Without controlling cloud application access, organizations are at risk of a security breach. Attackers are relentless. They hunt, phish, scam, and social-engineer everybody, including privileged users, to infiltrate your organization. Once inside, they look for opportunities to elevate privilege and appropriate resources. Implementing 2FA solutions across users thwarts attacks and protects corporate data.
Two-factor authentication adds an additional layer of security. Typically, users are asked to prove their identity by providing simple credentials such as an email address and a password. A second factor (2F) adds an extra layer of protection against unauthorized access by prompting the user to provide an additional means of authentication such as a physical token (e.g. a card) or an additional secret that only they know.
US Federal regulators recognize the following authentication factor options:
An additional authentication factor prevents someone from signing into your account, even if they know your password. Although you may think your password is safe, it can be compromised in a number of ways. Most individuals choose an easy-to-remember password and reuse it for several applications, and those who know you can easily guess a pet’s name, a birthplace or an important date. Someone looking over your shoulder can decipher your password. Finally, a more sophisticated technique that can compromise your login credentials is a key logger that records all keystrokes and sends them to a third party.
If authentication requires both a password and, say, a USB token with a digital certificate on it, a criminal would need to know your credentials and be in possession of your USB token in order to sign into your account. Without both, an unauthorized sign-in attempt would fail and also trigger a security event to let the admin know of a suspicious login attempt.
Authentication can be made even stronger by combining additional factors to achieve multi-factor authentication (MFA); you can add a PKI certificate in your browser or prompt the user for additional secrets. Or you can use OneLogin Desktop to increase security via an on-laptop certificate that delivers a second factor of authentication in the form of a trusted device, in effect multi-factor authentication for all application access.
There are a variety of second authentication factors that can be used for 2FA to secure application access. Here are some examples:
OneLogin’s two-factor authentication process is straightforward. The user is first authenticated using a username and password. OneLogin looks up the user and if additional authentication factors are required, the user will be prompted to enter them on the login page.
In the example above, all the user has to do is press the YubiKey button, which will send the generated one-time password straight to the input field in the browser, eliminating cumbersome and error-prone typing. OneLogin then validates that a) the YubiKey does belong to the user accessing the account and b) the code entered has not been used previously.
"As enterprises begin moving more and more sensitive data into the cloud and rapidly adopting Software-as-a-Service, organizations are more focused than ever on security. By leveraging RSA SecurID technology and OneLogin, organizations can help increase security and decrease the potential for unauthorized access to sensitive applications and data."
Stu Vaeth, Strategic Technology Alliances, RSA
"The ease of use of OneLogin and the YubiKey makes them a perfect match. Customers benefit from a highly secure single sign-on solution to thousands of web applications without compromising security."
Stina Ehrensvärd, CEO & Founder, Yubico Inc.
Yubico’s sleek USB key works with Windows, Mac and Linux without any client software required. By pressing the button on the key, a unique one-time password is generated and automatically entered in the browser.
Symantec VIP Access is supported on hundreds of mobile phones, including iPhone, Android, Windows Mobile and BlackBerry. Every 30 seconds a new 6-digit PIN is generated, which is valid for only one minute.
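The server-side checks described above (the token belongs to the user signing in, the code has not been used before, and a 6-digit code issued every 30 seconds stays valid for one minute) are sketched here as an added example; it is not OneLogin's, Yubico's or Symantec's code. It assumes RFC 6238 TOTP as a stand-in, since the page does not say which algorithm these products use, and `SecondFactorVerifier` and the sample key are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds between new codes, as in the VIP Access description
DIGITS = 6   # 6-digit PIN
WINDOW = 1   # also accept the previous step, so a code lives about one minute

def totp(secret: bytes, counter: int) -> str:
    """RFC 4226 truncation over a time-step counter (RFC 6238 TOTP, SHA-1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class SecondFactorVerifier:
    """Hypothetical server-side check; not OneLogin's implementation."""

    def __init__(self):
        self.enrolled = {}   # user -> secret of the token registered to that user
        self.last_step = {}  # user -> newest time step already accepted

    def enroll(self, user: str, secret: bytes) -> None:
        self.enrolled[user] = secret

    def verify(self, user: str, code: str, now: float) -> str:
        secret = self.enrolled.get(user)
        if secret is None:
            return "no-token"            # (a) no token belongs to this user
        current = int(now) // STEP
        for step in range(current, max(current - WINDOW, 0) - 1, -1):
            expected = totp(secret, step).encode()
            if hmac.compare_digest(expected, code.encode()):
                if step <= self.last_step.get(user, -1):
                    return "replayed"    # (b) code was used previously
                self.last_step[user] = step
                return "ok"
        return "invalid"                 # wrong, expired, or another user's code

if __name__ == "__main__":
    key = b"12345678901234567890"        # constructed sample secret (RFC 4226 test key)
    v = SecondFactorVerifier()
    v.enroll("alice", key)
    code = totp(key, 59 // STEP)
    for t in (59, 59, 90):               # first use, reuse, after expiry
        print(t, code, v.verify("alice", code, t))
```

Recording the newest accepted time step per user, rather than a list of used codes, also rejects an older code that is still inside the validity window.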