Enhancing Security with Multi-Factor Authentication in IAM

 
Multi-factor Authentication for the IAM

Sam Glendenning
STFC
 
What is MFA?

• Providing an additional login factor to verify your identity
• One-time usage passcode or hyperlink
 
Why so important?

• Login credentials alone may not be enough for account security
• The IAM protects:
  • Sensitive accounts
  • Important online infrastructure
  • Sensitive research data
 
Objectives for MFA in the IAM

• Easily enabled on any new or existing IAM instantiation
• Customisable by an IAM admin based on wants and needs
• Safe and secure
• Adoptable by everyone
 
Workflow

• Individual users may decide whether or not they want MFA to be enabled on their account
• However, an IAM administrator may enforce MFA on all of their user accounts if they wish
• Once implemented, users will enable MFA in their account settings
• They can then control their MFA settings through their account settings page
 
Multi-factor secret key

• MFA will initially be available through the use of an authenticator app for mobile devices
• Examples include Google Authenticator, Microsoft Authenticator, Authy, etc.
• These apps allow for a QR code containing an MFA secret (plus additional account details) to be scanned and imported through the device's camera (alternatively, the user can manually enter this information)
• This secret can then be used by the app to generate time-based one-time passwords every 30 seconds
• The IAM also possesses this secret, so both the user's app and the IAM generate the same passwords at the same time
• Thus, this can be used for verification of the user
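The shared-secret scheme described on this slide, as an added example (not the slides' or the IAM prototype's own code, which is Java/Spring Boot): the app and the server both derive a 6-digit code from the same base32 secret and the current 30-second step (RFC 6238 TOTP over RFC 4226 HOTP), using only the Python standard library. The server-side check additionally tolerates one step of clock drift and records the last accepted step so a captured code cannot be replayed; the window size, the otpauth URI layout and the example secret (the RFC 6238 test-vector key) are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple
from urllib.parse import quote

STEP_SECONDS = 30  # the 30-second window from the slide (RFC 6238 default)
DIGITS = 6
# Constructed example secret: the RFC 6238 test-vector key in base32, not a real one.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / 30); the authenticator app runs this."""
    secret = base64.b32decode(secret_b32.upper())
    counter = int(time.time() if at is None else at) // STEP_SECONDS
    return hotp(secret, counter)

def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth URI the enrolment QR code encodes (secret plus account details)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")

def verify_totp(secret_b32: str, code: str, at: int, last_used: Optional[int],
                window: int = 1) -> Tuple[bool, Optional[int]]:
    """Server side. Accepts +/- `window` steps of clock drift, compares in constant time,
    and refuses any step at or before `last_used` so a captured code cannot be replayed.
    Returns (accepted, step to persist as the account's new last_used)."""
    secret = base64.b32decode(secret_b32.upper())
    now_step = int(at) // STEP_SECONDS
    for step in range(now_step - window, now_step + window + 1):
        if last_used is not None and step <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, step), code):
            return True, step
    return False, last_used
```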
 
Recovery codes

• To prevent account lockout in the event of the user losing access to their mobile device, emergency scratch codes are generated for the user's account
• These are single-use passwords used in conjunction with the main account password to restore access
• They are regenerated when used and can be regenerated whenever the user wishes
• Scratch codes can be viewed at any time in the account settings
 
Information Security

• Multi-factor secrets and emergency scratch codes are stored in a secure database
• All sensitive information is hashed and/or encrypted to a high standard
• Users have control over their multi-factor settings
  • Can enable/disable MFA as they please (if their federation allows it)
  • Can regenerate scratch codes at their leisure
• Accounts will be locked after a number of failed attempts
• Step-up authentication: prompt for another one-time passcode if performing certain actions
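The scratch-code handling from the two preceding slides (single-use recovery codes, hashed storage, regeneration, lockout after repeated failures), as an added example in Python that is not the slides' or the IAM prototype's own code. The set size, the eight-digit code format, the PBKDF2 hashing and the five-failure lockout threshold are assumptions; the slides only state that codes are hashed and that accounts lock after "a number" of failures.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List

CODE_COUNT = 5         # emergency codes issued per set (assumed value)
MAX_FAILURES = 5       # failed attempts before lockout (assumed threshold)
PBKDF2_ROUNDS = 100_000

def _hash_code(code: str, salt: bytes) -> bytes:
    # Eight-digit codes are cheap to brute-force offline, so only a slow salted hash is stored.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)

@dataclass
class MfaRecord:
    """What the database row holds for one account: hashes of unused codes and lockout state."""
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    scratch_hashes: List[bytes] = field(default_factory=list)
    failed_attempts: int = 0
    locked: bool = False

def issue_scratch_codes(rec: MfaRecord) -> List[str]:
    """Generate a fresh set (at enrolment, on request, or after a code is used).
    Returns the plaintext once for display; every previously issued code stops working."""
    codes = [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(CODE_COUNT)]
    rec.salt = secrets.token_bytes(16)
    rec.scratch_hashes = [_hash_code(c, rec.salt) for c in codes]
    return codes

def redeem_scratch_code(rec: MfaRecord, code: str) -> bool:
    """Single-use check, run after the main account password has already been verified.
    A match is deleted so it can never be replayed; a miss counts towards lockout."""
    if rec.locked:
        return False
    candidate = _hash_code(code, rec.salt)
    for i, stored in enumerate(rec.scratch_hashes):
        if hmac.compare_digest(candidate, stored):
            del rec.scratch_hashes[i]
            rec.failed_attempts = 0
            return True
    rec.failed_attempts += 1
    if rec.failed_attempts >= MAX_FAILURES:
        rec.locked = True
    return False
```

A caller that wants the slide's "regenerated when used" behaviour follows a successful redemption with another issue_scratch_codes call and shows the new set to the user.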
 
Current progress

• I am the primary developer implementing multi-factor authentication in the IAM.
• Main work so far is a basic prototype of a user login system using multi-factor authentication and scratch codes
  • Java
  • Spring Boot framework (highly customisable and flexible)
  • Entirely localised authentication (no need for external APIs for code verification or QR code generation)
  • MFA using a soft token through an authenticator app
  • Accounts can choose to enable or disable MFA
• This can then be implemented into the IAM codebase
 
Targets (not necessarily in this order)

• Implement prototype work into IAM codebase
• Solution needs to be flexible to allow:
  • Expansion of supported factors of authentication (email, YubiKey, WebAuthn, etc.)
  • Individual identity providers to customise their MFA setup (if they choose to enable MFA at all)
• Analyse solution for security flaws and carry out risk assessments
• Document and test
• Communicate with end users to gather thoughts and feedback
• Release in a few months
 
Questions?

Facebook: Science and Technology Facilities Council
Twitter: @STFC_matters
YouTube: Science and Technology Facilities Council

Multi-Factor Authentication (MFA) is crucial for protecting sensitive accounts, online infrastructure, and research data within Identity and Access Management (IAM) systems. MFA adds an extra layer of security by requiring additional verification factors like one-time passcodes and recovery codes. Users and administrators can customize MFA settings, enabling secure access control and reducing the risk of unauthorized account access.

  • Security
  • Multi-Factor Authentication
  • IAM
  • Identity Protection
  • Data Security

Uploaded on Jul 23, 2024



