
Access Management – Implementing Multi-Factor Authentication

17 July 2025

Multi-factor authentication (MFA) elevates the security of user accounts. With MFA, you can ensure that only authorized users gain access to your systems and data, even if credentials are leaked or stolen. HelloID provides extensive support for MFA. This article explains your options and helps you get started with MFA.

What is MFA?

MFA is a security method where users authenticate not only with a username and password but also complete an additional step, for example by entering a code delivered via an app, SMS, or email.

Because users authenticate in two ways with MFA, the security level is increased. If unauthorized parties obtain a user's username and password, MFA prevents them from accessing that user's account.

Multiple options available

HelloID supports a broad range of MFA solutions. The following options are available:

  • WebAuthn via the FIDO2 standard for passwordless authentication, used by devices such as Yubico's YubiKey

  • Push to Verify via the HelloID Authenticator app

  • One-time password via any other soft token app

  • Email

  • SMS

How do you want to offer MFA?

With HelloID, you are in control. You can enforce a specific MFA method for users; this is always a single fixed MFA option. You can choose a one-time password via an app of your choice, SMS, email, or a hardware token. A key advantage is that administrators can preconfigure these methods, for instance by populating attributes through HelloID Provisioning or by assigning a hardware token to a specific user.

You can also choose to give users more flexibility and let them decide which MFA option they want to use. In this case you support multiple MFA options, so users can adopt their preferred method. Tools4ever recommends this second approach. It offers several advantages:

  • Support for Push to Verify: the user sees a pop-up in the HelloID Authenticator app and only needs to click Yes to gain access. There is no need to manually enter a code.

  • The ability to enable multiple MFA options: if a user loses access to their smartphone due to theft or damage, or the HelloID Authenticator is not yet installed on a new device, the user can still receive a one-time password via SMS to access an application or system.

  • Register the same MFA option multiple times: does a user work on multiple smartphones? It is possible to register an MFA option multiple times, for example linked to multiple smartphones. This ensures the user can always authenticate, regardless of which smartphone they are using at that moment.

What should you consider?

There are several considerations when selecting the MFA options you want to support. Using SMS incurs additional costs; if this option is used frequently the costs can increase quickly. You must also arrange your own SMS provider.

Another consideration is delivering MFA codes via email. Choose this only if the email address is not directly tied to HelloID. This matters because in many cases users sign in to both HelloID and their email with the same credentials. If you send an MFA code to that mailbox, the user can read the code only if MFA is not applied to the email account, which means the same leaked credentials open both HelloID and the mailbox that receives the code. The account is therefore not optimally secured.

If a user uses an external email address with a unique username and password, this issue does not apply and sending an MFA code via email is safe. If HelloID credentials are leaked, an attacker does not gain access to the email account and therefore not to the user's MFA code. If the email account credentials are leaked, they do not provide access to HelloID.
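The email consideration above, together with the earlier point about keeping a fallback method, can be checked across all enrolments. The following is an added example, not HelloID code or a HelloID export format: the CSV columns, the sample rows and the rule that a mailbox in a listed domain shares credentials with the portal are all assumptions made for illustration.

```python
import csv
import io

# Constructed sample export; the column names are hypothetical, not a HelloID format.
SAMPLE_EXPORT = """login,mfa_methods,mfa_email
alice@corp.example,push;sms,
bob@corp.example,email,bob@corp.example
carol@corp.example,email;totp,carol@mail.example
dave@corp.example,email,Dave@Sub.Corp.Example
erin@corp.example,,
"""

# Assumption: mailboxes in these domains are opened with the same credentials as the portal.
SHARED_CREDENTIAL_DOMAINS = {"corp.example"}


def shares_credentials(address, shared_domains):
    """True when the address's domain is a shared domain or a subdomain of one."""
    domain = address.rpartition("@")[2].strip().lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in shared_domains)


def audit_enrolments(export_text, shared_domains=SHARED_CREDENTIAL_DOMAINS):
    """Return {login: [findings]} for accounts whose MFA setup needs review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        methods = [m.strip().lower() for m in row["mfa_methods"].split(";") if m.strip()]
        issues = []
        if not methods:
            issues.append("no MFA method registered")
        if "email" in methods:
            mailbox = (row["mfa_email"] or "").strip()
            if not mailbox:
                issues.append("email method without a mailbox address")
            elif shares_credentials(mailbox, shared_domains):
                issues.append("email code goes to a mailbox behind the same credentials")
        if len(methods) == 1:
            issues.append("single method, no fallback")
        if issues:
            findings[row["login"]] = issues
    return findings


if __name__ == "__main__":
    for login, issues in audit_enrolments(SAMPLE_EXPORT).items():
        print(login, "->", "; ".join(issues))
```

A domain match is only a proxy for shared credentials; an external mailbox that reuses the same password would not be flagged by this check.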

Another consideration is the use of hardware tokens. These tokens must always be assigned to the user by an administrator; the user cannot do this themselves. Note: using hardware tokens also introduces additional costs. The tokens must be purchased and managed.

A popular and well-known MFA option is a FIDO2 security key, such as Yubico's YubiKey. If you plan to use this, pay close attention to which FIDO2 key you select; several variants are available, each with different capabilities. If users work on mobile devices such as smartphones and tablets, the FIDO2 key must also support NFC or Bluetooth, which is typically available only on more expensive models. If you choose a FIDO2 key with a USB interface, there is a risk that users leave the key in the USB port of their device, which introduces security risks. Although FIDO2 keys, unlike many other hardware tokens, can be configured by users themselves, administrators still need to purchase and distribute the keys to users.

Configuring MFA

HelloID offers a wide range of MFA options. When configuring MFA you define which options you provide and how you enforce them. You can apply the same rules to all HelloID users and enforce a single specific MFA option. It is also possible to create separate rules within the portal or application access rules, for example to require MFA via SMS or email for a specific application. In this case you can prepopulate the email address or phone number the user must use, or allow the user to choose. A third option is to give users more flexibility by letting them decide which MFA option they want to use.

There are also multiple options for rolling out MFA. You can allow users to configure MFA themselves via the Security menu in their HelloID profile. You can also enable MFA in phases based on group membership at the portal or application level. Members of that group will see a wizard the next time they sign in that lets them configure MFA. The third option is to roll out MFA to all users at once so everyone adopts this additional security layer in one step.

Get started

Ready to get started with HelloID Access Management? Visit our website for more information about the capabilities. Have questions? Contact us!