These materials are © 2018 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Multi-Factor Authentication For Dummies®, iovation Special Edition
Published by
John Wiley & Sons, Inc.
111 River St.
Hoboken, NJ 07030-5774
www.wiley.com
Copyright © 2018 by John Wiley & Sons, Inc., Hoboken, New Jersey
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form
or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as
permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written
permission of the Publisher. Requests to the Publisher for permission should be addressed to the
Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011,
fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com, Making
Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons,
Inc. and/or its affiliates in the United States and other countries, and may not be used without written
permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is
not associated with any product or vendor mentioned in this book.
10 9 8 7 6 5 4 3 2 1
For general information on our other products and services, or how to create a custom For Dummies book
for your business or organization, please contact our Business Development Department in the U.S. at
877-409-4177, contact info@dummies.biz, or visit www.wiley.com/go/custompub. For information about
licensing the For Dummies brand for products or services, contact BrandedRights&Licenses@Wiley.com.
Publisher’s Acknowledgments
Some of the people who helped bring this book to market include the following:
Table of Contents
INTRODUCTION................................................................................................ 1
About This Book.................................................................................... 1
Foolish Assumptions............................................................................. 2
Icons Used in This Book........................................................................ 2
Beyond the Book................................................................................... 2
CHAPTER 5: Adapting to Risk in Real Time........................................... 19
Using Dynamic Authentication.......................................................... 19
Introducing the Three Cs of Dynamic Authentication.................... 20
Contextual....................................................................................... 20
Continuous..................................................................................... 22
Complementary............................................................................. 22
Seeing How Dynamic Authentication Works................................... 23
Introduction
Digital businesses are in a precarious state. They need to authenticate users for their own protection, but if the process proves to be too cumbersome, they won't have any customers to authenticate. Yet the most common form of authentication (and, some people would argue, the best understood) is also notorious for being cybersecurity's weakest link. You know it well: the combination of username and password.

It's time for a change. It's time to disrupt the status quo and give users the security and authentication experience that they deserve, and that enables you to run a successful digital business with confidence.
Foolish Assumptions
In preparing this book, we've assumed a couple of things about you, the reader:
The Tip icon points out practical advice that can help you craft a better strategy, whether you're planning a purchase or setting up your software.

Look out! When you see the Warning icon, it's time to pay attention. You won't want to miss this cautionary information.

Maybe you're one of those highly detailed people who really need to grasp all the nuts and bolts, even the most techie parts. If so, these tidbits marked with the Technical Stuff icon are right up your alley.
IN THIS CHAPTER
»» Getting to know consumer authentication requirements
Chapter 1
Understanding Consumer Authentication Challenges
Thanks to the digitalization of practically everything, authentication is a ubiquitous exercise. No longer limited to financial transactions or the workplace, it's integrated into our everyday lives, from actions as mundane as making a phone call to visiting a favorite online store.
Authentication Systems Built for Enterprises
Many enterprise technologies have been affected by the consumerization of IT, but authentication isn't one of them. The systems that are built and deployed to authenticate internal users to an enterprise network and its systems don't work well to authenticate consumers for websites, mobile applications, vehicles, and more. Enterprise protocols such as LDAP, RADIUS, and SAML, often used in conjunction with hardware tokens that generate one-time codes, assume a managed user population and provisioned devices, which makes them a poor fit for consumer environments.
Now consider Brad, the consumer user. Brad is one of many potential users who may or may not be tech-savvy. Regardless, Brad doesn't want to learn a complex authentication process or adhere to strict controls that make it difficult to check his bank account balance, download a mobile app, or purchase a book online. He has a choice in the matter. If the authentication process is inconvenient or messy, he'll find another provider.
Password Insecurity
Passwords are the de facto authentication mechanism for just about anything. Unfortunately, they're also inherently insecure. There are several reasons for this insecurity:
»» Password-cracking tools: Passwords have been around for so long that password crackers have become a cottage industry. Given a stolen database of password hashes, these tools use cheap processor (and GPU) power to test millions or billions of candidate passwords per second against fast, unsalted hashes, recovering weak or reused passwords in minutes.
»» Centralized password repositories: Password functionality is traditionally built on top of the systems or apps the passwords are meant to secure. As a result, the authentication layer (with its unified attack surface) is a single, centrally located target, and anyone who breaches it, including cyber attackers, obtains every credential at once.
Attackers can obtain hundreds of thousands of user credentials from a single break-in. Because users reuse passwords, the stolen credentials are often valid for other services as well (credential stuffing). Attackers may use the credentials themselves or sell them on the dark web.
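To make the two bullets above concrete, here is an added example (not code from the book or from iovation) that runs a small dictionary attack, first against a constructed dump of unsalted SHA-256 hashes and then against the same accounts protected with per-user salts and an iterated KDF. The account names, passwords, wordlist and salts are all constructed for the example; the PBKDF2 routine is written out only to keep the example on the Go standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

func sha256Hex(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// Constructed sample: what an attacker pulls from a centralized store that kept
// unsalted SHA-256 hashes. Brad and Carol chose the same password, so their
// hashes are identical before any cracking starts.
var leakedUnsalted = map[string]string{
	"brad":  sha256Hex("Summer2018!"),
	"carol": sha256Hex("Summer2018!"),
	"dave":  sha256Hex("correct-horse-battery-staple-9Q"),
}

// Constructed wordlist; real crackers use breach corpora of hundreds of millions of entries.
var wordlist = []string{"password", "123456", "Summer2018!", "letmein", "qwerty"}

// CrackUnsalted hashes each candidate once and looks it up against every
// account at the same time. The cost is one hash per candidate no matter how
// many users are in the dump, which is why unsalted stores fall in minutes.
func CrackUnsalted(hashes map[string]string, words []string) (found map[string]string, hashOps int) {
	found = map[string]string{}
	byHash := map[string][]string{}
	for user, h := range hashes {
		byHash[h] = append(byHash[h], user)
	}
	for _, w := range words {
		hashOps++
		for _, user := range byHash[sha256Hex(w)] {
			found[user] = w
		}
	}
	return found, hashOps
}

// pbkdf2 derives one 32-byte block of PBKDF2-HMAC-SHA256 (RFC 8018); use a
// vetted library implementation in production.
func pbkdf2(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): block index
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

type saltedRecord struct {
	salt, hash []byte
	iters      int
}

// SaltedStore builds the same three accounts with a per-user salt and an
// iterated KDF. Salts are constructed for determinism; use crypto/rand in practice.
func SaltedStore(iters int) map[string]saltedRecord {
	creds := map[string]string{"brad": "Summer2018!", "carol": "Summer2018!", "dave": "correct-horse-battery-staple-9Q"}
	store := map[string]saltedRecord{}
	for user, pw := range creds {
		salt := []byte("salt:" + user)
		store[user] = saltedRecord{salt: salt, iters: iters, hash: pbkdf2([]byte(pw), salt, iters)}
	}
	return store
}

// CrackSalted must rerun the whole KDF for every (user, candidate) pair:
// equal passwords no longer share a hash, and each guess costs iters HMACs.
func CrackSalted(store map[string]saltedRecord, words []string) (found map[string]string, hashOps int) {
	found = map[string]string{}
	for user, rec := range store {
		for _, w := range words {
			hashOps += rec.iters
			if hmac.Equal(pbkdf2([]byte(w), rec.salt, rec.iters), rec.hash) {
				found[user] = w
				break
			}
		}
	}
	return found, hashOps
}

func main() {
	f, ops := CrackUnsalted(leakedUnsalted, wordlist)
	fmt.Printf("unsalted SHA-256: recovered %v using %d hash operations\n", f, ops)
	f, ops = CrackSalted(SaltedStore(1000), wordlist)
	fmt.Printf("salted PBKDF2:    recovered %v using %d hash operations\n", f, ops)
}
```

The point is the cost asymmetry. With unsalted hashes, one hash per candidate tests every account at once and exposes everyone who shares a password; with salts and iterations, each guess has to be recomputed per user and costs a thousand HMACs. That turns a minutes-long break into an expensive one, but a password that is in the wordlist still falls, which is why the book moves on from passwords rather than only hardening them.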
»» 2FA affects the user experience. One-time passwords (OTPs) expire quickly and aren't always delivered to mobile devices in near real time, and codes sent by SMS can be intercepted or phished. Faced with these inconveniences, users are likely to abandon 2FA.
IN THIS CHAPTER
»» Working with authentication factors
Chapter 2
Protecting Access with Multiple Factors
Given the many security issues surrounding passwords and the architectural problems associated with two-factor authentication (2FA), you may wonder how you can safely authenticate users.
»» Possession: A possession factor is something that the user possesses, often in the form of a physical device, such as a security token or smartphone.
»» Inherence: An inherence factor utilizes a physical characteristic that inherently represents a unique user. Inherence factors, like fingerprints and facial patterns, are measured by biometric sensors and compared with a template enrolled earlier; the comparison is probabilistic, so the matching threshold is a trade-off between false accepts and false rejects.
password and a pet's name, than to acquire a knowledge-based authenticator and an inherence factor, such as a fingerprint.)
Fingerprint scan
Many new smartphones and tablets include fingerprint sensors that enable users to authenticate to the device with a fingerprint rather than by entering a PIN. MFA technologies can leverage this functionality by verifying the user's biometric scan via the mobile device.
PIN code
A PIN is a short string of digits (or, on some systems, characters) that users enter via the keypad on their mobile devices. Each user creates her own PIN, and the system administrator determines when PINs must be changed.
Pattern code
A pattern code (such as a circle code or pattern lock) is a knowledge factor that uses the touchscreen of the user's mobile device to verify a predefined sequence of movements or actions set by the end user. Such actions might include movements around a circle or connecting a sequence of dots onscreen.
Geofencing
Geofencing allows the user or enterprise to identify specific physical locations in which the mobile device must be located before the user can authenticate. If the device is outside these areas, authentication fails or the user is prompted to submit another authentication factor. Because a device's reported location can be spoofed or masked (GPS spoofing, VPNs), treat geofencing as a contextual risk signal rather than as a factor in its own right.
Facial recognition
Another authentication method is facial recognition. Like fingerprint verification, facial recognition uses the mobile device's built-in functionality for biometric authentication. In this case, the user's face is captured by the device's camera and matched against a template enrolled on that device; with platform biometrics, the template never leaves the device, and the app receives only the result of the match.
IN THIS CHAPTER
»» Seeing why authentication is fragmented
Chapter 3
Unifying the User Experience
For every channel that customers use to engage with your company, chances are that they have a different way to authenticate. The goal of authentication, however, isn't to see how many authenticators or authentication methods you can force on users.
Understanding Authentication Fragmentation
The authentication experience today for both business users and consumers is fragmented across a variety of channels. The result is a poor outcome for everyone involved.
In the consumer world
Modern enterprises communicate with consumers through many touchpoints or channels. Banks, for example, allow customers to access their accounts via online banking, mobile app, ATMs, and tellers. Each of these customer touchpoints serves as a channel to the same account, but each requires a different authentication method. For example, the same user may need to authenticate with a username and password for his online account, with an ID card in person, and with knowledge questions when calling customer support.
Unifying Authenticators
Luckily, a better approach to authentication is available. An MFA platform allows each channel to use any or all of the available authentication methods when they're most appropriate. This arrangement creates a unified experience across brands or services, resulting in a simplified user experience and stronger security.
If you think about all the ways you authenticate to a single service, you're likely to count multiple usernames and passwords, perhaps a personal identification number (PIN), challenge questions, and proof of identity. With a unified authentication approach, all of these disconnected methods can be consolidated into a single, mobile MFA experience that spans all touchpoints.
Considering New Access Requirements
As we state in Chapter 1, legacy authentication methods don't always translate well to consumer authentication. In addition, consumer and enterprise authentication scenarios place new requirements on authentication and authorization.
Mobile authentication
Online activity is no longer limited to desktop computers in the workplace. We live and work in a highly connected, mobile world. Regardless of where a user happens to be, connected networks and the services that run on them are just a tap away via smartphones, tablets, smartwatches, and other devices. The need for authentication and authorization can arise anywhere, at any time. As a result, authentication solutions must be mobile.
IN THIS CHAPTER
»» Uncovering the drawbacks of centralized authentication
Chapter 4
Decentralizing MFA Architecture
The centralized architecture used in password-based authentication presents a significant liability. Next-generation multi-factor authentication (MFA) technologies must eliminate the risks associated with centralized credential stores to provide robust protection.
»» Out of band: When authentication is out of band, the authentication process takes place via a separate channel. Instead of the user submitting credentials through the requesting application (in band), for example, the application can verify a token or fingerprint via the user's smartphone (out of band).
supply their credentials to an application, you can direct the application to obtain authorization by reaching out-of-band to users' mobile devices. Each user authenticates remotely and responds to authentication requests that are delivered to her device, and the authentication layer is accessible to only the user of that device.
institutions, e-commerce companies, and internal business organizations can leverage the features and capabilities on their users' own devices to deliver secure access.
»» Decentralizing the authentication layer reduces the overhead associated with managing, storing, and securing user credentials, while removing the threat that an incorrectly secured database or disgruntled administrator could result in the breach of every user's credentials. The secret used to authenticate (typically a private key) is generated and stored on each user's mobile device; the service keeps only the corresponding public key, which is useless to an attacker who steals it. Should a user's mobile authenticator be compromised, users themselves, as well as the requesting applications, can remotely unpair and disable compromised, stolen, or lost clients as needed.
This flexibility also ensures that the MFA technology can change independently of the user or application. As mobile devices evolve, possibly incorporating new embedded authentication hardware, the client-side authenticators inherit those new capabilities. As threats evolve in turn, dynamic security policies ensure you're never locked in to a static security posture.
IN THIS CHAPTER
»» Understanding dynamic authentication
Chapter 5
Adapting to Risk in Real Time
Requiring multiple factors for authentication and implementing a decentralized architecture can solve some of the problems associated with single-factor authentication. But you're still left with a rigid "one-size-fits-all" approach to authentication that forces you to sacrifice the user experience for stronger assurance or stronger assurance for a better user experience.
not immune to them. Dynamic authentication is a multilayered approach that adapts to specific authentication policies in real time.
Contextual
Dynamic authentication is contextual because it considers all possible risks — both near and far — at the moment of authentication. Dynamic authentication looks at a user's access request in full context, taking into account factors such as the following:
»» Number of fonts or images on the device (device-fingerprinting attributes)
»» Match between the transaction's IP address and the IP address reported by the browser
»» The device's speed and kernel version
»» Consistency between the subscriber identity module (SIM) operator's country and identification number and what local services report
Continuous
The days of "one-and-done" authentication are over. The dynamic nature of security and risk requires continuous authentication: risk is re-evaluated as the user acts during the session, not only at login, so a change in context (a new network, a high-value request) can trigger a fresh check.
Complementary
Dynamic authentication uses complementary technologies to provide varying levels of assurance. Disparate authentication technologies work together as the system decides which method best suits the current risk/request scenario.
»» Knowledge-based authentication uses information previously shared between the user and the authenticator.
Dynamic authentication enables you to require the right amount of authentication at any time. Using risk-appropriate authentication only when it's needed allows you to preserve a frictionless user experience for longer periods, which improves the overall user experience and results in greater user acceptance.
CARTA (Gartner's Continuous Adaptive Risk and Trust Assessment) assesses risk signals in the user's session and on the device, as well as any inherent risk in the user's request. Risk signals include environmental context, threat intelligence, enterprise policy, and historical behaviors. These signals inform an adaptive authentication process that continually aligns the level of authentication with risk throughout the session. MFA solutions are well suited to delivering this dynamic authentication experience to users.
IN THIS CHAPTER
»» Making MFA personal for customers
»» Extending authentication
Chapter 6
Customizing the MFA Experience
Authentication technologies become yet another channel through which customers and users interact with your company. If you've made your users miserable in the past by making them remember the name of their kindergarten teachers, now take the opportunity to associate your brand with an easy, secure user experience. Customizing the multi-factor authentication (MFA) experience for your users — both internal and external — helps you ensure consistency across your brand and improves your brand's image.
»» It gives users a sense of ownership.
»» It promotes the brand you've worked hard to develop.
Sending users and customers to a third-party technology solution diverts their attention from your brand. Their first thought is "Wait. Why am I giving this company my information?"
across every channel. An embeddable version of the authenticator runs independently within your mobile app, transparently providing all the functionality and options of the technology provider's authenticator.
Extending Authentication to Authorization
After MFA technology verifies that an enterprise user is who she claims to be (that is, authenticates her), it must verify that the user actually has the right to access the system or perform the requested action. In a consumer-focused world, it must also obtain the user's consent and approval, separate from verifying her credentials. In both cases this process is called authorization.
Next-generation authentication technologies allow you to extend and integrate authorization processes into more touchpoints along the customer's online journey. Instead of authorizing a user to carry out every task at the time of authentication, the user can be authorized each time he makes a request for a specific action. This system helps ensure that if any changes create increased risk, appropriate measures are taken to ensure that the user is both authenticated and authorized. If the risk is too high, the request can be denied.
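The added example below (not code from the book or from iovation) ties together the out-of-band, decentralized design of Chapter 4 with the per-request authorization described here: the server stores only each user's public key, pushes a challenge that names the exact action, and the device signs it after the user confirms. Replayed approvals, edited actions, stale approvals and unknown users are all rejected. The user name, action strings, time-to-live and the choice of Ed25519 are this example's assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Challenge is what the application sends out of band to the user's device.
// Nonce, expiry and the requested action are all covered by the signature, so
// an approval of "view balance" cannot be replayed or repurposed for a transfer.
type Challenge struct {
	Nonce   [16]byte
	Action  string
	Expires time.Time
}

// encode is the exact byte string both sides sign and verify.
func (c Challenge) encode() []byte {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(c.Expires.Unix()))
	buf := append([]byte{}, c.Nonce[:]...)
	buf = append(buf, ts[:]...)
	return append(buf, c.Action...)
}

var (
	ErrUnknownUser = errors.New("unknown user")
	ErrExpired     = errors.New("challenge expired")
	ErrReplay      = errors.New("challenge already used")
	ErrBadSig      = errors.New("signature invalid")
)

// Server holds only public keys and a replay ledger: a dump of this state
// gives an attacker nothing to log in with.
type Server struct {
	pubKeys map[string]ed25519.PublicKey
	used    map[[16]byte]bool
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, used: map[[16]byte]bool{}}
}

// Enroll pairs a device with a user; the private key never leaves the device.
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// NewChallenge is pushed to the paired device over a channel separate from the
// application session (the out-of-band leg).
func (s *Server) NewChallenge(action string, now time.Time, ttl time.Duration) Challenge {
	c := Challenge{Action: action, Expires: now.Add(ttl)}
	if _, err := rand.Read(c.Nonce[:]); err != nil {
		panic(err) // a failing CSPRNG is not something to continue past
	}
	return c
}

// Verify checks expiry, then replay, then the signature, and burns the nonce
// only after a successful verification.
func (s *Server) Verify(user string, c Challenge, sig []byte, now time.Time) error {
	pub, ok := s.pubKeys[user]
	if !ok {
		return ErrUnknownUser
	}
	if now.After(c.Expires) {
		return ErrExpired
	}
	if s.used[c.Nonce] {
		return ErrReplay
	}
	if !ed25519.Verify(pub, c.encode(), sig) {
		return ErrBadSig
	}
	s.used[c.Nonce] = true
	return nil
}

// Device stands in for the mobile authenticator; in production the private key
// lives in the phone's hardware-backed keystore and Approve is gated by a PIN or biometric.
type Device struct{ priv ed25519.PrivateKey }

func NewDevice() (*Device, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv: priv}, pub
}

// Approve signs the challenge after the user has confirmed the displayed action.
func (d *Device) Approve(c Challenge) []byte { return ed25519.Sign(d.priv, c.encode()) }

func main() {
	srv := NewServer()
	dev, pub := NewDevice()
	srv.Enroll("brad", pub)
	now := time.Now()
	ch := srv.NewChallenge("transfer 500.00 to acct-42", now, 2*time.Minute)
	sig := dev.Approve(ch)
	fmt.Println("fresh approval:   ", srv.Verify("brad", ch, sig, now)) // <nil>
	fmt.Println("replayed approval:", srv.Verify("brad", ch, sig, now)) // challenge already used
	ch2 := srv.NewChallenge("transfer 500.00 to acct-42", now, 2*time.Minute)
	sig2 := dev.Approve(ch2)
	ch2.Action = "transfer 5000.00 to acct-99" // attacker edits the request after approval
	fmt.Println("tampered action:  ", srv.Verify("brad", ch2, sig2, now)) // signature invalid
	ch3 := srv.NewChallenge("login", now, 2*time.Minute)
	fmt.Println("stale approval:   ", srv.Verify("brad", ch3, dev.Approve(ch3), now.Add(3*time.Minute))) // challenge expired
}
```

Two design points carry the security argument. The action text the user sees on the device is the same text that is signed, so what was approved is what gets executed; and because the server holds public keys only, the "centralized repository" risk of Chapter 1 is reduced to a replay ledger and a list of keys that are public by design.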
Deploying MFA as a Platform
The best way to take advantage of customizations is to deploy MFA as a platform. A decentralized MFA and real-time authorization platform can serve as an end-to-end authentication solution (see Figure 6-1). As the platform provider develops and adds new technologies, you can take advantage of them at the right time and in the right places.
»» Voice recognition
»» Facial recognition
»» Iris scanning
»» Heartbeat-sensing wearables
»» Gait or stride patterns
When MFA is viewed as a strategic platform, you have the ability to add new authentication methods as they mature and stabilize, without ripping and replacing all the underlying systems.
FISCHER MAINTAINS MARKET LEADERSHIP WITH MOBILE MFA
Fischer Identity has a vision to be "the last identity management solution you'll ever need." Even as a perennial market leader in the identity and access management (IAM) space, with successful solutions for password management, privileged access, single sign-on, and identity provisioning, the team at Fischer uses this vision to keep innovating.
IN THIS CHAPTER
»» Understanding the importance of protocols and standards
»» Managing encryption
Chapter 7
Securing MFA
We talk in Chapter 1 about the security problems associated with legacy authentication systems, especially as they relate to implementation and architecture. In Chapter 4, we discuss decentralizing the multi-factor authentication (MFA) architecture to address some of those problems. But efforts to secure the MFA service can't stop there. Attackers are always trying to punch holes in systems and services. If the authentication factors themselves prove to be difficult to steal or impersonate, cyber attackers will go for the gold: the service itself.
In addition, protocols and standards are updated to address new technologies, such as the Internet of Things (IoT). Secure implementation of standards and protocols, such as using adequately sized keys and current algorithms while disabling deprecated options, is critical. Aligning to these standards and protocols allows you to use new technologies with confidence.
Managing Cryptography
Encryption plays an important role in securing the MFA service, but it's effective only if the algorithms, key sizes, and implementation are sound. Like protocols and standards, cryptographic key sizes and algorithms are revised over time: faster processors and better memory utilization make attacks cheaper, so recommended key sizes grow and weakened algorithms are retired. At the same time, new attack vectors are continually being exploited. Current cryptographic practice addresses these weaknesses by using recommended key sizes (larger isn't automatically better, and it costs latency on mobile devices) with well-vetted algorithms and modes.
Although an authenticated key exchange should protect against man-in-the-middle (MITM) attacks, you should always assume that the data transmitted during the authentication process can be intercepted. Thus, you should use Transport Layer Security (TLS; its predecessor SSL is obsolete and should be disabled) with forward secrecy (see the nearby sidebar "Forward secrecy principles"), adequately sized keys, and strong hash functions to defend against interception and brute-force attacks.
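As an added example (not from the book or from iovation), the Go code below audits a server-side TLS configuration for the properties this section calls for: an explicit TLS 1.2 or later floor and only forward-secret cipher suites. It pairs a constructed weak configuration with its hardened counterpart; the suite choices and the audit rules are this example's own.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

func versionName(v uint16) string {
	switch v {
	case tls.VersionTLS10:
		return "TLS 1.0"
	case tls.VersionTLS11:
		return "TLS 1.1"
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS13:
		return "TLS 1.3"
	}
	return fmt.Sprintf("0x%04x", v)
}

// forwardSecret reports whether a suite uses an ephemeral key exchange. All
// TLS 1.3 suites do; in TLS 1.2 only the ECDHE suites do. TLS_RSA_* suites
// encrypt the session key to the server's long-term key, so a later key
// compromise decrypts recorded traffic.
func forwardSecret(name string) bool {
	return strings.HasPrefix(name, "TLS_ECDHE_") ||
		strings.HasPrefix(name, "TLS_AES_") ||
		strings.HasPrefix(name, "TLS_CHACHA20_")
}

// AuditTLSConfig lists what a reviewer would flag in a server-side tls.Config:
// an obsolete or unset protocol floor, suites Go itself marks insecure, and
// suites without forward secrecy.
func AuditTLSConfig(cfg *tls.Config) []string {
	var findings []string
	switch {
	case cfg.MinVersion == 0:
		findings = append(findings, "MinVersion unset: set an explicit floor instead of relying on library defaults")
	case cfg.MinVersion < tls.VersionTLS12:
		findings = append(findings, "MinVersion "+versionName(cfg.MinVersion)+" allows obsolete protocol versions")
	}
	insecure := map[uint16]bool{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = true
	}
	for _, id := range cfg.CipherSuites {
		name := tls.CipherSuiteName(id)
		switch {
		case insecure[id]:
			findings = append(findings, name+": marked insecure by crypto/tls")
		case !forwardSecret(name):
			findings = append(findings, name+": no forward secrecy")
		}
	}
	return findings
}

// WeakServerConfig is the constructed "before": a TLS 1.0 floor, a static-RSA
// suite, and an RC4 suite that Go lists as insecure.
func WeakServerConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS10,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// HardenedServerConfig is the corrected version: a TLS 1.2 floor (TLS 1.3 is
// negotiated when both sides support it and ignores CipherSuites) and only
// ECDHE AEAD suites, so every session key is ephemeral.
func HardenedServerConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

func main() {
	for name, cfg := range map[string]*tls.Config{"weak": WeakServerConfig(), "hardened": HardenedServerConfig()} {
		findings := AuditTLSConfig(cfg)
		fmt.Printf("%s config: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The audit checks configuration, not negotiation; to confirm what a live server actually negotiates, inspect the `tls.ConnectionState` of a test connection. Key size is decided where certificates and keys are generated, not in `tls.Config`, so review that separately.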
IN THIS CHAPTER
»» Understanding how an MFA platform can help you meet changing regulatory requirements
Chapter 8
Meeting Your Authentication Goals, Today and Tomorrow
So far, we've discussed how a modern approach to multi-factor authentication (MFA) can help you protect your users' credentials and personally identifiable information (PII), as well as secure access to your applications and services.
But as any IT or security professional will tell you, it's not enough to be secure. You must also be compliant (to make regulators and auditors happy), and prepared to accommodate new products and services (to keep the business happy). Amidst all of this, MFA technology is rapidly evolving.
Emerging Standards and Regulations
Regulators and standards bodies are eager to protect consumer data by way of laws, regulations, and industry standards. As a result, businesses must comply with new regulations like the European Union's revised Payment Services Directive (PSD2), whose strong customer authentication requirement effectively mandates MFA for many payments, and the General Data Protection Regulation (GDPR), as well as older, continually evolving regulations like the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS). There are nuances across these regulations and standards, particularly as they apply to different industries. That said, regulators and auditors generally want to see strong, documented, and auditable authentication policies.
MFA Applied
A next-generation MFA solution should support both current and future use cases. Here are a few examples of how businesses can apply MFA.
their limited capabilities. Instead of a user supplying a device with credentials, that device must reach out of band and obtain authorization externally, in a decentralized manner. If this sounds like an ideal scenario for a next-generation MFA platform, you're right. A mobile authenticator can serve as a secure gateway device that allows users and devices to authenticate out of band.
Financial services
Fraud prevention is becoming an increasingly complex endeavor for financial services firms. Customers want the ability to access their accounts through multiple channels, but they don't want to remember a different authentication factor for each one.
Ecommerce checkout
Ecommerce businesses are also at risk for fraud, but the risk tends to be highest during the checkout process. Organizations have to weigh additional authentication, which can impact the user experience and increase shopping cart abandonment rates, against the risk of fraud.
Insurance
Insurance companies have long been the target of career criminals who make a business out of filing fraudulent claims. In the past, insurance companies have had the benefit of time to diligently assess the validity of a claim. However, this advantage is quickly disappearing. As insurance firms look for new ways to maintain an advantage over competitors, one of the ways they do so is to reduce the time for a claims payout. Speeding up this and other processes reduces the amount of time firms can dedicate to vetting claims and preventing fraud.
IN THIS CHAPTER
»» Analyzing next-generation MFA platforms
»» Decentralizing authentication
Chapter 9
Ten MFA Buying Criteria
A next-generation multi-factor authentication (MFA) platform addresses the problems that currently plague authentication and is necessary for doing business in the digital age. As more of your business moves online, and your customers move with it, you'll need to provide increasingly robust authentication and authorization services to protect user information.
Omnichannel Support
Not long ago, the need to authenticate customers was limited to the contact center or the primary website (financial services institutions notwithstanding). Today, the increasing number of channels through which customers engage with a company expands the need for user authentication.
high-risk requests because your site is the only place you can deliver two-factor authentication (2FA).
User-friendly Controls
User experience is everything in today's digital world. Users routinely abandon applications that aren't intuitive or easy to use — especially if users think they serve only to create bottlenecks in their workflow.
Look for a platform with controls that are easy to enable through the administrative interface and that allows users to select their own authentication options (within the boundaries set by administrators).
Compatibility with Existing Authentication Services
Today, your authentication requirements may exist only for websites and mobile applications, but tomorrow, they may include smart devices and consoles. A next-generation authentication solution must be compatible with both online and offline applications used for a variety of purposes.
Advanced Cryptography
As we discuss in Chapter 7, top-notch cryptography is a requirement in an MFA platform. If the platform you deploy doesn't use well-vetted, current cryptographic algorithms, you're essentially leaving a door propped open for attackers.
(see Chapter 4). A user doesn't provide his credentials to an application via a central public authentication layer; instead, the application reaches out to the user and asks for authorization through an independent authentication layer accessible only to that user's client.
Updatable Platform
An updatable MFA platform allows you to efficiently adapt to future changes, whether they be evolving authentication technologies, new vulnerabilities, or evolving threats. Updates to MFA authenticators must be capable of being released at the discretion of the organization's administrators, while the update process itself must not introduce friction that might impact user adoption.
Developer Support
A next-generation MFA platform enables your developers to extend all or part of the multi-factor experience into your company's mobile applications to provide a seamless, consistent user experience. Developers can achieve this goal by using configurable software development kits (SDKs) and application programming interfaces (APIs) that allow development teams to leverage only the components and features they need.
Dynamic Administrative Controls
A dashboard serves as a control center where administrators can carry out tasks related to the MFA platform, including creating, monitoring, and managing integrations; configuring security policies; and provisioning devices.
or specific approvals. You want a solution that allows you to tie authentication and authorization to touchpoints throughout your application or service. The solution should also allow you to use real-time, interactive authorization for unique use cases that include multiple users authorizing specific tasks or workflows.
WILEY END USER LICENSE AGREEMENT
Go to www.wiley.com/go/eula to access Wiley’s ebook EULA.