Multi-Factor Agony

June 7th, 2013 / Smarter Identity

I just love security. After all, it’s what we do here at OneLogin. But I love security even more when it doesn’t get in the way of getting work done.

Evernote recently joined the growing list of cloud applications that support multi-factor authentication. Google Apps added multi-factor authentication in 2011 and Dropbox and Box followed suit earlier this year.

What is Multi-Factor Authentication?

To quickly recap, multi-factor authentication is an effective way of preventing unauthorized access by someone who manages to guess your password, such as a colleague or a hacker. By requiring an extra authentication factor during login, simply knowing your password is not enough to gain access. There are three different kinds of authentication factors:

  • Something you know – password, PIN, your mother’s maiden name
  • Something you have – a key fob, a mobile phone, a certificate
  • Something you are – fingerprint, voice pattern, iris

We all use passwords on a daily basis and many of us have used physical fobs for accessing buildings or establishing a VPN to the corporate network. Biometric authentication still doesn’t have mass-market adoption because of technical issues, but it is used in certain industries. A fast-growing trend is to use your smartphone as an authentication factor, which is very convenient, since most people carry it on them all the time.

Multi-Factor Authentication at the App Level is the Wrong Approach

The problem with enforcing multi-factor authentication at the application level is that it gets annoying very quickly. Say you are using Google Apps, Dropbox and Evernote for work. In order to get into your accounts, you will have to use multi-factor authentication three times. If your session times out, you will have to use multi-factor authentication again. And this is just three applications. What about the dozen other apps you use? Will they ultimately support multi-factor authentication as well?

Another problem for enterprises is that multi-factor authentication at the application level still does not provide the governance and control they need over access to corporate data. Employees can still go directly to an application’s login page and sign in with their personal password and personal mobile phone without the enterprise having any control over, or trace of, that login.

A superior approach is leveraging single sign-on via an enterprise identity management solution like OneLogin. An increasing number of applications support the SAML single sign-on standard. Mature applications like Google Apps, Salesforce, WebEx and Concur have supported SAML for years, and a growing number of up-and-coming apps are joining the ranks. Over the past two years, more than 70 SaaS vendors have adopted OneLogin’s free SAML toolkits, and Dropbox is just one of the recent additions.

SAML First

By leveraging SAML together with OneLogin, the enterprise can centralize access control and enforce that all users are authenticated using the policies mandated by the enterprise, for example using a strong password and a second authentication factor, such as a mobile phone. Only then are the employees allowed to sign into the corporate applications.
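As an added illustration (not OneLogin’s code or any SAML toolkit’s), here is the check an application on the receiving end should make: in SAML 2.0 the identity provider reports how it authenticated the user in the assertion’s AuthnContextClassRef, so the application can require that a second factor was actually used rather than taking it on faith. The issuer, subject, timestamps and validity window are constructed sample values; XML signature verification is assumed to have happened before this check runs.

```python
# Added example, not OneLogin's code. An application that delegates login to a
# SAML identity provider (IdP) still has to check *how* the IdP authenticated the
# user: SAML 2.0 reports that in AuthnStatement/AuthnContext/AuthnContextClassRef.
# The assertion below is constructed; XML signature verification is assumed to
# have been done already, since without it none of these fields can be trusted.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Standard SAML 2.0 authentication-context classes that imply a second factor.
MFA_CLASSES = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
}
PASSWORD_ONLY = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2013-06-07T10:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2013-06-07T09:59:00Z" NotOnOrAfter="2013-06-07T10:04:00Z"/>
  <saml:AuthnStatement AuthnInstant="2013-06-07T10:00:00Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>{cls}</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def evaluate(assertion_xml, now, trusted_issuer="https://idp.example.com"):
    """Return (subject, None) if the assertion proves an MFA login, else (None, reason)."""
    root = ET.fromstring(assertion_xml)
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        return None, "untrusted issuer"
    cond = root.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return None, "assertion outside validity window"
    ctx = root.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    if ctx not in MFA_CLASSES:
        return None, f"IdP did not assert a second factor ({ctx})"
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS), None

if __name__ == "__main__":
    now = _ts("2013-06-07T10:01:00Z")
    print(evaluate(ASSERTION.format(cls=next(iter(MFA_CLASSES))), now))
    print(evaluate(ASSERTION.format(cls=PASSWORD_ONLY), now))
```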

Not only is this solution more secure for the enterprise, it is also more user-friendly for the employee who only has to authenticate once and not once for every application. So while I applaud Evernote’s focus on security, I’d much rather see support for SAML.

About the Author

Thomas Pedersen, founder and CEO of OneLogin, has more than 15 years of experience in building and selling carrier-grade billing systems for phone companies, initially at Cisco-backed Digiquant in Denmark and later at Intec Telecom Systems in the US. After having helped Zendesk grow to 5,000 customers as VP Business Development, he is now laser-focused on making OneLogin the most widely deployed identity management solution in the cloud.
