Published Apr 30, 2021 · 4 min read
In the previous article, I shared what I had learned about SAML, the history behind it, and how it works. But it did not end there: I wanted to know more about it, and then I saw that it is also used when configuring and integrating MFA solutions with an IdP as an additional layer of authentication. So let’s learn more about it.
First, what is MFA (Multi-Factor Authentication)?
Multi-Factor Authentication is an additional level of authentication where we need to provide one more factor, which might be an OTP, a numeric code from an app (Google Authenticator), or a hard token, to prove that we are who we claim to be. This not only enhances security but also reduces the risk of identity theft.
How does MFA work?
MFA’s working mechanism is similar to the username-password mechanism. In the picture above, we can see how the two are linked. First, the user enters his credentials. Once his identity is verified, he needs to prove his identity once more in the form of an MFA factor, which can be an OTP or a token from an app or device.
Just as user credentials are stored in the database and used for verification, the MFA device, which has its own unique device ID as an identifier, also needs to be registered in the user’s profile so that the identity of the user can be verified.
Types of MFA
For a user to authenticate, a password is the mandatory factor of authentication. When it comes to additional layers, the traditional method used to be a one-time code sent by SMS to a mobile device or by email.
MFA comes in the form of hard tokens and soft tokens.
- Hard Token: Hard tokens authenticate using a physical device, such as a biometric reader or an OTP auth token. The best example is the RSA Secure Auth Token.
- Soft Token: Soft tokens use the “phone-as-a-token” approach: mobile applications or devices act as the token. The most common ones are Google Authenticator and Microsoft Authenticator, which provide an OTP and can also use push notifications as a soft token.
How to configure MFA
Several websites are mandating that their users configure MFA to access the site. Most of these websites support soft-token MFA apps like Google Authenticator.
- MFA using Soft token App
Users configure this MFA by scanning a QR code or entering a device link code with their mobile device. Then the Google Authenticator’s unique device ID will be linked to the user’s profile.
Enterprises use different approaches to configure MFA, depending on their requirements. If an enterprise uses the Azure Active Directory solution, Azure provides a feature to configure MFA directly in the portal, which can take the form of SMS, a phone call, or Microsoft Authenticator push notifications. This adds an additional layer of security once Single Sign-On (SSO) is enabled.
- MFA using SAML configuration
As mentioned in the previous article, SAML is used for authentication and also helps to enable SSO. SAML can also be used to configure MFA across different devices.
In an enterprise with different SPs used by multiple hosts, SAML lets us enforce MFA in any of the following ways:
- No MFA
- MFA based on host-to-host
- MFA for all.
In some cases, where re-authentication is required for applications with high-security requirements, we can use SAML to break the SSO session and initiate re-authentication.
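An added example, not code from the article, showing how an SP could express the three enforcement modes above and the re-authentication case in Python: it builds a SAML AuthnRequest carrying RequestedAuthnContext and ForceAuthn, then checks the AuthnContextClassRef the IdP returns before trusting the login. The policy, host names and sample Response are constructed for the demo; the authentication-context class URIs are the standard SAML 2.0 ones, and signature validation of the Response is assumed to happen before this check.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Standard SAML 2.0 authentication-context classes: password only versus an OTP
# or second-factor login from a hard or soft token.
PASSWORD_ONLY = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
MFA_CLASSES = {"urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
               "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"}

# Constructed policy for the three modes in the article: "none", "hosts" (MFA only
# for the listed SP hosts) or "all". The host names are hypothetical.
POLICY = {"mode": "hosts", "mfa_hosts": {"payroll.example.com", "admin.example.com"}}

def mfa_required(host, policy=POLICY):
    """Decide whether the SP on `host` must see a second factor."""
    if policy["mode"] == "all":
        return True
    return policy["mode"] == "hosts" and host in policy["mfa_hosts"]

def build_authn_request(host, request_id, force_reauth=False, policy=POLICY):
    """SP side: request MFA through RequestedAuthnContext and, for high-security
    apps, set ForceAuthn="true" so the IdP breaks the SSO session and re-authenticates."""
    root = ET.Element(f"{{{NS['samlp']}}}AuthnRequest",
                      {"ID": request_id, "Version": "2.0",
                       "ForceAuthn": "true" if force_reauth else "false"})
    if mfa_required(host, policy):
        rac = ET.SubElement(root, f"{{{NS['samlp']}}}RequestedAuthnContext",
                            {"Comparison": "exact"})
        for cls in sorted(MFA_CLASSES):
            ET.SubElement(rac, f"{{{NS['saml']}}}AuthnContextClassRef").text = cls
    return ET.tostring(root, encoding="unicode")

def assertion_satisfies_policy(response_xml, host, policy=POLICY):
    """SP side: after the signature has been validated (not shown here), confirm the
    IdP asserted an MFA context; a password-only context must not unlock an MFA host."""
    root = ET.fromstring(response_xml)
    refs = {(e.text or "").strip() for e in root.iterfind(".//saml:AuthnContextClassRef", NS)}
    return not mfa_required(host, policy) or bool(refs & MFA_CLASSES)

def sample_response(authn_class):
    """Constructed, unsigned IdP Response used only to exercise the check above."""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
            "<saml:Assertion><saml:AuthnStatement><saml:AuthnContext>"
            f"<saml:AuthnContextClassRef>{authn_class}</saml:AuthnContextClassRef>"
            "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>")
```

The check on the returned AuthnContextClassRef is the part that matters: an IdP may ignore a RequestedAuthnContext it cannot satisfy, so the SP must not assume MFA happened just because it was requested.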
Conclusion:
By enforcing MFA across enterprise applications and devices, it is easier to manage the identity of users and reduce the risk of identity theft. MFA can be enforced directly in Active Directory for enterprises, or it can be enforced in applications if they are connected through a federated identity. We can also configure the federated connection using SAML.
Thanks for reading this :)
If you like my work, please support me.