It’s widely held knowledge that using a single factor for authentication to wireless networks is less than secure and easily exploitable by hackers. Many organizations recognize this and utilize Multi-Factor Authentication (MFA) to provide an extra layer of protection. Each additional layer of protection adds significant difficulty to any potential data thief looking to infiltrate a secure wireless network.
Recent Microsoft statistics show that well over 99% of compromised accounts didn’t use MFA, proving that a single factor (like a password) leaves networks vulnerable to cyber attacks. The best factors for authentication require little to no user interaction, like a digital certificate. SecureW2 is developing an MFA prompt for Azure users on our Cloud RADIUS platform, which is set to release in the Summer of 2021. We also bolster MFA by making it easy for organizations to switch from passwords to certificates, a far better security method. Read from one of our customers how easy it was to switch from passwords to certificates.
MFA can help alleviate issues with SSO and AD FS, which we cover below.
What is SSO?
Single-sign on (SSO) is a login method in which users have one set of credentials to access multiple applications. The main benefit of SSO is the streamlined approach. With one set of credentials, users can access numerous web applications.
However, while this makes SSO user friendly, using one set of credentials for widespread access is a major security risk. If an attacker were to gain access to the SSO system with stolen credentials, they would have access to all the applications tied to those credentials.
What is AD FS?
Active Directory Federation Services (AD FS) is a Microsoft component that performs SSO. It provides authentication access for Windows applications that don’t support Integrated Windows.
AD FS is a “free” solution, but requires multiple hardware components, additional Microsoft software, and extensive configuration and maintenance. Organizations that use AD FS have issues with SAML configurations because AD FS is an on-prem legacy solution that was built before SAML. Admins have to spend time troubleshooting and finding workarounds.
The Perks of MFA
Using MFA for wireless access will result in a more secure and rapid authentication process and make it easier for users to transition from the office to their home.
MFA is great for stopping cyber attacks because it requires two or more authentication factors, with those factors being:
- Something you know (such as credentials)
- Something you are (such as biometrics)
- Something you have (such as App/SMS/digital certificate)
The extra authentication factor means MFA is over 90% effective against cyber attacks, including phishing attempts and automated bot attacks.
Alternatives to AD FS
Shibboleth Solution
Shibboleth is an SSO system and potential replacement for AD FS. Shibboleth provides authentication and supports AD just like AD FS. However, unlike AD FS, Shibboleth also supports many LDAP and SAML types, meaning more client integration.
While it’s an improvement over AD FS, Shibboleth is open-source. That means it can be difficult to implement because admins have to do it themselves. Admins will need to be experts in open-source software or else they’ll be spending a lot of time trying to get it working.
Okta Solution
Okta Adaptive MFA is Okta’s cloud MFA solution that provides Okta networks with dynamic policy changes and step-up authentication when a user’s context is changed. It can enforce MFA across thousands of web applications, securing every app, not just mission critical apps.
MFA with Certificate-Based Authentication
For the best security possible, it is best to avoid using credentials as a factor for MFA. Credentials don’t provide accurate identification. A recent survey shows that 69% of respondents admit to sharing their passwords.
Digital certificates have proven to be more effective for authentication purposes because they eliminate over-the-air credential theft entirely. An organization can create and administer approved certificates to every network device and use them to authenticate users rather than credentials.
Leverage AD FS for Certificate Enrollment
Certificate enrollment can be a tedious and difficult process that often stumps the average user. Our JoinNow MultiOS onboarding software allows users to self-configure via a few simple steps designed for a user uninitiated with certificates.
With SecureW2, you can leverage AD FS to enroll for certificates. By utilizing AD FS for identification, a certificate is tied to the identity of a user and device for the life of the certificate. The certificate cannot be transferred to another device, so the users on your network are always correctly identified.
Many admins are hesitant because provisioning a certificate to every network entity doesn’t seem like an easy task; but that’s where CloudRADIUS comes in.
Secure MFA Authentication with CloudRADIUS
The standard use case for an AD FS server is to authenticate and securely connect users to Wi-Fi, but that feature can extend to VPN access for businesses needing to connect remote workers to the office network. An AD-domain network’s security can be upgraded by integrating SecureW2’s CloudRADIUS.
CloudRADIUS is built on certificate-based EAP-TLS authentication, the most secure authentication protocol around. Users are administered unique certificates to their devices and authenticated with those certificates rather than credentials. The weakest point of network security is usually the end user, so supplying them a certificate to handle automatic authentication rather than having them create and input several passwords provides better overall security.
If you’re wondering how to get a certificate onto every network device, don’t fret. CloudRADIUS is coupled with SecureW2’s Managed PKI, a turnkey service which simplifies the certificate enrollment process. Not only can admins set up the PKI in any environment within an hour, but admins can set up automatic certificate enrollment for all network devices with ease.
Admins can map user attributes and access levels to certificates. Once users are enrolled for a certificate, CloudRADIUS can use the certificate to verify the user and their permissions. Admins can create security groups to segment users based on their network resource access levels, controlling who has VPN access.
Secure Authentication with MFA and CloudRADIUS
CloudRADIUS can be configured with your network to implement secure certificate-based authentication, combined with MFA, to securely authenticate users for Wi-Fi, VPN, Web Apps and Desktop Logon. CloudRADIUS works with any vendor and comes at an affordable price for organizations of all sizes. Check out our pricing page to see how we can help secure your network.
