<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>OneLogin - OneLogin Identity Management Blog</title>
	<atom:link href="https://www.onelogin.com/blog/whats-new/onelogin/feed" rel="self" type="application/rss+xml" />
	<link>https://www.onelogin.com/blog/whats-new/onelogin</link>
	<description>Best Practices &#38; Advice</description>
	<lastBuildDate>Mon, 19 Feb 2024 15:42:05 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.4.3</generator>
	<item>
		<title>User-Centric Identity: Ensuring a Seamless Migration to OneLogin</title>
		<link>https://www.onelogin.com/blog/user-centric-identity-ensuring-a-seamless-migration-to-onelogin</link>
		
		<dc:creator><![CDATA[Marc Maguire]]></dc:creator>
		<pubDate>Fri, 16 Feb 2024 18:15:22 +0000</pubDate>
				<category><![CDATA[OneLogin]]></category>
		<guid isPermaLink="false">https://www.onelogin.com/blog/?p=1440</guid>

					<description><![CDATA[<p>Navigating the access management space can bring forth a host of new challenges, one of which may be the migration to a new access management solution. This blog is aimed at those of you who are in the process of considering an exit from your current access management provider and evaluating the effort required to [&#8230;]</p>
<p>The post <a href="https://www.onelogin.com/blog/user-centric-identity-ensuring-a-seamless-migration-to-onelogin">User-Centric Identity: Ensuring a Seamless Migration to OneLogin</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img fetchpriority="high" decoding="async" class="alignnone size-full wp-image-1443" src="https://www.onelogin.com/blog/wp-content/uploads/2024/02/BlogImage-Okta-to-OneLogin-PG-86655-v2.jpg.optimal.jpg" alt="BlogImage-Okta-to-OneLogin-PG-86655-v2" width="1100" height="500" srcset="https://www.onelogin.com/blog/wp-content/uploads/2024/02/BlogImage-Okta-to-OneLogin-PG-86655-v2.jpg.optimal.jpg 1100w, https://www.onelogin.com/blog/wp-content/uploads/2024/02/BlogImage-Okta-to-OneLogin-PG-86655-v2-300x136.jpg.optimal.jpg 300w, https://www.onelogin.com/blog/wp-content/uploads/2024/02/BlogImage-Okta-to-OneLogin-PG-86655-v2-1024x465.jpg.optimal.jpg 1024w, https://www.onelogin.com/blog/wp-content/uploads/2024/02/BlogImage-Okta-to-OneLogin-PG-86655-v2-768x349.jpg.optimal.jpg 768w" sizes="(max-width: 1100px) 100vw, 1100px" /></p>
<p>Navigating the access management space can bring forth a host of new challenges, one of which may be the migration to a new access management solution. This blog is aimed at those of you who are in the process of considering an exit from your current <a href="https://www.onelogin.com/learn/access-management-iam">access management</a> provider and evaluating the effort required to do so.</p>
<p>Let’s kickstart this discussion by showing you just how easy it is to migrate from Okta to OneLogin access management solutions. We are going to break up this topic into two parts, with part one focusing on your valuable end users.</p>
<p>When it comes to planning your migration from Okta to OneLogin, one of your top priorities will likely be minimizing disruption to your end users. Moreover, you will be concerned about ensuring that your existing <a href="https://www.oneidentity.com/learn/what-is-identity-security.aspx">identity security</a> posture is at the very least maintained during the migration, and ultimately, increased once all services have been migrated over to your new OneLogin solution.</p>
<p>With these priorities in mind, we recommend you approach your migration project with the following five core principles as your guiderails for success.</p>
<ol>
<li>Users should be able to use the same authentication factors they are using today, where possible, with the new OneLogin solution. (This includes passwords where password-based authentication is still in place.)</li>
<li>Users should be able to access the same set of applications and resources that they can access today when the new OneLogin solution is in place.</li>
<li>MFA re-registration, where required, should be strictly controlled. For example, users should be forced to perform Okta MFA before being allowed to register MFA factors with OneLogin.</li>
<li>User profiles in the Okta solution should be replicated in the new OneLogin environment (standard and custom attributes).</li>
<li>Users are given the same level of access within the integrated applications (i.e. licenses, groups, privileges, roles, etc.).</li>
</ol>
<p>In this blog, we will cover the first four items. We will address the process of migrating applications in our next blog.</p>
<p>To deliver a successful migration project, we will need to identify the best approach to take when it comes to getting users into OneLogin and configuring the relevant authentication factors in a way that is as seamless and secure as possible. The approach taken will be based on how your current Okta environment is architected and whether you want to keep this kind of architecture with your OneLogin solution or use the opportunity to transform your environment to your desired end state.</p>
<p>Before we dive into these details, there are several general steps you should start with, regardless of how your current Okta environment is architected and what your desired OneLogin end state is. These include the following items:</p>
<ul>
<li>Set up branding in your new OneLogin environment to mirror the current branding elements from your Okta solution.</li>
<li>Perform an attribute mapping exercise to identify the number of custom fields that will need to be created in your new OneLogin environment to be able to mirror your existing core user profiles.</li>
<li>Create the required custom fields in OneLogin following the completion of your core user attribute mapping exercise above.</li>
<li>Create the required number of roles in your OneLogin environment to correspond to your existing Okta groups. This can be done via the admin console or, for large numbers of roles/groups, via the OneLogin Admin API or IaC tools such as Terraform.</li>
<li>Create OneLogin mappings to automatically assign roles to your users (when they are eventually created) to mirror the same logic currently in place with Okta group rules.</li>
<li>Create a Trusted IdP connection between the OneLogin and Okta environments (<a href="https://www.onelogin.com/blog/openid-connect-explained-in-plain-english-2">using OIDC</a>) and use this TIdP as an authentication factor in your OneLogin environment via our Trusted IdP as a factor capability. This factor can be used to redirect users to perform their existing MFA at Okta the first time they sign into OneLogin, ensuring that users must perform Okta MFA before being allowed to enroll in OneLogin MFA.</li>
<li>Create a user security policy in OneLogin which will require the Okta MFA (via TIdP as a factor) and apply this to users the first time they sign in to OneLogin using our pre-authentication Smart Hook capability.</li>
<li>Enable the required other authentication factors you will use in your OneLogin solution and create user security policies, as required, to meet the general day-to-day needs of different groups of users in your solution. Create another series of OneLogin mappings to automatically allocate these security policies (via OneLogin groups) when your users are created.</li>
</ul>
<p><strong>User Migration</strong></p>
<p>With the above items in place, you are now ready to start loading your users into your new OneLogin solution. In the next section, we will present several different approaches you can take to achieve this task. The recommended approaches will be specific to the desired end state you have for your <a href="https://www.onelogin.com/learn/idaas">IDaaS solution</a>.</p>
<p><strong>Traditional Hybrid Identity as a Service (IDaaS) Architecture</strong></p>
<p>In this case, your desired end state is to maintain a traditional approach to your new IDaaS solution whereby users will be synchronized into your new OneLogin environment from an existing on-prem directory such as AD or an LDAP directory. Users will also be required to perform password-based authentication against the on-premises directory. You may have an HR-driven identity solution in place which is supported by integrations between your HR directory and your AD/LDAP via an existing on-premises IGA tool.</p>
<p>In this scenario, there is a very simple path to get your users into your new OneLogin environment and ensure they can use the same set of credentials for password-based authentication.</p>
<ol>
<li>Install Active Directory/LDAP Connectors in your environment and configure them to communicate to the same user stores that are currently supporting your Okta implementation.</li>
<li>Configure the required attribute mappings on your Active Directory/LDAP Connectors to ensure the required attributes are synced to the OneLogin Cloud directory to enable the core user profile to match what is currently in place in your Okta environment.</li>
<li>Sync several test users and validate that the user profile in OneLogin matches the profile in Okta and that the required OneLogin roles and groups have been automatically allocated to the user.</li>
<li>Inform your test users to log into the new OneLogin environment and validate that authentication against your AD/LDAP is working as expected. The test users will be forced to complete Okta MFA before they can establish a session to OneLogin, where they can then enroll securely in OneLogin MFA.</li>
<li>Sync the rest of your user base as required from your AD/LDAP into OneLogin and review your environment to ensure the number of users matches the expected outcome.</li>
<li>Plan your communications to instruct your users how to sign in to the new OneLogin App Portal with their existing Okta credentials and how to configure the required MFA factors on their OneLogin account.</li>
</ol>
<p>So, six steps and you’ve got all your users in. That’s not so bad, right?</p>
<p><strong>Cloud-Only IDaaS Architecture</strong></p>
<p>In this case, your desired end state is to move to a solution with the OneLogin cloud directory being your IT directory source of truth and you want to use only cloud-based authentication factors in your solution. You may already have a cloud-only environment in Okta that you want to migrate over to OneLogin, or you may have a Traditional Hybrid IDaaS Architecture in place that you want to take the opportunity to move away from. For this scenario, we have two recommended options to allow your organization to perform a cloud-to-cloud based user migration (both include the migration of Okta passwords, when required).</p>
<p><strong>1. OneLogin Smart Hooks User Migration Hook</strong></p>
<p>With this approach, you can have your users drive the migration of their account simply by instructing them to sign into the new OneLogin environment using their existing Okta credentials. There is no requirement for any additional software to be deployed on premises or any kind of intermediary SaaS automation solutions in the middle to perform the cloud-to-cloud based user synchronization. The only thing required is to implement a user migration Smart Hook on your OneLogin environment. The Smart Hook will run as a fully customizable serverless JavaScript function which will be hosted on our platform on your behalf. It will execute an API call to Okta each time a login request is received for a user which does not currently exist in the OneLogin cloud directory.</p>
<p>The steps you will need to take include:</p>
<ol>
<li>Define the logic required to be contained in the Smart Hook.</li>
<li>Define the mapping of user attributes sourced from the Okta API (post successful authentication from the user) into OneLogin standard and custom fields. This will control how attributes are mapped when the new user is created in OneLogin from the Smart Hook.</li>
<li>Implement the Smart Hook in a test environment and validate the function is working as expected.</li>
<li>Deploy the Smart Hook to the production environment and initiate your communications to users to sign into the new OneLogin environment with their existing Okta credentials to create their new account.</li>
<li>Remove the Smart Hook once all required users are migrated.</li>
</ol>
<p>To assist with this approach, we have published an example <a href="https://github.com/1id-presales/Automation-OneLogin-SH/tree/main/Terraform/UserMigration/Migrate_From_Okta" target="_blank" rel="noopener">Okta User Migration Smart Hooks</a> in our public GitHub repo. You can also watch the video below to see how this user migration process works.</p>
<div style="width: 1200px;" class="wp-video"><!--[if lt IE 9]><script>document.createElement('video');</script><![endif]-->
<video class="wp-video-shortcode" id="video-1440-1" width="1200" height="674" preload="metadata" controls="controls"><source type="video/mp4" src="https://www.onelogin.com/blog/wp-content/uploads/2024/02/migrate_from_okta.mp4?_=1" /><a href="https://www.onelogin.com/blog/wp-content/uploads/2024/02/migrate_from_okta.mp4">https://www.onelogin.com/blog/wp-content/uploads/2024/02/migrate_from_okta.mp4</a></video></div>
<p><strong>2. OneLogin Inbound SCIM Provisioning</strong></p>
<p>With this approach, you can enable an inbound SCIM interface for your new OneLogin environment which can be used to create/update/delete users from any SCIM-compliant client system. It is simply a case of using the app provisioning capabilities built into your Okta solution to provision your users outbound from Okta into OneLogin. This solution can be configured to include the current Okta password in the SCIM payload sent to OneLogin, or to exclude it if required.</p>
<p>The steps involved in this approach are:</p>
<ol>
<li>Enable the inbound SCIM interface for your OneLogin environment by engaging with your account manager.</li>
<li>Create a SCIM provisioning application in Okta to connect to your SCIM endpoint for your OneLogin environment.</li>
<li>Define the relevant attribute mapping on the SCIM Application in Okta and provision some test users to your OneLogin environment. Validate the test users.</li>
<li>Update the SCIM Application in Okta to provision all required users in your Okta environment to OneLogin. Review your OneLogin environment to ensure the number of users matches the expected outcome and initiate communications to instruct your users how to sign in to the new OneLogin App Portal with their existing Okta credentials and how to configure the required <a href="https://www.onelogin.com/learn/what-is-mfa">MFA factors</a> on their OneLogin account.</li>
<li>Delete the SCIM Application in Okta and disable the SCIM endpoint on your OneLogin environment once all required users are provisioned.</li>
</ol>
<p>We will be publishing a new KB article in the coming weeks outlining the detailed steps required to configure the inbound <a href="https://www.oneidentity.com/what-is-scim/">SCIM solution</a>.</p>
<p>As you can see, there are three straightforward ways in which you can get your users into OneLogin as part of your project to migrate from Okta. Once you have your users loaded into OneLogin and the relevant authentication factors set up, you can then start to plan how to approach your application migration, which is the topic for part two of this blog series. Stay tuned for more on that soon!</p>
<p>The post <a href="https://www.onelogin.com/blog/user-centric-identity-ensuring-a-seamless-migration-to-onelogin">User-Centric Identity: Ensuring a Seamless Migration to OneLogin</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></content:encoded>
					
		
		<enclosure url="https://www.onelogin.com/blog/wp-content/uploads/2024/02/migrate_from_okta.mp4" length="101028997" type="video/mp4" />

			</item>
		<item>
		<title>Strengthening Cyber Defenses: The Crucial Role of PAM and IGA Solutions</title>
		<link>https://www.onelogin.com/blog/strengthening-cyber-defenses-the-crucial-role-of-pam-and-iga-solutions</link>
		
		<dc:creator><![CDATA[Josh Karnes]]></dc:creator>
		<pubDate>Mon, 27 Nov 2023 14:42:11 +0000</pubDate>
				<category><![CDATA[OneLogin]]></category>
		<guid isPermaLink="false">https://www.onelogin.com/blog/?p=1428</guid>

					<description><![CDATA[<p>We recently published a blog titled Defending Your Organization Against Session Cookie Replay Attacks. This blog thoroughly examined the menace of session cookie replay attacks, shedding light on the potential risks and consequences they pose to online security. The post delved into the intricacies of session cookie replay attacks, detailing their working mechanisms and the [&#8230;]</p>
<p>The post <a href="https://www.onelogin.com/blog/strengthening-cyber-defenses-the-crucial-role-of-pam-and-iga-solutions">Strengthening Cyber Defenses: The Crucial Role of PAM and IGA Solutions</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img decoding="async" class="alignnone size-full wp-image-1429" src="https://www.onelogin.com/blog/wp-content/uploads/2023/11/BlogImage-Cookie-Replay-Attacks-vol2-PG-85707-03.png" alt="Strengthening Cyber Defenses: The Crucial Role of PAM and IGA Solutions" width="1100" height="500" srcset="https://www.onelogin.com/blog/wp-content/uploads/2023/11/BlogImage-Cookie-Replay-Attacks-vol2-PG-85707-03.png 1100w, https://www.onelogin.com/blog/wp-content/uploads/2023/11/BlogImage-Cookie-Replay-Attacks-vol2-PG-85707-03-300x136.png 300w, https://www.onelogin.com/blog/wp-content/uploads/2023/11/BlogImage-Cookie-Replay-Attacks-vol2-PG-85707-03-1024x465.png 1024w, https://www.onelogin.com/blog/wp-content/uploads/2023/11/BlogImage-Cookie-Replay-Attacks-vol2-PG-85707-03-768x349.png 768w" sizes="(max-width: 1100px) 100vw, 1100px" /></p>
<p>We recently published a blog titled <a href="https://www.onelogin.com/blog/defending-your-organization-against-session-cookie-replay-attacks" rel="noopener noreferrer"><em>Defending Your Organization Against Session Cookie Replay Attacks</em></a>. This blog thoroughly examined the menace of session cookie replay attacks, shedding light on the potential risks and consequences they pose to online security. The post delved into the intricacies of session cookie replay attacks, detailing their working mechanisms and the extensive damage they can inflict and emphasizing the imperative need to comprehend and fortify against such threats.</p>
<p>As a quick recap, session cookie replay attacks involve the malicious use of stored session cookies to impersonate a user on a targeted website, typically acquired through methods like malware, Man-in-the-Middle attacks or the compromise of support systems. The repercussions extend from hijacking user accounts to compromising sensitive data and even potentially taking over an entire access management system.</p>
<p>Given the continuously evolving cyber threat landscape, the urgency to establish robust defense strategies against session cookie replay attacks and other sophisticated security breaches has escalated. It is clear that fortifying cybersecurity defenses for these evolving threats cannot be accomplished fully with access management solutions alone. Organizations should adopt a multi-layered approach that also includes the advanced capabilities found in Privileged Access Management (PAM) and Identity Governance and Administration (IGA) solutions. This blog further explores this integrated approach to countering session cookie replay attacks and similar threats.</p>
<h3 id="mcetoc_1hfpd2fcl0"><strong>Defending against session cookie attacks by integrating access management, PAM and IGA using the Unified Identity Platform</strong></h3>
<p>Protecting vulnerable accounts from unauthorized access in the form of session cookie replay attacks may be best handled with a multi-layered approach including access management, Privileged Access Management (PAM), and <a href="https://www.oneidentity.com/what-is-iga/" target="_blank" rel="noopener">Identity Governance and Administration (IGA)</a> tools working together. These three layers can be summarized as follows:</p>
<p><strong>Protect privileged accounts</strong></p>
<p>Restrict access to sensitive or high-risk accounts, including admin accounts on your access management system, by requiring access through a <a href="https://www.oneidentity.com/learn/what-is-a-privileged-access-management-pam-tool.aspx" target="_blank" rel="noopener noreferrer">Privileged Access Management (PAM) tool</a>. Using a PAM system to control access to these accounts enables session recording and control, real-time monitoring of privileged access, password rotation and just-in-time privilege assignment.</p>
<p><strong>Detect rogue actors</strong></p>
<p>Control access to vaulted privileged accounts protected by the PAM solution by limiting <a href="https://www.onelogin.com/learn/how-single-sign-on-works" rel="noopener noreferrer">SSO</a> access to only authorized users in your access management system. Users must securely authenticate into the access management system to have access to the PAM tool. A user security policy for these admin and privileged users should be employed to restrict access to only trusted devices and to limit the session inactivity timeout to a small timeframe, such as five minutes. This will reduce the opportunity timeframe for attempted session cookie replay attacks to the shortest possible time.</p>
<p>Since access to these admin accounts is granted only through the PAM tool, the admin account should be deactivated and the session closed right after the administrative tasks are complete, so a short inactivity timeout would not cause undue inconvenience to the administrative users. Additionally, an application security policy should be employed to require reauthentication and MFA whenever the PAM application is launched.</p>
<p>Further, a module of the PAM system should apply user behavior analytics, which can distinguish the attacker from the authorized user of the account by analyzing keystrokes and mouse movement patterns. With this capability employed, the session can be terminated automatically when such an attack is detected.</p>
<p><strong>Enforce and remediate</strong></p>
<p>Use <a href="https://www.onelogin.com/learn/rbac-vs-abac" rel="noopener noreferrer">Role-Based Access Control (RBAC)</a> from the Identity Governance and Administration (IGA) solution to assign access to the privileged accounts within the PAM system, and to assign the PAM application on the user’s access management dashboard to only authorized administrative and privileged users, creating a condition of least privilege. These RBAC policies should reduce the attack surface by revoking unneeded access for users who have been terminated or who have changed job roles: both their privileged account access in the PAM system and their assignment of the PAM application in the access management tool.</p>
<p>Use policies to ensure the access control security policies in the access management system are correctly applied to users, admins and the <a href="https://www.oneidentity.com/what-is-privileged-access-management/" target="_blank" rel="noopener noreferrer">PAM application</a>. Additionally, use policies to detect rogue or orphaned accounts which may be vulnerable to attack. Employ regular access reviews in the form of attestations or certifications to ensure least privilege is maintained.</p>
<h3 id="mcetoc_1hfpd2fcl1"><strong>Conclusion</strong></h3>
<p>A successful <a href="https://www.oneidentity.com/what-is-a-unified-identity-security-platform/" target="_blank" rel="noopener noreferrer">unified approach</a> uses the whole cybersecurity toolkit in an integrated fashion to create this multilayered approach to identity security. The One Identity Unified Identity Platform provides the necessary framework to most effectively defend against session cookie replay attacks and to ensure the organization remains protected.</p>
<p>Used together within the One Identity Unified Identity Platform, access management, PAM, and IGA can build a layered defense against session cookie replay attacks and other evolving cyber threats. This integrative approach enables the innovation needed to create best practices, empowering organizations to stay ahead in the face of emerging threats.</p>
<h3 id="mcetoc_1hfpd2fcl2"><strong>Call to Action</strong></h3>
<p>We urge organizations to consider the adoption of the One Identity Unified Identity Platform, including access management, PAM and IGA working together to fortify their defense mechanisms against emerging cyber threats. Embracing a comprehensive security strategy and adapting to the evolving threat landscape are critical steps toward safeguarding digital assets.</p>
<p>The post <a href="https://www.onelogin.com/blog/strengthening-cyber-defenses-the-crucial-role-of-pam-and-iga-solutions">Strengthening Cyber Defenses: The Crucial Role of PAM and IGA Solutions</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Defending Your Organization Against Session Cookie Replay Attacks</title>
		<link>https://www.onelogin.com/blog/defending-your-organization-against-session-cookie-replay-attacks</link>
		
		<dc:creator><![CDATA[Marc Maguire]]></dc:creator>
		<pubDate>Thu, 09 Nov 2023 20:16:04 +0000</pubDate>
				<category><![CDATA[OneLogin]]></category>
		<guid isPermaLink="false">https://www.onelogin.com/blog/?p=1419</guid>

					<description><![CDATA[<p>In the current cyber threat landscape, where online security is paramount, the threat of session cookie replay attacks looms large. These attacks sidestep the conventional need for credentials and aim to hijack your online sessions, potentially compromising sensitive data and taking over user accounts. This blog post delves into the intricacies of session cookie replay [&#8230;]</p>
<p>The post <a href="https://www.onelogin.com/blog/defending-your-organization-against-session-cookie-replay-attacks">Defending Your Organization Against Session Cookie Replay Attacks</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img decoding="async" class="alignnone size-full wp-image-1420" src="https://www.onelogin.com/blog/wp-content/uploads/2023/11/BlogImage-Cookie-Replay-Attacks-PG-85476-03.jpg.optimal.jpg" alt="Defending Your Organization Against Session Cookie Replay Attacks" width="1100" height="500" srcset="https://www.onelogin.com/blog/wp-content/uploads/2023/11/BlogImage-Cookie-Replay-Attacks-PG-85476-03.jpg.optimal.jpg 1100w, https://www.onelogin.com/blog/wp-content/uploads/2023/11/BlogImage-Cookie-Replay-Attacks-PG-85476-03-300x136.jpg.optimal.jpg 300w, https://www.onelogin.com/blog/wp-content/uploads/2023/11/BlogImage-Cookie-Replay-Attacks-PG-85476-03-1024x465.jpg.optimal.jpg 1024w, https://www.onelogin.com/blog/wp-content/uploads/2023/11/BlogImage-Cookie-Replay-Attacks-PG-85476-03-768x349.jpg.optimal.jpg 768w" sizes="(max-width: 1100px) 100vw, 1100px" /></p>
<p>In the current cyber threat landscape, where online security is paramount, the threat of session cookie replay attacks looms large. These attacks sidestep the conventional need for credentials and aim to hijack your online sessions, potentially compromising sensitive data and taking over user accounts. This blog post delves into the intricacies of session cookie replay attacks, shedding light on what they are, how they work, and the potential consequences they can unleash. Understanding these attacks is the first step in fortifying your online presence and ensuring the safety of your organization’s digital identity.</p>
<p><strong>Understanding session cookie replay attacks</strong></p>
<p>A session cookie replay attack is a cyber-attack that attempts to take over a particular user account without the need for the credentials associated with that account. That sounds pretty scary – how can that be? While identity-based attacks typically involve trying to validate or steal credentials, session cookie replay attacks focus on maliciously replaying a session cookie to a targeted web service. To fully comprehend the workings of this type of attack, it&#8217;s essential to have a solid grasp of how session cookies function.</p>
<p>A session cookie is a small digital marker stored in your web browser, allowing a website to customize the content it shows you. To give you a clear example of this customization, think of a scenario where a website serves specific content only after verifying your session, which is typically established during the user authentication process.</p>
<p>Now, imagine an attack that aims to acquire this session cookie and then use it to impersonate you on the targeted website, all from a different computer controlled by the attacker. This action of replaying the session cookie isn&#8217;t particularly complex and can be accomplished by importing the cookie into most popular web browsers using simple browser extensions. It is important to note that this doesn&#8217;t require sophisticated nation-state-level hacking tools.</p>
<p>Attackers employ several methods to acquire these valuable cookies. They may deploy malware on infected machines to collect cookies directly from web browsers. Alternatively, they might execute Man-in-the-Middle attacks, intercepting cookies from users by using a malicious server that sits between the user&#8217;s browser and the target service. Lately, we&#8217;ve also seen attackers compromise technical support systems, which conveniently contain recently-exported session cookies from users, originally intended for legitimate troubleshooting purposes.</p>
<p><strong>How damaging can these types of attacks be?</strong></p>
<p>In the simplest case, the user’s account in the targeted service can be taken over by the attacker, the user may lose access to that web service, and their sensitive data may be compromised. So that’s bad, but the blast radius from this kind of attack gets much larger if the targeted service is actually an Access Management solution providing <a href="https://www.onelogin.com/learn/how-single-sign-on-works">single sign-on (SSO)</a> access to multiple integrated services. That one session cookie can be the only thing needed to access hundreds, if not thousands, of systems integrated to trust the Access Management solution.</p>
<p>The blast radius can be even worse if that session cookie is associated with a user that has some type of administrative privilege on the targeted Access Management solution. In that situation, the attacker has the potential to not just overtake the user account associated with the cookie, but ultimately the entire Access Management system. At the same time, it can be used to impersonate any of the organization’s users in any of the integrated systems.</p>
<p><strong>If I&#8217;m using FIDO2 MFA, I&#8217;m safe right?</strong></p>
<p>Well, unfortunately, not quite. This attack relies on replaying a session cookie that&#8217;s already stored in the user&#8217;s browser. This means that the entire authentication process has already been successfully completed, and it doesn&#8217;t matter which type of MFA was used in that process. The authentication is essentially a thing of the past at this point.</p>
<p><strong>Securing your Access Management solution</strong></p>
<p>The key measures to defend against such attacks primarily focus on preventing the session cookie from falling into the wrong hands initially. These steps encompass security-awareness training, using endpoint protection software, implementing FIDO2-compliant Authentication Factors, controlling access to MDM-managed devices, implementing Adaptive Authentication, conducting security monitoring, and ensuring the safe handling of sensitive data, such as session cookies, when shared during technical support processes.</p>
<p>Once an attacker has acquired and replayed a session cookie against your Access Management solution, your focus should shift to detection and swift responses. It&#8217;s crucial to have a well-established response plan in place, particularly when there are signs of privilege associated with the targeted account within the Access Management solution.</p>
<p>For detection, your organization should set up rules within your SIEM (Security Information and Event Management) environment to identify irregularities, such as disparities between login events and suspicious post-login patterns for the same account. This can include unusual IP addresses, locations, or activity patterns.</p>
<p>When responding to such incidents, the minimum actions should involve disabling the compromised account to terminate all active sessions. Additionally, a thorough forensic examination of the activities conducted by the attacker with the stolen session cookie is essential. Engaging with your Access Management vendor for support can be valuable, as they may provide further information to aid your investigation and ongoing response efforts. Having a well-documented run book to follow during such incidents is vital for a timely and effective response.</p>
<p><strong>How can organizations using OneLogin Access Management solutions protect themselves against session cookie replay attacks?</strong></p>
<ul>
<li><strong>Never assign privilege in your OneLogin production environment to standard/daily use user accounts.</strong> To put it simply, the more often you use an account, the higher the likelihood of it being abused by a session cookie replay attack. Reduce your risk exposure by allocating privilege to separate accounts, typically used less often than standard accounts, and thus lowering the chances of a session cookie with admin rights falling into the wrong hands. By providing separate accounts, this also allows you to assign more stringent security policies to these accounts, without impacting the day-to-day user experience of your Admins who also need to use the platform’s SSO capabilities.</li>
</ul>
<ul>
<li><strong>Automate the allocation of OneLogin user security policies to your separate Admin accounts using our Mappings capability by assigning groups (which have user security policies attached) based on conditions you define and maintain in your Mappings rule base.</strong> Ensure that session lifetime settings for high value admin accounts are configured to terminate after a maximum of 30 minutes. This change increases the difficulty for attackers in two ways: first, they must quickly obtain and transfer the session cookie to their attack machine, and second, they have limited time to maintain access with the stolen session cookie, if they can successfully replay it.</li>
</ul>
<ul>
<li><strong>Make certain you have a strongly controlled authentication factor registration process for Admin accounts and require at least two FIDO2 compliant factors to be registered for each admin account.</strong> Define a process to control how and when authentication factors can be registered by your users to their admin accounts. Furthermore, require admins to register two separate authentication factors against their admin accounts so that, in the situation where access to one authentication factor is lost, they can still access the OneLogin platform.</li>
</ul>
<ul>
<li><strong>Consider using our app policy “forced authentication” capability to break the SSO experience into specific high value applications just for your separated admin accounts.</strong> Should an attacker somehow acquire a valid session cookie for one of your isolated admin accounts and attempt to access an integrated application through the OneLogin portal, they will be forced to re-authenticate in order to access the target application. Their attempt to use the existing single sign-on (SSO) session will be unsuccessful. The stolen session cookie cannot be reused to bypass this request for a fresh authentication, as it is required in order to fulfil the application policy requirements.</li>
</ul>
<ul>
<li><strong>Maintain at least two “break-glass” accounts (the Account Owner User and one Super User account) which are tied to a corporate-owned group mailbox owned by the IAM team.</strong> These two accounts are the key components needed in any recovery plan in the event of a significant security or BCM incident. To safeguard the authentication factors linked to these critical accounts, often referred to as the &#8220;keys to the kingdom,&#8221; it is advisable to store them offline within a physical safe. This practice guarantees protection against online attacks, and it assures a reliable means of regaining access to your OneLogin environment, should you lose standard administrative access.</li>
</ul>
<ul>
<li><strong>Reduce the number of “ClickOps” admins who require access to your OneLogin production environment by leveraging IaC (infrastructure as code) approaches to configure and manage this environment.</strong> For example, a great way to achieve this is to store the configuration for the most important components of your OneLogin service as code in a secured Git repository. Using this approach also allows an organization to reduce configuration drift between Production and Non-Production environments: changes are first carried out manually in a Dev/Test environment (via the admin console, using an account with admin rights in that environment), captured in the configuration code, and then applied to Production programmatically. Taking this approach also brings the added benefit of significantly reducing the number of admin accounts needed on Production, as most changes will be applied to the environment via the OneLogin Admin API in a controlled manner (e.g. once a week during a planned change window).</li>
</ul>
<ul>
<li><strong>For the remaining users still requiring admin privileges on your Production environment, leverage OneLogin’s fine-grained Delegated Administration capability to only allocate the exact privilege the user needs and nothing more.</strong> By adhering to the <a href="https://www.oneidentity.com/what-is-the-principle-of-least-privilege/">principle of least privilege</a>, you can reduce the level of admin privileges granted to the account in question, minimizing the impact if a session cookie replay attack were to occur.</li>
</ul>
<ul>
<li><strong>Ensure the lifecycle for managing your separate OneLogin administrative accounts is tied to your current JML process for standard accounts.</strong> You do not want separate admin accounts associated to an employee that has left the organization or changed roles lingering around in your environment. As a standard, these should be disabled and removed during any JML events.</li>
</ul>
<ul>
<li><strong>Automate the allocation of OneLogin privileges to your separate Admin accounts using the OneLogin Mappings capability by assigning roles (which have delegated admin privileges attached) based on conditions you define and maintain in your mappings rule base.</strong> Our Mappings capability should ideally be managed and maintained by Terraform. With this approach you can ensure your mappings rule base always meets your desired state as defined in your configuration code in your Git repository. Any mappings changes made directly to your environment via the Admin console (for example, by an attacker) will be automatically reverted to your desired state by scheduled Terraform runs.</li>
</ul>
<ul>
<li><strong>Configure a <a href="https://www.onelogin.com/learn/passwordless-authentication">Passwordless</a> policy and require FIDO2 compliant authentication factors at all times for all Admin accounts. Supplement this with Device Trust and IP address-based controls to further secure how and where admins can sign into the OneLogin platform.</strong> By implementing <a href="https://www.oneidentity.com/learn/what-is-fido-authentication.aspx">FIDO2 authentication factors</a>, the risk of session cookie theft is minimized, as users won&#8217;t be able to complete the authentication process necessary to obtain session cookies when they are unwittingly directed to the OneLogin service via a malicious proxy. To strengthen security even more, consider limiting admin account access to specific locations, such as only allowing it from managed devices, dedicated management servers within your network, or through PAM Isolated browser environments.</li>
</ul>
<ul>
<li><strong>Enable Adaptive Authentication and, in particular, Smart Access on the user security policies allocated to all Admin accounts.</strong> With <a href="https://www.onelogin.com/learn/what-why-adaptive-authentication">Adaptive Authentication</a> in place and finely tuned for your admin users, you can reduce the attack vectors that can be leveraged by attackers to steal session cookies.</li>
</ul>
<ul>
<li><strong>Do not associate your Admin accounts with AD or any on-prem IdP in any way.</strong> With the ever-expanding array of attacks directed at Active Directory it makes perfect sense not to involve AD in your separated Admin accounts either from an authentication or directory sync perspective. This also aligns with Microsoft’s own advice on how to secure a Hybrid Cloud identity solution.</li>
</ul>
<ul>
<li><strong>Stream all OneLogin events to your SIEM/CASB platform using our webhooks capabilities or use our events API to periodically pull events in.</strong> Ensure that events indicating privileged admin activity performed from unusual IP addresses outside of your organization’s network boundaries are alerted upon and investigated immediately.</li>
</ul>
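<p>The SIEM correlation described in the detection section above and the event streaming in the last bullet, as an added example that is not OneLogin’s code or its events schema: the event records, their field names (<code>user</code>, <code>event</code>, <code>ip</code>, <code>ts</code>, <code>privileged</code>) and the corporate IP range are constructed for illustration. The rules flag post-login activity whose IP differs from the login IP, privileged actions from outside the corporate range, and activity beyond the 30-minute admin session lifetime recommended above.</p>

```javascript
// Added example (not OneLogin's code or events API schema): a small SIEM-style
// correlation rule over constructed event records. Field names are assumptions.

// Constructed "corporate" network (TEST-NET-3, documentation range).
const CORP_NETWORKS = ['203.0.113.0/24'];

// Parse dotted IPv4 into an unsigned 32-bit integer.
function ipToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !(p >= 0 && p <= 255))) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return parts.reduce((acc, p) => acc * 256 + p, 0);
}

// True when `ip` lies inside `cidr` (e.g. "203.0.113.0/24").
function inCidr(ip, cidr) {
  const [network, prefix] = cidr.split('/');
  const scale = 2 ** (32 - Number(prefix)); // size of the host part
  return Math.floor(ipToInt(ip) / scale) === Math.floor(ipToInt(network) / scale);
}

function isCorporateIp(ip) {
  return CORP_NETWORKS.some(cidr => inCidr(ip, cidr));
}

// Correlate events per account: remember the latest login (IP and time) and
// compare every later event for the same account against it.
function detectSessionAnomalies(events, sessionMaxMinutes = 30) {
  const lastLogin = new Map();
  const alerts = [];
  const ordered = [...events].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
  for (const ev of ordered) {
    if (ev.event === 'login') {
      lastLogin.set(ev.user, ev);
      continue;
    }
    const login = lastLogin.get(ev.user);
    if (!login) {
      // Post-login activity with no login event in the window: a replayed
      // cookie shows up as activity without a matching authentication.
      alerts.push({ user: ev.user, rule: 'activity_without_login', event: ev });
      continue;
    }
    const ageMinutes = (Date.parse(ev.ts) - Date.parse(login.ts)) / 60000;
    if (ev.ip !== login.ip) {
      // Session used from an IP other than the one that authenticated.
      alerts.push({ user: ev.user, rule: 'ip_mismatch_with_login', loginIp: login.ip, event: ev });
    }
    if (ev.privileged && !isCorporateIp(ev.ip)) {
      // Privileged admin action from outside the corporate network boundary.
      alerts.push({ user: ev.user, rule: 'privileged_from_external_ip', event: ev });
    }
    if (ageMinutes > sessionMaxMinutes) {
      // Session still active past the admin session lifetime the policy should enforce.
      alerts.push({ user: ev.user, rule: 'activity_after_session_lifetime',
                    ageMinutes: Math.round(ageMinutes), event: ev });
    }
  }
  return alerts;
}

// Constructed sample events (not real logs): one admin whose session is reused
// from a different, external address, and one standard user with normal activity.
const SAMPLE_EVENTS = [
  { ts: '2024-01-10T09:00:00Z', user: 'admin-jdoe', event: 'login', ip: '203.0.113.10', privileged: false },
  { ts: '2024-01-10T09:05:00Z', user: 'admin-jdoe', event: 'app_launch', ip: '203.0.113.10', privileged: false },
  { ts: '2024-01-10T09:12:00Z', user: 'admin-jdoe', event: 'mapping_updated', ip: '198.51.100.77', privileged: true },
  { ts: '2024-01-10T10:00:00Z', user: 'jsmith', event: 'login', ip: '203.0.113.22', privileged: false },
  { ts: '2024-01-10T10:01:00Z', user: 'jsmith', event: 'app_launch', ip: '203.0.113.22', privileged: false },
  { ts: '2024-01-10T11:00:00Z', user: 'admin-jdoe', event: 'user_policy_changed', ip: '203.0.113.10', privileged: true },
];

console.log(detectSessionAnomalies(SAMPLE_EVENTS).map(a => `${a.user}: ${a.rule}`));
```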
<ul>
<li><strong>Enable custom email notifications to be sent to users when privileged activities have been performed on your OneLogin environment from their respective admin user accounts.</strong> If users receive email notifications indicating activities performed which they do not recognize, they can immediately alert your security team to investigate and respond accordingly.</li>
</ul>
<p><strong>Final Thoughts</strong></p>
<p>Session cookie replay attacks pose a considerable risk to digital security, allowing cybercriminals to exploit an unsuspecting user&#8217;s session information to impersonate them on a targeted website. The potential consequences are far-reaching, from compromising individual accounts to potentially gaining control over an entire Access Management system. While no security measure can be foolproof, a multi-faceted approach that combines strong user authentication, <a href="https://www.oneidentity.com/what-is-privileged-access-management/">privilege management</a>, monitoring, and rapid response can significantly reduce the vulnerability to session cookie replay attacks. Organizations must adapt and evolve their security strategies to stay one step ahead of these threats, ensuring the integrity and safety of their digital ecosystems.</p>
<p>Stay tuned for the second blog in this series where we will discuss how to supplement all of the controls outlined here with additional capabilities from One Identity Safeguard (PAM) and Identity Manager (IGA) solutions.</p>
<p>The post <a href="https://www.onelogin.com/blog/defending-your-organization-against-session-cookie-replay-attacks">Defending Your Organization Against Session Cookie Replay Attacks</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Simplifying Identity and Access Management (IAM) in K-12 Education</title>
		<link>https://www.onelogin.com/blog/simplifying-identity-and-access-management-iam-in-k-12-education</link>
		
		<dc:creator><![CDATA[Ethan Peterson]]></dc:creator>
		<pubDate>Wed, 25 Oct 2023 19:57:01 +0000</pubDate>
				<category><![CDATA[OneLogin]]></category>
		<guid isPermaLink="false">https://www.onelogin.com/blog/?p=1413</guid>

					<description><![CDATA[<p>In today&#8217;s education landscape, K-12 schools are hubs of learning and growth, filled with opportunities but often caught up in Identity and Access Management (IAM) challenges. Within this complex education environment, an unexpected hero emerges &#8211; the concept of &#8216;degeneracy,&#8217; which we redefine here as simplifying complexity. In this blog, we explore how OneLogin exemplifies [&#8230;]</p>
<p>The post <a href="https://www.onelogin.com/blog/simplifying-identity-and-access-management-iam-in-k-12-education">Simplifying Identity and Access Management (IAM) in K-12 Education</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1414" src="https://www.onelogin.com/blog/wp-content/uploads/2023/10/BlogImage-OneLogin-K12-Education-PG-82495-02.jpg.optimal.jpg" alt="Simplifying Identity and Access Management in K-12 Education" width="1100" height="500" srcset="https://www.onelogin.com/blog/wp-content/uploads/2023/10/BlogImage-OneLogin-K12-Education-PG-82495-02.jpg.optimal.jpg 1100w, https://www.onelogin.com/blog/wp-content/uploads/2023/10/BlogImage-OneLogin-K12-Education-PG-82495-02-300x136.jpg.optimal.jpg 300w, https://www.onelogin.com/blog/wp-content/uploads/2023/10/BlogImage-OneLogin-K12-Education-PG-82495-02-1024x465.jpg.optimal.jpg 1024w, https://www.onelogin.com/blog/wp-content/uploads/2023/10/BlogImage-OneLogin-K12-Education-PG-82495-02-768x349.jpg.optimal.jpg 768w" sizes="(max-width: 1100px) 100vw, 1100px" /></p>
<p>In today&#8217;s education landscape, K-12 schools are hubs of learning and growth, filled with opportunities but often caught up in <a href="https://www.onelogin.com/learn/iam">Identity and Access Management (IAM)</a> challenges. Within this complex education environment, an unexpected hero emerges &#8211; the concept of &#8216;degeneracy,&#8217; which we redefine here as simplifying complexity. In this blog, we explore how OneLogin exemplifies this by making IAM easier, more secure and user-friendly.</p>
<h2><strong>The Multifaceted Challenges in the Absence of Effective IAM</strong></h2>
<p>Envision a scenario where passwords proliferate at an overwhelming rate, each a distinct gateway to essential academic portals: grading infrastructures, communication platforms and learning management systems. Educators and students traverse this daunting expanse, frequently misplacing their credentials, leading to a cyclical turmoil of password retrieval, wasted academic hours and a tangible undercurrent of frustration.</p>
<p>Venture further into this metaphorical darkness, where unmitigated security risks dwell. In the absence of robust IAM, educational institutions, despite their size and stature, are parallel to vulnerable edifices with unsecured entrances. Data breaches, akin to digital predators, infiltrate with impunity, jeopardizing everything from sensitive personal data to the foundational integrity of educational environments.</p>
<p>The narrative is further complicated as administrative staff find themselves mired in the perpetual task of manually managing user access, akin to an endless manuscript that demands continual attention. This monumental task diverts precious resources from fostering educational advancement and institutional development.</p>
<p>Moreover, these institutions face the daunting challenge of limited visibility regarding user activity, like needing a detailed map yet lacking the key. This lack of transparency not only facilitates unauthorized access but also complicates compliance and security efforts.</p>
<p>However, even within these complexities, there lies the potential for transformation. As these institutional hurdles continue to impede collaborative and educational initiatives, the necessity for a comprehensive solution crystalizes. Herein, OneLogin emerges, wielding the power of strategic simplification in the domain of IAM.</p>
<h2><strong>The Alchemy of Future Trends in IAM for K-12 Schools</strong></h2>
<p>Prophecy speaks of new dawns and evolving magics in the realm of IAM for K-12 schools:</p>
<ol>
<li><em>Biometric Authentication</em>: The arcane arts of fingerprint and facial recognition are no longer the stuff of legend. These technologies, once ensconced in the annals of fantasy, are now potent spells in our IAM grimoire, offering both enhanced security and a pinch of awe.</li>
<li><em>Cloud-Based Solutions</em>: Gaze upon the cloud, not as a mystic would at tea leaves, but as a visionary understanding its boundless potential. The cloud’s alchemy transmutes the leaden troubles of traditional IAM into golden ease, scalability and cost-efficiency.</li>
<li><em>User Self-Service</em>: In our enlightened age, even laymen claim agency over their digital identities. Gone are the days of waiting in line for the administrative wizards to wave their wands. Autonomy is the new elixir, and it&#8217;s a brew best served liberally, resulting in increased productivity and reduced IT costs.</li>
<li><em>Zero Trust Security</em>: In an era of dragons and dungeons, the &#8220;trust, but verify&#8221; adage is quaint. Instead, the Zero Trust model, with its rigorous incantations, permits no entry without thorough scrutiny—even for those within the castle walls.</li>
</ol>
<h2><strong>OneLogin: Mastering the Spellcraft of IAM</strong></h2>
<h3>Password Management</h3>
<p>OneLogin&#8217;s Single Sign-On (SSO) allows users to access multiple applications using one set of login credentials. In an educational setting, this means that students, faculty and staff do not need to remember a multitude of passwords to access different learning resources and administrative tools. This ease of access not only reduces &#8220;password fatigue&#8221; but also decreases the risk of security issues related to managing multiple passwords, such as unsafe password practices (like using the same password everywhere) or writing down passwords.</p>
<h3>Enhanced Security</h3>
<p><a href="https://www.onelogin.com/learn/what-is-mfa">Multi-Factor Authentication (MFA)</a> is a security system requiring more than one method of authentication from separate types of credentials to verify a user&#8217;s identity for a login or other transaction. OneLogin&#8217;s MFA goes beyond the basic <a href="https://www.onelogin.com/learn/what-is-2fa">2-factor authentication</a> by including a range of passwordless factors like SMS messaging, smart notifications, biometrics and third-party authenticators. In the context of K-12 schools, this means an extra layer of security for sensitive information, ensuring that only the verified user can access their account even if someone else knows their password.</p>
<h3>Administrative Efficiency</h3>
<p>OneLogin streamlines administrative tasks by automating user provisioning and deprovisioning. This feature enables schools to automatically create user accounts when new students or staff join and to immediately revoke access when they leave. This not only saves significant administrative time but also closes potential security gaps that can occur when former students&#8217; or employees&#8217; access is not removed promptly.</p>
<h3>Visibility and Compliance</h3>
<p>OneLogin provides detailed real-time insights into who is accessing what, when and how. For schools, this means being able to effectively monitor and audit user activities, helping them comply with regulatory standards like the Family Educational Rights and Privacy Act (FERPA) which requires the protection of student education records. Also, in the event of a data breach or any suspicious activity, schools can quickly identify and respond to these security threats.</p>
<h3>Efficient Collaboration</h3>
<p>OneLogin integrates with a plethora of educational applications and platforms, which allows for smooth transitions and collaborative efforts between different programs. For students and teachers, this means less time spent trying to access or share resources and more time on actual learning and teaching. This seamless integration fosters a collaborative environment conducive to effective education, regardless of the physical location of the participants.</p>
<h2><strong>The Bountiful Harvest of OneLogin in K-12</strong></h2>
<p>OneLogin&#8217;s sorcery in IAM is not just about flashy spellwork; it&#8217;s about the bounty it brings to the high tables:</p>
<h3>Productivity Boost</h3>
<p>OneLogin eliminates the need for repeated logins across various educational platforms by implementing Single Sign-On (SSO). This not only saves precious time but also reduces the cognitive load for educators and students. Not juggling a mental library of passwords means more time and mental energy to focus on educational goals and interactive learning.</p>
<h3>Enhanced Security Posture</h3>
<p>OneLogin fortifies security using Multi-Factor Authentication (MFA) and risk-based authentication for a dynamic security posture. These protocols ensure that user identities are verified with high confidence, significantly reducing the risk of unauthorized access. The system continuously evaluates risk and context, adjusting security requirements accordingly, to keep sensitive educational data protected around the clock.</p>
<h3>Cost Savings</h3>
<p>OneLogin mitigates the substantial costs associated with identity-related breaches by providing robust security features, thereby reducing potential financial liabilities. Additionally, its automated user provisioning and de-provisioning significantly cut down on the administrative hours required to manually manage user lifecycles, resulting in substantial cost savings in labor and preventing over-provisioning of licenses.</p>
<h3>User Satisfaction</h3>
<p>With its intuitive user interface, OneLogin makes navigation a breeze for all users, regardless of their tech-savvy level. Its SSO capability leads to fewer login-related issues (such as password lockouts or forgotten passwords), dramatically reducing frustration and support requests from users. This smooth experience boosts overall satisfaction among students, staff and faculty.</p>
<h3>Future-Proofing</h3>
<p>OneLogin stays ahead of the curve by consistently integrating newer, advanced technologies and standards in identity management. Its scalable infrastructure means it can handle an increasing number of users and services, growing with the institution. Regular updates and a commitment to innovation ensure that educational institutions are always at the <a href="https://www.oneidentity.com/solutions/iam-for-higher-education/">forefront of IAM technology</a>, prepared for both current and emerging digital challenges.</p>
<h2><strong>Conclusion</strong></h2>
<p>In this narrative, &#8216;degeneracy&#8217; undergoes a transformative renaissance, casting off its conventional associations to embody a higher calling: to streamline, to elucidate and to fortify. OneLogin emerges as the stalwart advocate in this journey, transmuting the intricate mazes of IAM in education into navigable routes of simplicity and fortification. Educational institutions, previously encumbered by various challenges, now stand resilient as bastions of learning and innovation, their futures securely inscribed in the continuum of educational advancement.</p>
<h2><strong>Call to Action</strong></h2>
<p>Ready to integrate the robust capabilities of OneLogin into your K-12 institution&#8217;s strategic approach to IAM? We invite you to connect with us for a bespoke consultation, commencing a collaborative journey toward comprehensive digital empowerment. With OneLogin, your school is elevated beyond a traditional learning environment. It becomes a vanguard of progress, a torchbearer of enlightenment amidst the ever-evolving digital era.</p>
<p>The post <a href="https://www.onelogin.com/blog/simplifying-identity-and-access-management-iam-in-k-12-education">Simplifying Identity and Access Management (IAM) in K-12 Education</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>From friction to freedom: Automating Passwordless Authentication</title>
		<link>https://www.onelogin.com/blog/from-friction-to-freedom-automating-passwordless-authentication</link>
		
		<dc:creator><![CDATA[Marc Maguire]]></dc:creator>
		<pubDate>Tue, 05 Sep 2023 14:01:48 +0000</pubDate>
				<category><![CDATA[OneLogin]]></category>
		<guid isPermaLink="false">https://www.onelogin.com/blog/?p=1390</guid>

					<description><![CDATA[<p>Welcome to the second part of our blog series on the state of passwordless authentication. In the first blog, we focused on the new kid on the block, passkeys, and how this emerging technology will likely have a significant impact to the advancement of the identity and access management industry’s desire to finally eliminate passwords [&#8230;]</p>
<p>The post <a href="https://www.onelogin.com/blog/from-friction-to-freedom-automating-passwordless-authentication">From friction to freedom: Automating Passwordless Authentication</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1391" src="https://www.onelogin.com/blog/wp-content/uploads/2023/09/BlogImage-Passwordless-Authentication-81707-v2.jpg.optimal.jpg" alt="From friction to freedom: Automating Passwordless Authentication" width="1100" height="500" srcset="https://www.onelogin.com/blog/wp-content/uploads/2023/09/BlogImage-Passwordless-Authentication-81707-v2.jpg.optimal.jpg 1100w, https://www.onelogin.com/blog/wp-content/uploads/2023/09/BlogImage-Passwordless-Authentication-81707-v2-300x136.jpg.optimal.jpg 300w, https://www.onelogin.com/blog/wp-content/uploads/2023/09/BlogImage-Passwordless-Authentication-81707-v2-1024x465.jpg.optimal.jpg 1024w, https://www.onelogin.com/blog/wp-content/uploads/2023/09/BlogImage-Passwordless-Authentication-81707-v2-768x349.jpg.optimal.jpg 768w" sizes="(max-width: 1100px) 100vw, 1100px" /></p>
<p>Welcome to the second part of our blog series on the state of passwordless authentication. In the <a href="https://www.onelogin.com/blog/say-goodbye-to-passwords-the-rise-of-passkeys">first blog</a>, we focused on the new kid on the block, <a href="https://www.oneidentity.com/learn/what-is-passkey-authentication.aspx" target="_blank" rel="noopener">passkeys</a>, and how this emerging technology will likely have a significant impact on the advancement of the identity and access management industry’s desire to finally eliminate passwords for good.</p>
<p>In this blog, we are going to look at alternative options which can be used if passkeys are never going to be an option for your organization or if you need to implement a passwordless solution for the short/medium term. This may be the case if you’re waiting on the passkey technology to mature a little more, or if you’re going through various digital transformation projects within your organization which will then open the door to modern technologies such as passkeys.</p>
<p><strong>Getting a better understanding of passwordless</strong></p>
<p>When we talk about passwordless solutions, we are essentially talking about using authentication factors which were traditionally associated with providing a <a href="https://www.onelogin.com/learn/what-is-mfa">multi-factor authentication (MFA)</a> solution. That is, of course, usually supplementing the username and password authentication factor with additional authentication challenges such as a time-based one-time password (TOTP), a mobile app push notification, a physical security key, etc.</p>
<p>OneLogin supports a wide range of authentication factors that can be used for MFA use cases. These factors can be used in a traditional flow (e.g., after a username and password combination) or in a brute force protection flow (e.g., first an MFA factor followed by username and password combination). The good news is that the OneLogin platform also allows you to use any of the available MFA authentication factors for your organization’s passwordless solution.</p>
<p><strong>Defining user security policies in a passwordless solution</strong></p>
<p>Controlling your end user’s authentication experience with OneLogin is simply a case of defining a user’s security policy which is configured to meet your requirements and then allocating this policy to your users. There is always a one-to-one relationship between a user and a statically assigned user security policy. This makes it very easy to identify not only the current experience each user will be presented with, but also to change that experience by just assigning them an alternative policy.</p>
<p>The allocation of a user security policy to a user can be fully automated using the OneLogin mappings capability. Mappings will typically be used to allocate a OneLogin group to a user (based on rules defined in the mappings rule base) and this group will have a user security policy attached to it. You can configure this in the Admin Console, or you can also apply your mapping rules programmatically (pro tip &#8211; <a href="https://registry.terraform.io/providers/onelogin/onelogin/0.2.0/docs" target="_blank" rel="noopener">Try the OneLogin Terraform provider</a>!) via the OneLogin mappings API.</p>
<p>One of the most significant configuration items in the user security policy is the sign-in flow, which offers three modes of operation. One of those modes is the passwordless sign-in flow. When this is enabled on a policy it simply means the end user will never again see the dreaded “Username and Password” dialog box we all love to hate. One little tick of a box and no password prompts ever again! Absolute bliss!</p>
<p>So, before we go rushing off to tick this box we need to think about a couple of things. The first thing we need to decide is what we are replacing the dreaded password with. As mentioned above, we have a wide range of authentication factors available on the OneLogin platform that can be selected to meet your specific needs. We will dive into some of these available options a little later in this blog. The next thing to consider is how and when we will allocate these new user security policies providing the bliss to your users. The main pre-requisite here is making sure that all your users have already registered the required authentication factors you want to use in your solution, because you cannot allow registration of the required authentication factor within a passwordless user policy that relies on that very factor… well, that just wouldn’t be too secure now, would it?</p>
<p>You can also fully pre-register certain authentication factors on behalf of your users if you have trusted information you know to be correct such as a verified email address or verified mobile phone number if you want to use the email or SMS authentication factors in your passwordless solution. By pre-registering these authentication factors on behalf of the user, this means they will have an authentication factor configured against their account (and without any end-user involvement) which is all ready to go and the door to start using those blissful user security policies is opened wide. Alternatively, you need to allocate user security policies with the traditional, username and password followed by MFA, sign in flow to your users for a period of time to allow secure registration of the relevant authentication factors you would like to use in your passwordless solution.</p>
<p><strong>Migrating to passwordless for increased protection and a better user experience</strong></p>
<p>Now, you have reached the stage where you know which authentication factors you want to use in your passwordless solution, and all your users have registered such factors to their accounts, but how can you migrate to the new passwordless user experience to make the bliss a reality? Well, there are two options which you can take depending on your appetite for automation.</p>
<p>The first option is the “Admin-driven” approach whereby your OneLogin Admin team will need to initiate the process of switching user security policies assigned to users when it is fully confirmed that they have the required authentication factors registered against their account. This process can be semi-automated using the mappings capability mentioned earlier in this blog, but ultimately a OneLogin Administrator needs to trigger the re-assignment of the statically assigned user security policy when it is validated that a particular user is “ready to go” for the move to passwordless life.</p>
<p>The second option is to allow the OneLogin extensibility capability known as Smart Hooks to do the challenging work for you. With this approach, you can use the Pre-Authentication Smart Hook capability to dynamically apply an alternate user security policy to a user based on elements of the “context” of the incoming authentication request to the OneLogin Platform. The key to this approach is leveraging the “MFA Devices” context which is made available to the Smart Hooks service each time an authentication request starts. This context provides the Smart Hooks service with a list of registered authentication factors for the specific user starting the authentication flow, so that this information can be evaluated in the conditional logic you include in your Pre-Authentication Smart Hook JavaScript function.</p>
<p>So, you can use this approach as your own customized “passwordless policy allocation engine” whereby your conditional logic will determine which passwordless policy is allocated to a particular user based on a wide variety of factors. You can also keep this logic extremely simple for simple requirements or as complex as you need and even store the whole Smart Hook configuration as code in your version control system and deploy it using DevOps approaches each time you need to make a change to the logic, if that is your preferred mode of operation. We have recently released a new public <a href="https://github.com/1id-presales/Automation-OneLogin-SH" target="_blank" rel="noopener">GitHub repository</a> containing various automation solutions and within it you can find samples of Smart Hook configurations which you can use as starting points for your own implementation. You can learn more about the OneLogin Pre-Authentication Smart Hook <a href="https://developers.onelogin.com/api-docs/2/smart-hooks/types/pre-authentication">here</a>.</p>
<p>Watch this video to see how the OneLogin Smart Hooks capability can control the passwordless authentication user experience based on authentication factors registered to a user.</p>
<div style="width: 1200px;" class="wp-video"><video class="wp-video-shortcode" id="video-1390-2" width="1200" height="673" preload="metadata" controls="controls"><source type="video/mp4" src="https://www.onelogin.com/blog/wp-content/uploads/2023/09/81707-screenshare-recording-2880-x-1616.mp4?_=2" /><a href="https://www.onelogin.com/blog/wp-content/uploads/2023/09/81707-screenshare-recording-2880-x-1616.mp4">https://www.onelogin.com/blog/wp-content/uploads/2023/09/81707-screenshare-recording-2880-x-1616.mp4</a></video></div>
<p><strong>Taking an advanced authentication approach: Combining passwordless and adaptive authentication</strong></p>
<p>Now that you have fully implemented the migration to your passwordless solution for all your users, what else can you do to improve your security posture against those persistent threat actors that may still try to attack your users even when the weakest link of the password has been removed from the equation? Well, you can supplement your solution with other security controls from the OneLogin Platform of course!</p>
<p>There are two main additional controls you can layer on top of your passwordless solution to move towards <a href="https://www.onelogin.com/blog/advanced-authentication-the-way-forward/">advanced authentication</a>. These controls may be used independently or together – it depends on what works best for the needs of your organization. The first additional control you can apply is layering OneLogin’s <a href="https://www.onelogin.com/learn/what-why-adaptive-authentication">adaptive authentication</a> solution, <a href="https://www.onelogin.com/product/smartfactor-authentication">SmartFactor Authentication</a>. It uses machine learning to analyze a broad range of inputs, such as location, device, and user behavior, to calculate a risk score and determine the most appropriate authentication flow and security action to take for each login attempt. Depending on the detected level of risk, SmartFactor Authentication adjusts the authentication factors needed to log in. For example, it can dynamically switch the user (Smart Hooks is the master here!) into a different passwordless-based user security policy (which may require a less convenient/higher friction authentication factor) based on a calculated elevated risk level.</p>
<p>The second additional control you can layer on top of your passwordless solution is the OneLogin App Security policy capability. By using this capability with your passwordless solution, you can mandate that an additional <a href="https://www.onelogin.com/learn/passwordless-authentication">passwordless authentication</a> factor (different from the one required by the user security policy level) is required to access either specific applications integrated into your OneLogin environment or all applications. By using this approach, you can “chain together” two completely separate authentication factors into your combined passwordless solution where security requirements may be significantly high. You can also join the adaptive authentication and OneLogin App Security policy approaches together to only block access to specific high value applications if the risk level exceeds your risk threshold.</p>
<p><strong>Pros and cons of native OneLogin passwordless authentication factors</strong></p>
<p>We will now look at the pros and cons of some of the authentication factors available when using OneLogin and adopting passwordless.</p>
<p><strong>OneLogin Protect</strong></p>
<p><strong>Details: </strong>OneLogin Protect is our free mobile solution that allows users to submit their <a href="https://www.onelogin.com/learn/otp-totp-hotp">one-time password (OTP)</a> by pressing a button. Available on iPhone and Android.</p>
<p><strong>Pros: </strong>Convenient tap and approve mobile app experience for users. Can enforce additional controls around mobile device security posture (e.g., require screen lock and/or biometrics, block jailbroken devices).</p>
<p><strong>Cons:</strong> Access to a mobile phone is required. Organization policy may require that a corporate-managed mobile device is provided to all staff. The organization may face resistance from users asked to install a “work app” on a personal phone. It can be bypassed by advanced attacks such as man-in-the-middle (MITM) attacks or become the target of push notification storm attacks.</p>
<p><strong>Summary: </strong>OneLogin Protect is a great candidate for a passwordless authentication factor for your workforce solution where your users have access to a smartphone at all times. You may wish to layer additional authentication factors on top of it, using the OneLogin App Policy capability for particularly sensitive environments or specific applications. It is not a good fit for CIAM solutions as customers are unlikely to want to install yet another mobile application on their phone.</p>
<p><strong>OneLogin SMS</strong></p>
<p><strong>Details: </strong>A one-time password (OTP) is sent to the mobile phone number associated with a user over SMS.</p>
<p><strong>Pros: </strong>It is a convenient solution for users that can access a mobile phone with cell network connectivity at all times.</p>
<p><strong>Cons:</strong> Requires copying or typing a 6-digit code (note: this is less inconvenient if the user is already using their mobile device to access the service). Can be bypassed by advanced attacks such as SIM swapping, carries a cost per authentication and requires an SMS gateway provider.</p>
<p><strong>Summary: </strong>OneLogin SMS is a good authentication factor for CIAM passwordless use cases, but does mean additional cost for the <a href="https://www.onelogin.com/learn/what-is-customer-identity-access-management">CIAM solution</a>. For workforce identity, this authentication factor could be a good fit for limited use cases until a stronger authentication factor is available for the user. For example, a new user signs in for the first time via SMS. Then, the user is forced to register a stronger authentication factor which would be used for all subsequent authentication requests.</p>
<p><strong>OneLogin Email</strong></p>
<p><strong>Details: </strong>OneLogin sends an automated email to the user’s email address to authenticate the user.</p>
<p><strong>Pros: </strong>Convenient solution for users that can access a non-corporate email account at all times. The Magic Link option provides a better user experience compared to the OTP copy/type process.</p>
<p><strong>Cons:</strong> Assumes the registered email account of the user has not been compromised which may not be the case.</p>
<p><strong>Summary: </strong>This is a good authentication factor for CIAM passwordless use cases where security requirements are not particularly high, especially with the Magic Link approach. Similar to OneLogin SMS, this authentication factor could be a good fit for very limited use cases until a stronger authentication factor is available for the user.</p>
<p><strong>Additional passwordless authentication factors </strong></p>
<p>OneLogin also offers several authentication factors leveraging external partner solutions which can be used in your passwordless solution. These include factors like legacy YubiKeys, Google &amp; Microsoft Authenticator apps, Duo Security and the ability for OneLogin to act as a RADIUS client to an external RADIUS server solution. While some of these solutions may fit niche use cases in your passwordless solution, we recommend that any organization in the process of designing a new passwordless strategy should prioritize the native OneLogin provided authentication factors mentioned above (along with Passkeys as mentioned in our first blog, of course!).</p>
<p>Organizations should also factor into passwordless design considerations the newest authentication factor made available on the OneLogin platform – the <a href="https://onelogin.service-now.com/support?id=kb_article&amp;sys_id=9086c3469773ed10c90c3b0e6253af02">BYOD MFA/Trusted IDP</a> as a factor capability.</p>
<p>The post <a href="https://www.onelogin.com/blog/from-friction-to-freedom-automating-passwordless-authentication">From friction to freedom: Automating Passwordless Authentication</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></content:encoded>
					
		
		<enclosure url="https://www.onelogin.com/blog/wp-content/uploads/2023/09/81707-screenshare-recording-2880-x-1616.mp4" length="30496781" type="video/mp4" />

			</item>
		<item>
		<title>Balancing ease of use and security with Advanced Authentication</title>
		<link>https://www.onelogin.com/blog/balancing-ease-of-use-and-security-with-advanced-authentication</link>
		
		<dc:creator><![CDATA[Max Shofron]]></dc:creator>
		<pubDate>Fri, 01 Sep 2023 13:41:52 +0000</pubDate>
				<category><![CDATA[OneLogin]]></category>
		<guid isPermaLink="false">https://www.onelogin.com/blog/?p=1382</guid>

					<description><![CDATA[<p>As part of our blog series on Advanced Authentication, we have discussed what it is and how it can help organizations, provided best practices in deploying this authentication approach and highlighted the benefits of FIDO2 and WebAuthn within this context. In this blog, we will explore how organizations can deliver frictionless user experiences while delivering [&#8230;]</p>
<p>The post <a href="https://www.onelogin.com/blog/balancing-ease-of-use-and-security-with-advanced-authentication">Balancing ease of use and security with Advanced Authentication</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1377" src="https://www.onelogin.com/blog/wp-content/uploads/2023/08/BlogImage-78807.jpg.optimal.jpg" alt="Balancing ease of use and security with Advanced Authentication" width="1100" height="500" srcset="https://www.onelogin.com/blog/wp-content/uploads/2023/08/BlogImage-78807.jpg.optimal.jpg 1100w, https://www.onelogin.com/blog/wp-content/uploads/2023/08/BlogImage-78807-300x136.jpg.optimal.jpg 300w, https://www.onelogin.com/blog/wp-content/uploads/2023/08/BlogImage-78807-1024x465.jpg.optimal.jpg 1024w, https://www.onelogin.com/blog/wp-content/uploads/2023/08/BlogImage-78807-768x349.jpg.optimal.jpg 768w" sizes="(max-width: 1100px) 100vw, 1100px" /></p>
<p>As part of our blog series on Advanced Authentication, we have discussed <a href="https://www.onelogin.com/blog/advanced-authentication-the-way-forward">what it is and how it can help organizations</a>, provided <a href="https://www.onelogin.com/blog/best-practices-when-deploying-advanced-authentication">best practices</a> in deploying this authentication approach and highlighted the <a href="https://www.onelogin.com/blog/modernizing-cybersecurity-fido2-and-webauthn-as-dynamic-digital-locksmiths">benefits of FIDO2 and WebAuthn</a> within this context. In this blog, we will explore how organizations can deliver frictionless user experiences while delivering a strong level of advanced authentication protection.</p>
<p>In today’s digital landscape, finding the right balance between a frictionless user experience and strong security is crucial for organizations. Users expect seamless access to applications, while businesses must keep their valuable assets safe from cyber threats. From convoluted login processes to forgotten passwords, even minor obstacles can lead to frustration and decreased efficiency. Beyond immediate frustration, a consistently poor user experience can have far-reaching consequences. It can lead to disengagement, decreased user adoption, and potential customer attrition. The delivery of frictionless user experiences is essential to enhancing productivity and satisfaction. At the same time, companies should never compromise security to do so. So, how do organizations strike the proper balance?</p>
<p>Organizations can strengthen their security posture by adopting an access management approach that utilizes strong factors combined with risk-based, <a href="https://www.onelogin.com/learn/what-why-adaptive-authentication">adaptive authentication</a>. The access management mechanisms and authentication factors used as part of the authentication process must take users on a frictionless journey from authentication to access, ensuring that employees remain productive, and that customers have easy access to resources to help drive customer retention and business growth.</p>
<h2><strong>Streamline user authentication &amp; application access with Single Sign-On (SSO)</strong></h2>
<p><a href="https://www.onelogin.com/learn/why-sso-important">Single Sign-On (SSO)</a> redefines the user experience by connecting users to multiple applications with a single set of credentials. That means no more juggling numerous passwords or enduring repeated logins. This streamlined access not only boosts productivity but also enhances overall satisfaction. Beyond the convenience it offers, SSO significantly strengthens security, reduces the <a href="https://www.oneidentity.com/learn/what-is-attack-surface-expansion.aspx">attack surface</a> and mitigates the risk of password-related vulnerabilities by providing centralized user authentication. This duality of providing a seamless experience while fortifying security highlights how <a href="https://www.onelogin.com/learn/how-single-sign-on-works">SSO</a> exemplifies the delicate balance between user-centric design and enhanced protection.</p>
<p>The video below showcases how OneLogin SSO offers organizations a comprehensive solution that improves both user engagement and satisfaction as well as data protection.</p>
<div style="width: 1200px;" class="wp-video"><video class="wp-video-shortcode" id="video-1382-3" width="1200" height="675" preload="metadata" controls="controls"><source type="video/mp4" src="https://www.onelogin.com/blog/wp-content/uploads/2023/08/2_PasswordReset_1080p.mp4?_=3" /><a href="https://www.onelogin.com/blog/wp-content/uploads/2023/08/2_PasswordReset_1080p.mp4">https://www.onelogin.com/blog/wp-content/uploads/2023/08/2_PasswordReset_1080p.mp4</a></video></div>
<h2><strong>Empower users with self-service password management </strong></h2>
<p>Conventional approaches to password management frequently lead to frustration and hamper productivity. When users encounter forgotten passwords, they find themselves caught in a laborious loop of contacting IT support for password resets. This process disrupts their workflow and places avoidable pressure on IT teams.</p>
<p>An access management solution that provides self-service password reset capabilities empowers employees, partners and customers alike to independently reset forgotten passwords without requiring IT assistance. Through a user-friendly interface, users can swiftly regain access to their accounts, ensuring a seamless and efficient experience while maintaining robust security measures. Organizations seeking a stronger authentication access management approach should incorporate passwordless authentication (e.g. <a href="https://www.oneidentity.com/learn/what-is-passkey-authentication.aspx">passkeys</a>, biometrics, etc.) into their authentication flows, fortifying security and eliminating the need for password resets.</p>
<p>Watch this video to learn how a user can easily reset his password using OneLogin.</p>
<div style="width: 1200px;" class="wp-video"><video class="wp-video-shortcode" id="video-1382-4" width="1200" height="675" preload="metadata" controls="controls"><source type="video/mp4" src="https://www.onelogin.com/blog/wp-content/uploads/2023/08/2_PasswordReset_1080p.mp4?_=4" /><a href="https://www.onelogin.com/blog/wp-content/uploads/2023/08/2_PasswordReset_1080p.mp4">https://www.onelogin.com/blog/wp-content/uploads/2023/08/2_PasswordReset_1080p.mp4</a></video></div>
<h2><strong>Strengthen protection and increase ease of use with passwordless authentication </strong></h2>
<p><a href="https://www.onelogin.com/learn/passwordless-authentication">Passwordless authentication</a> introduces a transformative leap forward in user identity verification. This authentication approach modernizes security while enhancing user experiences by eliminating the need for traditional passwords. Instead of relying on easily compromised passwords, passwordless authentication leverages advanced methods such as <a href="https://www.onelogin.com/learn/biometric-authentication">biometrics</a>, push notifications, or security keys. These modern techniques create a unique and nearly impenetrable layer of defense, ensuring that only authorized users gain access to resources.</p>
<p>Beyond heightened security, passwordless authentication dramatically simplifies the user journey. No more fretting over forgotten passwords or struggling with complex username and password combinations. Instead, users can seamlessly authenticate themselves through methods they are already familiar with, such as using their fingerprints, facial recognition, or a quick tap on their smartphones. This streamlined experience reduces friction and bolsters user confidence, ultimately fostering a more positive relationship with the authentication process. By balancing robust security and user-centric design, passwordless authentication paves the way for a future where access is both effortless and secure. </p>
<p>Let’s take a look at how OneLogin delivers passwordless authentication for organizations.</p>
<div style="width: 1200px;" class="wp-video"><video class="wp-video-shortcode" id="video-1382-5" width="1200" height="675" preload="metadata" controls="controls"><source type="video/mp4" src="https://www.onelogin.com/blog/wp-content/uploads/2023/08/3_Passwordless_1080p.mp4?_=5" /><a href="https://www.onelogin.com/blog/wp-content/uploads/2023/08/3_Passwordless_1080p.mp4">https://www.onelogin.com/blog/wp-content/uploads/2023/08/3_Passwordless_1080p.mp4</a></video></div>
<h2><strong>Elevate security with Adaptive Multi-Factor Authentication (MFA) </strong></h2>
<p>Adaptive multi-factor authentication (MFA) provides a cutting-edge approach to user verification that goes beyond traditional methods. It leverages contextual and adaptive factors to ensure enhanced security without compromising user convenience. By analyzing a range of dynamic elements such as device, location, time and behavior patterns, adaptive MFA tailors the authentication process to the unique context and risk-level of each login attempt. </p>
<p>Through this process, adaptive MFA dynamically adjusts security requirements. For instance, an organization using <a href="https://www.onelogin.com/product/smartfactor-authentication">OneLogin SmartFactor Authentication</a> can allow streamlined access if a user is accessing an application from their usual location and device during their typical work hours. However, if an unusual geo-location or device is detected, OneLogin can prompt the user for additional authentication steps which may include stronger authentication factors. This approach to adaptive MFA bolsters security against potential threats and creates a seamless experience for users. </p>
<p>This video demonstrates how OneLogin&#8217;s SmartFactor Authentication provides the best of both worlds – comprehensive protection and a seamless user experience. </p>
<div style="width: 1200px;" class="wp-video"><video class="wp-video-shortcode" id="video-1382-6" width="1200" height="675" preload="metadata" controls="controls"><source type="video/mp4" src="https://www.onelogin.com/blog/wp-content/uploads/2023/08/4_AdaptiveMFA_720p.mp4?_=6" /><a href="https://www.onelogin.com/blog/wp-content/uploads/2023/08/4_AdaptiveMFA_720p.mp4">https://www.onelogin.com/blog/wp-content/uploads/2023/08/4_AdaptiveMFA_720p.mp4</a></video></div>
<h2><strong>Adopt advanced threat detection practices using OneLogin SmartFactor Authentication </strong></h2>
<p>OneLogin SmartFactor Authentication can perform advanced threat detection by scrutinizing various factors, including geo-velocity and suspicious browser usage, to calculate and adjust a user&#8217;s risk score. Geo-velocity refers to the speed at which a user&#8217;s location changes, which can indicate suspicious or unauthorized activity. If a user&#8217;s login attempt occurs from a geographically distant location in an unusually short period of time, their risk score increases.</p>
<p>Similarly, using suspicious browsers that are often associated with anonymizing web traffic, such as Tor browsers, could suggest potential malicious intent. These events impact a user&#8217;s risk score by contributing to a more comprehensive assessment of their login attempt. Each factor, like geo-velocity and Tor browser usage, carries a certain weight in the risk calculation. When such events occur, they elevate the calculated risk score, signaling a potential threat and triggering a stronger authentication flow.</p>
<p>Depending on the security policy in place, this increased risk score can prompt the user to perform <a href="https://www.onelogin.com/learn/what-is-mfa">Multi-factor authentication (MFA)</a> or even deny the user access altogether. OneLogin SmartFactor Authentication effectively adapts its response to the evolving risk landscape, proactively safeguarding sensitive data and resources. </p>
<p>View this video to learn how harnessing these sophisticated detection mechanisms can help your organization remain vigilant of emerging threats and ensure robust and dynamic protection. </p>
<div style="width: 1200px;" class="wp-video"><video class="wp-video-shortcode" id="video-1382-7" width="1200" height="675" preload="metadata" controls="controls"><source type="video/mp4" src="https://www.onelogin.com/blog/wp-content/uploads/2023/08/5_GeoVelocity_TorBrowser_720p.mp4?_=7" /><a href="https://www.onelogin.com/blog/wp-content/uploads/2023/08/5_GeoVelocity_TorBrowser_720p.mp4">https://www.onelogin.com/blog/wp-content/uploads/2023/08/5_GeoVelocity_TorBrowser_720p.mp4</a></video></div>
<h2><strong>Automate identity lifecycle management</strong></h2>
<p><a href="https://www.onelogin.com/product/identity-lifecycle-management">OneLogin Identity Lifecycle Management</a> streamlines the entire user journey from onboarding to offboarding. It simplifies access by seamlessly provisioning new users, ensuring they have the correct permissions. As users change roles within an organization, the system adjusts their access and permissions effortlessly. When the time comes to depart, OneLogin Identity Lifecycle Management ensures a secure offboarding process, revoking access promptly. This holistic approach enhances user convenience and fortifies security by maintaining precise control over user access throughout their lifecycle.</p>
<p>View this video to find out how OneLogin Identity Lifecycle Management manages employee onboarding, provides seamless access and swiftly removes employee access rights when the employee leaves the organization.</p>
<div style="width: 1200px;" class="wp-video"><video class="wp-video-shortcode" id="video-1382-8" width="1200" height="675" preload="metadata" controls="controls"><source type="video/mp4" src="https://www.onelogin.com/blog/wp-content/uploads/2023/08/6_IdentityLCM.mp4?_=8" /><a href="https://www.onelogin.com/blog/wp-content/uploads/2023/08/6_IdentityLCM.mp4">https://www.onelogin.com/blog/wp-content/uploads/2023/08/6_IdentityLCM.mp4</a></video></div>
<p>Now, more than ever, the delicate balance between a seamless user experience and robust security is of utmost importance for organizations looking to adopt advanced authentication protection. The expectation of unhindered access to applications is met with the necessity of safeguarding invaluable business assets from cyber threats. Striving for a frictionless user experience is pivotal in boosting productivity and satisfaction. However, it&#8217;s crucial to underscore that companies don&#8217;t need to compromise security to achieve this goal.</p>
<p>In this blog, we&#8217;ve delved into strategies that synchronize these seemingly opposing forces. From SSO, <a href="https://www.onelogin.com/learn/passwordless-authentication">passwordless authentication</a> and adaptive MFA to streamlined <a href="https://www.onelogin.com/learn/what-is-ilm">identity lifecycle management</a>, each facet represents a step forward in achieving synergy between enhanced user engagement and comprehensive data protection. The OneLogin Advanced Authentication suite of products provides the much-needed balance between ease of use and protection that empowers users while fortifying defenses. Embrace these solutions and embark on a journey where the user experience is frictionless and your business assets are well protected.</p>
<p>To learn more about OneLogin Advanced Authentication and how it can benefit your organization, visit <a href="http://www.oneidentity.com/solutions/advanced-authentication">www.oneidentity.com/solutions/advanced-authentication</a>.</p>
<p>The post <a href="https://www.onelogin.com/blog/balancing-ease-of-use-and-security-with-advanced-authentication">Balancing ease of use and security with Advanced Authentication</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></content:encoded>
					
		
		<enclosure url="https://www.onelogin.com/blog/wp-content/uploads/2023/08/2_PasswordReset_1080p.mp4" length="95400458" type="video/mp4" />
<enclosure url="https://www.onelogin.com/blog/wp-content/uploads/2023/08/3_Passwordless_1080p.mp4" length="36536458" type="video/mp4" />
<enclosure url="https://www.onelogin.com/blog/wp-content/uploads/2023/08/4_AdaptiveMFA_720p.mp4" length="51484752" type="video/mp4" />
<enclosure url="https://www.onelogin.com/blog/wp-content/uploads/2023/08/5_GeoVelocity_TorBrowser_720p.mp4" length="68784254" type="video/mp4" />
<enclosure url="https://www.onelogin.com/blog/wp-content/uploads/2023/08/6_IdentityLCM.mp4" length="16750306" type="video/mp4" />

			</item>
		<item>
		<title>Modernizing cybersecurity: FIDO2 and WebAuthn as dynamic digital locksmiths</title>
		<link>https://www.onelogin.com/blog/modernizing-cybersecurity-fido2-and-webauthn-as-dynamic-digital-locksmiths</link>
		
		<dc:creator><![CDATA[Ethan Peterson]]></dc:creator>
		<pubDate>Mon, 21 Aug 2023 21:29:05 +0000</pubDate>
				<category><![CDATA[OneLogin]]></category>
		<category><![CDATA[Advanced Authentication]]></category>
		<category><![CDATA[FIDO2]]></category>
		<category><![CDATA[Passkeys]]></category>
		<category><![CDATA[Passwordless]]></category>
		<category><![CDATA[WebAuthn]]></category>
		<guid isPermaLink="false">https://www.onelogin.com/blog/?p=1366</guid>

					<description><![CDATA[<p>The quest for impenetrable locks Ever since the invention of the first lock, humans have strived to expose and exploit the vulnerabilities of these safety devices. In 1777, Joseph Bramah, the father of modern pneumatic systems, posted a sign on the window of his London storefront with a unique challenge. The challenge was simple: come [&#8230;]</p>
<p>The post <a href="https://www.onelogin.com/blog/modernizing-cybersecurity-fido2-and-webauthn-as-dynamic-digital-locksmiths">Modernizing cybersecurity: FIDO2 and WebAuthn as dynamic digital locksmiths</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1367" src="https://www.onelogin.com/blog/wp-content/uploads/2023/08/BlogImage-78806.jpg.optimal.jpg" alt="Modernizing cybersecurity" width="1100" height="500" srcset="https://www.onelogin.com/blog/wp-content/uploads/2023/08/BlogImage-78806.jpg.optimal.jpg 1100w, https://www.onelogin.com/blog/wp-content/uploads/2023/08/BlogImage-78806-300x136.jpg.optimal.jpg 300w, https://www.onelogin.com/blog/wp-content/uploads/2023/08/BlogImage-78806-1024x465.jpg.optimal.jpg 1024w, https://www.onelogin.com/blog/wp-content/uploads/2023/08/BlogImage-78806-768x349.jpg.optimal.jpg 768w" sizes="(max-width: 1100px) 100vw, 1100px" /></p>
<p><strong>The quest for impenetrable locks</strong></p>
<p>Ever since the invention of the first lock, humans have strived to expose and exploit the vulnerabilities of these safety devices. In 1777, Joseph Bramah, the father of modern pneumatic systems, posted a sign on the window of his London storefront with a unique challenge. The challenge was simple: come inside and open a lock. He would reward you with the modern-day equivalent of $30,000 if you could do it. Bramah even published and distributed a pamphlet explaining the workings of his lock design, such was his confidence in its impregnability.</p>
<p>Bramah&#8217;s lock was designed with precision levers, arranged so that lifting them to the correct height would meet a shear line, permitting the key to turn and unlocking the padlock&#8217;s shackle. The substantial reward offered was a magnet for the gifted, but during Bramah&#8217;s lifetime, no one managed to pick the lock. Therefore, anyone who safeguarded their property with a Bramah lock was practically guaranteed safety. This perfect lock proved very profitable, and Bramah&#8217;s sons, who inherited the business, also benefited from their father&#8217;s ingenious invention.</p>
<p>Bramah&#8217;s unparalleled innovation and the ensuing challenge didn&#8217;t just pique the interest of hopeful lock-pickers but also other inventors and locksmiths of the era. Among them was Jeremiah Chubb, a man inspired by Bramah&#8217;s creation. Seizing the opportunity to advance the design further, Chubb introduced a notable modification. His version could detect unauthorized tampering attempts, signaling when someone had tried to pick the lock. Christened the &#8220;Detector Lock,&#8221; Chubb&#8217;s ingenious tweak was a testament to the fluid nature of innovation. While Bramah had laid a robust foundation for the modern lock, it was clear that the quest for the ultimate security device would always drive artisans to refine and reimagine existing designs. The success of both these locks underscored an era of unparalleled security advancements, setting the stage for future innovations in the realm of protective mechanisms. </p>
<p><strong>From unbreakable to unlocked: The 52-hour feat </strong></p>
<p>A.C. Hobbs, an American locksmith with a burgeoning reputation, confidently approached Bramah&#8217;s sons. Known in the U.S. for his unique skillset—cracking safes and subsequently selling banks his improved designs—Hobbs had recently made waves in England. At a world convention, he astoundingly defeated the Chubb security lock in just 25 minutes, a feat that stunned the locksmith community. Bolstered by this triumph, he challenged the Bramah legacy, claiming he could breach their renowned lock. Intrigued, Bramah&#8217;s sons granted him a space above their store, setting a 30-day limit. If Hobbs failed within this timeframe, he&#8217;d have to concede defeat. A mere 52 hours in, he emerged victorious with the open lock in his hand.</p>
<p>One can only imagine the dread of those who had purchased a lock of this design. For over 70 years, they had basked in the promise of absolute security—a locked door equated to a secure door. Although 52 hours might seem like a long time, the days of absolute physical security were unquestionably over. </p>
<p><strong>The digital door: Cybersecurity in the modern era</strong> </p>
<p>Consider the deadbolt on your front door. You might be surprised to learn that its principles are essentially the same as those of the lock A.C. Hobbs picked in 1851. Spend enough time on the internet, and you&#8217;ll likely encounter videos of several amateur locksmiths skillfully defeating your exact model in less than a minute. </p>
<p>This poses a critical question: Are you secure because the locks on your doors are effective, or are you safe merely because those around you are unaware of their failings or too lazy to rob you? It&#8217;s a pertinent question and extends to other aspects of our lives, notably cybersecurity. </p>
<p>We&#8217;ve transitioned from a world of physical doors and locks to one of digital portals and GUIs. Personally, I&#8217;d rather have someone break into my house and steal a few possessions than hack into my bank account, open credit cards in my name or use my identity for illicit activities on the dark web. The security measures we can manage ourselves &#8211; usernames and passwords &#8211; are precarious for various reasons. With ever-increasing, affordable computing power accessible to all, most people&#8217;s password-protected accounts would be defenseless against brute-force attacks. The solution? Multi-factor authentication. You&#8217;ve heard the spiel: something you know, something you have and something you are. </p>
<p><strong>Modern threats: When MFA is not enough </strong></p>
<p>While <a href="https://www.onelogin.com/learn/what-is-mfa">Multi-factor Authentication (MFA)</a> stands as a barrier in today&#8217;s digital defense strategy, evolving cyber threats prove that no system is invincible. Notably, phishing techniques—where attackers masquerade as trusted entities to deceive individuals into revealing sensitive information—have grown more sophisticated. </p>
<p>Central to this evolution is the Man-In-The-Middle (MITM) attack. In this method, attackers secretly intercept and relay communications between two parties. When a victim believes they are inputting their credentials or MFA code into a trusted site, the attacker captures this data in real time, allowing them to bypass even the most robust authentication processes. The fact that these credentials are being intercepted during a legitimate session makes it a particularly insidious threat. </p>
<p>Recent developments in phishing show attackers prompting users to enter their MFA codes under the guise of &#8220;security checks&#8221; or &#8220;account verifications.&#8221; Unwary users, thinking they are fortifying their security, are unwittingly handing over the very codes meant to protect them. </p>
<p>In some advanced MITM attacks, hackers seamlessly automate the entire process. Upon entering their credentials on a fake site, the attacker simultaneously enters the user&#8217;s information into the real site, gaining instant access and making it almost impossible for the user to realize they&#8217;ve been compromised until it&#8217;s too late. </p>
<p>For a clearer picture of how this all plays out, the video below showcases a real-time MITM attack in action, emphasizing the pressing need for continuous vigilance and education in the realm of cybersecurity. </p>
<div style="width: 1200px;" class="wp-video"><video class="wp-video-shortcode" id="video-1366-9" width="1200" height="675" preload="metadata" controls="controls"><source type="video/mp4" src="https://www.onelogin.com/blog/wp-content/uploads/2023/08/Modernizing-cybersecurity-1.mp4?_=9" /><a href="https://www.onelogin.com/blog/wp-content/uploads/2023/08/Modernizing-cybersecurity-1.mp4">https://www.onelogin.com/blog/wp-content/uploads/2023/08/Modernizing-cybersecurity-1.mp4</a></video></div>
<p><strong>Unlocking digital fortresses: WebAuthn &amp; FIDO2</strong></p>
<p>To stay true to our lock analogy, think of the evolution in cybersecurity as a reflection of the world of locksmithing. Just as one would dream of a lock that changes its mechanism every time it&#8217;s accessed, rendering conventional keys and techniques obsolete, FIDO2 and WebAuthn have come to life with this exact promise in the digital realm, offering passwordless authentication. </p>
<p>Now, why are FIDO2 and WebAuthn the digital locksmithing wonders of our era? Imagine designing a lock where each key is not just unique but metamorphoses after each use. Even if a crafty thief somehow duplicates your key (much like stealing your static password), it&#8217;s rendered useless almost immediately after. </p>
<p>The digital locks of yesterday relied largely on static passwords. But with the advent of FIDO2 and WebAuthn, we&#8217;ve taken a leap in authentication sophistication, closely resembling the innovative locksmithing analogy. At their heart, FIDO2 and WebAuthn aim to eliminate phishing, man-in-the-middle and replay attacks by introducing the ability to adopt <a href="https://www.onelogin.com/blog/advanced-authentication-the-way-forward">advanced authentication</a>. </p>
<p><strong>FIDO2:</strong> This standard, set by the <a href="https://www.oneidentity.com/learn/what-is-fido-authentication.aspx">Fast IDentity Online (FIDO)</a> Alliance, incorporates two main components &#8211; the client (typically a web browser) and the authenticator (which can be a security key, a mobile phone or another device). When accessing a service, the service challenges the authenticator. Instead of sending back a static password or key, the authenticator signs the challenge using a private key with a corresponding public key registered with the service. As the private key never departs from the authenticator and each challenge is unique, it can&#8217;t be reused even if an attacker intercepts the signed response. </p>
<p><strong>WebAuthn:</strong> As part of the FIDO2 project, <a href="https://www.oneidentity.com/learn/defining-web-authentication.aspx">WebAuthn</a> is a web standard championed by the World Wide Web Consortium (W3C). It provides an API that lets web applications use public key cryptography for <a href="https://www.oneidentity.com/learn/what-is-passkey-authentication.aspx">user authentication</a>, with the resulting credentials now commonly known as <a href="https://www.oneidentity.com/learn/what-is-passkey-authentication.aspx">passkeys</a>. When a user registers on a site, the WebAuthn API enables the creation of a new public-private key pair on the user&#8217;s authenticator. Only the public key is sent to the server, with the private key securely residing on the user&#8217;s device. On subsequent logins, the server issues a challenge, which the authenticator signs using the private key, and the resulting signature is cross-verified against the stored public key.</p>
<p>The genuine magic of FIDO2 and WebAuthn lies in their compatibility with a vast array of authenticators, from <a href="https://www.onelogin.com/learn/biometric-authentication">biometrics</a> such as fingerprints or facial recognition to external hardware tokens. This adaptability, coupled with the robust security of public key cryptography, makes them a powerful alternative to traditional username-password systems. While they don&#8217;t change the &#8216;lock mechanism&#8217; literally after each use, they ensure the keys provided are transient and unique, making conventional attacks obsolete. </p>
<p><strong>The WebAuthn &amp; FIDO2 blueprint: A masterclass in locksmithing</strong></p>
<p>FIDO2 and WebAuthn take a page out of this book but with a sprinkle of modern magic. They&#8217;ve proven their mettle against phishing because they veer away from the pitfalls of shared secrets. Remember the old-school method of typing in a password? Once it&#8217;s out in the wild, it&#8217;s fair game. FIDO2 and WebAuthn sidestep this with a cryptographic handshake. The browser folds the website&#8217;s origin into the data that gets signed, so a response is only ever valid for the genuine site. Snag the data mid-move? Well, it won&#8217;t waltz to the rhythm of another website, making phishing a dance of futility.</p>
<p>And it doesn&#8217;t end there. Picture a challenge-response mechanism like a secret handshake. The server throws a move (challenge), and only the rightful participant (with the correct private key) knows the countermove (response). Any eavesdropper trying to mimic the sequence in another session finds themselves stumbling. It&#8217;s akin to a key that dissolves post-use in our lock metaphor. </p>
<div style="width: 1200px;" class="wp-video"><video class="wp-video-shortcode" id="video-1366-10" width="1200" height="675" preload="metadata" controls="controls"><source type="video/mp4" src="https://www.onelogin.com/blog/wp-content/uploads/2023/08/Modernizing-cybersecurity-2.mp4?_=10" /><a href="https://www.onelogin.com/blog/wp-content/uploads/2023/08/Modernizing-cybersecurity-2.mp4">https://www.onelogin.com/blog/wp-content/uploads/2023/08/Modernizing-cybersecurity-2.mp4</a></video></div>
<p><strong>Digital locksmithing evolved: Thwarting the cleverest of bypasses</strong></p>
<p>Extending our lock analogy, the older MFA methods feel like putting a padlock on an already locked door – a bit more secure but hackable by a persistent burglar. FIDO2 and WebAuthn have scrapped the old door and replaced it with one made of an unyielding, ever-changing alloy, turning security from passive to proactive. If traditional MFA stands as the Bramah lock, these modern protocols are the promise of a lock with uncharted intricacies that are part of an advanced authentication approach. </p>
<p>Lastly, complacency isn&#8217;t an option. Today&#8217;s cyber-world brims with ingenious threats, ever ready to expose a chink in the armor. No system, no matter how advanced, offers an eternal promise of security. But, our best bet is to evolve and adapt, embracing the FIDO2s and WebAuthns of the digital world. After all, the treasures of our digital realm – our identities, stories and secrets – are worth their weight in gold. Guard them with nothing but the best. </p>
<p>Learn how OneLogin by One Identity can help you kickstart your journey towards <a href="https://www.oneidentity.com/solutions/advanced-authentication/">Advanced Authentication</a> and provide stronger protection for your organization.</p>
]]></content:encoded>
					
		
		<enclosure url="https://www.onelogin.com/blog/wp-content/uploads/2023/08/Modernizing-cybersecurity-1.mp4" length="36925227" type="video/mp4" />
<enclosure url="https://www.onelogin.com/blog/wp-content/uploads/2023/08/Modernizing-cybersecurity-2.mp4" length="74333046" type="video/mp4" />

			</item>
		<item>
		<title>Best practices when deploying Advanced Authentication</title>
		<link>https://www.onelogin.com/blog/best-practices-when-deploying-advanced-authentication</link>
		
		<dc:creator><![CDATA[Mark Cockbill]]></dc:creator>
		<pubDate>Wed, 26 Jul 2023 20:19:07 +0000</pubDate>
				<category><![CDATA[OneLogin]]></category>
		<category><![CDATA[Adaptive Authentication]]></category>
		<category><![CDATA[Advanced Authentication]]></category>
		<category><![CDATA[passwordless authentication]]></category>
		<category><![CDATA[strong authentication]]></category>
		<guid isPermaLink="false">https://www.onelogin.com/blog/?p=1355</guid>

					<description><![CDATA[<p>Stuart Sharp, OneLogin VP of Product, introduced us to the topic of Advanced Authentication in his blog Advanced Authentication – The way forward, but what does this actually mean in the enterprise and what best practices can we follow to ensure that we are both managing and deploying it effectively? As a reminder, and to [&#8230;]</p>
<p>The post <a href="https://www.onelogin.com/blog/best-practices-when-deploying-advanced-authentication">Best practices when deploying Advanced Authentication</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1356" src="https://www.onelogin.com/blog/wp-content/uploads/2023/07/BlogImage-78805.jpg.optimal.jpg" alt="Best practices when deploying Advanced Authentication " width="1100" height="500" srcset="https://www.onelogin.com/blog/wp-content/uploads/2023/07/BlogImage-78805.jpg.optimal.jpg 1100w, https://www.onelogin.com/blog/wp-content/uploads/2023/07/BlogImage-78805-300x136.jpg.optimal.jpg 300w, https://www.onelogin.com/blog/wp-content/uploads/2023/07/BlogImage-78805-1024x465.jpg.optimal.jpg 1024w, https://www.onelogin.com/blog/wp-content/uploads/2023/07/BlogImage-78805-768x349.jpg.optimal.jpg 768w" sizes="(max-width: 1100px) 100vw, 1100px" /></p>
<p>Stuart Sharp, OneLogin VP of Product, introduced us to the topic of Advanced Authentication in his blog <a href="https://www.onelogin.com/blog/advanced-authentication-the-way-forward">Advanced Authentication – The way forward</a>, but what does this actually mean in the enterprise and what best practices can we follow to ensure that we are both managing and deploying it effectively?</p>
<p>As a reminder, and to borrow some words from Stuart, “Advanced Authentication is a cybersecurity approach that requires the use of additional security methods, beyond the traditional ones, to authenticate a user’s identity. Advanced Authentication makes it more difficult for hackers to gain unauthorized access to an organization’s accounts and information.”</p>
<p>Users come in many forms and are not just our traditional internal workforce (B2E). External customers need to be considered within the Customer Identity and Access Management (CIAM) space for B2C and B2B use cases too. Simple and adaptable tools are needed to ensure ease of use and deployment to increase the likelihood of repeat visitors.</p>
<p>In this blog, I will explore some best practices that can be adhered to when deploying <a href="https://www.oneidentity.com/solutions/advanced-authentication/">Advanced Authentication</a>, ensuring that we can authenticate users in a reliable, robust and secure way.</p>
<p><strong>Best practices to deploy Advanced Authentication</strong></p>
<ol>
<li><strong>Conduct a risk assessment.</strong></li>
</ol>
<p>Conducting a comprehensive risk assessment is an essential first step in implementation. By identifying potential threats and vulnerabilities, determining the level of protection required for different applications, assets and data, and establishing stronger authentication workflows for individuals with access to more sensitive information, organizations can enhance their security posture and mitigate risks effectively.</p>
<p>We first need to identify any potential threats and vulnerabilities. This involves assessing the organization&#8217;s existing authentication infrastructure, systems and processes to identify any weaknesses or loopholes that can be exploited by malicious actors. This could include outdated software, weak authentication methods, bad code, or unencrypted communication channels. By understanding these potential risks, organizations can develop appropriate countermeasures to address them.</p>
<p>It is essential to determine the level of protection needed for different assets and data. Not all applications and data require the same level of security. For example, sensitive customer information, intellectual property or financial applications may require stronger authentication protection compared to accessing a line of business employee application or browsing the latest targeted offers. By categorizing applications and data based on their sensitivity and assigning appropriate protection levels, organizations can allocate their resources effectively and prioritize security measures accordingly.</p>
<p>Establishing stronger authentication workflows for individuals with access to more sensitive information is another critical aspect of deploying Advanced Authentication and this of course also involves considering implementing role-based access controls (RBAC), governance and attestation programs to ensure that individuals only have access to the information and systems necessary to complete their tasks. By assigning specific roles and permissions to users, organizations can limit the potential damage caused by compromised credentials or insider threats.</p>
<ol start="2">
<li><strong>Implement Multi-Factor Authentication (MFA).</strong></li>
</ol>
<p>Incorporating <a href="https://www.onelogin.com/learn/what-is-mfa">MFA</a> into every deployment is an implicit necessity in the realm of Access Management today, considering the insufficient security offered by relying solely on passwords.</p>
<p>Requiring at least two enrolled <a href="https://www.oneidentity.com/what-is-strong-authentication-in-cybersecurity/" target="_blank" rel="noopener">strong authentication</a> factors ensures an extra layer of security beyond simply a password. Factors I would recommend include:</p>
<ul>
<li>Physical tokens or security devices, such as YubiKey or Google Titan tokens, generate digital signatures that provide an additional layer of <a href="https://www.oneidentity.com/learn/what-is-identity-security.aspx">identity security</a>.</li>
<li>Biometric factors like fingerprints or facial recognition, using readers and cameras that are now standard on most modern laptops and mobile devices.</li>
<li>Trusted Devices through device enrollment, or the presence of an issued and verifiable certificate on the device. This gives us the next level of security, as we can ensure that only users we know, using devices we trust, can access organizational assets.</li>
</ul>
<p>The first two factors above provide unique device fingerprints that can offer an elevated level of security, with the last one giving us the ability to provide a ‘belt and braces’ approach to further secure your environment.</p>
<p>When choosing authentication factors, it is important to consider the sensitivity of the data being protected. For highly sensitive information, using a combination of multiple factors, for example both a physical token and a Trusted Device, can provide the highest level of security. However, for less sensitive data, a combination of a strong password and a <a href="https://www.onelogin.com/learn/otp-totp-hotp">TOTP (Time-based One-Time Password)</a> mobile authenticator app code or push notification may be sufficient.</p>
<p>Looking beyond using a password and towards the paradigm of <a href="https://www.onelogin.com/learn/passwordless-authentication">Passwordless authentication</a>, we can leverage a combination of some of the strong factors described above in place of the password to provide end-users and customers with a robust and simple authentication flow.</p>
<p>While security is paramount, it is also important to consider user experience, especially in the CIAM world. Organizations should strive to strike a balance between security and accessibility to encourage user adoption. Factors that are easy to use and readily accessible, such as mobile-based authentication or biometrics on commonly used devices, can improve the overall user experience while maintaining a high level of security. Furthermore, by adding Machine Learning (ML) technologies into the mix, we can have our cake and eat it too. This, of course, leads me onto my next point.</p>
<ol start="3">
<li><strong>Adopt Adaptive Authentication.</strong></li>
</ol>
<p>With hacking and account takeover techniques getting increasingly advanced, deploying adaptive authentication is becoming crucial in modern security practices, to not only provide a higher level of security but also to maintain a positive user experience. <a href="https://www.onelogin.com/learn/what-why-adaptive-authentication">Adaptive authentication</a> allows organizations to tailor their authentication levels based on dynamic risk calculations, enabling them to skip <a href="https://www.onelogin.com/learn/what-is-mfa">multi-factor authentication (MFA)</a> when the risk is low, apply step-up authentication when needed or deny access altogether.</p>
<p>The importance of adaptive authentication lies in its ability to provide a more dynamic and flexible approach to security. By leveraging machine learning along with contextual information such as trusted devices and locations, known risky access methods and user behavior patterns, solutions can now provide the ability to make informed decisions about the appropriate level of authentication required. This not only streamlines the user experience but also minimizes unnecessary authentication steps, reducing friction and enhancing productivity.</p>
<p>Furthermore, adaptive authentication enables organizations to set appropriate rules and policies for authentication decisions on a per-user group basis. This involves leveraging a solution that allows the creation of automatic authentication workflows based on risk assessment. By defining specific rules and policies, organizations can determine when to trigger step-up authentication based on certain risk indicators. For example, if an unusual login attempt is detected from an unfamiliar location or device, the system can automatically prompt the user for additional authentication measures, such as MFA or biometrics.</p>
<ol start="4">
<li><strong>Regularly monitor and analyze authentication activities and patterns.</strong></li>
</ol>
<p>While <a href="https://www.onelogin.com/learn/iam">IAM (Identity and Access Management)</a> platforms usually contain their own logging data and dashboards, more detailed and centralized data correlation can be achieved through integration with a Security Information and Event Management (SIEM) tool, for example Splunk or Sumologic.</p>
<p>With real-time alerting of suspicious or abnormal behavior, organizations can quickly identify potential security threats and take appropriate actions. These alerts can notify administrators or security teams of unauthorized access attempts, unusual login patterns, or any other suspicious activities, enabling them to investigate and mitigate potential risks promptly.</p>
<p>Regular monitoring and analysis of authentication activities helps to ensure the ongoing effectiveness of security measures, providing valuable insights for enhancing and adapting the overall authentication process.</p>
<ol start="5">
<li><strong>Train and educate to minimize breaches.</strong></li>
</ol>
<p>Providing end users and customers with the knowledge and training they need is crucial when deploying <a href="https://www.oneidentity.com/solutions/advanced-authentication/">advanced authentication</a>. It helps minimize breaches, enhances overall security, and drives adoption of stronger authentication practices.</p>
<p>One key aspect of end-user training is to provide clear, user-friendly and comprehensive documentation on how to set up and use advanced authentication methods. This documentation should include step-by-step instructions, screenshots, and troubleshooting tips to ensure users can easily understand and enroll in these security measures.</p>
<p>In addition to documentation, raising awareness about the importance of security and the benefit of advanced authentication is crucial. This can be achieved through training sessions, online tutorials, or regular security awareness campaigns. Organizations should educate users on the risks associated with weak authentication practices, such as password reuse or sharing sensitive information. By emphasizing the benefits of advanced authentication, such as increased protection against unauthorized access and data breaches, users can better understand the value of these security measures and become more motivated to use them. When it comes to CIAM, many of these methods can be utilized, but targeted in different ways: for example email campaigns, interstitial screens or blog posts.</p>
<p>To gain traction and understanding, organizations should highlight real-world examples and case studies of security breaches and their consequences. By promoting a culture of security awareness and vigilance, organizations can foster a sense of responsibility among users and encourage proactive participation in protecting sensitive information.</p>
<p>Organizations should update training materials regularly and conduct ongoing refresher sessions to keep everyone informed about emerging threats and evolving best practices. While training and documentation of what to look for is important, you should also provide channels for users and customers to seek support or report any suspicious activities, ensuring that they have the resources to address any concerns or incidents effectively.</p>
<p><strong>Overcoming deployment challenges</strong></p>
<p>When deploying advanced authentication, organizations will need to overcome three primary challenges to ensure successful implementation.</p>
<ol>
<li><strong>User experience:</strong> It is essential to strike a balance between security and accessibility to provide a positive user experience. Advanced authentication methods should be user-friendly, intuitive and easy to use. Organizations should prioritize solutions that offer a seamless authentication process, minimizing the number of steps and reducing user friction. Clear instructions, user-friendly interfaces, and options for self-service contribute to a smoother user experience. This is even more important when we look at <a href="https://www.onelogin.com/learn/what-is-customer-identity-access-management">CIAM</a> deployments as we want customers to keep on coming back to purchase the goods and services we are providing.</li>
<li><strong>Integration with existing systems:</strong> We should always consider compatibility with systems already in place, especially when we look at legacy systems and applications. This ensures a cohesive authentication framework across our entire infrastructure, reducing complexity, and enhancing overall security. Adhering to industry standard authentication methods is key here, so recoding application frontends to adopt <a href="https://www.onelogin.com/learn/oidc-vs-saml">OIDC (OpenID Connect) or SAML</a> (Security Assertion Markup Language) flows may well be needed. Of course, many vendors provide toolkits to make this process easier.</li>
<li><strong>Addressing potential vulnerabilities:</strong> Regular updates and patching of applications and code is essential to address potential vulnerabilities. Organizations should stay up to date with the latest security patches, firmware updates, and software releases from their authentication solution providers. Conducting penetration testing and vulnerability assessments periodically helps identify any weaknesses or vulnerabilities in the authentication infrastructure, enabling organizations to take timely corrective actions. Using <a href="https://www.onelogin.com/learn/idaas">IDaaS (Identity as a Service)</a> tooling bypasses much of this work as vendors provide much of the authentication architecture as a service and, therefore, keep on top of testing and updating themselves.</li>
</ol>
<p>So, what next then? Well, in conclusion, Advanced Authentication is of paramount importance in today&#8217;s cyber security landscape. By reviewing its significance, we can see that Advanced Authentication is an essential measure to protect sensitive applications, assets and data from potential threats and vulnerabilities. It offers several benefits, including enhanced security, improved user experience, and of course, ensuring compliance with regulatory requirements.</p>
<p>Adopting and deploying technologies to support Advanced Authentication is key to reinforce these advantages. As such, organizations should emphasize the importance of Advanced Authentication as a fundamental component of their overall security strategy. By adopting these methods, not only can organizations significantly enhance their security posture, reduce the risk of unauthorized access or data breaches, and protect valuable assets and data, but they can also deliver a better user experience, mitigate risks effectively and maintain trust with their users, customers and stakeholders in an increasingly digital world.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
