and password. Now that MFA is commonplace, applications often require two or more factors before granting access. So that adding MFA does not discourage users from creating accounts or slow down their experience, CIAM must be implemented in a way that keeps the barrier to entry low. Adaptive authentication uses risk scoring to decide whether MFA is required at the time of login. The risk score is a calculation of the risk level at login that determines whether the end user is granted access directly or must complete a second level of authentication. Location, time, and frequency are among the criteria used to determine the score.

## CIAM Solution Features

- Robust Security & Authentication
- Easy Migration & Administration
- Seamless User Experiences
- Reliability at Scale

## Does CIAM Improve Customer Retention and Sales?
According to Gartner, CIAM is an essential component of building solid customer trust; Gartner predicted that by 2020, companies implementing digitally trustworthy customer solutions would generate 20 percent more online profit than those that did not. With a Trusted Customer Experiences™ solution, companies can build a strong foundation for customer identity, trust, and loyalty while minimizing operating costs, maximizing revenue and retention, and optimizing the customer experience. SmartFactor Authentication™ minimizes friction by stepping up security when it is needed and not when it is not. CIAM helps you acquire more customers, create more customer interactions, and influence cross-sells, building the trust and loyalty that increase revenue and customer retention.

## CIAM Use Cases

Since the goal of CIAM solutions is to streamline the end user experience while maintaining robust security, the various use cases all serve those goals. The most common CIAM use cases are:

- Improve customer login experiences across multiple platforms and apps
- Offer easy identity resolution and password resets/retrievals
- Provide a unified and coherent customer experience
- Streamline a secure sign-in process that reduces abandonment rates
- Improve overall security by avoiding poor password hygiene
- Streamline user authentication
- Enable social login
- Offer scalable customer identity management
- Ease the process of migrating users off legacy systems


What is Privileged Access Management?

Privileged Access Management (PAM) refers to systems that securely manage the accounts of users who have elevated permissions to critical corporate resources. These may be human administrators, devices, applications, and other types of users. Privileged accounts are high-value targets for cyber criminals because their elevated permissions allow access to highly confidential information and administrative-level changes to mission-critical applications and systems. In the last year, 44 percent of data breaches involved privileged identities.[1] Privileged Access Management is also sometimes referred to as Privileged Account Management or Privileged Session Management (PSM); privileged session management is in fact one component of a good PAM system.

### Why is PAM important?

Privileged accounts exist everywhere, on-premises and in the cloud, and come in many types. They differ from other accounts in their elevated permissions, such as the ability to change settings for large groups of users, and often several people share access to one privileged account, at least temporarily. The root account on a Linux machine is one form of privileged account; the account owner (root user) of an Amazon Web Services (AWS) account is another; the corporate login for the official company Twitter profile is yet another.

Privileged accounts present a serious risk. Cyber criminals are more interested in stealing credentials for privileged accounts than for any other type, so these accounts are a challenge for IT departments. Traditionally, access to them has not been well managed, despite the damage a compromise can do. Common issues include many people using the same account with no clear history or accountability, and static passwords that are never changed. PAM solutions aim to address these risks.
### How do privileged access management systems work?

A PAM administrator uses the PAM portal to define how each privileged account is accessed across the organization's applications and resources. The credentials of privileged accounts (such as their passwords) are stored in a special-purpose, hardened password vault. The administrator also uses the portal to define policies on who may assume access to these accounts and under what conditions.

Privileged users log in through the PAM and request, or immediately assume, access to a privileged account. This access is logged and is temporary, granted only for the performance of specific tasks. The user is usually asked to provide a business justification for using the account, and sometimes manager approval is required as well. Often the user is never shown the actual password; instead the PAM brokers the session on their behalf. The PAM also ensures that passwords are changed frequently, often automatically, either at regular intervals or after each use. The administrator can monitor user activity through the portal and even manage live sessions in real time. Modern PAMs also use machine learning to identify anomalies and risk scoring to alert the administrator in real time to risky operations.

### What are the benefits of a PAM?

Increased security is the obvious benefit of implementing a PAM system, but it is not the only one. PAM helps:

**Protect against cyber criminals.** Privileged users such as administrators face the same challenges as other users in remembering multiple passwords, and have the same tendency to reuse one password across many accounts. Yet these users are also more likely to be targeted by cyber criminals.
A PAM system reduces the need for administrators to remember many passwords and prevents privileged users from creating local or direct system passwords. Session management and alerts help the superadmin identify potential attacks in real time.

**Protect against inside attacks.** A significant number of attacks come from bad actors inside the organization, or from employees who have left but were never fully de-provisioned and so retain access after departure.

**Greater productivity.** A PAM is a boon for privileged users: it lets them log in faster to the systems they need and relieves the cognitive burden of remembering many passwords. It also lets the superuser manage privileged access from one central location rather than a slew of different systems and applications.

**Ensure compliance.** Many regulations require granular management of privileged user access and the ability to audit it. You can restrict access to sensitive systems, require additional approvals, or require multi-factor authentication for privileged accounts. The auditing tools in PAM systems record activity and give you a clear audit trail. PAM helps organizations [comply](https://www.onelogin.com/blog/categories/security-and-compliance) with regulations and standards such as SOX, HIPAA, PCI DSS, GLBA, ISO 27002, ICS-CERT guidance, FDCC, and FISMA.

### How is PAM Different from Identity Access Management (IAM)?

Privileged access management is sometimes confused with Identity and Access Management (IAM). IAM focuses on authenticating and authorizing **all** types of users in an organization, often including employees, vendors, contractors, partners, and even customers. IAM manages general access to applications and resources, on-premises and in the cloud, and usually integrates with directory systems such as Microsoft Active Directory. PAM focuses on **privileged users**: administrators and others with elevated privileges in the organization.
PAM systems are specifically designed to manage and secure these users' access to critical resources. Organizations need both tools to protect against attacks. IAM covers the larger attack surface of access by the many users across the organization's ecosystem. PAM covers a smaller surface, but a high-value one that requires an additional set of controls normally not relevant, or even appropriate, for regular users (such as session recording).

### How can IAM improve PAM?

Integrating your PAM solution with your IAM solution has several benefits. Many customers do this because it reduces security risk, is required by auditors and compliance regulations, and improves the user experience. IAM lets you:

- Add Multi-Factor Authentication (MFA) and Adaptive Authentication in front of PAM access. This helps meet compliance requirements such as PCI DSS Requirement 8.3 (Requirement 8.4 in PCI DSS v4.0), which requires multi-factor authentication for administrative access.
- Ensure privileged access is terminated automatically when an employee leaves the organization. This too is often a compliance requirement, for example under PCI DSS. Not all PAM tools ensure it, and too often IT departments do not de-provision ex-employees quickly enough; when that employee held access to privileged accounts, it can spell disaster.
- Make administrators productive on day one. By connecting your IAM to the PAM, you can automatically provision administrators into the PAM and grant them appropriate access on their first day.
- Provide a single user experience. With your IAM as the front door to the PAM, privileged users reach the PAM from the same place they reach other corporate resources.

In conclusion, PAM has a critical role to play in securing your organization's resources and data.
The best identity management solutions involve a coordinated use of an IAM and a PAM system to ensure both security and usability.

[1] https://www.globalbankingandfinance.com/44-of-data-breaches-in-the-last-year-involved-privileged-identity-according-to-global-balabit-research-report/
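The check-out workflow described under "How do privileged access management systems work?" above, as an added example (this is not any vendor's code and not from the original article). A small broker keeps the target credentials in a vault the user never reads, enforces a per-account policy (allowed users, mandatory business justification, optional manager approval), hands out a time-limited lease, brokers the session, rotates the password on check-in, and records every allowed and denied action in an audit log. The account names, users, policies and the injectable clock are constructed for illustration.

```python
"""Credential check-out through a privileged access broker (added example, not a
vendor's implementation: vault, policy, justification, temporary lease, rotation
after use, audit trail; accounts, users, policies and clock are constructed)."""
import secrets
import time
from dataclasses import dataclass
from typing import NoReturn


@dataclass
class Policy:
    allowed_users: set
    require_approval: bool = False   # manager sign-off needed before check-out
    max_lease_seconds: int = 3600    # upper bound on how long access stays open


@dataclass
class Lease:
    lease_id: str
    user: str
    account: str
    expires_at: float


class PamVault:
    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be demonstrated
        self._secrets = {}     # account -> current password; never handed to users
        self._policies, self._leases = {}, {}
        self.audit = []        # every decision, allowed or denied, is recorded

    def onboard(self, account: str, policy: Policy) -> None:
        """PAM administrator registers an account; the vault owns its credential from day one."""
        self._policies[account] = policy
        self.rotate(account)

    def rotate(self, account: str) -> None:
        self._secrets[account] = secrets.token_urlsafe(24)
        self._log("rotate", account=account)

    def checkout(self, user, account, justification, approved_by=None, lease_seconds=None) -> Lease:
        policy = self._policies.get(account)
        if policy is None or user not in policy.allowed_users:
            self._deny("checkout_denied", user, account, "not permitted")
        if not justification.strip():
            self._deny("checkout_denied", user, account, "no business justification")
        if policy.require_approval and not approved_by:
            self._deny("checkout_denied", user, account, "approval required")
        ttl = min(lease_seconds or policy.max_lease_seconds, policy.max_lease_seconds)
        lease = Lease(secrets.token_hex(8), user, account, self._now() + ttl)
        self._leases[lease.lease_id] = lease
        self._log("checkout", user=user, account=account, lease=lease.lease_id,
                  justification=justification, approved_by=approved_by)
        return lease

    def open_session(self, lease: Lease) -> str:
        """The broker injects the credential; the user only ever holds a lease handle."""
        live = self._leases.get(lease.lease_id)
        if live is None or self._now() >= live.expires_at:
            self._deny("session_denied", lease.user, lease.account, "lease not valid")
        self._log("session_open", user=lease.user, account=lease.account, lease=lease.lease_id)
        # A real broker would open SSH/RDP here with self._secrets[lease.account].
        return f"session:{lease.account}:{lease.lease_id}"

    def checkin(self, lease: Lease) -> None:
        """End the lease and rotate the password so the credential just used cannot be reused."""
        self._leases.pop(lease.lease_id, None)
        self._log("checkin", user=lease.user, account=lease.account, lease=lease.lease_id)
        self.rotate(lease.account)

    def _deny(self, event: str, user: str, account: str, reason: str) -> NoReturn:
        self._log(event, user=user, account=account, reason=reason)
        raise PermissionError(f"{event}: {user} on {account}: {reason}")

    def _log(self, event, **fields):
        self.audit.append({"ts": self._now(), "event": event, **fields})


def _blocked(action) -> bool:
    """True if the broker refused the action."""
    try:
        action()
        return False
    except PermissionError:
        return True


def demo() -> dict:
    clock = [1_700_000_000.0]   # constructed, controllable time
    vault = PamVault(now=lambda: clock[0])
    vault.onboard("root@db-prod-01", Policy({"alice"}, require_approval=True, max_lease_seconds=900))
    vault.onboard("aws-org-owner", Policy({"alice", "bob"}))
    before = vault._secrets["root@db-prod-01"]
    lease = vault.checkout("alice", "root@db-prod-01", "INC-4471 restore backup", approved_by="carol")
    out = {"session": vault.open_session(lease)}
    vault.checkin(lease)
    out["rotated"] = vault._secrets["root@db-prod-01"] != before
    out["reuse_blocked"] = _blocked(lambda: vault.open_session(lease))          # lease already returned
    out["bob_blocked"] = _blocked(lambda: vault.checkout("bob", "root@db-prod-01", "just looking"))
    late = vault.checkout("bob", "aws-org-owner", "quarterly billing export")
    clock[0] += 3601            # the lease silently expires
    out["expired_blocked"] = _blocked(lambda: vault.open_session(late))
    out["events"] = [e["event"] for e in vault.audit]
    return out
```

Note what the audit trail contains: the denied check-out and the attempt to reuse a returned lease are recorded alongside the successful ones, which is exactly the accountability the article says shared static-password accounts lack.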


What is MFA?

Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or VPN. MFA is a core component of a strong [identity and access management (IAM)](https://www.onelogin.com/learn/iam) policy. Rather than asking only for a username and password, MFA requires one or more additional verification factors, which decreases the likelihood of a successful cyber attack.

## Why is MFA Important?

The main benefit of MFA is that it enhances your organization's security by requiring users to identify themselves with more than a username and password. Usernames and passwords are important, but they are vulnerable to [brute force attacks](https://www.onelogin.com/learn/mfa-types-of-cyber-attacks) and can be stolen by third parties. Enforcing an additional factor such as a fingerprint or a physical hardware key gives you more confidence that an attacker who obtains a password still cannot get in.

## How Does MFA work?

MFA works by requiring additional verification information (factors). One of the most common factors users encounter is the [one-time password (OTP)](https://www.onelogin.com/learn/otp-totp-hotp): the 4-8 digit codes you receive via email, SMS, or an authenticator app. With OTPs a new code is generated periodically or each time an authentication request is submitted. The code is derived from a seed value (a secret key) assigned to the user when they first register, combined with a moving factor: either a counter that is incremented on each use (HOTP) or the current time rounded to a fixed step (TOTP).
## Three Main Types of MFA Authentication Methods

Most MFA methods are based on one of three types of additional information:

- Things you know (knowledge), such as a password or PIN
- Things you have (possession), such as a badge or smartphone
- Things you are (inherence), such as a biometric like a fingerprint or voice recognition

## MFA Examples

Examples of multi-factor authentication include combinations of these elements:

Knowledge
- Answers to personal security questions
- Password
- OTPs (the code is something you know for a few seconds, but what is really being proved is possession of the device or account that received or generated it)

Possession
- OTPs generated by smartphone apps
- OTPs sent via text or email
- Access badges, USB devices, smart cards, fobs, or security keys
- Software tokens and certificates

Inherence
- Fingerprints, facial recognition, voice, retina or iris scanning, or other biometrics
- Behavioral analysis

## Other Types of Multi-Factor Authentication

As MFA integrates machine learning and artificial intelligence (AI), authentication methods become more sophisticated, including:

##### Location-based

Location-based MFA usually looks at a user's IP address and, where possible, their geolocation. This information can be used simply to block access when the location does not match an allowlist, or as an additional signal alongside other factors such as a password or OTP to confirm the user's identity.

##### Adaptive Authentication or Risk-based Authentication

Another subset of MFA is [Adaptive Authentication](https://www.onelogin.com/learn/what-why-adaptive-authentication), also referred to as Risk-based Authentication. Adaptive Authentication considers context and behavior at the time of authentication and uses these values to assign a level of risk to the login attempt.
For example:

- Where is the user when trying to access information?
- When are they trying to access company information: during normal hours or "off hours"?
- What kind of device is used? Is it the same one used yesterday?
- Is the connection via a private network or a public network?

The risk level is calculated from the answers and determines whether the user is prompted for an additional authentication factor or whether they are allowed to log in at all, which is why this type of authentication is also called risk-based authentication. With Adaptive Authentication in place, a user logging in from a cafe late at night, something they do not normally do, might be required to enter a code sent to their phone in addition to their username and password, whereas when they log in from the office every day at 9 am they are simply asked for their username and password.

Attackers never stop trying to steal credentials, and an effective, enforced MFA strategy is your first line of defense against them. An effective data security plan saves your organization time and money in the long run.

## What's the Difference between MFA and Two-Factor Authentication (2FA)?

MFA is often used interchangeably with two-factor authentication (2FA). 2FA is a subset of MFA: 2FA requires exactly two factors, while MFA can require two or more.

## What is MFA in Cloud Computing

With the advent of cloud computing, MFA has become even more necessary. As companies move their systems to the cloud, they can no longer rely on a user being physically on the same network as a system as a security factor. Additional security must be put in place to ensure that those accessing the systems are not bad actors.
As users are accessing these systems anytime and from anyplace MFA can help ensure that they are who they say they are by prompting for additional authentication factors that are more difficult for hackers to imitate or use brute force methods to crack. ## MFA for Office 365 Many cloud based systems provide their own MFA offerings like AWS or Microsoft’s Office 365 product. Office 365 by default uses Azure Active Directory (AD) as its authentication system. And there are a few limitations. For example, you only have four basic options when it comes to what type of additional authentication factor they can use: Microsoft Authenticator, SMS, Voice and Oauth Token. You also might have to spend more on licensing depending on the types of options you want available and whether or not you want to control exactly which users will need to use MFA. Identity as a Service (IDaaS) solutions like OneLogin offer many more MFA authentication methods when it comes to authentication factors and they integrate more easily with applications outside of the Microsoft ecosystem. .tabbullet { margin-left: 2em; }


RBAC vs ABAC: Make the Right Call

Role-based access control (RBAC) and attribute-based access control (ABAC) are the two most popular ways to implement access control. Knowing what separates the two methods can help you choose what’s right for your organization. RBAC grants or rejects access based on the requesting user’s role within a company. ABAC takes into account various pre-configured attributes or characteristics, which can be related to the user, the environment, and/or the accessed resource.

## But first – what’s access control?

Think of a company’s network and resources as a secure building. The only entry point is protected by a security guard, who verifies the identity of anyone and everyone entering the building. If someone fails to prove their identity, or if they don’t have the necessary rights to enter the building, they are sent away. In this analogy, the security guard is like an access control mechanism, which lays the foundation of a company’s security infrastructure.

It’s hard to overstate the need for access control. Every year data breaches cost companies [millions of dollars](https://www.statista.com/statistics/290525/cyber-crime-biggest-online-data-breaches-worldwide/), and a lot of these can be avoided by implementing better access control. In the following sections, let’s explore what RBAC and ABAC bring to the table and how they fare against each other.

## What is Role-Based Access Control (RBAC)?

In an RBAC system, people are assigned privileges and permissions based on their “roles.” These roles are defined by an administrator who categorizes people based on their departments, responsibilities, seniority levels, and/or geographical locations. For example, a chief technology officer may have exclusive access to all the company’s servers. A software engineer may only have access to a small subset of application servers. Remote employees may get assigned a special role, which only lets them access the server they are actively working on.

The levels of access may also differ based on roles. For example, a junior resource is only allowed to read information from a database; they can’t add or alter anything. However, a senior database developer has maximum privileges on all the databases.

The duration of access might also be different for different roles. E.g., a third-party contractor is assigned the outsider role, which grants them access to a server for x hours. On the other hand, an internal software developer may be allowed indefinite access to the same server.

It’s also possible for one user to be assigned multiple roles. For example, a software architect oversees different teams that are building different projects. They need access to all the files related to all these projects. To this end, the administrator assigns them multiple roles, each giving them access to the files of a particular project.

## Types of RBAC

The [NIST model for role-based access control](https://csrc.nist.gov/CSRC/media/Publications/conference-paper/2000/07/26/the-nist-model-for-role-based-access-control-towards-a-unified-/documents/sandhu-ferraiolo-kuhn-00.pdf) defines the following RBAC categories:

- **Flat RBAC:** Each employee is assigned at least one role, but some can have more than one. If someone wants access to a new file/resource/server, they need to first obtain a new role.
- **Hierarchical RBAC:** Roles are defined based on seniority levels. In addition to their own privileges, senior employees also possess those of their subordinates.
- **Constrained RBAC:** This model introduces separation of duties (SOD). SOD spreads the authority to perform a task across multiple users, reducing the risk of fraudulent and/or risky activities. E.g., if a developer wants to decommission a server, they need approval from not only their direct manager, but also the head of infrastructure. This gives the infrastructure head a chance to deny risky and/or unnecessary requests.
- **Symmetric RBAC:** All organizational roles are reviewed regularly. As a result of these reviews, privileges may get assigned or revoked, and roles may get added or removed.

## What is Attribute-based Access Control (ABAC)?

In an ABAC environment, when a user logs in, the system grants or rejects access based on different attributes. These attributes can be related to the:

- **User.** In ABAC terms, the requesting user is also known as the subject. User attributes can include designation, usual responsibilities, security clearance, department, and/or seniority levels. For example, let’s say Bob, a payroll analyst, tries to access the HR portal. The system checks his “department,” “designation,” and “responsibilities” attributes to determine that he should be allowed access. However, if Alice from the IT team tries to access the same portal, she won’t be allowed, because she doesn’t have the required attributes.
- **Accessed resource.** This can include the name and type of the resource (which can be a file, server, or application), its creator and owner, and its level of sensitivity. For example, Alice tries to access a shared file which contains the best practices for software development. Since the “sensitivity level” attribute for the file is low, Alice is allowed access to it, even though she doesn’t own it. However, if she tries to access a file from a project she doesn’t work on, the “file owner” and “sensitivity level” attributes will prevent her from doing so.
- **Action.** What is the user trying to do with the resource? Relevant attributes can include “write,” “read,” “copy,” “delete,” “update,” or “all.” For example, if Alice only has the “read” attribute set in her profile for a particular file, she will not be allowed to update the source code written in that file. However, someone with the “all” attribute set can do whatever they want.
- **Environment.** Some of the considered attributes are time of day, the location of the user and the resource, the user’s device and the device hosting the file. For example, Alice may be allowed to access a file in a “local” environment, but not when it’s hosted in a “client” environment.

## RBAC vs. ABAC: Pros and Cons

| RBAC Pros | RBAC Cons |
| --- | --- |
| Defining and implementing roles is much simpler and faster than assigning attributes to individuals. This is especially helpful for small-to-medium sized organizations. | To establish granular policies, administrators need to keep adding more roles. This can very easily lead to “role explosion,” which requires administrators to manage thousands of organizational roles. |
| Allows you to create access hierarchies, where managers automatically get all the permissions of their direct reports. | In the event of a role explosion, translating user requirements to roles can be a complicated task. |
| If role explosions can be avoided, costs associated with RBAC implementations are usually low. | |

| ABAC Pros | ABAC Cons |
| --- | --- |
| Define a granular access control policy. Administrators have the luxury of choosing from a large set of attributes, which helps them formulate highly specific rules. | Can be hard to implement, especially in time-constrained situations. |
| No need to modify existing rules to accommodate new users. All administrators need to do is assign relevant attributes to the new joiners. | Recovering from a bad ABAC implementation can be difficult and time-consuming. |
| When revoking or adding permissions, it’s much easier to modify attributes than to change or define new roles. | Implementing ABAC often requires more time, resources, and expensive tooling, which add to the overall cost. However, a successful ABAC implementation can be a future-proof, financially viable investment. |

## When to use RBAC or ABAC?

Even though ABAC is widely considered an evolved form of RBAC, it’s not always the right choice. Depending on your company’s size, budget, and security needs, you may choose one over the other.

## Choose ABAC if you:

- Have the time, resources, and budget for a proper ABAC implementation.
- Are in a large organization, which is constantly growing. ABAC enables scalability.
- Have a workforce that is geographically distributed. ABAC can help you add attributes based on location and time zone.
- Want as granular and flexible an access control policy as possible.
- Want to future-proof your access control policy. The world is evolving, and RBAC is slowly becoming a dated approach. ABAC gives you more control and flexibility over your security controls.

## Choose RBAC if you:

- Are in a small-to-medium sized organization.
- Have well-defined groups within your organization, and applying wide, role-based policies makes sense.
- Have limited time, resources, and/or budget to implement an access control policy.
- Don’t have too many external contributors and don’t expect to onboard a lot of new people.
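The two models above differ in where the decision logic lives: RBAC looks a permission up through the user's roles (including inherited ones), while ABAC evaluates rules over attributes of the subject, resource, action and environment. The following added example, which is not code from the article or from any product, puts both decision functions side by side using a constructed role table and constructed rules that mirror the Bob/Alice scenarios (the HR portal, the low-sensitivity best-practices file, the project file that is editable locally but not in a "client" environment). Resource types, attribute names and the sample users are all assumptions for the illustration.

```python
"""RBAC and ABAC decision functions side by side (added example, constructed data)."""

# ---------------- RBAC: permissions hang off roles ----------------
# Constructed role table: a permission is a (resource, action) pair.
ROLE_PERMISSIONS = {
    "junior_dev": {("app_db", "read")},
    "senior_dba": {("app_db", "read"), ("app_db", "write"), ("app_db", "admin")},
    "contractor": {("build_server", "read")},
    "hr_staff": {("hr_portal", "read"), ("hr_portal", "write")},
}
# Hierarchical RBAC: a senior role inherits everything its junior roles hold.
ROLE_PARENTS = {"senior_dba": {"junior_dev"}}


def effective_roles(roles):
    """Expand a user's roles with every role they inherit from."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLE_PARENTS.get(role, ()))
    return seen


def rbac_allowed(user_roles, resource, action):
    """Grant if any role (own or inherited) carries the permission."""
    return any((resource, action) in ROLE_PERMISSIONS.get(role, set())
               for role in effective_roles(user_roles))


# ---------------- ABAC: rules over subject/resource/action/environment ----------------
def hr_portal_rule(subject, resource, action, env):
    # Payroll and HR people may use the HR portal; nobody else.
    return resource["type"] == "hr_portal" and subject["department"] in {"HR", "Payroll"}


def shared_file_rule(subject, resource, action, env):
    # Low-sensitivity files are readable by anyone in the company.
    return (resource["type"] == "file" and resource["sensitivity"] == "low"
            and action == "read")


def project_file_rule(subject, resource, action, env):
    # Owners and project members may read a project file anywhere, but may only
    # change it where it is hosted locally; a copy in a client environment stays read-only.
    if resource["type"] != "file":
        return False
    in_project = subject["id"] == resource["owner"] or resource["project"] in subject["projects"]
    return in_project and (action == "read" or env["hosting"] == "local")


POLICIES = [hr_portal_rule, shared_file_rule, project_file_rule]


def abac_allowed(subject, resource, action, env):
    """Deny by default; grant if any rule matches the request."""
    return any(rule(subject, resource, action, env) for rule in POLICIES)


# Constructed subjects, resources and environments from the article's scenarios.
BOB = {"id": "bob", "department": "Payroll", "projects": set()}
ALICE = {"id": "alice", "department": "IT", "projects": {"billing"}}
HR_PORTAL = {"type": "hr_portal"}
BEST_PRACTICES = {"type": "file", "sensitivity": "low", "owner": "carol", "project": "eng"}
BILLING_SRC = {"type": "file", "sensitivity": "high", "owner": "dave", "project": "billing"}
OTHER_SRC = {"type": "file", "sensitivity": "high", "owner": "dave", "project": "analytics"}
LOCAL = {"hosting": "local"}
CLIENT = {"hosting": "client"}


if __name__ == "__main__":
    print("RBAC junior reads db:     ", rbac_allowed({"junior_dev"}, "app_db", "read"))
    print("RBAC junior writes db:    ", rbac_allowed({"junior_dev"}, "app_db", "write"))
    print("RBAC senior writes db:    ", rbac_allowed({"senior_dba"}, "app_db", "write"))
    print("ABAC Bob -> HR portal:    ", abac_allowed(BOB, HR_PORTAL, "read", LOCAL))
    print("ABAC Alice -> HR portal:  ", abac_allowed(ALICE, HR_PORTAL, "read", LOCAL))
    print("ABAC Alice reads shared:  ", abac_allowed(ALICE, BEST_PRACTICES, "read", LOCAL))
    print("ABAC Alice edits (local): ", abac_allowed(ALICE, BILLING_SRC, "update", LOCAL))
    print("ABAC Alice edits (client):", abac_allowed(ALICE, BILLING_SRC, "update", CLIENT))
    print("ABAC Alice reads other:   ", abac_allowed(ALICE, OTHER_SRC, "read", LOCAL))
```

Note how the "role explosion" problem shows up in the RBAC half: expressing "editable locally but read-only on a client host" would need a new role per project and hosting combination, whereas the ABAC half captures it in one rule. Conversely, the ABAC rules are only as correct as every attribute they depend on, which is the maintenance cost the pros-and-cons table warns about.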


What is the Principle of Least Privilege?

## What is PoLP?

The principle of least privilege (PoLP), also known as the principle of minimal privilege or the principle of least authority, is an information security concept. It states that any user, device, workload, or process should only have the bare minimum privileges it needs to perform its intended function.

The word _privilege_ in this context refers to system rights or data access. For instance, it determines which users can access a particular file or which devices can access a specific network. It is also used to define what users can do on a system. For example, some users may only be able to execute particular functions, while others may be able to do more, such as restart the application or apply updates.

Information security practice typically categorizes accounts as either privileged or non-privileged. Privileged accounts can refer to user accounts or system accounts with greater access to system functions or stored data. For example, a system administrator that can apply updates, add users, and restart an application is a privileged account. Similarly, an application's service account that can access confidential information in a database, such as customer credit card details, is another example of a privileged account.

## Benefits of Least Privilege Access for security & productivity

The primary objective of the principle of least privilege is to enhance the security of an application, network, or technology environment. As threat actors follow the path of least resistance when trying to obtain unauthorized access to a system, PoLP fortifies systems by reducing the number of potential access points. Similarly, it protects an organization from downtime or data breaches due to user error. The following analogy illustrates the principle of least privilege in both scenarios.

Consider a bank with general staff and a bank manager. Applying the principle of least privilege, the manager needs access to the safe. However, the other staff members do not. As a result, the manager is the only individual with the keys. If a bank robber enters a bank where everyone has access to the safe, robbing that bank would be far easier than another bank where only the manager has the keys. Similarly, if every staff member has keys to the safe, the likelihood of them falling into the wrong hands increases exponentially.

As illustrated in the analogy, the principle of least privilege reduces the potential attack surface. The same rule applies to information security. The fewer people with privileged access to a system or data, the less risk to the system from an attack or user error. In addition to reducing the attack surface, PoLP limits the potential damage and improves the management and maintainability of a technology environment. For instance, it provides data security and audit capabilities, improving compliance and reporting.

## Additional PoLP concepts and terms

Managing the information security of an environment by implementing the principle of least privilege is not an event but a process. As a result, system administrators need to monitor their environment and continuously ensure that PoLP is enforced in the strictest possible terms. The following terms and concepts relate to PoLP and define particular scenarios that relate to the implementation of an effective PoLP strategy.

- **Privilege creep:** Privilege creep is the gradual accumulation of access rights. In many instances, the additional access rights are beyond what the users need to perform their duties. Privilege creep often occurs when individuals move departments within an organization. For instance, a user transferred from Finance to HR is given access to the HR system, but their access to finance is not revoked. As a result, the principle of least privilege is not being applied correctly, as the user no longer needs access to finance to do their job.
- **Privilege bracketing:** Privilege bracketing is an information security concept where a standard user is provided with elevated privileges for a brief moment. An excellent example of this is the `sudo` command in Linux or the User Account Control (UAC) function in Windows. In both instances, when a user wants to install software or run a command that needs access to secure areas of the operating system, they are prompted to enter an administrative username and password. Once the privileged execution completes, the user no longer has elevated access.
- **Privilege separation:** The concept of privilege separation refers to a technique where the functionality of a system is divided into separate parts. The system then assigns access to each part to a different set of privileged users. For example, in many banking systems some users can load payments and other users can release them. The users that can load payments do not have release privileges. Likewise, the users that can release payments do not have the privileges to load them. This segregation of duties reduces the risk of fraud or embezzlement, as two separate individuals are needed to make one payment.
- **Privilege escalation:** Privilege escalation is a form of cyberattack where an attacker gains unauthorized access to elevated rights or privileges. For instance, an application error may provide a regular user with access to administrative functions. Another example of privilege escalation is an external attacker exploiting a known system vulnerability to execute commands as administrator.

## Zero Trust and PoLP

[Zero Trust](https://www.onelogin.com/learn/zero-trust) is an information security concept that states that an organization should deem any activity in its technology environment as untrusted. The model places data at its core and considers any workload, user, device, or network interacting with it as suspicious. Taking this prudent approach, the model states that organizations should authenticate and authorize every action and segment their environments. Finally, Zero Trust recommends that all data, whether in transit or at rest, should be protected with encryption.

The principle of least privilege aligns with the concept of Zero Trust. However, the two are distinct concepts. You can implement PoLP without Zero Trust. For instance, you could limit access to a system or data based on user roles and not implement network segmentation or encryption. Conversely, it would be impossible to implement Zero Trust without enforcing the principle of least privilege. As the model deems any action as untrusted, logic dictates that you must limit access to systems or data. Furthermore, administrators should only grant access to users, devices, networks, or workloads that need it to perform an authorized function.

## PAM vs PoLP

[Privileged Access Management (PAM)](https://www.onelogin.com/learn/privileged-access-management) is an information security mechanism that safeguards identities with special access or capabilities beyond regular users. It deals with the security processes and technologies required to protect privileged accounts. A PAM solution enables and enforces the principle of least privilege. However, implementing a Privileged Access Management solution does not mean you have implemented PoLP. It is only one of the components of an overarching PoLP strategy. While PAM provides administrators with the functionality, automation, and reporting they need to manage privileged accounts, it does not limit access to systems and data. You would need to use other technologies or built-in system capabilities to restrict access.

## Just-in-time Privileged Access and PoLP

_Just-in-time access_ is a concept that stems from [Identity and Access Management (IAM)](https://www.onelogin.com/learn/iam). Its approach is to reduce the risk of 'standing privileges.' For instance, when an organization grants a user administrator access, it gives the individual elevated rights to systems and data. Typically, it statically assigns those elevated rights, which then remain in perpetuity. Just-in-time access is a solution that grants a user elevated privileges when they need to perform an administrative function and then automatically removes them once the individual completes the action. The concept of Just-in-time aligns with privilege bracketing. It is dependent on PoLP, as you cannot implement Just-in-time if you do not have the principle of least privilege in place.

## PoLP example

To illustrate the principle of least privilege further, let's use another analogy. In this example, we will use the scenario of a passenger aircraft. On the aircraft, there are passengers and crew. As the flight crew needs to manage the plane's functions, including flying it from point A to point B, they have the elevated privileges required to perform their duties. For instance, the captain and pilot can access the flight controls, but the flight attendants and passengers cannot. Likewise, the flight attendants have access to the galley to prepare meals and beverages, while the passengers are confined to the cabin. This scenario illustrates the implementation of an effective PoLP strategy. It defines and restricts each individual’s role on the aircraft, limiting them to the areas and capabilities each one needs to perform their duties.

## Strategies/best practices for implementation

The principle of least privilege is a concept that is only as effective as its implementation. Therefore, organizations should consider the following best practices:

- **Conduct an audit:** Before implementing PoLP, understanding the current level of access across all your systems is vital. Conducting a privilege audit can help you identify users with privileged access and whether they need it to perform their duties.
- **Enforce the separation of privileges:** Enforcing the separation of privileges will allow you to tighten security controls and identify areas where restricted access is required.
- **Start all accounts with the least privilege:** Create all new accounts with no privileges and only add them when needed. Avoid privilege creep by removing access when users change job roles.
- **Leverage Just-in-time privileges:** Leverage Just-in-time privilege solutions to strengthen the security of your technology environment. There are very few instances where an administrator will need perpetual access.
- **Audit access:** Once you have implemented the principle of least privilege, it is vital that you continuously monitor your technology environment. Where possible, enable auditing so that you can trace individual accounts.
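Two of the practices above (just-in-time privileges and auditing) and the privilege-creep scenario earlier in the article can be shown in one small model. The added example below is not code from the article, from OneLogin or from any PAM product: it keeps a constructed table of what each job role needs, lets a privilege be granted either standing or with a time-to-live, sweeps expired grants automatically, writes every grant/revoke/expiry to an audit log, and reports standing privileges that exceed the holder's role (the Finance-to-HR transfer from the text). Role names, privilege names, users and timestamps are all constructed.

```python
"""Time-bounded (just-in-time) privileges and a privilege-creep audit (added example)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed baseline: what each job role legitimately needs (standing access).
ROLE_NEEDS = {
    "finance_analyst": {"finance_ledger"},
    "hr_analyst": {"hr_system"},
    "sysadmin": set(),   # day-to-day work needs nothing privileged; root is JIT only
}


@dataclass
class Grant:
    privilege: str
    expires_at: Optional[int]   # epoch seconds; None means a standing privilege


@dataclass
class Account:
    name: str
    role: str
    grants: list = field(default_factory=list)


class PrivilegeStore:
    def __init__(self):
        self.accounts = {}
        self.audit_log = []   # (timestamp, event, account, privilege)

    def add_account(self, name, role):
        self.accounts[name] = Account(name, role)

    def grant(self, name, privilege, now, ttl_seconds=None):
        """Grant a privilege; with a TTL it is just-in-time and self-revoking."""
        expires = None if ttl_seconds is None else now + ttl_seconds
        self.accounts[name].grants.append(Grant(privilege, expires))
        self.audit_log.append((now, "grant", name, privilege))

    def revoke(self, name, privilege, now):
        acct = self.accounts[name]
        acct.grants = [g for g in acct.grants if g.privilege != privilege]
        self.audit_log.append((now, "revoke", name, privilege))

    def _sweep(self, name, now):
        """Drop expired JIT grants, logging each expiry once."""
        acct = self.accounts[name]
        keep = []
        for g in acct.grants:
            if g.expires_at is not None and g.expires_at <= now:
                self.audit_log.append((now, "expire", name, g.privilege))
            else:
                keep.append(g)
        acct.grants = keep

    def has(self, name, privilege, now):
        """Authorization check used at the moment of access."""
        self._sweep(name, now)
        return any(g.privilege == privilege for g in self.accounts[name].grants)

    def audit_creep(self, now):
        """Report standing privileges beyond what each account's role needs."""
        findings = {}
        for name, acct in self.accounts.items():
            self._sweep(name, now)
            standing = {g.privilege for g in acct.grants if g.expires_at is None}
            extra = standing - ROLE_NEEDS.get(acct.role, set())
            if extra:
                findings[name] = extra
        return findings


def demo():
    store = PrivilegeStore()
    t0 = 1_700_000_000   # constructed epoch timestamp
    # Dana moves from Finance to HR: HR access is added, Finance access is never revoked.
    store.add_account("dana", "finance_analyst")
    store.grant("dana", "finance_ledger", t0)
    store.accounts["dana"].role = "hr_analyst"
    store.grant("dana", "hr_system", t0 + 60)
    # Eve gets root for one hour to apply updates, instead of a standing grant.
    store.add_account("eve", "sysadmin")
    store.grant("eve", "root", t0, ttl_seconds=3600)
    return {
        "creep": store.audit_creep(t0 + 120),
        "eve_during_window": store.has("eve", "root", t0 + 1800),
        "eve_after_window": store.has("eve", "root", t0 + 7200),
        "events": [event for _, event, _, _ in store.audit_log],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` flags Dana's leftover `finance_ledger` access as creep, shows Eve's root grant valid inside the hour and gone afterwards, and leaves a `grant`/`expire` trail in the audit log that a reviewer can trace per account, which is the "Audit access" practice in operation.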


What is Serverless Computing?

Find out the pros and cons, how it works, and how secure it is.


U2F and Adaptive MFA

Universal Second Factor, or U2F, is an authentication standard that simplifies [multi-factor authentication (MFA)](https://www.onelogin.com/learn/what-is-mfa) by using physical devices as part of the user authentication workflow. After a user enters their login credentials, they simply press or tap a small device inserted in their computer’s USB port, which acts as their second factor. It’s convenient: no driver installation required, just a supported browser. It’s also secure. U2F prevents attacks like keylogging, phishing, and man-in-the-middle.

## Where did U2F come from?

U2F was created and released by the [FIDO Alliance](https://fidoalliance.org/), in an attempt to provide a safe and easy way for internet users to log in. Google was a cofounder of the U2F group inside FIDO and now supports adding U2F as a second factor. A new set of specifications built on top of U2F, [FIDO2](https://fidoalliance.org/fido2/), was also recently released by the FIDO Alliance.

## Who supports U2F?

Many prominent websites and applications support U2F, including, but not limited to: Facebook, Bitbucket, GitHub, Gmail, and YouTube. When it comes to browsers, the following currently provide U2F support:

- Google Chrome, version 38 and above
- Mozilla Firefox, version 57 and above
- Opera, version 40 and above
- Safari, on OS version 13.5.1 and above

On iOS devices, U2F can be used via Safari, whereas on Android devices, U2F support is offered by both Google Chrome and the default Android browser.

## How do you use U2F?

The portable U2F hardware can take the form of a USB, a Bluetooth-LE, or a Near-field communication device. These devices can be used to securely log in to any website on the internet that supports the U2F protocol. Here’s how a typical two-factor authentication with U2F works:

1. The user visits a website (www.example.com), also known as the origin, that supports U2F. They open an account on the website and register their U2F device with it.
2. The device creates a pair of keys: a public key and a private key. It securely stores the private key itself and asks the website to associate the public key with the user account. This unique key pair can only be used to log in at www.example.com.
3. After the user enters their login credentials at www.example.com, the website generates a unique challenge, using the user’s public key. The challenge can only be solved using the private key stored within the U2F device.
4. Upon receiving the challenge, the U2F device signs it, using the private key for www.example.com, and sends it back to the website.
5. The website verifies the unique signature, and allows the user to log in.

Remember, this five-step process may appear complicated, but it all happens behind the scenes. As far as the end user is concerned, they just have to insert the U2F device and press a button (or tap).

![U2F vs adaptive MFA](/assets/img/learn/u2f-amfa.svg)

The same U2F device can be used to register at different sites on the internet. Think of a U2F device as your personal, virtual keychain. This allows you to seamlessly and securely log in to your favorite websites.

## Can U2F be hacked?

No authentication mechanism is categorically impervious to hacking. With that said, thus far, no breaches or vulnerabilities have been reported in the U2F protocol. By design, it protects against phishing attacks. Even if a user is tricked into thinking that a fake website is real, the authentication will fail because of the public-private key mismatch.

U2F is also very good at detecting man-in-the-middle (MITM) attacks. Let’s suppose someone tries to intermediate the communication between a website and a user during the authentication process. As soon as the man-in-the-middle interferes, the U2F device will stop responding, because it will notice that the origin of the challenge is different from the registered one.

## What is adaptive multi-factor authentication (AMFA)?

Not all authentication requests are created equal. _Adaptive multi-factor authentication_ uses the context of a login attempt to determine in real time which authentication rules and policies to apply. AMFA uses various factors like consecutive login failures, level of requested access, IP address, location, device IDs, and time to tailor a user’s login experience. MFA is only invoked when a user is determined to be high risk: for instance, after multiple incorrect login attempts, when the request originates from a device not officially registered, or on a login request for a server with sensitive data after office hours.

By using adaptive multi-factor authentication, companies can:

- create a much-needed balance between _user experience_ and _strong security_
- make it easy for trusted, low-risk people to log in
- make it incredibly hard for potential intruders

## How is AMFA different from MFA?

MFA protects against password-related breaches by adding another layer of security. However, making end users enroll for multi-factor authentication can sometimes be hard. And it makes sense. Waiting for and then entering a one-time password (OTP) can be a nuisance for people, especially if they have to do it multiple times a day. Users just want to browse their social media feed, read an article, or stream a TV show; they don’t see a point in adding a second authentication factor for these seemingly trivial activities. Sure, you can make MFA compulsory, but that will (often) come at the cost of customer unhappiness. Creating a fine balance between security and user experience is hard, but oh-so-important.

This is where adaptive MFA can come in handy. With adaptive MFA, if the primary-factor authentication for a user doesn’t look suspicious or high-risk, they often don’t have to provide a secondary factor. This enhancement of the traditional MFA approach makes life much more convenient for regular users. For example:

**Scenario 1:** Consider a scenario where a customer, say Allan, logs in to a web portal. He is on the same laptop that he has been using ever since he registered on the website. His IP puts him in the same city as always. He got the password right on the first attempt. These, along with other factors, are used to determine that it’s indeed Allan who is trying to log in, and thus, the system doesn’t ask him to provide a second factor.

**Scenario 2:** Now, imagine a hacker, say Adam, gets Allan’s login credentials. When Adam tries to log in, the system realizes that the login request has come from a new device and from a different geographical location. It classifies this request as high-risk and prompts Adam to provide a second factor. Since Adam can’t comply, access is declined.

## Combining U2F and Adaptive MFA – Best of both worlds

Adaptive MFA is a win-win for both end user and service provider. The service provider is able to implement a rigorous-but-customer-friendly security policy, and the end user doesn’t have to provide secondary factors most of the time. But what if we combined U2F and adaptive MFA to form an even more customer-centric and impregnable authentication solution? On the rare occasion that a customer has to provide a second factor, all they have to do is tap or press a button on their U2F device. This is much more convenient than opening another app to retrieve a passcode or waiting for an OTP message to arrive. For the service provider, this is far more secure as well, since the device communicates directly with the browser and it’s virtually impossible to replicate the key signature.

## Final Word

U2F reduces the risk of phishing, man-in-the-middle, and other dangerous cyberattacks while simplifying two-factor authentication. Adaptive MFA doesn’t ask regular users for secondary factors, but enforces them strictly at the first sign of suspicion. Using both together makes for a simple-yet-secure login.
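The five-step flow and the "Can U2F be hacked?" discussion come down to one property: the device only ever signs for an origin it was registered with, and the website only accepts a signature over its own origin and the challenge it just issued. The added example below is not FIDO reference code or any vendor's implementation; it is a stdlib-only Python model of that exchange. A deliberately tiny Schnorr signature group (p = 2039, q = 1019, g = 4, a constructed safe-prime group with no real security) stands in for the P-256 ECDSA that actual U2F authenticators use, so the asymmetric registration/challenge/verify structure is real even though the key sizes are not. Origins, usernames and challenges are constructed.

```python
"""Origin-bound challenge/response in the style of U2F (added example, toy crypto)."""
import hashlib
import secrets

# Toy safe-prime group: P = 2*Q + 1, and G = 4 generates the subgroup of prime order Q.
# Real U2F signs with ECDSA over P-256; these constants exist only to keep the demo stdlib-only.
P, Q, G = 2039, 1019, 4


def _hash_to_int(*parts: bytes) -> int:
    digest = hashlib.sha256()
    for part in parts:
        digest.update(part)
    return int.from_bytes(digest.digest(), "big")


def keygen():
    """Return (private, public): public = G^private mod P."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x: int, message: bytes):
    """Schnorr signature: (c, s) with c = H(G^r, m), s = r - c*x mod Q."""
    r = secrets.randbelow(Q - 1) + 1
    big_r = pow(G, r, P)
    c = _hash_to_int(big_r.to_bytes(4, "big"), message) % Q
    return c, (r - c * x) % Q


def verify(y: int, message: bytes, sig) -> bool:
    """Recompute G^s * y^c = G^r and check the hash matches c."""
    c, s = sig
    big_r = (pow(G, s, P) * pow(y, c, P)) % P
    return _hash_to_int(big_r.to_bytes(4, "big"), message) % Q == c


class U2FDevice:
    """Holds one key pair per registered origin and signs only for those origins."""
    def __init__(self):
        self._keys = {}   # origin -> private key (never leaves the device)

    def register(self, origin: str) -> int:
        x, y = keygen()
        self._keys[origin] = x
        return y   # the public key is what the website stores

    def sign_challenge(self, origin: str, challenge: bytes):
        # The browser supplies the real page origin; a look-alike site has no key here.
        if origin not in self._keys:
            return None
        return sign(self._keys[origin], origin.encode() + challenge)


class Website:
    def __init__(self, origin: str):
        self.origin = origin
        self._pubkeys = {}   # username -> public key
        self._pending = {}   # username -> outstanding challenge

    def register_device(self, user: str, public_key: int):
        self._pubkeys[user] = public_key

    def begin_login(self, user: str) -> bytes:
        challenge = secrets.token_bytes(32)   # fresh per attempt
        self._pending[user] = challenge
        return challenge

    def finish_login(self, user: str, signature) -> bool:
        challenge = self._pending.pop(user, None)   # single use: consumed on first check
        if challenge is None or signature is None:
            return False
        # The signed message binds this site's origin and this attempt's challenge.
        return verify(self._pubkeys[user], self.origin.encode() + challenge, signature)


def demo():
    site = Website("https://www.example.com")
    device = U2FDevice()
    site.register_device("alice", device.register(site.origin))

    # 1) Genuine login: the browser is on the real origin.
    ch = site.begin_login("alice")
    genuine = site.finish_login("alice", device.sign_challenge(site.origin, ch))

    # 2) Phishing: a look-alike site relays the real challenge, but the browser reports
    #    the fake origin, so the device has no matching key and refuses to sign.
    ch = site.begin_login("alice")
    phished = site.finish_login("alice", device.sign_challenge("https://www.examp1e.com", ch))

    # 3) Replay: a signature that was already used is presented again; the challenge
    #    it answered has been consumed, so it is rejected.
    ch = site.begin_login("alice")
    sig = device.sign_challenge(site.origin, ch)
    site.finish_login("alice", sig)
    replayed = site.finish_login("alice", sig)
    return {"genuine": genuine, "phished": phished, "replayed": replayed}


if __name__ == "__main__":
    print(demo())
```

Real authenticators add one more defence not modelled here: a monotonically increasing signature counter included in the signed data, which lets the relying party notice a cloned key that falls behind.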
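The adaptive (risk-based) authentication described in the MFA article above and the Allan/Adam scenarios just given both describe the same mechanism: score the context of a login attempt against what is normal for that user, then allow, step up to a second factor, or deny. The added example below is not OneLogin's engine or code from either article; the signals, weights and thresholds are constructed for illustration, and a real deployment would tune them from its own login history. It generalises the article's cases to a small scoring function covering device, location, working hours, network type, target sensitivity and consecutive failures.

```python
"""Risk-based step-up decision for a login attempt (added example, constructed weights)."""
from dataclasses import dataclass, field


@dataclass
class UserBaseline:
    """What 'normal' looks like for one user, learned from past logins."""
    known_devices: set = field(default_factory=set)
    usual_cities: set = field(default_factory=set)
    usual_hours: set = field(default_factory=lambda: set(range(8, 19)))  # local office hours


@dataclass
class LoginContext:
    """Context of a single attempt, as seen by the authentication service."""
    user: str
    device_id: str
    city: str
    hour: int                       # local hour of the attempt, 0-23
    network: str                    # "corporate" or "public"
    failed_attempts: int = 0        # consecutive wrong passwords before this attempt
    sensitive_target: bool = False  # e.g. a server holding sensitive data


# Constructed weights: each signal that deviates from the baseline adds risk.
WEIGHTS = {
    "new_device": 30,
    "new_location": 25,
    "off_hours": 20,
    "public_network": 10,
    "sensitive_target": 15,
    "per_failed_attempt": 10,
}
STEP_UP_THRESHOLD = 30   # at or above: ask for a second factor
DENY_THRESHOLD = 70      # at or above: refuse the attempt outright


def risk_signals(baseline: UserBaseline, ctx: LoginContext) -> list:
    """Return the names of the signals that fired for this attempt."""
    fired = []
    if ctx.device_id not in baseline.known_devices:
        fired.append("new_device")
    if ctx.city not in baseline.usual_cities:
        fired.append("new_location")
    if ctx.hour not in baseline.usual_hours:
        fired.append("off_hours")
    if ctx.network == "public":
        fired.append("public_network")
    if ctx.sensitive_target:
        fired.append("sensitive_target")
    return fired


def risk_score(baseline: UserBaseline, ctx: LoginContext) -> int:
    score = sum(WEIGHTS[name] for name in risk_signals(baseline, ctx))
    # Cap the contribution of failures so the score stays interpretable.
    score += WEIGHTS["per_failed_attempt"] * min(ctx.failed_attempts, 5)
    return score


def decide(baseline: UserBaseline, ctx: LoginContext) -> str:
    """Map the score to one of 'allow', 'step_up' or 'deny'."""
    score = risk_score(baseline, ctx)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


# Constructed baseline for the article's user "Allan".
ALLAN = UserBaseline(known_devices={"laptop-7f3a"}, usual_cities={"Austin"})


def demo():
    office = LoginContext("allan", "laptop-7f3a", "Austin", hour=9, network="corporate")
    cafe = LoginContext("allan", "laptop-7f3a", "Austin", hour=23, network="public")
    stolen = LoginContext("allan", "phone-unknown", "Berlin", hour=14, network="public")
    brute = LoginContext("allan", "phone-unknown", "Berlin", hour=14, network="public",
                         failed_attempts=3)
    return {
        "office_9am": decide(ALLAN, office),          # Scenario 1: nothing unusual
        "cafe_late_night": decide(ALLAN, cafe),       # off hours on public Wi-Fi
        "stolen_credentials": decide(ALLAN, stolen),  # Scenario 2: new device, new city
        "brute_force": decide(ALLAN, brute),          # same, after repeated failures
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} -> {outcome}")
```

The "cafe late at night" case lands exactly on the step-up threshold and the stolen-credential case well above it, which is the behaviour both articles describe; only the brute-force variant is refused outright. Keeping `risk_signals` separate from the score makes the decision explainable in logs, which matters when a user asks why they were challenged.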


SAML vs. OIDC

OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) are both authentication protocols that allow identity providers (IdP) to implement user validation and access control. Each defines its own mechanism to maintain virtual identities of verified users, which are then used to grant or reject access to protected applications.

## What are OIDC and SAML?

An IdP maintains a database of user identity information. A service provider (SP) relies on this information to authenticate a user, sometimes only once for multiple applications (single sign-on). Both OIDC and SAML are standards that define just how this information is to flow between these two parties. The end goal for both is the same: user authentication. But the underlying methodology to achieve the goal is different.

## What does authentication mean?

Authentication is a process by which the identity of a user, or a process, can be validated. This is usually done to restrict access to protected applications and/or resources.

## SAML

SAML 2.0, which is the current version of the standard, has been around since 2005. It uses XML to format identity information. XML is an established information-formatting standard which encodes documents such that they are easily understandable by both humans and computers. For transferring or receiving XML-encoded information, it uses basic SOAP or HTTP requests. The service requesting identity information is defined by the SAML contract as a service provider (SP). Here’s what a typical SAML authentication flow looks like:

1. Before the SP can talk to the IdP for identity verification, the two parties must first get to know each other better. They do so by exchanging preliminary information, via metadata, which includes details like:
   - Public keys (used for encryption)
   - Supported encryption algorithms
   - Endpoint URLs (where to send SAML messages)
   - Supported connection methods, and
   - Supported XML attribute formats

   Once both the SP and the IdP know these specifics about each other, they configure themselves accordingly.
2. As a user tries to log in, the SP sends an authentication request to the IdP. This request is known as a SAML AuthnRequest.
3. The IdP checks the user identity, creates an encoded SAML response, known as a SAML assertion, and sends it back to the SP.
4. The SP parses the SAML assertion XML and, based on the response, either grants or rejects user access to the application.

![How SAML works](/assets/img/learn/saml-flow.png)

## OIDC

A relatively newer, but well-maintained protocol, OIDC is built on top of the OAuth 2.0 framework. OIDC uses JSON Web Tokens (JWT) to structure data. JWT is an industry standard which defines the rules to represent and securely transfer claims between two parties. Think of claims as encrypted, sensitive user data, used to support identity management and verification. For transportation, OIDC uses default HTTPS flows.

## OIDC scopes

OIDC _scopes_ define the _claims_ (the user attributes) that an application can have access to. The IdP maintains a list of acceptable scopes, and an application can choose which to request, depending on its needs. After a user explicitly consents to sharing their details (which includes the scopes), the IdP makes the scopes available to the application.

To better understand how scopes work in a typical OIDC flow, let’s consider a web application that authenticates a user based on their username and password. Post-authentication, it also sends them a sequence of welcome emails.

_(Note: OIDC supports a number of different authentication flows. Below is an example of the simplest OIDC flow, known as the implicit flow.)_

1. Just like in SAML, the Relying Party (RP) and the IdP must exchange metadata before they can start communicating. For OIDC, however, the minimum metadata exchange requirements are relatively simpler. Both parties must agree on possible scopes, the IdP must assign a secret and client ID to the RP, and the RP must share the endpoint it wants to receive codes and/or tokens on.
2. When a user logs in to the application, the application redirects them to the IdP. It includes the client ID, along with the requested scopes, which in our case will be the user’s email address.
3. The IdP, in turn, redirects the user to the login screen.
4. Once the user’s identity has been successfully verified, they are prompted to grant the application access to their data (specified by the requested scopes).
5. If the user grants the access, the scope values are made available to the application via the preconfigured endpoint.
6. The application can now use the user's email address to send them the welcome sequence.

![How OIDC works](/assets/img/learn/oidc-flow-20210603152719.png)

## What are the differences between OIDC and SAML?

- Since SAML is an older standard, it is very hard to use it for authenticating modern application types like single-page applications (SPAs) and smartphone applications. It simply wasn’t built for them. Conversely, OIDC is ideal for such apps.
- OIDC uses JWTs, which are smaller in size and require lightweight processing. On the other hand, the XML documents used by SAML are much larger and relatively difficult to process.
- OIDC supports user consent by default. The same can be achieved with SAML, but requires extensive manual development.
- Since SAML has been around for much longer, it’s still trusted by a lot of organizations, including government entities. It’s certainly more feature-rich, but OIDC is now starting to catch up.
- OIDC is much easier to set up, especially in a consumer-centric environment where only the basic identity features are required.

## Is OIDC more secure than SAML?

OIDC was designed to be the modern replacement of SAML, as it replicated most of the fundamental SAML use cases while reducing the processing overhead caused by XML- and SOAP-based messages. Most security flaws don’t stem from intrinsic problems in either of the two standards, but instead are caused by implementation mistakes. However, it can be argued that since SAML is a lot harder to implement than OIDC, it’s also more prone to implementation errors. Moreover, there are a lot of security threats and [vulnerabilities associated with XML](https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html) that must be avoided during SAML implementation, adding to the complexity. Conversely, since OIDC is based on OAuth 2.0, it incorporates a lot of the documented [threat model and security considerations](https://datatracker.ietf.org/doc/html/rfc6819). Encrypting JSON is also a lot easier than XML, which again reduces the chances of implementation errors.

## Does OIDC protect privacy better than SAML?

Via scopes, OIDC gives users the ability to choose the level of information they want to share with an application. E.g., an application only asks the user to share their email address, as opposed to sharing their entire profile. This establishes a win-win contract between the user and the application; the application gets what it needs to improve a user’s experience, and the user gets to share only the bare minimum of personal information. Yes, this feature can be added to SAML-based systems as well, but it would require additional development, because SAML doesn’t support it out of the box.

## Does OIDC or SAML prevent phishing attacks better?

Both OIDC and SAML can be used to implement single sign-on (SSO), which reduces the need to log in multiple times and hence decreases the probability of [phishing attacks](https://www.onelogin.com/learn/6-types-password-attacks).
However, just because the probability is low, doesn’t mean that they can’t happen. The [Cofense Phishing Defense Center](https://cofense.com/mfa-bypass-phish-caught-oauth2-grants-access-user-data-without-password/) discovered a phishing tactic which manipulated OIDC to reveal user data, without a password, despite multi-factor authentication. Similar phishing attacks have also been carried out on [SAML implementations](https://securityboulevard.com/2018/07/owning-saml/) in the past. Once again, it’s difficult to answer whether one prevents phishing better than the other; a lot of it is dependent on the security considerations made during the implementation. ## Does OIDC or SAML prevent brute force attacks? Both SAML and OIDC can be used to implement single sign-on, which means that the user only has to remember one password to log in to the identity and access management (IAM) service. That single login can also be protected by requiring users to provide an additional authentication factor. Once users are securely logged into the IAM service, they can seamlessly access all protected applications, without having to enter any more passwords. This is big in preventing brute-force attacks, in which attackers repeatedly enter potential passwords, in the hope of eventually getting a match. No passwords = no chance of [brute force attacks](https://www.onelogin.com/blog/brute-force-attacks)! ## When should I use OIDC vs using SAML? OIDC and SAML are both powerful authentication technologies with unique features. Which one you choose for your organization, depends on your specific needs. If you: - Want to quickly set up an identity platform, choose OIDC over SAML, without thinking twice. Implementing a basic OIDC solution is much simpler, compared to SAML, which would require heavy-weight XML processing. - Have an API-centered architecture, with a lot of mobile and single-page applications, use OIDC. It will guarantee a much more efficient and interoperable experience. 
- Want to implement a mature standard, something that has been around for a long time, then choose SAML. It’s feature-rich, gets the job done, and has been a staple of enterprise networks for over a decade.


What’s the Difference Between OTP, TOTP and HOTP?

Providing secure access to applications and cloud-based software is a constant challenge for companies across all industries. Empowering users with simple but reliable security is critical to protecting user information and sensitive company data. One of the ways technology companies have counteracted password theft and other types of cyberattacks is through the use of one-time passwords (OTPs). OTP is a form of [multi-factor authentication (MFA)](/learn/what-is-mfa) designed to make it much harder for hackers to access protected information. MFA requires additional credentials beyond a simple password before the end user can gain access to an application or system. For example, an MFA that uses SMS will send the user a text with a numeric string that has to be entered before they are granted access. That code is a type of OTP.

Both B2B and B2C companies have an incentive to protect their user and company data while maintaining a great user experience (UX), which means that whatever security solution they choose, it needs to be streamlined without drastically interfering with a user’s workflow. OTP authentication is an elegant solution to both security concerns and UX. There are two types of OTP: HOTP and TOTP. We’ll get into the differences between them below. But first, let’s dig a little deeper into OTP.

### What is OTP and How Does it Work?

An OTP is like a password, but it can only be used once; hence the name one-time password. It is often used in combination with a regular password as an additional authentication mechanism providing extra security. OTPs are exactly what they sound like: one and done. Once you’ve used that password once, it’s dumped, and the next time you need to get into that application, you will use another one. Doing this increases security and makes it a lot harder for bad actors to penetrate private accounts.

Users can access an OTP for a given application or website through smartphone apps, a text message, or a proprietary token (such as a key fob). OneLogin Protect is an example of an OTP generator that you can use as an app on your phone. Any time you receive an SMS text with a code to help you get into a website or application, you’re using an OTP.

There are a variety of industry standard algorithms, such as SHA-1, that generate OTPs. All of these algorithms use two inputs to generate the OTP code: a **seed** and a **moving factor**. The seed is a static value (secret key) that’s created when you establish a new account on the authentication server. While the seed doesn’t change, the moving factor does each time a new OTP is requested. How the moving factor is generated is the big differentiator between HOTP and TOTP.

### What is HOTP?

The “H” in HOTP stands for Hash-based Message Authentication Code (HMAC). Put in layman’s terms, the HMAC-based One-time Password algorithm (HOTP) is an event-based OTP where the moving factor in each code is based on a counter. Each time the HOTP is requested and validated, the moving factor is incremented based on a counter. The code that’s generated is valid until you actively request another one and it’s validated by the authentication server. The OTP generator and the server are synced each time the code is validated and the user gains access. Yubico’s YubiKey is an example of an OTP generator that uses HOTP.

### What is TOTP?

Time-based One-time Password (TOTP) is a time-based OTP. The seed for TOTP is static, just like in HOTP, but the moving factor in a TOTP is time-based rather than counter-based. The amount of time in which each password is valid is called a **timestep**. As a rule, timesteps tend to be 30 seconds or 60 seconds in length. If you haven’t used your password within that window, it will no longer be valid, and you’ll need to request a new one to gain access to your application.

### Limitations and Advantages

While both are far more secure than not using MFA at all, there are limitations and advantages to both HOTP and TOTP. TOTP (the newer of the two technologies) is easy to use and implement, but the time-based element does have a potential for time drift (the lag between the password creation and use). If the user doesn’t enter the TOTP right away, there’s a chance it will expire before they do. So the server has to account for that and make it easy for the user to try again without automatically locking them out.

Since HOTP doesn’t have the time-based limitation, it’s a little more user-friendly, but it may be more susceptible to brute force attack. That’s because of the potentially longer window in which the HOTP is valid. Some forms of HOTP have accounted for this vulnerability by adding a time-based component to their code, somewhat blurring the lines between these two types of OTP.

### A Final Word

Regardless of which type of OTP you use, choosing an [OTP generator](/product/one-time-password) like an authenticator app or key fob is a safer way to use MFA than the SMS texting options. Scammers have found creative ways to intercept SMS codes, whether through SIM card fraud or some other type of hack that helps them gain access to your texts. While SMS-based MFA might be better than no MFA at all, it’s a lot less secure than having an authenticator app on your phone or using a key fob code generator.
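To make the seed/moving-factor split and the server-side handling of drift concrete, here is an added example (not OneLogin's or Yubico's code) that implements HOTP (RFC 4226, counter as moving factor) and TOTP (RFC 6238, timestep as moving factor) with HMAC-SHA-1, plus the verification a server performs: a look-ahead window so a HOTP token that got ahead can resynchronise, a drift window for TOTP, and rejection of any counter already accepted. The seed is the test secret published in the RFCs, so the codes can be checked against their test vectors.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Added example, not OneLogin's or Yubico's code. Seed is the RFC 4226 / RFC 6238
# test secret, ASCII "12345678901234567890", chosen only so results match the RFCs.
RFC_TEST_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA-1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed: bytes, at_time: Optional[float] = None, timestep: int = 30, digits: int = 6) -> str:
    """TOTP: the same computation, with the moving factor derived from the clock."""
    if at_time is None:
        at_time = time.time()
    return hotp(seed, int(at_time) // timestep, digits)


def verify_hotp(seed: bytes, code: str, server_counter: int, look_ahead: int = 5) -> Optional[int]:
    """Server-side HOTP check. The token may have generated codes that were never
    submitted, so the server accepts the next `look_ahead` counters and resyncs.
    Returns the new server counter on success, None on failure. Counters below
    `server_counter` are never accepted, so a captured code cannot be replayed."""
    for candidate in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(seed, candidate, len(code)), code):
            return candidate + 1
    return None


def verify_totp(seed: bytes, code: str, at_time: float, timestep: int = 30,
                drift_steps: int = 1, last_accepted: int = -1) -> Optional[int]:
    """Server-side TOTP check tolerating `drift_steps` timesteps of clock drift or
    typing delay. Returns the accepted timestep counter (store it as `last_accepted`
    for the next call) or None. A code is valid for at most one login: any
    counter at or below `last_accepted` is refused even if it is still in the window."""
    current = int(at_time) // timestep
    for candidate in range(current - drift_steps, current + drift_steps + 1):
        if candidate <= last_accepted:
            continue
        if hmac.compare_digest(hotp(seed, candidate, len(code)), code):
            return candidate
    return None


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_TEST_SEED, 0))
    print("TOTP now:", totp(RFC_TEST_SEED))
```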


What is User Provisioning and Deprovisioning?

User provisioning and deprovisioning is the process of creating, updating and deleting user accounts in multiple applications and systems. This access management practice can sometimes include associated information, such as user entitlements, group memberships and even the groups themselves. Many organizations have moved to automated user provisioning, which is the systematic creation and management of user data relative to users’ ability to access resources, such as applications, that are available in one or more systems. Accessible systems can be on-premises, cloud-based, or a hybrid of the two.

### User provisioning and deprovisioning key benefits

Automated user provisioning is one of the main features of many identity and access management (IAM) solutions. Provisioning comes into play when an employee joins an organization, moves to a different department or division, or exits a company. This is known as the joiner/mover/leaver (JML) process. By integrating an IAM solution directly with HR and personnel systems, you connect the process of creating/updating/deleting user accounts with HR actions. Actions that result in changes to HR data, such as those related to employee onboarding and offboarding, can automatically result in changes to permissions for accessing systems and applications tied to the corresponding employee accounts.

User provisioning and deprovisioning provide the following key benefits:

- **Easily onboard and offboard employees**: Create and maintain employees’ user attributes, such as usernames, roles, and profiles, and automatically assign access permissions and user accounts based on predefined roles and flexible entitlement rules.
- **Streamline user management across applications**: Automatically import users from Active Directory (AD), Lightweight Directory Access Protocol (LDAP), and other apps. Provisioning enables you to continuously propagate user profiles to ensure that your systems have the latest updates.
- **Increase security and reduce cost**: Use HR-driven identity management (IM) to prevent former employees from having continued online access, eliminating the possibility of zombie accounts sitting idle and at risk of being compromised.

### How do provisioning and deprovisioning work?

In a basic automated provisioning workflow, you add users to apps based on specific [user roles](https://onelogin.service-now.com/kb_view_customer.do?sysparm_article=KB0010606). Whenever a user is assigned a role, that user is automatically created in the associated app and granted access permissions. In the diagram below, once a new user is provisioned, that user is added to the Sales role and is therefore granted access to the apps associated with that role. In this example, the provisioned user can access Salesforce, Office 365, and G Suite.

When it's time to deprovision former employees from apps, you want a solution that lets you simply change the user’s status, so that the user's accounts in all apps will be deleted or suspended, depending on the configuration preferences that you set. Expanding on our example in the diagram, after deprovisioning the user, the apps associated with the employee’s role would no longer be accessible by the user.

### How do user provisioning and deprovisioning make companies more secure?

The risk of costly security breaches for companies that fail to provision and deprovision properly or quickly is huge: the average cost of a data breach is $148 per record and $7.91 million per breach in the U.S. As a result, breached companies often underperform the market for years following a major breach, and 60% of small businesses fold within six months of a successful attack.

Automated user provisioning helps keep your company secure by ensuring employees have access only to the apps they need. Automated user deprovisioning helps keep your company secure by ensuring that whenever an employee leaves, their access is automatically removed for all connected applications. In addition, all existing user sessions are removed to reduce security risk.


Be Sure Your Zero Trust Plan Gives Complete Coverage

So, you’re moving to a Zero Trust security plan. You know the principles of Zero Trust. Great. But you also need to ensure your Zero Trust plan covers all the bases. That means three areas: what your plan covers, when, and where.

### What do your Zero Trust protocols cover?

Your Zero Trust plan needs to ensure you’re managing access to and from every type of entity. That means access management from:

- All devices—That means computers, including desktops and laptops, but also mobile phones and other mobile devices.
- All users—Employees, contractors, vendors, and customers.
- To all types of data and applications—Your Zero Trust plan needs to manage access to your cloud applications and data as well as on-prem ones. It needs to handle databases, servers, software, and everything that could put your company at risk.

### When is your access plan applied?

Key to Zero Trust is the idea that you don’t trust access attempts inside the organization any more than those coming from outside of it. So, when users inside the firewall try to access an application, you manage them largely like you would those outside the firewall. In addition, Zero Trust doesn’t make exceptions. Your high-security requirements apply whenever someone attempts to access an application or data. And “when” pretty much means always.

### Where do you enforce Zero Trust?

Traditional security methods are focused on the endpoints where cyber criminals initiate their attacks. Zero Trust applies everywhere:

- Data access points
- Cloud applications
- On-prem and legacy apps
- Ideally, the desktop, laptop, or phone—so that even the device login is protected

### The tools for Zero Trust

Identity and access management tools, such as Single Sign-On (SSO) and Multi-Factor Authentication (MFA), can help you address the what, when, and where. SSO improves both security and ease of use, eliminating passwords and using a vetted trust relationship for safe authorization. MFA adds an important level of security by requesting additional data from users to verify they are who they say they are. Add to this a good identity management system that provides role-based access control and easy provisioning capabilities; a system to protect devices through SSO; and, preferably, risk-based authentication that accounts for contextual information such as the user’s location, IP address, and login time to create user profiles and challenge risky login attempts. These tools, on top of a secure infrastructure with micro-segmentation, will help you implement Zero Trust security in a way that isn’t burdensome to users.


How to Get to Zero Trust Security

The idea of Zero Trust security was first introduced by Forrester in 2010. But it’s still not as widely adopted as those in the security industry might hope. That may be changing though. With the threat from cyber criminals rising every year along with the cost of breaches to businesses, more and more organizations are seeking to implement a Zero Trust model. Here’s the core information you need to implement it in your business.

### The four principles

Zero Trust involves a mind-shift more than any one technology. Once you make that mind shift, you can evaluate technical solutions for implementing Zero Trust. Here are the four principles that your company—and especially your IT organization—need to adopt:

#### Threats come from inside as well as outside

This is probably the biggest shift in thinking. Traditionally, IT has been focused on the perimeter of the organization, seeking to prevent entry. The idea is that those inside the organization are generally safe, so less effort is placed on verifying or detecting issues within the firewall. This is sometimes called the castle-and-moat approach to security. It’s time to change that mindset. In a Zero Trust environment, you assume that threats can come from inside as well as outside. It may be because criminals have already infiltrated your organization, or because you have a bad actor on the inside. Either way, it’s just as important to focus on what’s happening inside the organization and to protect against inside attack as against outside attack.

#### Use micro-segmentation

Which leads to principle number two: use micro-segmentation. With this approach, even inside the firewall, areas of the organization are walled off or segmented from others. For example, the marketing department gets access to the tools and data they use: customer information, apps like Salesforce, etc. But they don’t have access to financial data or tools used by accounting, nor the product IP and software that development works with.

#### Least privileged access

Tied to micro-segmentation is the idea of least privileged access. That means limiting users, even within a department, to the minimum information and access they need. Just because someone works in finance doesn’t mean they need access to all the customer and company financial data. Depending upon the user’s role, he or she may only need access to a select set of customers’ data—or no access to customer financials at all. By restricting access to just what’s needed, you help ensure that even if a hacker manages to impersonate a user’s identity, he or she can only do a limited amount of damage.

#### Never trust, always verify

To enforce all of this, an organization must flip the model and use what’s called a Zero Trust approach. You never trust that a user is who they say they are. Instead, you always verify the user’s identity and level of access. Never trust, always verify increases the chances of stopping a criminal or program that has infiltrated your organization before it can gain access to sensitive information or do damage.

### Tools for Zero Trust security

If you’re looking at the four Zero Trust principles with a critical eye, you may see some challenges in the actual implementation. For example, while security requires a never trust/always verify approach, the trick is to keep verification relatively painless for users. Going back to our castle analogy, having gates everywhere that require unlocking with a key can really impact people’s day-to-day productivity. Similarly, we all know that roles are not entirely clean and some users will need access to applications or data that aren’t assigned to them by default based on their role. That means you need a fast way to provision and de-provision users for apps on an as-needed basis.

With that said, here are four tools central to Zero Trust security:

- SSO—Single Sign-On (SSO) provides the ability for users to sign in once with their credentials, including a single password, and have access to all of their web apps. With the right tools, SSO can also provide single sign-on access to on-prem legacy apps. SSO increases security by getting rid of passwords while also increasing usability and employee satisfaction.
- MFA—Multi-factor Authentication (MFA) is a critical identity and access management (IAM) tool that every organization should be using. MFA requires additional factors when users try to log in. For example, they may be required to enter a PIN or authenticate from a mobile app in addition to entering their username and password. The fact is, passwords alone aren’t secure enough. You need MFA. But MFA should be combined with SSO. Otherwise, you’re adding more steps for users to log in while still also requiring them to log in many times per day.
- Fast provisioning systems—When you move to Zero Trust, you’re going to need a system that lets you quickly provision and de-provision users for applications. Since you’re going to least privileged access, expect to have to make exceptions regularly. So, if your current system of provisioning is time-consuming, things are only going to get worse when you move to Zero Trust.
- Device protection—The device the user is logging in from is the first line of defense and the focal point of attack: the endpoint. So, look for tools that protect and monitor devices so that you can offset the danger at the source.

That’s it. Those are the four principles and four tools to consider first when moving to Zero Trust.


SAML Explained in Plain English

SAML is an acronym for Security Assertion Markup Language. Its primary role in online security is that it enables you to access multiple web applications using one set of login credentials. It works by passing authentication information in a particular format between two parties, usually an identity provider (IdP) and a web application.

## What SAML is and how it works

SAML is an open standard used for authentication. Based upon the Extensible Markup Language (XML) format, web applications use SAML to transfer authentication data between two parties - the identity provider (IdP) and the service provider (SP). The technology industry created SAML to simplify the authentication process where users needed to access multiple, independent web applications across domains. Prior to SAML, single sign-on (SSO) was achievable but relied on cookies that were only viable within the same domain. SAML achieves this objective by centralizing user authentication with an identity provider. Web applications can then leverage SAML via the identity provider to grant access to their users.

This SAML authentication approach means users do not need to remember multiple usernames and passwords. It also benefits service providers, as it increases the security of their own platform, primarily by avoiding the need to store (often weak and insecure) passwords and not having to address forgotten password issues.

### SAML benefits

Due to its many benefits, SAML is a widely adopted enterprise solution. First, it improves the user experience, as you only need to sign in once to access multiple web applications. Not only does this speed up the authentication process, but it also means you only need to remember one set of credentials. The organization also benefits from this feature, as it means fewer Help Desk calls for password resets.

In addition to improving the user experience, SAML also offers increased security. Since the identity provider stores all login information, the service provider does not need to store any user credentials on their system. Furthermore, as the identity provider specializes in providing secure SAML authentication, they have the economies of scale to invest time and resources in implementing multiple layers of security. For example, IdPs have comprehensive identity security solutions that include built-in features such as multi-factor authentication (MFA) that protect against common password attacks.

### How does SAML work?

SAML works by exchanging user information, such as logins, authentication state, identifiers, and other relevant attributes, between the identity provider and the service provider. As a result, it simplifies and secures the authentication process, as the user only needs to log in once with a single set of authentication credentials. So, when the user tries to access a site, the identity provider passes the SAML authentication to the service provider, who then grants the user entry.

Let's illustrate this concept with a real-world analogy. Organizations often need to confirm your identity before granting you access. A good case is the airline industry. Before you board an aircraft, the airline needs to confirm you are who you say you are to ensure the security of other passengers. So, they verify your identity with some form of government-issued picture identification. Once they confirm that the name on your identification matches the name on your airline ticket, they then allow you to board the aircraft.

In the example above, the government is the identity provider, and the airline is the service provider. Your government-issued identification is the SAML assertion. When you apply for a government ID, you usually need to complete a form, have your picture taken, and in some circumstances, your fingerprints as well. The government (identity provider) then stores these identifying attributes in their database and issues you with a physical ID associated with your identity. In the airline example, when you arrive at the gate, the airline (service provider) checks your ID (the SAML assertion). The airline accepts your ID as it contains your details, and the identity card or passport passes scrutiny as a valid document. After successful authentication, the airline then allows you to board the aircraft.

### What is SAML SSO?

SAML Single Sign-On is a mechanism that leverages SAML to allow users to log on to multiple web applications after logging into the identity provider. As the user only has to log in once, SAML SSO provides a faster, seamless user experience. SAML SSO is easy to use and more secure from a user perspective, as they only need to remember one set of user credentials. It also provides fast and seamless access to a site, as the applications they access do not prompt them to enter a username and password. Instead, the user logs into the identity provider and then accesses the relevant web application by clicking on its icon or navigating to the site via its URL.

SAML SSO also offers other benefits in addition to an enhanced user experience. It improves productivity for both the user and the Help Desk. Users do not need to waste time logging into multiple web applications with a unique set of credentials for each one. Consequently, they do not inundate the Help Desk with password reset requests, freeing the service team to attend to other service-related issues. In addition to increased user satisfaction and improved productivity, SAML SSO also helps reduce costs. For example, Help Desks need to manage fewer calls. And instead of building a local authentication implementation for their solution, service providers can subscribe to an identity provider, reducing the labor cost of building and maintaining it internally.

### How does OAuth compare to SAML?

OAuth and SAML are both protocols we use for allowing access. However, the primary difference between the two is that we use SAML for authentication and OAuth for authorization. If we revisit the airline analogy, the passenger's ID is the SAML assertion, and the ticket is the OAuth token. The airline uses the ID to verify the passenger’s identity before allowing them to board the aircraft. However, once the passengers are on the plane, the flight attendants use the ticket to confirm the passengers' status and entitlement. For example, they may have a first-class ticket giving them access to seats and amenities not accessible by passengers in economy.

### SAML example

SAML uses a claims-based authentication workflow. First, when a user tries to access a site, the service provider asks the identity provider to authenticate the user. Then, the service provider uses the SAML assertion issued by the identity provider to grant the user access. Let's illustrate the workflow with an example.

1. The user opens their browser and navigates to the service provider's web application, which uses an identity provider for authentication.
2. The web application responds with a SAML request.
3. The browser passes the SAML request to the identity provider.
4. The identity provider parses the SAML request.
5. The identity provider authenticates the user by prompting for a username and password or some other authentication factor. NOTE: The identity provider will skip this step if the user is already authenticated.
6. The identity provider generates the SAML response and returns it to the user's browser.
7. The browser sends the generated SAML response to the service provider's web application, which verifies it.
8. If the verification succeeds, the web application grants the user access.

### SAML tutorial

OneLogin offers several [SAML toolkits](https://developers.onelogin.com/saml) developers can use to enable SSO for their app via an identity provider that offers SAML authentication. In addition, it provides resources on how to add your app to the OneLogin catalog, code your app to provide your users with SSO via OneLogin, as well as helpful best practices and FAQs.

The OneLogin SAML Toolkit also offers online tools at https://www.samltool.com. For example, you can obtain a self-signed X.509 certificate you can use in a test environment. In addition, since SAML uses Base64 encoding, the OneLogin toolkit resources offer an online service where you can encode and decode XML to Base64 and vice versa. The toolkit also supplies resources for encrypting nodes from XML, signing AuthnRequests, and validating your XML against the SAML XSD schema.

In addition to the certificate support and XML encoding, decoding, signing, and validation services, the OneLogin SAML online tools also provide other helpful development resources. For example, you can build the XML metadata of a SAML identity provider. It also provides a tool that extracts the NameID and other relevant attributes from the assertion of a SAML response. Finally, the OneLogin SAML online tools also offer a service that converts an XML or SAML message into a human-readable format.

Is Your Enterprise Password Manager Good Enough?

An enterprise password manager or password vault is often the first step that companies take as they try to wrangle passwords and make them secure while also ensuring ease-of-use for employees. But not all enterprise password managers are the same. Here are the features that any such tool should have and extras that only some tools have but that your business might need.

### The basic enterprise password manager

Any of the main enterprise password managers on the market does the basic task of storing user passwords in a secure password database, usually in the cloud. Quality password managers encrypt the data securely using ciphers like AES-256. Most of these tools also have built-in random password generators, making it easy to create secure passwords. When picking a business password vault, you’ll want to make sure you choose a tool that supports employee access across devices and syncs across them. That’s because employees typically use their phones as well as work machines, and may also use personal laptops. The top enterprise password managers will support all the common browsers and mobile operating systems. Now, for the extras.

### Enterprise password managers: extra security options

Two items to look for in a password manager are the ability for automatic password resets and the ability to enforce password rules through the tool. Both will aid in security while also avoiding the burden on IT or your helpdesk. For security, it’s important that the enterprise password manager supports two-factor or multi-factor authentication (MFA). A password manager is a good first step in improving password security. But it’s rarely enough by itself. Password managers have been hacked and various types of attacks can still intercept and capture the password being entered.
Make sure the enterprise password vault works with your MFA solution (or includes MFA) to require that users provide additional authentication factors when logging in, such as a pin from a phone app, a fingerprint, or facial recognition.

### Enterprise password managers: usability extras

For the enterprise password manager to work, employees have to use it. For them to use it, it has to be easy. Look for these capabilities:

- **Fill-in web forms**—Most enterprise password managers include the ability to detect a website and automatically fetch and fill in the login dialog for it. They don’t all do a great job or detect all sites equally well, though.
- **App passwords**—Websites aren’t enough. Employees don’t distinguish between a website and an app—they are all just tools to get the job done. Not all password managers support apps. Look for ones that do. It’ll cut down on employee complaints and increase adoption.
- **On-prem application support**—Even fewer enterprise password managers support on-prem applications. But, again, users don’t make a big distinction between web and on-prem systems. They just want to quickly log in and get their work done. A password manager that doesn’t support your on-prem apps is only a partial solution to the password problem.

### What you probably won’t find in enterprise password managers

Enterprise password managers may provide some basic reports but they rarely provide the kind of auditing tools needed for compliance with standards like PCI or SOX. They won’t give you the information you need to identify attack attempts, either. Enterprise password managers offer only basic synchronization with directories like Active Directory (AD). If you’re looking to implement security policies based on role, location, etc. with granular permissions using identity and access management (IAM), you’ll need a true single sign-on (SSO) system instead of a password manager.
Similarly, if you onboard and offboard through AD, Workday, or other directories—or even multiple directories as in many organizations—a password manager is likely to prove unwieldy and become just another system you have to maintain. The right enterprise password manager can be a good first step to increase security for your company. But to maintain password security and keep employees happy, you’ll probably want to move to an IAM solution with SSO. That will enable users to log in just once and then easily access all their work websites and apps—whether cloud-based or on-prem—without having to log in again. It means truly using just one password. And an IAM solution with SSO will integrate with your directories to provide the granular level of permissions and control that is the reason you use a directory like AD in the first place. So, consider an enterprise password manager as a first step on the path to greater security, but don’t expect it to be your last.

6 Types of Password Attacks & How to Stop Them

Password attacks are one of the most common forms of corporate and personal data breach. A password attack is simply when a hacker tries to steal your password. In 2020, 81% of data breaches were due to compromised credentials. Because passwords can only contain so many letters and numbers, [passwords are becoming less safe](/resource-center/infographics/poor-password-management-us). Hackers know that many passwords are poorly designed, so password attacks will remain a method of attack as long as passwords are being used. Protect yourself from password attacks with the information below.

## 1. Phishing

Phishing is when a hacker posing as a trustworthy party sends you a fraudulent email, hoping you will reveal your personal information voluntarily. Sometimes they lead you to fake "reset your password" screens; other times, the links install malicious code on your device. We highlight several examples on the OneLogin blog. Here are a few examples of phishing:

- **Regular phishing.** You get an email from what looks like goodwebsite.com asking you to reset your password, but you didn't read closely and it's actually goodwobsite.com. You "reset your password" and the hacker steals your credentials.
- **Spear phishing.** A hacker targets you specifically with an email that appears to be from a friend, colleague, or associate. It has a brief, generic blurb ("Check out the invoice I attached and let me know if it makes sense.") and hopes you click on the malicious attachment.
- **Smishing and vishing.** You receive a text message (SMS phishing, or smishing) or phone call (voice phishing, or vishing) from a hacker who informs you that your account has been frozen or that fraud has been detected. You enter your account information and the hacker steals it.
- **Whaling.** You or your organization receive an email purportedly from a senior figure in your company. You don't do your homework on the email's veracity and send sensitive information to a hacker.
To avoid phishing attacks, follow these steps:

- **Check who sent the email**: look at the From: line in every email to ensure that the person they claim to be matches the email address you're expecting.
- **Double check with the source**: when in doubt, contact the person who the email is from and ensure that they were the sender.
- **Check in with your IT team**: your organization's IT department can often tell you if the email you received is legitimate.

## 2. Man-in-the-middle attack

Man-in-the-middle (MitM) attacks are when a hacker or compromised system sits in between two uncompromised people or systems and deciphers the information they're passing to each other, including passwords. If Alice and Bob are passing notes in class, but Jeremy has to relay those notes, Jeremy has the opportunity to be the man in the middle. Similarly, in 2017, Equifax removed its apps from the App Store and Google Play store because they were passing sensitive data over insecure channels where hackers could have stolen customer information. To help prevent man-in-the-middle attacks:

- **Enable encryption on your router.** If your modem and router can be accessed by anyone off the street, they can use "sniffer" technology to see the information that is passed through it.
- **Use strong credentials and two-factor authentication.** Many router credentials are never changed from the default username and password. If a hacker gets access to your router administration, they can redirect all your traffic to their hacked servers.
- **Use a VPN.** A secure virtual private network (VPN) will help prevent man-in-the-middle attacks by ensuring that all the servers you send data to are trusted.

## 3. Brute force attack

If a password is equivalent to using a key to open a door, a brute force attack is using a battering ram. A hacker can try 2.18 trillion password/username combinations in 22 seconds, and if your password is simple, your account could be in the crosshairs.
To help prevent brute force attacks:

- **Use a complex password.** The difference between an all-lowercase, all-alphabetic, six-digit password and a mixed case, mixed-character, ten-digit password is enormous. As your password's complexity increases, the chance of a successful brute force attack decreases.
- **Enable and configure remote access.** Ask your IT department if your company uses remote access management. An access management tool like [OneLogin](/product/onelogin-access) will mitigate the risk of a brute-force attack.
- **Require multi-factor authentication.** If multi-factor authentication (MFA) is enabled on your account, a potential hacker can only send a request to your second factor for access to your account. Hackers likely won't have access to your mobile device or thumbprint, which means they'll be locked out of your account.

## 4. Dictionary attack

A type of brute force attack, dictionary attacks rely on our habit of picking "basic" words as our password, the most common of which hackers have collated into "cracking dictionaries." More sophisticated dictionary attacks incorporate words that are personally important to you, like a birthplace, child's name, or pet's name. To help prevent a dictionary attack:

- **Never use a dictionary word as a password.** If you've read it in a book, it should never be part of your password. If you must use a password instead of an access management tool, consider using a password management system.
- **Lock accounts after too many password failures.** It can be frustrating to be locked out of your account when you briefly forget a password, but the alternative is often account insecurity. Give yourself five or fewer tries before your application tells you to cool down.
- **Consider investing in a password manager.** Password managers automatically generate complex passwords that help prevent dictionary attacks.

## 5. Credential stuffing

If you've suffered a hack in the past, you know that your old passwords were likely leaked onto a disreputable website. Credential stuffing takes advantage of accounts that never had their passwords changed after an account break-in. Hackers will try various combinations of former usernames and passwords, hoping the victim never changed them. To help prevent credential stuffing:

- **Monitor your accounts.** There are paid services that will monitor your online identities, but you can also use free services like haveIbeenpwned.com to check whether your email address is connected to any recent leaks.
- **Regularly change your passwords.** The longer one password goes unchanged, the more likely it is that a hacker will find a way to crack it.
- **Use a password manager.** Like a dictionary attack, many credential stuffing attacks can be avoided by having a strong and secure password. A password manager helps maintain those.

## 6. Keyloggers

Keyloggers are a type of malicious software designed to track every keystroke and report it back to a hacker. Typically, a user will download the software believing it to be legitimate, only for it to install a keylogger without notice. To protect yourself from keyloggers:

- **Check your physical hardware.** If someone has access to your workstation, they can install a hardware keylogger to collect information about your keystrokes. Regularly inspect your computer and the surrounding area to make sure you know each piece of hardware.
- **Run a virus scan.** Use reputable antivirus software to scan your computer on a regular basis. Antivirus companies keep records of the most common malware keyloggers and will flag them as dangerous.

## Preventing password attacks

The best way to fix a password attack is to avoid one in the first place.
Ask your IT professional about proactively investing in a common security policy that includes:

- **Multi-factor authentication.** Using a physical token (like a Yubikey) or a personal device (like a mobile phone) to authenticate users ensures that passwords are not the sole gate to access.
- **Remote access.** Using a smart remote access platform like OneLogin means that individual websites are no longer the source of user trust. Instead, OneLogin ensures that the user's identity is confirmed, then logs them in.
- **Biometrics.** A malicious actor will find it very difficult to replicate your fingerprint or facial shape. Enabling biometric authentication turns your password into only one of several points of trust that a hacker needs to overcome.
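The lockout rule from the dictionary-attack section ("five or fewer tries") and the tell-tale pattern of brute force versus credential stuffing, turned into detection logic as an added example that is not part of the original article. The log format, the thresholds and the log lines themselves are constructed for the example.

```python
"""Added example: per-account lockout plus brute-force and credential-stuffing
detection over constructed authentication log lines. Thresholds and the
log format are assumptions made for this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                # "five or fewer tries" before the account cools down
WINDOW = timedelta(minutes=10)  # failures are counted, and accounts locked, per window
STUFFING_MIN_USERS = 3          # one source failing against this many accounts

# Constructed log lines: "<timestamp> <OK|FAIL> <username> <source ip>"
SAMPLE_LOG = [
    "2024-03-01T09:00:01 FAIL alice 198.51.100.7",  # brute force against alice...
    "2024-03-01T09:00:03 FAIL alice 198.51.100.7",
    "2024-03-01T09:00:05 FAIL alice 198.51.100.7",
    "2024-03-01T09:00:07 FAIL alice 198.51.100.7",
    "2024-03-01T09:00:09 FAIL alice 198.51.100.7",  # ...the 5th failure locks the account
    "2024-03-01T09:00:11 FAIL alice 198.51.100.7",  # attempt while locked
    "2024-03-01T09:01:00 FAIL bob 203.0.113.9",     # credential stuffing: one source,
    "2024-03-01T09:01:02 FAIL carol 203.0.113.9",   # many accounts, one try each
    "2024-03-01T09:01:04 FAIL dave 203.0.113.9",
    "2024-03-01T09:02:00 OK eve 192.0.2.5",         # normal login
    "2024-03-01T09:12:00 OK alice 198.51.100.7",    # lockout has expired by now
]


def parse_line(line: str):
    ts, result, user, ip = line.split()
    return datetime.fromisoformat(ts), result == "OK", user, ip


class LoginMonitor:
    def __init__(self):
        self.failures = defaultdict(deque)   # user -> times of recent failures
        self.locked_until = {}               # user -> end of lockout
        self.ip_targets = defaultdict(set)   # source ip -> accounts it failed against
        self.flagged_ips = set()
        self.alerts = []                     # (kind, subject, detail)
        self.last_ts = None

    def allowed(self, user: str, now: datetime) -> bool:
        """Is the account accepting login attempts at this moment?"""
        until = self.locked_until.get(user)
        return until is None or now >= until

    def record(self, ts: datetime, ok: bool, user: str, ip: str) -> None:
        self.last_ts = ts
        if not self.allowed(user, ts):
            self.alerts.append(("LOCKED_ATTEMPT", user, ip))
            return
        recent = self.failures[user]
        while recent and ts - recent[0] > WINDOW:   # slide the window forward
            recent.popleft()
        if ok:
            recent.clear()
            return
        recent.append(ts)
        self.ip_targets[ip].add(user)
        if len(recent) >= MAX_FAILURES:             # brute force / dictionary guessing
            self.locked_until[user] = ts + WINDOW
            self.alerts.append(("LOCKOUT", user, ip))
        if len(self.ip_targets[ip]) >= STUFFING_MIN_USERS and ip not in self.flagged_ips:
            self.flagged_ips.add(ip)                 # few tries per account, many accounts
            self.alerts.append(("CREDENTIAL_STUFFING", ip,
                                ",".join(sorted(self.ip_targets[ip]))))


def analyze(lines) -> LoginMonitor:
    monitor = LoginMonitor()
    for line in lines:
        monitor.record(*parse_line(line))
    return monitor


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG).alerts:
        print(alert)
```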

Business Use of Cloud Password Managers

Password managers, password vaults, single sign-on—they’re all terms you’ve probably heard as a way to create and manage secure passwords using identity and access management technologies. But what are they and how do they differ?

### Password managers vs. password vaults

Password managers and password vaults are just two terms for the same kind of product. These products are secure storage systems that encrypt and store user passwords for different websites or apps. Usually, an employee logs into the password manager with one password and then can access all the passwords they’ve created for their work apps and websites. Modern password managers do more than this, though. Most will generate strong, random passwords for the employee to use on websites or apps. And most now offer browser extensions that will fetch the credentials for the site the user is logging into, populating the login dialog to make it easier to log in without having to remember all those passwords.

### Single sign-on vs. password managers

Single sign-on (SSO) is a different technology that lets users securely authenticate to websites and apps by logging in just once a day with one password. After that, the user is automatically logged into any work app or site without having to re-enter credentials. SSO doesn’t rely on looking up the user’s password in a database. Instead, it relies on standards like SAML or OpenID Connect to log in using trust relationships. That means the third-party site (an app or website) trusts the SSO tool to verify that the user is who he or she says he or she is.

### Cloud password managers

Most password managers these days are cloud-based. Of course, you can use a password manager that stores the database on the employee’s local machine, but that makes it hard to access passwords when the employee logs into a website from their phone or a different machine.
That said, many password managers require that you install browser extensions or mobile apps in order to have access from every device and browser. A cloud-based password manager also helps ensure you don’t lose your passwords if there is an event on a server or machine.

### Is a cloud password manager the solution you need?

For individuals trying to keep their personal passwords secure, a cloud password manager makes sense. It’s better than a spreadsheet or using the same password for every site (which is the most common tactic). When you’re looking for a solution to password challenges for your business, though, a cloud password manager may not be best. Password managers for businesses often store all the organization’s users’ passwords in one database. The password manager then just becomes another attack surface for hackers. That makes the recent news from ISE even more alarming. It showed that some major password managers expose user credentials in memory, even in a locked state. The master password for the password manager may even be exposed. One way to add to the security of password vaults or managers is to require multi-factor authentication (MFA). This ensures that cybercriminals who gain an account’s username and password still can’t log in. Unfortunately, not all password managers support MFA or support it in a seamless fashion. And password managers just don’t provide the level of security that single sign-on (SSO) does. They don’t let you manage role or location-based access rights within an application. They don’t let you refine access by, for instance, restricting access to confidential data or requiring more frequent authentication for apps with confidential access. They don’t let you implement smart authentication, such as restricting access to some apps or sites when users are logging in from locations deemed less secure.
Unlike SSO, most password managers don’t synchronize with your cloud directory or your Active Directory system for role-based access to provide a seamless experience for IT and users. They also usually don’t provide the fine-grained control and auditing functionality that many standards require for compliance. SSO, on the other hand, lets you see who has logged in and where they’ve logged in from, even down to the IP. Lastly, most cloud password managers only work on websites and web apps. They don’t enable easy login on the desktop or on-prem applications. SSO tools, using LDAP and products like OneLogin Desktop, can give employees a single login experience that works the same across all their applications and devices. The result is greater employee satisfaction and productivity. Cloud password managers supplemented by MFA are a good first step for smaller businesses that aren’t ready to invest in single sign-on. But rapidly growing businesses and mid-size to larger companies will find they outgrow their cloud password manager quickly and need to look at more robust single sign-on tools to meet their evolving security and ease-of-use requirements.

Helpdesk Password Reset Best Practices

If your organization has a helpdesk or other staff handle password resets, remember that password reset tickets are an opportunity for hackers. When an employee, vendor, or customer forgets a password, their account is vulnerable. Your helpdesk processes can create more vulnerability if you aren’t following password management, and ultimately, identity and access management, best practices. So, don’t open the door to hackers. Make sure your helpdesk and its password reset processes are secure.

### Start with the password reset call or ticket

First, make sure your helpdesk is secure. Helpdesks are often a target of attack. So be sure you have your own security house in order. That means secure machines, security training, and [NIST-compliant](/compliance/nist-cybersecurity-framework) processes. Then, when users call or email to say they’ve forgotten their password, start with user verification. That is, verify that the user is the owner of the account. And make sure your verification process is hard for hackers to infiltrate. That means don’t use common security questions. Traditional questions like mother’s maiden name, the user’s high school, or the employee’s hire date—that’s information that can easily be discovered online by cyber criminals. Ideally, use [multi-factor authentication](/learn/what-is-mfa) (MFA) to verify users. MFA that requires a card key or that requires the user to respond to an email or text, i.e. device in hand, is preferred for efficient identity and access management. If that’s not possible, ask a series of questions that rely on personal information that’s not easy for a hacker to find.

### Helpdesk temporary passwords

Some helpdesks respond to password reset requests by providing a temporary password. This isn’t the preferred approach because it means at least two people know the password and it requires conveying a temporary password, which opens an opportunity for infiltration.
If you must use this approach, follow these guidelines:

- Always use a unique password for each user. **Don’t** use the same temporary password for everyone—which would mean that a single mistake opens the door to multiple accounts.
- Use long passwords, ideally sixteen characters or more.
- Randomly generate the passwords. They should consist of random characters, not words. And nothing predictable like HiredateName.
- Use a mix of uppercase, lowercase, numbers, and special characters. Avoid obvious and common substitutions like zero for the letter O or three for the letter E.

If you do send a temporary password, you need a way to verify that the user changed his or her password from the temporary one that you provided. And your password requirements should ensure that whatever new password the user comes up with is also a strong one.

### Password reset emails

If you respond to requests with an email, you still need a verification process to ensure that the reset request isn’t coming from a hacker. To be safe, make sure that you separately email or otherwise notify the user that there was a password reset request and/or that the password was reset. And include a way for the person to contact your helpdesk if he or she didn’t request that reset, so you can thwart any attack. In your response email, never send the new or temporary password. Don’t even send the account holder’s username in the email. Doing so provides an opportunity for hackers to intercept the email and gain half of the credential pair. Ideally, you will send a password reset link so that no temporary password is necessary and the user can reset his or her own password. When you do:

- Make sure your email doesn’t look like a phishing email. The spelling should be correct and the email professionally formatted.
- Set an expiration on the reset link and make it a one-time use link. That closes another potential door to cyber criminals.
- Make sure you include instructions for how to contact support if the user needs more help or didn’t request the reset.

For the reset link itself, be careful that the redirect or thank you page you go to after the reset doesn’t give away information about the user or the types of accounts that the user has. For example, don’t redirect to an administrator login or to a portfolio account login, revealing information to potential hackers about the person’s privileges or what they own. Lastly, use the reset as an opportunity to educate employees and customers. The more employees understand and work to increase security, the safer you are. Make sure they know why strong passwords, though harder to remember, are important and what might be at risk if their account is breached.

### A better way

If you’re still doing password resets manually, you know it’s an expensive process. Today, there are many tools that make password resets easier. The best ones [remove IT/helpdesk from the password reset process](/blog/password-reset-it-middle-guy) entirely, by enabling users to do automatic password resets. Automatic password reset tools can still require multi-factor authentication and can enforce strong password requirements, but they eliminate the delays that frustrate users and many of the vulnerabilities inherent in a manual process.
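The temporary-password rules and the one-time, expiring reset link from the sections above, implemented as an added example that is not part of the original article. The special-character set, the 15-minute lifetime and the in-memory token store are assumptions; a real deployment would persist the hashed tokens in a database.

```python
"""Added example: helpdesk temporary passwords that meet the stated rules, and
one-time, expiring reset tokens stored only as hashes. The character set,
lifetime and in-memory store are assumptions made for this example."""
import hashlib
import secrets
import string
from datetime import datetime, timedelta

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
SPECIAL = "!@#$%^&*()-_=+[]{}:;,.?"           # assumed special-character set
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL
MIN_LENGTH = 16                                 # "ideally sixteen characters or more"
TOKEN_TTL = timedelta(minutes=15)               # assumed reset-link lifetime


def meets_policy(password: str) -> bool:
    """Length plus all four character classes; no words are used, so no
    letter/digit substitutions can sneak in either."""
    return (len(password) >= MIN_LENGTH
            and any(c in UPPER for c in password)
            and any(c in LOWER for c in password)
            and any(c in DIGITS for c in password)
            and any(c in SPECIAL for c in password))


def generate_temp_password(length: int = MIN_LENGTH) -> str:
    """Unique per call: drawn from the OS CSPRNG, never from a word list."""
    if length < MIN_LENGTH:
        raise ValueError(f"temporary passwords must be at least {MIN_LENGTH} characters")
    while True:                                 # reject the rare draw missing a class
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def parse_utc(iso: str) -> datetime:
    """Helper so the example can be exercised with fixed timestamps."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class ResetTokenStore:
    """Issues reset-link tokens; only a hash is kept server-side, so reading
    the store does not yield usable links, and redeeming a token removes it."""

    def __init__(self):
        self._tokens = {}                       # sha256(token) -> (username, expires_at)

    def issue(self, username: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[_digest(token)] = (username, now + TOKEN_TTL)
        return token                            # the only thing that goes into the email link

    def redeem(self, token: str, now: datetime):
        """Returns the username once, or None if unknown, reused or expired."""
        entry = self._tokens.pop(_digest(token), None)   # pop: one-time use
        if entry is None:
            return None
        username, expires_at = entry
        if now >= expires_at:
            return None
        return username
```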

What is Two-Factor Authentication (2FA)?

Cyber attackers are relentless. They hunt, phish, scam, and social-engineer everybody including privileged users to infiltrate your organization. Once inside, they look for opportunities to elevate privilege and appropriate resources. Every app is vulnerable. Without controlling cloud and on-prem application access, organizations are at risk of a security breach. Two-factor authentication helps thwart attacks and protect corporate data, as a key identity and access management (IAM) solution.

### What is two-factor authentication?

Two-factor authentication (2FA) adds an additional layer of security when users log in to apps. Without additional authentication, users are asked to prove their identity by providing simple credentials such as an email address and a password. With 2FA, they are asked for a second factor (2F), usually by prompting the user to provide information via a physical token (i.e. a card) or a security question whose answer only they know. US Federal regulations recognize the following authentication factor options:

### How does 2FA make companies more secure?

Having an additional authentication factor prevents someone from signing into a user’s account—even if they know the user’s password. Other factors are needed because passwords, by themselves, just aren’t safe. They can be compromised in a number of ways:

- Most individuals choose an easy-to-remember password which is therefore easy to hack. For example, they use discoverable information such as a pet’s name, a birthplace, or an important date like their anniversary.
- Most individuals reuse the same password for several applications. So, once a cyber criminal gets the password, he or she has access to more than one application.
- Cyber criminals themselves use many different and increasingly sophisticated techniques to [compromise login credentials](/learn/what-is-cyber-security).

That’s why more factors help.
If authentication requires both a password and, say, a USB token with a digital certificate on it, a criminal would need to know the user’s credentials and be in possession of the USB token in order to sign into the user’s account. Without being in possession of both, any unauthorized access would fail and trigger a security event to let the admin know of a suspicious login attempt. Authentication can be made even stronger by combining additional identity and access management (IAM) factors to achieve [multi-factor authentication](/learn/what-is-mfa) (MFA). Multi-factor authentication allows you to add factors like a PKI certificate in the user’s browser or require a mobile app for authentication. And products like OneLogin Desktop increase security via an on-laptop certificate that delivers a second factor of authentication in the form of a trusted device.

### Strong authentication factors for 2FA

There are a variety of second authentication factors that can be used for 2FA to secure application access. Here are some examples:

- One-time password (OTP) – A unique password which can only be used once. This is typically a short string of numbers generated based on a secret stored in a physical device such as a USB token or a smartphone. Upon authentication, the one-time password is verified against the OTP vendor’s service in the cloud. Even if someone manages to steal the password, it cannot be used to log in successfully without the OTP.
- Time-based PIN – A sequence of digits which have to be entered within a short window, typically 30 to 60 seconds. The PIN can be generated by a software application or hardware device with a very precise clock. The security lies in the fact that the PIN is only valid for a short period of time.
- Digital (PKI) certificates – A digital certificate, issued by a trusted certificate authority, is installed on the device or in the user’s browser.
The identity provider can check for the presence of valid certificates as well as revoke them at any time. Only a browser with a valid certificate will be allowed to sign in.

The Truth About Passwordless Authentication

Passwordless authentication is the new buzzword in secure authentication for identity and access management (IAM) solutions. With good reason. [Passwords remain a weakness](/blog/5-reasons-passwords-disaster) for consumers and those trying to secure customer and corporate data. In fact, 81 percent of breaches involve weak or stolen passwords. And passwords are the number one target of cyber criminals. For IT departments, passwords are a burden in multiple ways. First, they have to store the passwords securely. Failure to do so risks a breach, which can have a huge impact on the bottom line, share value, and the organization’s reputation for years to come. Second, when you’re the keeper of passwords, you’re tasked with supporting them, too. That often means [handling password resets](/learn/help-desk-password-reset-best-practices) that flood the helpdesk. So, there’s good reason for organizations to want to dump passwords and move to passwordless authentication.

### How does passwordless authentication work?

Passwordless authentication is a type of [multi-factor authentication](/learn/what-is-mfa) (MFA), but one that replaces passwords with a more secure authentication factor, such as a fingerprint or a PIN. With MFA, two or more factors are required for verification when logging in. Passwordless authentication relies on the same principles as digital certificates: a cryptographic key pair with a private and a public key. Although they are both called keys, think of the public key as the padlock and the private key as the actual key that unlocks that padlock. There is only one key for the padlock and only one padlock for the key. An individual wishing to create a secure account uses a tool (a mobile app, a browser extension, etc.) to generate a public-private key pair. The private key is stored on the user’s local device and is tied to an authentication factor, such as a fingerprint, PIN, or voice recognition. It can only be accessed with this gesture.
The public key is provided to the website, application, browser, or other online system for which the user wants to have an account.

### Passwordless authentication brings freedom and security

Today’s passwordless authentication relies on the FIDO2 standard (which encompasses the WebAuthn and the CTAP standards). Using this standard, passwordless authentication frees IT from the burden of securing passwords. Why? Because while as a service provider, you may store people’s public keys, the public keys are just that, public. Like a padlock, if a hacker gets the public key, it’s useless without the private key that unlocks it. And the private key remains in the hands of the end-user or, within an organization, the employee. Another benefit of passwordless authentication is that the user can choose what tool he or she uses to create the keys and authenticate. It might be a mobile app like OneLogin Protect. It might be a biometric or a physical device, such as YubiKey. The app or website to which the user is authenticating is agnostic. It doesn’t care how you create your key pair and authenticate. In fact, passwordless authentication relies on this. For example, browsers implementing passwordless authentication may have JavaScript that is downloaded when you visit a page and that runs on your machine, but that script is part of the website and does not store your critical information. It and the website aren’t trusted with your private key, hence they aren’t a profitable attack surface for cyber criminals. As a multi-factor authentication method, passwordless authentication will continue to evolve. Most organizations still use traditional passwords as their core authentication method. But the wide and known issues with passwords are expected to increasingly drive businesses using IAM toward MFA and toward passwordless authentication.
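The padlock-and-key principle above, modelled loosely on a FIDO2/WebAuthn registration and login ceremony, as an added example that is not part of the original article: the authenticator keeps the private key and signs a server challenge, while the relying party stores only the public key and a signature counter. This uses the third-party `cryptography` package (not the standard library); the relying-party id, user name and the shape of the signed data are assumptions simplified from the real WebAuthn format.

```python
"""Added example: challenge-response login with a device-held private key.
Requires the `cryptography` package. The RP id, user name and the signed
data layout are assumptions simplified from WebAuthn for this example."""
import hashlib
import secrets

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

RP_ID = "login.example.test"     # hypothetical relying party (the website)


def _signed_data(rp_id: str, counter: int, challenge: bytes) -> bytes:
    """What gets signed: a hash of the site the key was made for, the
    signature counter and the fresh challenge (simplified from WebAuthn)."""
    return hashlib.sha256(rp_id.encode()).digest() + counter.to_bytes(4, "big") + challenge


class Authenticator:
    """The user's device (phone app, security key). The private key never leaves it;
    the user's gesture (fingerprint, PIN) is what unlocks `sign` in practice."""

    def __init__(self):
        self._keys = {}          # credential id -> [private key, signature counter]

    def register(self, rp_id: str):
        private_key = ec.generate_private_key(ec.SECP256R1())
        cred_id = secrets.token_bytes(16)
        self._keys[cred_id] = [private_key, 0]
        public_bytes = private_key.public_key().public_bytes(
            serialization.Encoding.X962, serialization.PublicFormat.UncompressedPoint)
        return cred_id, public_bytes         # only the "padlock" goes to the website

    def sign(self, cred_id: bytes, rp_id: str, challenge: bytes):
        entry = self._keys[cred_id]
        entry[1] += 1                        # monotonic counter, sent with the signature
        signature = entry[0].sign(_signed_data(rp_id, entry[1], challenge),
                                  ec.ECDSA(hashes.SHA256()))
        return entry[1], signature


class RelyingParty:
    """The website: stores public keys, hands out one-shot challenges, verifies."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self._creds = {}         # credential id -> [username, public key bytes, last counter]
        self._pending = {}       # username -> outstanding challenge

    def store_credential(self, username: str, cred_id: bytes, public_bytes: bytes) -> None:
        self._creds[cred_id] = [username, public_bytes, 0]

    def challenge(self, username: str) -> bytes:
        self._pending[username] = secrets.token_bytes(32)
        return self._pending[username]

    def verify(self, username: str, cred_id: bytes, counter: int, signature: bytes) -> bool:
        challenge = self._pending.pop(username, None)      # each challenge is usable once
        entry = self._creds.get(cred_id)
        if challenge is None or entry is None or entry[0] != username:
            return False
        _, public_bytes, last_counter = entry
        if counter <= last_counter:                        # replay or a cloned authenticator
            return False
        public_key = ec.EllipticCurvePublicKey.from_encoded_point(ec.SECP256R1(), public_bytes)
        try:
            public_key.verify(signature, _signed_data(self.rp_id, counter, challenge),
                              ec.ECDSA(hashes.SHA256()))
        except InvalidSignature:
            return False
        entry[2] = counter
        return True
```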

Biometric Authentication: Good, Bad, & Ugly

It seems like biometrics are everywhere in Identity and Access Management (IAM): fingerprints, facial recognition, voice recognition, and more. But are biometrics really the cure for secure authentication? Like all technologies, this one has pros and cons. In this topic, we’ll examine the good, the bad, and the ugly side of biometrics for authentication.

### The good part about biometrics for security

There’s a reason biometrics are increasingly popular in identity management: they’re harder to fake. Authentication has evolved. It started with what you know, a username and password, for instance. But it’s easy to steal or trick people into giving up the information they know. So, authentication techniques moved to what you have: a cell phone in hand or a card key. This, combined with what you know, made users more secure. But even that might not be secure enough. Cyber criminals could still obtain or fake the devices users had. What you are, demonstrated through biometrics, is the next stage for authentication. And it’s true, it’s much harder to fake someone’s voice, fingerprint, iris, etc. On top of that, biometric authentication is often easier for users: you carry yourself around everywhere. Putting a finger over a keypad or looking into an eye scanner isn’t tough to do. Some systems, such as facial recognition, can even authenticate without the user consciously making a gesture. Simply move into a room or sit in front of your computer and you’re authenticated via facial recognition, for instance. Best of all, users aren’t going to forget their fingers or eyes like they do passwords or physical keys. You won’t have all those password reset tickets piling up at your helpdesk with biometrics.

### The bad part about biometrics for authentication

So, what’s the downside? First, while biometrics are generally more secure, they aren’t foolproof.
For example, smartphone fingerprint scanners often rely on partial matches, and researchers have found that it’s possible to create “master prints” that match partials well enough to give access to a large number of user accounts. Researchers have also demonstrated the ability to create fake fingerprints from high quality prints left behind. Others have found ways to use photos or 3D prints to trick iris scanners or facial recognition systems. Sometimes the issue is that the system can be hacked as much as that it too often fails to recognize a valid user: someone wearing different makeup or new glasses, the voice of a user who is sick or has just woken up. So, it’s no surprise then that quality biometric solutions cost more. In fact, 67 percent of IT professionals cite cost as the biggest reason for not adopting biometric authentication. There are hidden costs, too, with 47% of those surveyed reporting a need to upgrade systems in order to support a shift to biometrics. This is why many companies considering adoption of biometrics are focused on using it as only one component of [multi-factor authentication](/learn/what-is-mfa) (MFA). MFA can require a biometric factor and a non-biometric one. If one authentication factor is hacked, the user’s account is still secured by the other. And with tools like risk-based authentication, MFA can adapt to challenge users when the probability of cybercrime is high and reduce the barriers to entry when it’s low. ### The ugly side of biometrics If you’ve been following developments in biometrics, you’re probably aware of the ethical concerns surrounding many forms of biometrics. One of them involves bias. Facial recognition systems may not recognize POC or non-CIS gender people as accurately. And learning systems for biometrics have too often been based primarily on white or white male photos, creating a clear bias that results in difficulty recognizing people in the broader population. 
Additionally, there are fears about how biometric data could be used. Who has access to images used for facial recognition, fingerprints, or voice patterns? Is it acceptable for companies to sell or provide their biometric data to others, such as law enforcement, immigration enforcement, or repressive foreign governments? For businesses, another ugly side of biometric data is the storage issue. Where biometric data is stored, it must be stored securely. Because if it’s hacked, there’s no going back—a person can’t change their fingerprint or their iris. That means losing your biometric data presents a permanent risk of hacking for the rest of your life. Companies that choose to store employees’ or customers’ biometric data are taking on a big financial and ethical responsibility. This is one reason to consider on device storage: where the biometric data is stored on the device that authenticates the user, like the user’s smartphone or computer. This gives the user control over the data and it also restricts its location to a local device, reducing the likelihood of a cyber criminal gaining access to large sets of biometric data through a single breach. While there are many sides to the biometric debate, one thing is for certain: the technology is here to stay. Despite the bad and the ugly side of biometrics, the good side is outweighing them, enough that companies are expected to continue adopting biometrics for authentication.


How Single Sign-On Works

## What is single sign-on?

Single sign-on (SSO) is an authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials.

## How does SSO work?

SSO works based upon a trust relationship set up between an application, known as the service provider, and an identity provider, like OneLogin. This trust relationship is often based upon a certificate that is exchanged between the identity provider and the service provider. This certificate can be used to sign identity information that is being sent from the identity provider to the service provider so that the service provider knows it is coming from a trusted source. In SSO, this identity data takes the form of tokens which contain identifying bits of information about the user like a user’s email address or a username.

The login flow usually looks like this:

1. A user browses to the application or website they want access to, aka the Service Provider.
2. The Service Provider sends a token that contains some information about the user, like their email address, to the SSO system, aka the Identity Provider, as part of a request to authenticate the user.
3. The Identity Provider first checks to see whether the user has already been authenticated, in which case it will grant the user access to the Service Provider application and skip to step 5.
4. If the user hasn’t logged in, they will be prompted to do so by providing the credentials required by the Identity Provider. This could simply be a username and password or it might include some other form of authentication like a [One-Time Password (OTP)](https://www.onelogin.com/learn/otp-totp-hotp).
5. Once the Identity Provider validates the credentials provided, it will send a token back to the Service Provider confirming a successful authentication.
6. This token is passed through the user’s browser to the Service Provider.
7. The token that is received by the Service Provider is validated according to the trust relationship that was set up between the Service Provider and the Identity Provider during the initial configuration.
8. The user is granted access to the Service Provider.

When the user tries to access a different website, the new website would have to have a similar trust relationship configured with the SSO solution and the authentication flow would follow the same steps.

### What is an SSO token?

An SSO token is a collection of data or information that is passed from one system to another during the SSO process. The data can simply be a user’s email address and information about which system is sending the token. Tokens must be digitally signed for the token receiver to verify that the token is coming from a trusted source. The certificate that is used for this digital signature is exchanged during the initial configuration process.

## Is SSO secure?

The answer to this question is “It depends.” There are many reasons why SSO can improve security. A single sign-on solution can simplify username and password management for both users and administrators. Users no longer have to keep track of different sets of credentials and can simply remember a single, more complex password. SSO often enables users to get access to their applications much faster. SSO can also cut down on the amount of time the help desk has to spend assisting users with lost passwords. Administrators can centrally control requirements like password complexity and [multi-factor authentication (MFA)](https://www.onelogin.com/learn/what-is-mfa). Administrators can also more quickly revoke login privileges across the board when a user leaves the organization.

Single Sign-On does have some drawbacks. For example, you might have applications that you want to have locked down a bit more. For this reason, it would be important to choose an SSO solution that gives you the ability to, say, require an additional authentication factor before a user logs into a particular application or that prevents users from accessing certain applications unless they are connected to a secure network.

## How is SSO implemented?

The specifics of how an SSO solution is implemented will differ depending on what exact SSO solution you are working with. But no matter what the specific steps are, you need to make sure you have set clear objectives and goals for your implementation. Make sure you answer the following questions:

* What different types of users are you serving and what are their different requirements?
* Are you looking for an on-prem solution or a cloud-based solution?
* Will this solution be able to grow with your company and your needs?
* What features are you looking for to ensure only trusted users are logging in? MFA, Adaptive Authentication, Device Trust, IP Address Whitelisting, etc.?
* What systems do you need to integrate with?
* Do you need API access?

## What makes a true SSO system?

It’s important to understand the difference between single sign-on and [password vaulting](https://www.onelogin.com/learn/password-vaulting) or password managers, which are sometimes referred to as SSO, where SSO can mean Same Sign-on, not Single Sign-on. With password vaulting, you may have the same username and password, but they need to be entered each time you move to a different application or website. The password vaulting system is simply storing your credentials for all the different applications and inserting them when necessary. There is no trust relationship set up between the applications and the password vaulting system.

With SSO, meaning Single Sign-On, after you’re logged in via the SSO solution, you can access all company-approved applications and websites without having to log in again. That includes cloud applications as well as on-prem applications, often available through an SSO portal (also called a login portal).

## What is SSO software vs. an SSO solution?

When researching SSO options that are available, you might see them referred to as SSO software vs. an SSO solution vs. an SSO provider. In many cases, the difference might simply be in the way the companies have categorized themselves. A piece of software suggests something that is installed on-premise. It is usually designed to do a specific set of tasks and nothing else. A solution suggests that there is the ability to expand or customize the capabilities of the core product. A provider would be a way to refer to the company that is producing or hosting the solution. For example, OneLogin is known as an SSO solution provider.

### Are there different types of SSO?

There are a lot of terms that are used when we talk about Single Sign-On (SSO):

* Federated Identity Management (FIM)
* OAuth (specifically OAuth 2.0 nowadays)
* OpenID Connect (OIDC)
* Security Assertion Markup Language (SAML)
* Same Sign On (SSO)

SSO is actually a part of a larger concept called Federated Identity Management, thus sometimes SSO is referred to as federated SSO. FIM just refers to a trust relationship that is created between two or more domains or identity management systems. Single Sign-on is often a feature that is available within a FIM architecture. OAuth 2.0 is a specific framework that could also be considered part of a FIM architecture. OAuth focuses on that trusted relationship allowing user identity information to be shared across the domains. [OpenID Connect (OIDC)](https://www.onelogin.com/blog/openid-connect-explained-in-plain-english) is an authentication layer that was built on top of OAuth 2.0 to provide Single Sign-on functionality. [Security Assertion Markup Language (SAML)](https://www.onelogin.com/learn/saml) is an open standard that is also designed to provide Single Sign-on functionality.

Same Sign On, which is also often referred to as SSO, is actually not the same as Single Sign-on because it doesn’t involve any trust relationship between the entities that are doing the authentication. It is more dependent on credentials being duplicated between systems and simply passing in those credentials when necessary. It is not as secure as any of the Single Sign-on solutions.

There are also some specific systems that commonly come up when we are discussing Single Sign-on: Active Directory, Active Directory Federation Services (ADFS) and Lightweight Directory Access Protocol (LDAP).

Active Directory, which nowadays is specifically referred to as Active Directory Domain Services (ADDS), is Microsoft’s centralized directory service. Users and resources are added to the directory service for central management and ADDS works with authentication protocols like NTLM and Kerberos. Thus, users that belong to ADDS can authenticate from their machines and get access to other systems that integrate with ADDS. This is a form of Single Sign-on.

Active Directory Federation Services (ADFS) is a type of Federated Identity Management system that also provides Single Sign-on capabilities. It supports both SAML and OIDC. ADFS is primarily used to set up trust between ADDS and other systems such as Azure AD or other ADDS forests.

Lightweight Directory Access Protocol (LDAP) is simply an industry standard that defines a way to organize and query directory information. LDAP allows you to centrally manage resources like users and systems. LDAP, however, does not define how you log into those systems, meaning it does not define the actual protocols that are used in authentication. It is, however, often used as part of the authentication process and access control processes. For example, before a user can access a particular resource, LDAP might be used to query for that user and any groups that they belong to in order to see if the user has access to that resource. LDAP solutions like OpenLDAP do provide authentication through their support of authentication protocols like Simple Authentication and Security Layer (SASL).

## What is SSO software as a service?

Just as many other applications have moved to run in the cloud, so has SSO functionality. Platforms like OneLogin that run in the cloud can then be categorized as a Software as a Service (SaaS) SSO solution.

## What is App-to-App SSO?

Lastly, you might have heard of App-to-App or Application-to-Application SSO. This is not quite an industry standard yet. It is more of a term that has been used by SAPCloud to describe the process of passing a user identity from one application to another within their ecosystem. It is somewhat similar to OAuth 2.0 but again it is not a standard protocol or method and is currently specific to SAPCloud.


What is Identity & Access Management (IAM)?

Identity and access management (IAM) ensures that the right people and job roles in your organization (identities) can access the tools they need to do their jobs. Identity management and access systems enable your organization to manage employee apps without logging into each app as an administrator. Identity and access management systems enable your organization to manage a range of identities including people, software, and hardware like robotics and IoT devices.

### Why do you need IAM?

Companies need IAM to provide online security and to increase employee productivity.

- **Security.** Traditional security often has one point of failure: the password. If a user's password is breached, or worse yet, the email address for their password recoveries, your organization becomes vulnerable to attack. IAM services narrow the points of failure and backstop them with tools to catch mistakes when they're made.
- **Productivity.** Once an employee logs on to your main IAM portal, they no longer have to worry about having the right password or right access level to perform their duties. Not only does every employee get access to the perfect suite of tools for their job, their access can be managed as a group or role instead of individually, reducing the workload on your IT professionals.

### Does IAM improve regulatory compliance?

Security is also a matter of law, regulation, and contracts. Data protection standards like Europe's General Data Protection Regulation and HIPAA and the Sarbanes-Oxley Act in the U.S. enforce strict standards for data security. With an IAM solution, your users and organization can ensure that the highest standards of security, tracking, and administrative transparency are a matter of course in your day-to-day operations.

### How does IAM work?

Identity management solutions generally perform two tasks:

1. IAM confirms that the user, software, or hardware is who they say they are by authenticating their credentials against a database. IAM cloud identity tools are more secure and flexible than traditional username and password solutions.
2. Identity access management systems grant only the appropriate level of access. Instead of a username and password allowing access to an entire software suite, IAM allows for narrow slices of access to be portioned out, e.g. editor, viewer, and commenter in a content management system.

### What does IAM do?

IAM systems provide this core functionality:

| Task | Tools |
| --- | --- |
| Manage user identities | IAM systems can be the sole directory used to create, modify, and delete users, or they may integrate with one or more other directories and synchronize with them. Identity and access management can also create new identities for users who need a specialized type of access to an organization's tools. |
| Provisioning/deprovisioning users | Specifying which tools and access levels (editor, viewer, administrator) to grant a user is called provisioning. IAM tools allow IT departments to provision users by role, department, or other grouping in consultation with the managers of that department. Since it is time consuming to specify each individual’s access to every resource, identity management systems enable provisioning via policies defined based on role-based access control (RBAC). Users are assigned one or more roles, usually based on job function, and the RBAC IAM system automatically grants them access. Provisioning also works in reverse; to avoid security risks presented by ex-employees retaining access to systems, IAM allows your organization to quickly remove their access. |
| Authenticating users | IAM systems authenticate a user by confirming that they are who they say they are. Today, secure authentication means multi-factor authentication (MFA) and, preferably, adaptive authentication. |
| Authorizing users | Access management ensures a user is granted the exact level and type of access to a tool that they're entitled to. Users can also be portioned into groups or roles so large cohorts of users can be granted the same privileges. |
| Reporting | IAM tools generate reports after most actions taken on the platform (like login time, systems accessed, and type of authentication) to ensure compliance and assess security risks. |
| Single Sign-On | Identity and access management solutions with single sign-on (SSO) allow users to authenticate their identity with one portal instead of many different resources. Once authenticated, the IAM system acts as the source of identity truth for the other resources available to the user, removing the requirement for the user to remember several passwords. |

### What is the difference between identity management and access management?

Identity management confirms that you are you and stores information about you. An identity management database holds information about your identity - for example, your job title and your direct reports - and authenticates that you are, indeed, the person described in the database. Access management uses the information about your identity to determine which software suites you're allowed access to and what you're allowed to do when you access them. For example, access management will ensure that every manager with direct reports has access to an app for timesheet approval, but not so much access that they can approve their own timesheets.

### Cloud versus on-premises IAM

In the past, most identity and access management was managed by a server on the physical premises of an organization, which was called on-prem. Most IAM services are now managed by a provider in the cloud to avoid physical maintenance costs to the organization, as well as to ensure uptime, distributed and redundant systems, and short SLAs.

### What is AWS identity and access management?

Amazon Web Services (AWS) identity and access management is simply the IAM system that is built into AWS. By using AWS IAM, you can create AWS users and groups and grant or deny them access to AWS services and resources. AWS IAM is available free of charge. The AWS IAM service provides:

- Fine-grained access control to AWS resources
- AWS multi-factor authentication
- Analysis features to validate and fine-tune policies
- Integration with external identity management solutions

### What tools do I need to implement identity and access management?

The tools needed to implement IAM include password-management tools, provisioning software, security-policy enforcement applications, reporting and monitoring apps and identity repositories. IAM tools can include, but are not limited to:

- **MFA** Multi-factor authentication means that your IAM provider requires more than one type of proof that you are who you say you are. A typical example is requiring both a password and a fingerprint. Other MFA choices include facial recognition, iris scans, and physical tokens like a YubiKey.
- **SSO** SSO stands for single sign-on. If your IAM solution provides single sign-on, that means your users can sign in only once and then treat the identity and access management tool as a "portal" to the other software suites they have access to, all without signing in to each one.

### What does an IAM implementation strategy include?

As a cornerstone of a zero-trust architecture, an IAM solution should be implemented using zero-trust principles such as least privilege access and identity-based security policies.

- **Central identity management** A key principle of zero trust is managing access to resources at the identity level, therefore having centralized management of those identities can make this approach much simpler. This could mean migrating users from other systems or at least synchronizing your IAM with other user directories within your environment such as a Human Resources directory.
- **Secure access** Since securing at the identity level is key, an IAM should make sure that it is confirming the identities of those who are logging in. This could mean implementing MFA or a combination of MFA and adaptive authentication to be able to take into consideration the context of the login attempt: location, time, device, etc.
- **Policy-based control** Users should only be given authorization to perform their required tasks and no more privilege than is necessary. An IAM should be designed to give users access to resources based upon their job role, their department or any other attributes that seem appropriate. As part of the centrally managed identity solution these policies can then ensure that resources are secure no matter where they are being accessed from.
- **Zero-trust policy** A zero-trust policy means that an organization's IAM solution is constantly monitoring and securing its users' identities and access points. In the past, organizations operated on a "once you're in, you have access" policy, but zero-trust policies ensure that each member of the organization is constantly being identified and their access managed.
- **Secured privileged accounts** Not all accounts in an access management system are created equal. Accounts with special tools or privileged access to sensitive information can be provided a tier of security and support that suits their status as a gatekeeper for the organization.
- **Training and support** IAM providers provide training for the users who will be most engaged with the product, including users and administrators, and often provide customer service for the long-term health of your IAM installation and its users.

### IAM technologies

An IAM system is expected to be able to integrate with many different systems. Because of this, there are certain standards or technologies that all IAM systems are expected to support: Security Assertion Markup Language, OpenID Connect, and System for Cross-domain Identity Management.

- **Security Assertion Markup Language (SAML)** SAML is an open standard used to exchange authentication and authorization information between an identity provider system such as an IAM and a service or application. This is the most commonly used method for an IAM to provide a user with the ability to log in to an application that has been integrated with the IAM platform.
- **OpenID Connect (OIDC)** OIDC is a newer open standard that also enables users to log in to their application from an identity provider. It is very similar to SAML, but is built on the OAuth 2.0 standards and uses JSON to transmit the data instead of XML, which is what SAML uses.
- **System for Cross-domain Identity Management (SCIM)** SCIM is a standard used to automatically exchange identity information between two systems. Though both SAML and OIDC can pass identity information to an application during the authentication process, SCIM is used to keep the user information up to date whenever new users are assigned to the service or application, user data is updated, or users are deleted. SCIM is a key component of user provisioning in the IAM space.

Published by OneLogin, 2019-03-14.


What is Cybersecurity & Why Do We Need It

Cybersecurity is the practice of defending technical assets and data from malicious attack. This includes protecting computers, servers, mobile devices, electronic systems, networks, and corporate data. Cybersecurity encompasses:

- **Network security**, securing a computer network from intruders.
- **Application security**, keeping software and devices threat-free, important because they can provide access to corporate data.
- **Information security**, protecting data in storage and in transit.
- **Operational security**, ensuring users have appropriate permissions when accessing a network and that data is stored and shared securely.
- **Disaster recovery and business continuity**, planning for adequate response to security incidents, data losses, or outages, as well as recovery in those instances. Business continuity is the plan the organization uses to continue operating when dealing with an incident.

### What is a cyber attack?

A cyber attack is an attempt to steal, alter, expose, disable, destroy, or simply gain unauthorized access to a computer system or network. Some common types of attacks include:

- **Distributed Denial of Service (DDoS)** In which attackers overwhelm the targeted resource (such as a website or network) with superfluous requests, attempting to overload the servers in order to prevent some or all legitimate requests from being fulfilled. For example, the attacker may use many different IP addresses to send hundreds of thousands of “contact us” requests to a website, overwhelming the site and causing it to go down.
- **Phishing** In which attackers obtain a set of phone numbers/email addresses and send a compelling message to all of them hoping to get the user to click a link leading to a fake website where the user will enter his or her username and password. The attacker can then use it to log in and capture data, steal money, etc.
- **Spear phishing** In which attackers send carefully crafted and very believable messages to smaller groups of individuals. The messages are specifically relevant to this group of people and often include personal information the attackers have obtained (such as a colleague’s name or some event the individuals recently attended). The message then acts like a regular phishing attack.
- **Keylogger** In which attackers manage to install a program on the user’s machine which captures keystrokes, including the usernames and passwords for specific sites, apps, etc.
- **Credential stuffing** In which attackers use stolen username/password pairs and try to use them on many different websites or apps, hoping the user has used the same credentials for multiple sites. (This works because users do frequently use the same credentials across websites.)
- **Brute force and reverse brute force attacks** In which attackers generate possible username/password combinations based on typical patterns that people use, and then programmatically try to use them on many websites/apps to try to gain access.
- **Man-in-the-middle (MITM) attacks** In which attackers insert a program between the user and an app or website. For example, the program might look like a public Wi-Fi login. The program then captures the user’s login credentials or hijacks the user’s session so it can take actions hidden from the user.

### What is a security incident and a security breach?

A security incident is an event that violates an organization’s security policies or procedures. Verizon’s 2016 Data Breach Investigations Report defines an incident as a “security event that compromises the integrity, confidentiality, or availability of an information asset.” A security breach is an incident that meets legal definitions at the state or federal level such that it qualifies as a data breach. Many state, federal, and compliance regulations require specific notifications in the event of a data breach, such as letting affected individuals or regulatory organizations know.

### How do you implement cybersecurity?

There are no cybersecurity silver bullets, but being proactive and attentive increases the chances of preventing or mitigating a security incident or breach. Protecting your business or organization from cyber attack requires coordinated activity on multiple fronts. The IT department in an organization generally “owns” cybersecurity, but every employee, vendor, supplier, and person who has access to corporate resources plays a role. Defending the organization requires efforts on at least three fronts:

- **Technology**—The right technical security tools are, of course, critical. Technical solutions should be implemented to protect on-prem networks and systems, cloud systems and apps, and all endpoints, i.e. devices, internet of things (IoT), routers, and any other entry points to your networks and systems. A Privileged Access Management system and an Identity and Access Management (IAM) system are critical technologies.
- **Processes**—Staying diligent and successfully addressing potential or actual cybersecurity events can only occur if you have taken the time to define and roll out processes that support cybersecurity. These processes must be verified and updated regularly.
- **People**—If the people in your business ecosystem don’t implement the required processes and technology, you won’t be successful. Moreover, people are a frequent target of the most common types of cyber attacks. So educating everyone inside and who works with your organization and ensuring they follow best practices, such as around password security, is mandatory to protect your organization.

These cybersecurity tools must be applied to a set of functions, as per the NIST Framework:

- **Identify** potential cybersecurity risks and weak points in the organization.
- **Protect** from attack using the information determined in the identify phase.
- **Detect** any attacks or potential attacks in real-time.
- **Respond** to attacks.
- **Recover** from the impact of an event.
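As an added example (not OneLogin’s code), the following Node.js script applies the Detect function to the credential stuffing and brute-force attacks described above: it reads authentication log lines and flags one source failing against many accounts, many failures against one account, and the case that most deserves a human look, a success right after repeated failures. The log format, the thresholds and the IP addresses (documentation ranges) are constructed for this example, not any product’s format.

```javascript
// Added example, not OneLogin's code: flag login-attack patterns in auth logs.
// Log line format (constructed for this example):
//   YYYY-MM-DD HH:MM:SS user=<name> src=<ip> result=success|failure
const LINE_RE = /^(\S+) (\S+) user=(\S+) src=(\S+) result=(success|failure)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null; // skip lines that do not match the format
  const [, date, time, user, src, result] = m;
  return { ts: Date.parse(`${date}T${time}Z`), user, src, ok: result === 'success' };
}

// Thresholds (hypothetical; tune to your environment). Within WINDOW_MS:
// - failures from one source against >= MANY_USERS distinct accounts look
//   like credential stuffing or password spraying;
// - >= MANY_TRIES failures from one source against one account look like
//   a brute-force attempt.
const WINDOW_MS = 10 * 60 * 1000;
const MANY_USERS = 5;
const MANY_TRIES = 8;

function detect(lines) {
  const events = lines.map(parseLine).filter(Boolean).sort((a, b) => a.ts - b.ts);
  const failuresBySrc = new Map(); // src -> recent failures [{ ts, user }]
  const alerts = new Map();        // key -> alert (latest counts win)

  for (const ev of events) {
    // Keep only failures from this source that fall inside the sliding window.
    const recent = (failuresBySrc.get(ev.src) ?? []).filter((f) => ev.ts - f.ts <= WINDOW_MS);
    if (!ev.ok) recent.push({ ts: ev.ts, user: ev.user });
    failuresBySrc.set(ev.src, recent);

    const accounts = new Set(recent.map((f) => f.user)).size;
    const triesOnUser = recent.filter((f) => f.user === ev.user).length;

    if (accounts >= MANY_USERS) {
      alerts.set(`stuffing:${ev.src}`,
        { type: 'credential_stuffing', src: ev.src, accounts });
    }
    if (triesOnUser >= MANY_TRIES) {
      alerts.set(`brute:${ev.src}:${ev.user}`,
        { type: 'brute_force', src: ev.src, user: ev.user, failures: triesOnUser });
    }
    // A success following repeated failures from the same source is the event
    // that most deserves review: a guessed or stuffed password may have worked,
    // so the account should be checked and its credential reset.
    if (ev.ok && triesOnUser >= 3) {
      alerts.set(`success-after-failures:${ev.src}:${ev.user}`,
        { type: 'success_after_failures', src: ev.src, user: ev.user, priorFailures: triesOnUser });
    }
  }
  return [...alerts.values()];
}

// Constructed sample log (documentation IP ranges, not real traffic).
const SAMPLE_LOG = [
  // one source, six different accounts, one failure each -> stuffing pattern
  ...Array.from({ length: 6 }, (_, i) =>
    `2024-05-01 09:00:0${i} user=user${i} src=203.0.113.9 result=failure`),
  // one source, eight failures on "alice", then a success -> brute-force pattern
  ...Array.from({ length: 8 }, (_, i) =>
    `2024-05-01 09:05:0${i} user=alice src=198.51.100.7 result=failure`),
  '2024-05-01 09:05:09 user=alice src=198.51.100.7 result=success',
  // ordinary successful login, no alert
  '2024-05-01 09:07:00 user=erin src=192.0.2.4 result=success',
  'this line is malformed and is ignored',
];
```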


What is Identity Governance & Administration

Identity Governance and Administration (IGA) joins the list of acronyms along with IAM and PAM. The term gained acceptance in 2013 after Gartner merged two of its Magic Quadrants, one addressing Identity Governance and the other Identity Administration, into the Magic Quadrant for Identity Governance and Administration.

IGA systems merge identity administration (administering accounts and credentials, provisioning, and managing entitlements) with identity governance (segregation of duties, role management, logging, and analytics and reporting). IGA systems provide functionality beyond standard Identity and Access Management (IAM) systems: in particular, they help organizations meet compliance requirements and audit access for compliance reporting, and they automate workflows for tasks such as access approvals and provisioning/de-provisioning.

### Elements of IGA Systems

Identity governance and administration tools handle user identity lifecycle management. IGA systems generally include these elements for identity administration:

- **Password management** Through tools like password vaults or, more often, Single Sign-On (SSO), IGA systems ensure users don’t have to remember many different passwords to access applications.
- **Integrations** Connectors to directories and other systems that hold information about users, the applications and systems they have access to, and their authorizations in those systems.
- **Access request management** Workflows that make it easier for users to request access to applications and systems and to obtain approvals.
- **Provisioning** Automated provisioning and de-provisioning at both the user and application level.
- **Entitlement management** The ability to specify and verify what people are allowed to do in various applications (such as add, edit, view, or delete data).

IGA systems generally include these elements for governance:

- **Segregation of duties** Rules that prevent risky combinations of access from being granted to one person, for example the ability both to view a corporate bank account and to transfer funds to outside accounts (which could let a user move money to a personal account). The check is most useful when it runs preventively, at access-request time, as well as detectively, during access reviews.
- **Access review** Tools that streamline the review and verification (or revocation) of users’ access to different apps and resources. Some IGA tools provide discovery features that identify entitlements already granted and surface them for review.
- **Role-based management** Defining and managing access through user roles.
- **Analytics and reporting** Tools that log activities, generate reports (including for compliance), and provide analytics to identify issues and optimizations.
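The segregation-of-duties and access-review elements above are easier to see as code. The following is an added example, not code from this page or from any IGA product: the users, their entitlements and the two SoD rules are constructed sample data, and the rule names are hypothetical. It shows the same rule used both preventively (in an access-request workflow) and detectively (during an access review), plus the entitlement discovery a reviewer needs.

```python
"""Segregation-of-duties (SoD) checks and entitlement discovery for access review.
Added example; not code from the page or any IGA product. Users, entitlements
and rules below are constructed sample data."""
from dataclasses import dataclass

# Constructed sample: user -> set of (application, entitlement) pairs.
ENTITLEMENTS = {
    "alice": {("banking", "view_account"), ("banking", "transfer_funds"), ("hr", "view_payroll")},
    "bob":   {("banking", "view_account"), ("erp", "create_vendor")},
    "carol": {("erp", "create_vendor"), ("erp", "approve_payment"), ("hr", "view_payroll")},
}

# Hypothetical SoD rules: each is a set of entitlements no single person may hold together.
# Real rules come from the organisation's control matrix.
SOD_RULES = [
    ("toxic-banking", {("banking", "view_account"), ("banking", "transfer_funds")}),
    ("toxic-procurement", {("erp", "create_vendor"), ("erp", "approve_payment")}),
]


@dataclass(frozen=True)
class Violation:
    user: str
    rule: str


def sod_violations(entitlements=ENTITLEMENTS, rules=SOD_RULES):
    """Detective control (run during an access review): every user who already
    holds a complete toxic set, in the order users appear in the data."""
    return [Violation(user, name)
            for user, held in entitlements.items()
            for name, toxic in rules
            if toxic <= held]


def would_violate(user, new_entitlement, entitlements=ENTITLEMENTS, rules=SOD_RULES):
    """Preventive control (run in the access-request workflow): names of the rules
    that granting new_entitlement would complete for this user. An empty list
    means the request is safe to approve as far as SoD is concerned."""
    held = entitlements.get(user, set()) | {new_entitlement}
    return [name for name, toxic in rules
            if new_entitlement in toxic and toxic <= held]


def discover_entitlements(entitlements=ENTITLEMENTS):
    """Discovery for access review: invert the data so a reviewer sees, per
    entitlement, exactly who holds it."""
    holders = {}
    for user, held in entitlements.items():
        for ent in held:
            holders.setdefault(ent, []).append(user)
    return {ent: sorted(users) for ent, users in holders.items()}


if __name__ == "__main__":
    for v in sod_violations():
        print(f"VIOLATION {v.user}: {v.rule}")
    print("bob + banking/transfer_funds ->", would_violate("bob", ("banking", "transfer_funds")))
    print("holders of hr/view_payroll:", discover_entitlements()[("hr", "view_payroll")])
```

The preventive check is the one worth wiring into the approval workflow: an approver who sees a non-empty list from `would_violate` before clicking approve prevents the violation instead of discovering it at the next quarterly review.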


SSO Checklist

It’s critical that your SSO solution meets the basic requirements to support employees and IT needs: a secure solution with high usability. But remember that SSO is only part of your identity and access management solution. Digital transformation today relies on an Identity and Access Management (IAM) platform that includes SSO as well as other tools like MFA and directory integration. Use the checklist below to make sure that your SSO system offers the protection your company needs.

#### User community support
Does the SSO solution support all your user communities?
- Workforce (employees and contractors)
- Partners/Vendors
- Customers

#### Customers
If your customers need access, does the SSO system support commonly used consumer authentication methods?
- Facebook
- Google

#### True SSO
Does the SSO solution provide true single sign-on rather than password vaulting?
- User enters only one username and password to access all apps/sites
- User logs in only once per day or session to gain access to all corporate apps/sites

#### Application integration
Does the SSO solution work with your cloud and on-prem apps?
- SSO supports all your cloud applications
- SSO supports all your on-prem applications

#### Open standards support
Does the SSO solution support the most common, widely used protocols for establishing a trust relationship?
- SAML
- OpenID Connect
- OAuth 2
- WS-Federation

#### Reputation for security
Does the vendor meet common, widely recognized security standards and implement adequate internal processes?
- SOC 2 Type 2
- ISO 27017
- ISO 27018
- ISO 27001
- Skyhigh Enterprise-Ready
- CSA STAR
- TRUSTe
- U.S. Privacy Shield (invalidated by the Court of Justice of the EU in July 2020; look for its successor, the EU-U.S. Data Privacy Framework, or for standard contractual clauses)
- GDPR
- EU Model Contract clauses
- Adheres to the NIST Cybersecurity Framework
- Vendor performs penetration tests
- Vendor performs network scans
- Vendor has a bug bounty program

#### Availability and disaster recovery
Does the SSO service demonstrate consistently high availability and the ability to recover quickly from disasters? (Note that 99% availability still permits about 3.65 days of downtime per year; ask for the vendor’s contractual SLA figure, which for a service that gates every login should be considerably higher.)
- Historical availability of over 99%
- Recent availability (last twelve months) of over 99%
- Uses multiple data centers in different regions
- Uses replication and redundancy across regions

#### High usability
Is the SSO user interface simple enough that employees will embrace it?
- Provides a single portal of apps
- Integrates with all the common browsers
- Streamlines the app access process
- Streamlines the login process
- Makes it easy for users to reset their own passwords

#### Mobile ready
Does the SSO solution provide thorough support for mobile users?
- Provides SSO for mobile devices (via a native mobile app)
- Supports a variety of devices via SAML and partnerships with MDM vendors
- Works with your multi-factor authentication (MFA) tool

#### Flexible password rules
Does the SSO system support and enforce password requirements in a usable and effective manner?
- Lets you set password expiration times (current NIST SP 800-63B guidance is not to force periodic changes without evidence of compromise, so the capability that matters most is forcing a change when a credential is known to be compromised)
- Lets you set password complexity (length, characters, etc.)
- Provides expiration notifications (helping to reduce support tickets)
- Enforces MFA for password resets if MFA is in use

#### Enterprise access
Does the SSO solution integrate with your network access points?
- Integrates with VPN
- Integrates with Wi-Fi for app access
- Provides endpoints for integration with RADIUS and LDAP

#### Federation
Does the SSO solution let you keep using the corporate identity providers you already have?
- Microsoft Active Directory
- Amazon Active Directory
- LDAP
- Google Directory
- Human Resource Management Systems (HRMS), such as Workday or SuccessFactors

#### Authentication
Does the SSO solution provide additional security?
- Multi-factor authentication
- Adaptive authentication
- Automatic step-up authentication for high-risk resources
- X.509-based certificates

#### Developer support
Does the SSO solution provide APIs and support so you can enable single sign-on for your custom applications and third-party systems?
- SSO registration and life-cycle management APIs
- SDK for major platforms and languages
- Supports OpenID Connect

#### Reporting
Does the SSO solution provide reports that enable you to meet compliance requirements and improve your security based on threat data?
- Ability to export authentication and authorization events to third-party SIEM solutions
- Out-of-the-box reports and audit trails

### Advanced requirements
Although any SSO solution should meet the basic requirements, organizations making a successful digital transformation usually choose solutions that meet advanced requirements as well. An advanced SSO solution ensures, from the start, that you aren’t behind the curve.

#### Behavioral analytics
Does the SSO solution use behavioral analytics to adapt and respond intelligently?
- Allows blocklisting and allowlisting of geolocations and IPs
- Allows you to set responses to high-risk login attempts
- Allows you to set certain apps to require re-authentication (such as through MFA)

#### Manage authorization
Can the SSO solution manage authorization through its integration with your identity provider(s)?
- Supports role-based access control (RBAC)
- Supports provisioning and deprovisioning of user access in apps

#### Easy integration
Can you integrate the SSO solution with your custom apps and in your organization without having to replace or significantly modify existing solutions?
- Enables integration into your custom apps via an API
- Enables incorporation of SSO without the need to rip and replace other solutions


Why is SSO Important?

Single sign-on (SSO) in the enterprise refers to the ability for employees to log in just once, with one set of credentials, to get access to all the corporate apps, websites, and data they have permission to use. SSO solves key problems for the business by providing:

- Greater security and compliance.
- Improved usability and employee satisfaction.
- Lower IT costs.

The proliferation of cloud apps and services in the enterprise, often alongside on-prem ones, has created a significant fragmentation problem. Fragmentation is a challenge for both IT and users. IT must manage the many apps in the enterprise as well as deal with shadow IT. Employees have to use more and more apps each day just to complete their work, which means logging in to and switching between multiple apps and websites. SSO helps to solve this fragmentation problem.

### Security and compliance benefits of SSO

Usernames and passwords are a primary target of cybercriminals, and every separate login an application requires is another place a credential can be phished, reused, or stored badly. SSO shrinks that attack surface: users log in once each day with one set of credentials, so there is one login to harden and one place to enforce MFA. The flip side is that the SSO credential then unlocks everything, so it must be protected with MFA and with sensible session and token lifetimes.

When employees have to use separate passwords for each app, they usually reuse them. In fact, 59% use the same or similar passwords on multiple accounts. Thus, if an attacker gets in through one poorly secured website, they are likely to be able to access other corporate systems as well.

SSO helps with regulatory compliance, too. Regulations such as Sarbanes-Oxley require that IT controls are documented and that organizations prove adequate methods are in place to protect data. SSO is one way to meet requirements around controlling and documenting access to data.

SSO can also help with regulations like HIPAA that require effective authentication of users accessing electronic records and audit controls to track activity and access. HIPAA also calls for automatic logoff of users, which most SSO solutions support. When SSO is part of an identity and access management (IAM) solution, it uses a central directory that controls user access to resources at a more granular level, which helps organizations comply with regulations that require provisioning users with appropriate permissions. Unified Access Management (UAM) systems enable SSO with role-based access control (RBAC) and security policies. Such a solution also deprovisions users quickly, or even automatically, another common compliance requirement meant to ensure that former employees, partners, or others can’t access sensitive data.

### SSO improves usability for employees

With the move to the cloud, employees are using more and more apps in the workplace. Requiring a separate username and password for each app is a huge burden for employees and, frankly, unrealistic. Single sign-on reduces that cognitive burden. Signing in once also saves time, improving employee productivity. Given that 68% of employees switch between ten apps every hour, eliminating multiple logins can save a company considerable time and money.

SSO solutions that are part of an identity and access management system usually have an app portal. To use an app, employees select it from the portal. If a user doesn’t have an app, he or she can request it through the portal and it is added with SSO enabled. It all happens quickly, so users who might otherwise be discouraged from requesting or using apps are more likely to use them.

### How SSO lowers IT costs

SSO lowers IT costs by saving time on password resets. When each app requires a different username and password, chances are high that employees will forget passwords, and help tickets for password resets pile up. With SSO, users have only one set of credentials to remember, reducing the number of help tickets. And most SSO solutions allow users to reset their passwords themselves, eliminating the need for IT involvement.

SSO that is part of a unified access management system takes advantage of a central directory to provision and deprovision users, making the process faster and cheaper. Policies can be defined based on user role, location, and other user traits. Employees, partners, and customers can be provisioned across multiple applications in one action rather than separately in each application. Similarly, IT saves time on deprovisioning, which can be done in minutes instead of hours.

When enterprises implement a quality SSO solution, it adds security, improves usability, and saves time and money for the IT department.


Password Vaulting

A password vault, also called a password manager, is a program that stores usernames and passwords for multiple applications in a secure location and in encrypted form. Users unlock the vault with a single master username and password, and the vault then supplies the stored password for the website they are trying to access. Consumers often use the password manager built into Chrome or Safari, in which case Google or Apple stores the password information. Businesses may buy a password management tool. (Most password managers will also generate a strong, random password that is unique to each site. These are not one-time passwords: a one-time password, or OTP, is a code that is valid for a single login and serves as an MFA factor, not as a stored password.)

### What is single sign-on?

Single sign-on (SSO) is a solution that gives employees access to company apps and websites by asking them to sign in just once a day, with one username and password. When you sign in to a website through Facebook or Google, you’re using a form of SSO. In a business setting, employees usually get access to their company’s apps through SSO as part of an identity and access management (IAM) solution that uses the company’s directory, such as Microsoft Active Directory, Azure Active Directory (now Microsoft Entra ID), or a directory provided by the SSO solution.

### Which is better, SSO or password vaults?

In general, SSO is considered more secure and easier to use than password vaults. As part of an IAM solution, SSO eliminates the need for employees to maintain multiple passwords, easing the burden on users. It also reduces the frequency of logins and the number of credentials stored, shrinking the attack surface available to cybercriminals.

When businesses begin to implement stricter password requirements, they often start with password managers. For example, an organization might require that passwords be changed frequently, use random characters, or be longer. Since these more complex passwords are harder to remember, the organization may buy a password manager so that employees can store them in an encrypted, relatively secure environment.

But most organizations quickly outgrow password managers. For one thing, they introduce a new chore: employees must add password management to their list of tasks. Password vaults also don’t solve the problem of app proliferation, and users still spend time logging in to each app. Since 68% of users report having to switch between 10 different apps every hour, that’s a lot of wasted time. Note too that a vault, by design, still hands the real password to every app, so each of those apps has to be trusted to store and check a credential itself.

Single sign-on systems let users log in just once, with one set of credentials, to access all apps. SSO systems usually rely on the business’s identity provider and directory, such as Active Directory, and use standard, widely accepted protocols, such as SAML or OpenID Connect/OAuth 2.0, together with technologies like digital certificates and signed assertions, to provide enterprise-grade security. SSO is more secure because passwords aren’t passed around: after the user logs in to the identity provider, the SSO system hands the app a signed token or assertion, the app verifies the signature, and the app never sees the password. Many SSO solutions also work across both on-prem and cloud apps and websites, providing seamless and secure access across corporate systems.
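To make the last point concrete, here is the token hand-off in miniature. This is an added example, not code from this page or from any SSO product: the issuer and audience identifiers, the shared key and the one-user password store are constructed. It signs a JWT-shaped token with HMAC-SHA256 (HS256) so that it runs on the Python standard library alone; production SAML and OIDC deployments normally use RSA or ECDSA signatures that the app verifies with the identity provider’s published public key, and a real user store would use a slow password hash such as argon2 or bcrypt rather than plain SHA-256.

```python
"""Token-based SSO in miniature: the identity provider (IdP) checks the password
once and issues a short-lived signed token; the application verifies the token
and never handles the password. Added example; not the page's or any vendor's
code. HS256 with a constructed shared key stands in for the asymmetric
signatures real SAML/OIDC federations use."""
import base64
import hashlib
import hmac
import json
import time

IDP_ISSUER = "https://idp.example"      # assumed issuer identifier
APP_AUDIENCE = "https://app.example"    # assumed relying-party identifier
SHARED_KEY = b"constructed-idp-app-shared-key"
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}  # constructed toy store


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_login(username, password, now=None, ttl=300):
    """IdP side: verify the password, then mint a token the app can trust."""
    if USERS.get(username) != hashlib.sha256(password.encode()).hexdigest():
        return None
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "aud": APP_AUDIENCE, "sub": username,
              "iat": now, "exp": now + ttl}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def app_verify(token, now=None):
    """App side: accept the token only if the algorithm is the expected one, the
    signature checks out, and issuer, audience and expiry are right. Returns the
    authenticated subject, or None. The app never saw a password."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
        header = json.loads(unb64url(h))
        claims = json.loads(unb64url(c))
        sig = unb64url(s)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":                  # refuse "none" and algorithm switching
        return None
    expected = hmac.new(SHARED_KEY, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):         # constant-time comparison
        return None
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != APP_AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    return claims.get("sub")


if __name__ == "__main__":
    token = idp_login("alice", "correct horse")
    print("app accepts token for:", app_verify(token))
```

The order of checks in `app_verify` is deliberate: pin the algorithm before trusting the header, verify the signature before reading any claim, and only then check issuer, audience and expiry. Skipping the audience check is the classic mistake that lets a token minted for one application be replayed against another.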


What Type of Attacks Does MFA Prevent?

Multi-Factor Authentication (MFA), as part of an identity and access management (IAM) solution, can help prevent some of the most common and successful types of cyberattacks, including:

- Phishing
- Spear phishing
- Keyloggers
- Credential stuffing
- Brute force and reverse brute force attacks
- Man-in-the-middle (MITM) attacks

### How does MFA help prevent security breaches?

To understand how MFA helps prevent security breaches, let’s first review how these attacks work:

#### Phishing
How it works: The attacker uses a list of phone numbers or email addresses and delivers a message with a compelling call to action (for example, the user is told to log in and verify transactions). Usually the message sends users to a fake website where they enter their username and password.

#### Spear phishing
How it works: The attacker targets a small group of individuals with well-crafted, believable messages relevant to that group, often using personalized content (such as the user’s name or a recent action or event). Like phishing, it uses calls to action that get users to hand over their credentials.

#### Keylogger
How it works: The attacker installs a program (often via malware) that captures every keystroke on the user’s computer, including sites visited, usernames, passwords, answers to security questions, and more.

#### Credential stuffing
How it works: The attacker exploits the fact that users often reuse the same username and password on multiple accounts, trying stolen credential pairs against many different sites and apps.

#### Brute force and reverse brute force attacks
How it works: The attacker uses a program to generate candidate usernames/passwords and tries to gain access with them (dictionary attacks are a type of brute force attack). In a reverse brute force attack, the attacker instead tries the most commonly used passwords (like Password123) against many different accounts.

#### Man-in-the-middle (MITM) attacks
How it works: The attacker’s program inserts itself into the interaction between a user and an app (for instance, by impersonating a public Wi-Fi network). The program then gathers the login credentials that the user enters, or even hijacks the session token.

### How MFA combats common cyberattacks

MFA thwarts these attacks by requiring an additional factor from the user. A phishing attack may capture a user’s password, but it does not hand the attacker a fingerprint or a code generated on a device the attacker does not hold. (Answers to personal security questions are a weak second factor: they can be phished just like the password.) Similarly, a brute force or reverse brute force attack may find a working username and password, but the attacker does not hold the other factors the MFA system requires.

MFA can also blunt more sophisticated attacks such as MITM by adding a layer that the intercepted channel does not carry. Even if the attacker’s program captures what the user enters on the laptop, the IT administrator can require that the user complete the login from a different device or channel. Push-based authenticators are well suited to this with minimal user inconvenience. For example, say the user is logging in from her laptop, which has been compromised by a MITM program, but the business has set up MFA so that, to complete the login, the user must use a phone app such as OneLogin Protect. The native mobile authenticator app confirms the login from the phone to the authentication system. Since the MITM attacker does not have the user’s phone, the breach is prevented.

One caveat applies to every code- or push-based method: a proxy that sits between the user and the real login page can relay a one-time code, or simply wait for the user to approve the push prompt, and then steal the resulting session. Codes and push approvals therefore reduce phishing risk but do not eliminate it. Factors bound to the genuine site, such as FIDO2/WebAuthn security keys and X.509 certificates, are the phishing-resistant choice.

MFA and IAM do not stop every type of attack, and they do not guarantee security. But they add layers of authentication that make cyberattacks considerably more difficult.


What is Adaptive Authentication?

Standard authentication methods, including Multi-Factor Authentication (MFA), ask users for the same credentials every time they log in or access corporate resources. Adaptive authentication asks for different credentials depending on the situation, tightening security when the risk of a breach is higher.

When users always log in with static credentials, such as a username and password, they are vulnerable to cyberattack. Authentication tools for identity and access management, such as MFA, provide better security by requiring additional credentials, such as a code generated by a smartphone app. More factors help, but it is still possible for cybercriminals to acquire or phish a user’s various credentials and use them to gain access. Adaptive authentication changes the requirements intelligently, making it much harder for an attacker to get in, because some of the signals it uses (the device, the network, the user’s historical behavior) are difficult for an attacker to reproduce.

#### How does adaptive authentication work?

When you implement risk-based authentication in your organization, you determine the baseline login requirements for a given user or set of users. You might have stricter requirements for users in certain locales or in roles that give them access to sensitive information.

Adaptive authentication works by building a profile for each user that includes information such as geographical location, registered devices, role, and more. Each authentication request is evaluated against that profile and assigned a risk score. Depending on the score, the user may be required to provide additional credentials or, conversely, allowed to proceed with fewer. For example, a user accessing applications from an unregistered device may be prompted to register it, and a user logging in from somewhere other than their office may have to answer a security question or present a second factor.

IT determines the response to requests at each risk level: in any given scenario, the user may be allowed through, blocked, or challenged to prove his or her identity.

#### Adaptive authentication and machine learning

Most risk-based authentication solutions use machine learning. Their algorithms monitor and learn user behavior over time to build an accurate profile of a given user’s login patterns: devices, typical login times, usual work locations. They also check IP addresses and network reputation against threat data. The solution assigns a risk score based on behavior and context and responds to the perceived risk according to rules established by IT, which may vary by risk score, user role, location, device, and more.

Using artificial intelligence (AI), advanced authentication is evolving to monitor in real time and identify anomalies in a user’s authentication patterns, or even threats in the authentication path (such as compromised networks). The most advanced adaptive authentication solutions adjust requirements automatically based on the risk score and IT policy: few or no additional challenges for a low-risk score, multiple challenges (a one-time password plus biometrics, for instance) for a high-risk score, and restricted or denied access when policy calls for it.

#### Benefits of adaptive authentication

As well as adding security, adaptive authentication reduces friction for users trying to get their work done. Static MFA policies can be onerous, always demanding a name, password, and app code, or requiring a security question every time someone authenticates outside the office.

Adaptive authentication can request less from users who are recognized and behaving in expected ways, and asks for more only occasionally, when circumstances suggest greater risk. This means fewer interruptions for users, lower barriers to entry, and greater security.
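The profile, signals, score and policy described above fit in a short program. What follows is an added example, not code from this page or from any vendor’s product: the signal weights, the role-specific thresholds, the 1000 km/h "impossible travel" limit and the sample profiles and login attempts are all hypothetical, and a real product would learn much of the profile from behavior over time rather than hard-code it. The example goes slightly beyond the text by including an impossible-travel check, a common signal in such systems.

```python
"""Risk-based (adaptive) authentication in miniature: build a user profile, score
each login attempt from context signals, and let IT policy decide allow /
step-up / deny. Added example; not the page's or any vendor's code. Weights,
thresholds and sample data are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Set, Tuple
import math


@dataclass
class Profile:
    user: str
    role: str
    known_devices: Set[str]
    usual_countries: Set[str]
    usual_hours: range                      # hours (in the timestamp's zone) the user normally logs in
    last_login_at: Optional[datetime] = None
    last_login_geo: Optional[Tuple[float, float]] = None   # (lat, lon)


@dataclass
class Attempt:
    device_id: str
    country: str
    geo: Tuple[float, float]
    at: datetime
    ip_reputation: str                      # "clean" | "suspicious" | "malicious" (assumed threat-feed verdict)


# Hypothetical weight per signal.
WEIGHTS = {"unregistered_device": 30, "unusual_country": 25, "unusual_hour": 10,
           "impossible_travel": 50, "suspicious_ip": 30, "malicious_ip": 100}
MAX_PLAUSIBLE_KMH = 1000                    # faster than this between two logins is "impossible travel"


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))


def risk_signals(profile, attempt):
    """Which context signals fire for this attempt."""
    signals = []
    if attempt.device_id not in profile.known_devices:
        signals.append("unregistered_device")
    if attempt.country not in profile.usual_countries:
        signals.append("unusual_country")
    if attempt.at.hour not in profile.usual_hours:
        signals.append("unusual_hour")
    if profile.last_login_at is not None and profile.last_login_geo is not None:
        hours = (attempt.at - profile.last_login_at).total_seconds() / 3600
        if hours > 0 and haversine_km(profile.last_login_geo, attempt.geo) / hours > MAX_PLAUSIBLE_KMH:
            signals.append("impossible_travel")
    if attempt.ip_reputation in ("suspicious", "malicious"):
        signals.append(attempt.ip_reputation + "_ip")
    return signals


def risk_score(profile, attempt):
    return sum(WEIGHTS[s] for s in risk_signals(profile, attempt))


def decide(profile, attempt):
    """IT policy: sensitive roles get stricter thresholds (any signal steps up,
    50 or more denies); everyone else steps up at 30 and is denied at 80."""
    deny_at, stepup_at = (50, 1) if profile.role == "finance" else (80, 30)
    score = risk_score(profile, attempt)
    if score >= deny_at:
        return "deny"
    if score >= stepup_at:
        return "require_mfa"
    return "allow"


# Constructed sample data
UTC = timezone.utc
ALICE = Profile("alice", "finance", {"laptop-1"}, {"US"}, range(7, 20),
                last_login_at=datetime(2024, 3, 1, 9, 0, tzinfo=UTC),
                last_login_geo=(40.71, -74.01))           # New York
BOB = Profile("bob", "engineering", {"laptop-2"}, {"US"}, range(7, 20))

ALICE_USUAL = Attempt("laptop-1", "US", (40.71, -74.01), datetime(2024, 3, 1, 10, 0, tzinfo=UTC), "clean")
ALICE_NEW_DEVICE = Attempt("phone-9", "US", (40.71, -74.01), datetime(2024, 3, 1, 10, 0, tzinfo=UTC), "clean")
ALICE_BERLIN = Attempt("laptop-1", "DE", (52.52, 13.40), datetime(2024, 3, 1, 11, 0, tzinfo=UTC), "clean")
BOB_LATE = Attempt("laptop-2", "US", (37.77, -122.42), datetime(2024, 3, 1, 23, 0, tzinfo=UTC), "clean")
BOB_BAD_IP = Attempt("laptop-2", "US", (37.77, -122.42), datetime(2024, 3, 1, 10, 0, tzinfo=UTC), "malicious")

if __name__ == "__main__":
    for who, attempt in [(ALICE, ALICE_USUAL), (ALICE, ALICE_NEW_DEVICE), (ALICE, ALICE_BERLIN),
                         (BOB, BOB_LATE), (BOB, BOB_BAD_IP)]:
        print(who.user, risk_signals(who, attempt), risk_score(who, attempt), decide(who, attempt))
```

Two things to notice: Bob’s late-night login from his known laptop scores low enough that he is waved through with no extra challenge, which is the friction reduction the section promises, while Alice’s login from Berlin two hours after one from New York is denied outright even though her device is known, because the travel signal alone pushes a finance user over the deny threshold.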


MFA Checklist

It’s critical that your Multi-Factor Authentication (MFA) solution meets the basic requirements for secure identity and access management (IAM) in a hybrid environment. Digital transformation today relies on a Unified Access Management (UAM) platform that includes at least basic MFA. Use the checklist below to make sure that your MFA solution offers the protection your company needs.

#### User Community Support
Does the MFA solution support all the user communities that access your sensitive data?
- Workforce (employees and contractors)
- Partners/Vendors
- Customers

#### Application Integration
Does the MFA solution work with the cloud and on-premises apps that are critical to your organization?
- Integration with cloud applications
- Integration with on-premises applications
- Integration with Human Resource Management Systems (HRMS), such as Workday or SuccessFactors
- Directory integration, such as Active Directory or LDAP

#### Enterprise Access
Does the MFA solution support the network access systems your organization uses or might use?
- VPN access
- Wi-Fi access
- SSH/RDP access
- RADIUS integration

#### Authentication Methods
Does the MFA solution support the authentication tools that your organization uses?
- Native mobile OTP authenticator (push-based)
- Offline time-based verification codes (TOTP)
- Hardware tokens, such as Yubico YubiKey (FIDO2/WebAuthn security keys are the phishing-resistant option: a proxy-based phishing site can relay an OTP or a push approval, but not a WebAuthn assertion bound to the genuine origin)
- X.509-based certificates
- Legacy authentication methods, such as SMS, security questions, or email (the weakest options; all three are phishable and SMS is additionally exposed to SIM swapping)

#### Flexible Authentication Policies
Does the MFA solution enable flexible and sophisticated authentication policies at a granular level?
- Granular policies for different identities, apps, devices, and contexts
- Allows definition of different policies for different identity communities or applications
- Customizable authentication flow
- Risk-based decisions

#### Developer Support
Does the MFA solution provide APIs and support for integration with your custom applications and third-party systems?
- MFA registration and life-cycle management APIs
- SDK for major platforms and languages

#### Open Standards Support
Does the MFA solution support these popular, modern standards for secure connections to web applications?
- SAML
- OpenID Connect
- OAuth2

#### Reporting
Does the MFA solution provide reports that enable you to meet compliance requirements and improve your security based on threat data?
- Ability to export authentication and authorization events to third-party SIEM solutions
- Out-of-the-box reports and audit trails
- Ability to effect system change based on authorization events
- Real-time information about access attempts

### Advanced Requirements
Although any MFA solution should meet the basic requirements, organizations making a successful digital transformation usually choose solutions that meet advanced requirements as well. MFA is evolving quickly. An advanced MFA solution ensures, from the start, that you aren’t behind the curve.

#### Behavioral Analytics
Does the MFA solution use behavioral analytics to adapt intelligently and require different authentication factors accordingly?
- Familiarity signals
- Attack signals
- Anomalies (user behavior and context signals)
- Continuous authentication

#### Device Trust
Does the MFA solution take into account information about the device being used for authentication?
- Device health, including OS version, tampering (jailbreak/root), screen lock, disk encryption, browser plug-ins, and more
- Device reputation
- X.509-based certificates
- Integration with mobile device management (MDM)

#### Users and devices
Does the MFA solution support user access via multiple devices, and does it account for different types of users and user roles?
- Support for multiple devices
- Support for different user communities, such as employees, contractors, partners, IT administrators, and customers

#### General considerations
Can you integrate the MFA solution with your custom apps and in your organization without having to replace or significantly modify existing solutions?
- Enables integration into your custom apps via an API
- Enables incorporation of MFA without the need to rip and replace other solutions


What is a Webhook?

### How Apps Communicate

Apps need to communicate with each other to save time, reduce errors, and improve user experiences. There are several ways apps can communicate. One you may be familiar with is the API (Application Programming Interface). Web APIs let one system make a request over the internet to read data from, or send data to, another system. APIs are used for actions such as signing in with your social media account or completing a transaction with the “Pay with PayPal” option on a third-party site. A related but quite different method of moving information between applications is the webhook.

### What is a Webhook?

Apps use webhooks to communicate events to each other automatically. Unlike polling an API, a webhook does not require the receiving side to ask for new information; instead, the originating service pushes an HTTP request to the receiver as soon as the event occurs, and the receiver can use it to make event-driven decisions. A common use is the way OneLogin uses a webhook to stream events to Security Information and Event Management (SIEM) tools, so IT admins automatically receive updates on login activity and risky user logins without making an API request.

### How Does a Webhook Work?

First you register, with the originating service, the URL on your web application to which the webhook should send HTTP requests. When an event occurs in the originating service, it collects the event data and sends it to that URL in real time. This is similar to giving an email address or phone number to your favorite brands to receive notifications about upcoming sales. One practical consequence: because that URL has to be reachable by the sender, it is usually reachable by anyone, so the receiver should verify that each delivery genuinely came from the sender (typically by checking a shared-secret signature over the request) and reject stale or repeated deliveries before acting on the event.

You can use webhooks to:

- Receive an alert when a particular event occurs
- Keep data synchronized across multiple web applications
- Customize or modify functionality in an application based on a specific event

### What is an Example of a Webhook?

Using webhooks can save time, increase accuracy, and improve user satisfaction. Instead of someone retyping user or event information, a webhook can automatically:

- Stream login events to your SIEM and analytics tools, like Sumo Logic and Splunk
- Post event notifications to Slack
- Send an email notification when a user logs in from a new device
- Sync new members or membership updates with your CMS

### The Future of Webhooks

Webhooks are a very useful way to communicate events, such as login activity, from one application or system to another. However, a webhook is primarily a one-way flow of information, and it requires you to run a server to catch, filter, and act on the deliveries. The burden is on IT and developer teams not only to maintain and secure that server but also to scale it as login activity increases. As organizations move toward cloud orchestration and greater customization, teams need a low-code way to make event-driven decisions at scale without maintaining the infrastructure needed to support them.

### OneLogin Smart Hooks

OneLogin Smart Hooks is a newer extensibility mechanism. Unlike webhooks, Smart Hooks let you alter functionality within the OneLogin platform when a specific event occurs, rather than simply broadcasting a login event to a third-party application that then takes some action. Smart Hooks are also serverless: OneLogin hosts and runs the custom code for you, so there are no additional servers to maintain and no performance or scaling to manage.

Smart Hooks scale automatically with your user growth, providing customization and platform extensibility for even complex requirements. For example, you can use a Smart Hook to dynamically assign a user policy that requires a biometric factor when users sign in from a mobile device. Another example is to require an additional authentication factor when a user is on an older browser, or to deny access to specific browser types. Perhaps you only want to allow specific factors when a user is traveling outside your home country, or you need more granular control over factor enrollment workflows; all of this is possible with Smart Hooks. We also have a growing list of sample hooks in our Postman collection, with a library of code examples, so that IT teams can implement changes with minimal developer support.

In summary, there are several approaches to customizing and integrating your identity and access management platform with other systems or applications. Whether through traditional webhooks or an API, each should be evaluated against the resources available on your team and the goal you are trying to achieve. With Smart Hooks, you can build custom workflows and integrations using serverless code to meet your business’s access security needs faster. To learn more about OneLogin Smart Hooks, visit our Smart Hooks product page.
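The receiving end of a webhook is where the security work happens. The following is an added example, not OneLogin’s code or anything from this page: it builds a constructed login event, signs it the way a sender might, and shows the verification a receiver should do before acting on it. The header names (`X-Webhook-Timestamp`, `X-Webhook-Signature`), the signing scheme (HMAC-SHA256 over `"<timestamp>.<raw body>"`), the shared secret and the event schema are all hypothetical; use whatever scheme your actual sender documents.

```python
"""Webhook receiver-side verification: shared-secret HMAC signature, freshness
window and replay protection, run before the event is parsed and acted on.
Added example; not OneLogin's code. Header names, signing scheme, secret and
event format are hypothetical."""
import hashlib
import hmac
import json
import time

SHARED_SECRET = b"constructed-shared-secret"   # configured out of band on both sides
MAX_SKEW_SECONDS = 300                         # reject deliveries older than 5 minutes


def sign(secret, timestamp, body):
    """Sender side: HMAC-SHA256 over "<timestamp>.<raw body>" so the timestamp is
    covered by the signature and cannot be altered to defeat the freshness check."""
    return hmac.new(secret, str(timestamp).encode() + b"." + body, hashlib.sha256).hexdigest()


def verify(secret, headers, body, now=None, seen_ids=None):
    """Receiver side. Returns (ok, reason). Order matters: freshness and signature
    are checked on the raw bytes before the body is parsed at all, so unauthenticated
    input never reaches the JSON parser or the business logic."""
    now = time.time() if now is None else now
    try:
        ts = int(headers["X-Webhook-Timestamp"])
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = sign(secret, ts, body)
    provided = headers.get("X-Webhook-Signature", "")
    if not hmac.compare_digest(expected, provided):   # constant-time comparison
        return False, "bad signature"
    event = json.loads(body)
    if seen_ids is not None:                          # replay protection within the window
        if event["id"] in seen_ids:
            return False, "replayed event id"
        seen_ids.add(event["id"])
    return True, "ok"


def route(event):
    """Event-driven decision taken once the delivery is trusted (hypothetical rules)."""
    if event["event_type"] == "login.failed" and event.get("risk_score", 0) >= 80:
        return "alert-soc"
    if event["event_type"] == "user.created":
        return "sync-cms"
    return "log-only"


# Constructed sample delivery: what the sender would POST to the registered URL.
BODY = json.dumps({"id": "evt-1001", "event_type": "login.failed",
                   "user": "alice", "risk_score": 92}).encode()
NOW = 1_700_000_000
HEADERS = {"X-Webhook-Timestamp": str(NOW),
           "X-Webhook-Signature": sign(SHARED_SECRET, NOW, BODY)}

if __name__ == "__main__":
    ok, reason = verify(SHARED_SECRET, HEADERS, BODY, now=NOW, seen_ids=set())
    print(reason, "->", route(json.loads(BODY)) if ok else "dropped")
```

The signature must be computed over the raw request bytes exactly as received; re-serializing the parsed JSON first is a common bug that makes valid deliveries fail and, worse, tempts people to disable the check. The `seen_ids` set only needs to hold ids for as long as `MAX_SKEW_SECONDS`, since anything older is rejected by the timestamp check anyway.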

