How do I upgrade our legacy security architecture without just complicating things?
Once you’re past a certain size, starting from scratch ceases to be an option.
Teams that scale their Identity & Access Management processes the right way all have one thing in common:
They integrate identity authentication across all their services with an interoperable solution.
The alternative is not pretty – it’s a mess of services and 3-letter acronyms that hurts productivity and wrecks the user experience.
Many legacy systems do not support strong authentication or federated login. These typically rely on a username and password, which are susceptible to many forms of compromise.
There are several ways to strengthen the login of these types of systems:
- Introduce identity-based authentication to replace usernames and passwords and implement biometric authentication.
- Introduce more factors (2FA or MFA) to the existing login process.
This document discusses the MFA capabilities of the BlockID platform, including one-time passwords, external hardware tokens, and push messages.
Examples are provided from real-world applications such as Verizon ID, which is built on top of the BlockID platform.
What is 2FA?
Two-factor authentication (2FA) is a specific type of multi-factor authentication (MFA) that strengthens system access by requiring two methods (also referred to as authentication factors) instead of just username and password.
These factors typically include:
- Something you know – like a username and password (knowledge factor)
- Something you have – like a smartphone app or disconnected or connected hardware token (possession factor)
2FA protects against social engineering, phishing, and password brute-force attacks, because a weak or stolen password alone is no longer enough to log in.
MFA - Moving beyond 2FA
Beyond the knowledge and possession factors above, the BlockID platform offers further, virtually unhackable factors to let an organization protect sensitive assets:
- Something you are – like a fingerprint, face, or other biometric methods (inherence factor). BlockID offers this via a “LiveID” face scan and “VoiceID” voice recognition.
- Somewhere you are – a particular network, geolocation, or on a specific device.
Why do systems need 2FA?
Two-factor authentication (2FA) is a foundational element of a zero-trust security model.
To protect sensitive data, you must verify that the user trying to access that data is who they say they are.
When organizations cannot implement proper identity-based login, 2FA is an effective way to protect against many security threats that target usernames and passwords, such as phishing, brute-force attacks, and weak or copied credentials.
For example, if a username and password are the initial authentication into an application, the second factor should be completed over a different, out-of-band channel.
Approving a push notification sent to a phone over the mobile network gives the user stronger security with minimal friction.
2FA from 1Kosmos
The best type of security solution is one that is easy for your users.
The 1Kosmos BlockID platform offers several forms of built-in 2FA, including the BlockID mobile app, 3rd-party tokens, and offline authenticators.
The BlockID mobile app is available for iPhone and Android and allows for several built-in authentication methods:
- “LiveID” advanced biometric authentication
- Device biometrics such as TouchID and FaceID
- U2F – Universal Second Factor
These methods vary in their security level, but each of them will protect against man-in-the-middle (MITM) attacks.
1Kosmos strongly recommends leveraging our on-device U2F or push-based authentication. However, with our flexible and customizable platform, you’ll be able to find the best adaptive authentication method that meets the unique needs of your diverse application ecosystem.
Types of MFA supported by BlockID
Time-based One-Time Password (TOTP)
With this method, a shared secret is generated on the system the user is trying to access.
That secret is presented as a QR code that the user scans with their mobile device.
The mobile app then generates a sequence of codes that the requesting system can verify before granting access.
TOTP is standardized by the Initiative for Open Authentication (OATH) and follows the OATH security architecture.
The one-time password is generated on the user’s mobile app and rotates every 30 seconds. This provides the convenience of not having to carry an extra device. However, it does not mitigate all of the risks around phishing and man-in-the-middle attacks.
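The TOTP flow described above, as an added example that is not 1Kosmos or BlockID code: the HOTP/TOTP computation (HMAC over a time-step counter with dynamic truncation), the `otpauth://` key URI that enrolment encodes into the QR code, and the server-side verifier. The verifier tolerates one 30-second step of clock skew and refuses to accept the same step twice, which blocks replay of a code the server already consumed. The SHA-1, 6-digit, 30-second defaults and the function names are this example's assumptions; the test secret is the one published in RFC 4226/6238.

```python
import base64
import hashlib
import hmac
import struct
import urllib.parse

# Test secret published in RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step); the code rotates every step."""
    return hotp(secret, unix_time // step, digits, algo)


def provisioning_uri(secret: bytes, account: str, issuer: str, digits: int = 6, step: int = 30) -> str:
    """Key URI that enrolment encodes as the QR code the user scans (otpauth:// scheme, base32 secret)."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    params = urllib.parse.urlencode({
        "secret": base64.b32encode(secret).decode().rstrip("="),
        "issuer": issuer,
        "algorithm": "SHA1",
        "digits": digits,
        "period": step,
    })
    return f"otpauth://totp/{label}?{params}"


class TotpVerifier:
    """Server side: accept a code within +/- skew_steps of the current step, never twice."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew_steps: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew_steps = skew_steps
        self.last_accepted_counter = -1  # replay guard: highest step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        now_counter = unix_time // self.step
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            counter = now_counter + delta
            if counter <= self.last_accepted_counter:
                continue  # this step (or an older one) was already used: treat as replay
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_counter = counter
                return True
        return False
        # Note: a code relayed by a phishing site inside the skew window is still valid
        # here. TOTP has no origin binding; that is what U2F/WebAuthn add.


if __name__ == "__main__":
    print(provisioning_uri(RFC_TEST_SECRET, "alice@example.com", "ExampleCorp"))
    print(totp(RFC_TEST_SECRET, 59), totp(RFC_TEST_SECRET, 59, digits=8))
```

The replay guard is per enrolled secret, so it has to live in server-side state keyed by the user; a stateless verifier cannot stop the same code being accepted twice within the window.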
SMS and e-mail 2FA
SMS and e-mail two-factor authentication relies on a security code being sent to a user via traditional text or email messaging.
This code is entered into the requesting application.
SMS and e-mail are not recommended due to the risk of SIM-jacking (SIM swapping) and man-in-the-middle attacks.
Push authentication
Push authentication is superior to sending a one-time passcode via SMS and is truly the most secure method of 2FA.
The experience for push authentication is straightforward. When logging in, the user receives a notification on the trusted devices (either mobile or desktop) associated with the user account.
The user is presented with a simple “accept” or “deny” message to allow or prevent the login.
Accompanying this action is information about where the request comes from, such as the location, application, or device type.
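The accept/deny exchange described above, as an added example that is not BlockID's protocol: the server creates a login request carrying the context the user will be shown (application, location, device type) and pushes it to the enrolled device; the device answers with its decision, authenticated by an HMAC over the request id, the decision and that context. The server accepts an answer only once, only before the request expires, and only from the device the request was sent to. The per-device shared HMAC secret, the 60-second lifetime and all names are this example's assumptions (a production design would typically use a device-held asymmetric key instead).

```python
import hashlib
import hmac
import json
import secrets


def approval_mac(secret: bytes, challenge_id: str, decision: str, context: dict) -> bytes:
    """MAC over the request id, the decision and the context the user was shown, so an
    approval cannot be replayed for another request or with altered context."""
    msg = json.dumps({"challenge_id": challenge_id, "decision": decision, "context": context},
                     sort_keys=True).encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


class PushAuthServer:
    """Relying-party side of push authentication (constructed example)."""

    CHALLENGE_TTL = 60  # seconds a pending request stays answerable (assumption)

    def __init__(self):
        self.devices = {}   # device_id -> (user, per-device secret)
        self.pending = {}   # challenge_id -> request record

    def enroll_device(self, user: str, device_id: str) -> bytes:
        secret = secrets.token_bytes(32)
        self.devices[device_id] = (user, secret)
        return secret  # provisioned to the app once, at enrolment

    def create_challenge(self, user: str, device_id: str, context: dict, now: float) -> dict:
        """Build the request that is pushed to the trusted device; `context` is what the user sees."""
        if self.devices.get(device_id, (None,))[0] != user:
            raise ValueError("device not enrolled for this user")
        challenge_id = secrets.token_urlsafe(16)
        self.pending[challenge_id] = {"user": user, "device_id": device_id, "context": context,
                                      "expires": now + self.CHALLENGE_TTL, "state": "pending"}
        return {"challenge_id": challenge_id, "context": context}

    def respond(self, device_id: str, challenge_id: str, decision: str, mac: bytes, now: float) -> str:
        record = self.pending.get(challenge_id)
        if record is None or record["device_id"] != device_id:
            return "rejected: unknown request"
        if record["state"] != "pending":
            return "rejected: request already answered"   # single use
        if now > record["expires"]:
            record["state"] = "expired"
            return "rejected: request expired"            # stale approvals are worthless
        if decision not in ("accept", "deny"):
            return "rejected: invalid decision"
        _, secret = self.devices[device_id]
        expected = approval_mac(secret, challenge_id, decision, record["context"])
        if not hmac.compare_digest(expected, mac):
            return "rejected: bad signature"
        record["state"] = "approved" if decision == "accept" else "denied"
        return "login approved" if decision == "accept" else "login denied"


def device_respond(secret: bytes, challenge: dict, decision: str) -> bytes:
    """Mobile-app side: sign the decision together with the exact request it answers."""
    return approval_mac(secret, challenge["challenge_id"], decision, challenge["context"])


if __name__ == "__main__":
    server = PushAuthServer()
    app_secret = server.enroll_device("alice", "phone-1")
    ctx = {"application": "VPN portal", "location": "Boston, US", "device": "Windows laptop"}
    request = server.create_challenge("alice", "phone-1", ctx, now=1000.0)
    print(server.respond("phone-1", request["challenge_id"], "accept",
                         device_respond(app_secret, request, "accept"), now=1010.0))
```

Because the context is inside the MAC, the server can show the user exactly where the request came from and be sure the approval refers to that same request; a "deny" closes the request just as an "accept" does, so nothing stays open for later reuse.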
Universal 2nd Factor (U2F)
U2F is an open authentication standard that strengthens and simplifies two-factor authentication using specialized USB or near-field communication (NFC) devices.
One example of a U2F token is the YubiKey.
The BlockID platform supports the YubiKey and several other types of hardware key-based authenticators.
Web Authentication (WebAuthn)
The Web Authentication API is a specification that enables strong registration and authentication based on public-key cryptography.
It was created by the FIDO (Fast IDentity Online) Alliance and the W3C. It allows third parties like 1Kosmos to tap into the built-in biometric authenticators on laptops and smartphones, letting users authenticate quickly with the tools they already have at their disposal.
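The relying-party checks that make U2F/WebAuthn phishing-resistant, as an added example that is not 1Kosmos code: the authenticator signs the origin the browser reported and a hash of the relying-party ID, so the server can reject an assertion produced on a look-alike domain even if the user was tricked into completing the ceremony there. The block parses `clientDataJSON` and `authenticatorData` from a `navigator.credentials.get()` response, checks ceremony type, challenge, origin, `rpIdHash`, the user-presence flag and the signature counter, and returns the exact bytes the authenticator signed. Verifying the ECDSA signature over those bytes with the credential's stored public key is the final step and needs a crypto library; it is not performed here. The function names and the sample response builder are this example's assumptions; the origins are constructed.

```python
import base64
import hashlib
import json
import struct


class WebAuthnCheckFailed(Exception):
    pass


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def verify_assertion_context(response: dict, expected_challenge: bytes, expected_origin: str,
                             rp_id: str, stored_sign_count: int) -> bytes:
    """Relying-party checks before signature verification. Returns the signed bytes
    (authenticatorData || SHA-256(clientDataJSON)) for the public-key check that follows."""
    client_data_bytes = b64url_decode(response["clientDataJSON"])
    client_data = json.loads(client_data_bytes)
    if client_data.get("type") != "webauthn.get":
        raise WebAuthnCheckFailed("wrong ceremony type")
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        raise WebAuthnCheckFailed("challenge mismatch (replay or stale request)")
    # Origin binding: the browser, not the user, fills this in, so a look-alike site
    # cannot produce an assertion that claims the genuine origin.
    if client_data.get("origin") != expected_origin:
        raise WebAuthnCheckFailed(f"origin mismatch: {client_data.get('origin')!r}")

    auth_data = b64url_decode(response["authenticatorData"])
    if len(auth_data) < 37:
        raise WebAuthnCheckFailed("authenticatorData too short")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise WebAuthnCheckFailed("rpIdHash mismatch")
    if not flags & 0x01:
        raise WebAuthnCheckFailed("user presence (UP) flag not set")
    # A counter that fails to increase can indicate a cloned authenticator.
    if sign_count != 0 and sign_count <= stored_sign_count:
        raise WebAuthnCheckFailed("signature counter did not increase")
    return auth_data + hashlib.sha256(client_data_bytes).digest()


def make_sample_response(challenge: bytes, origin: str, rp_id: str,
                         sign_count: int, user_present: bool = True) -> dict:
    """Constructed response with the shape the browser returns (signature field omitted)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                              "origin": origin}).encode()
    flags = 0x01 if user_present else 0x00
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    return {"clientDataJSON": b64url_encode(client_data), "authenticatorData": b64url_encode(auth_data)}


if __name__ == "__main__":
    chal = b"\x01" * 32  # constructed; real challenges are fresh random bytes per login
    ok = make_sample_response(chal, "https://login.example.com", "example.com", sign_count=5)
    print(len(verify_assertion_context(ok, chal, "https://login.example.com", "example.com", 4)))
```

The challenge must be generated per login and discarded once used, so the same assertion cannot be submitted twice; the counter check is a heuristic rather than a guarantee, since some authenticators report 0 and never increment.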
BlockID desktop agent
The BlockID desktop agent is used to generate a one-time passcode on a predetermined computer, such as a desktop or laptop.
This is useful in scenarios where a mobile device cannot be used.