For a long time the classic authentication method, a username combined with a password, was considered reliable. That can no longer be asserted. The weakness is the human factor and the many ways an attacker can obtain the password. People rarely choose complex passwords, let alone change them regularly, and it is common for one password to be reused across different services and resources. If that password is recovered by brute force or stolen through phishing, the attacker gains access to every resource where it was used. An additional identity verification factor addresses this problem; solutions built on it are called two-factor authentication (2FA) or multi-factor authentication (MFA) systems. One such solution is Multifactor from the Multifactor company. The system lets you choose one of the following as the second factor: a hardware token, SMS messages, phone calls, biometrics, U2F, Google Authenticator, Yandex.Key, Telegram or the vendor's mobile application. It should be added that the solution is offered only as a service: the customer installs only software agents, while the system core runs on the vendor's side, which frees the customer's staff from changing their infrastructure and from arranging channels with telecom providers for delivering calls and SMS messages.
Functionality of the Multifactor system
The Multifactor system has the following key functional features:
A wide range of authentication methods: Telegram, biometrics, U2F, FIDO, OTP, Google Authenticator, Yandex.Key, Multifactor mobile application, calls and SMS messages.
An API for managing users from external systems.
Logging of user actions during access.
Managing the resources being accessed.
Managing users from the administration console.
Ability to import users from CSV or plain text files.
A large list of resources with which Multifactor integration is possible: OpenVPN, Linux SSH, Linux SUDO, Windows VPN, Windows Remote Desktop, Cisco VPN, FortiGate VPN, Check Point VPN, VMware vCloud, VMware Horizon, VMware AirWatch, Citrix VDI, Huawei.Cloud (in Russia – SberCloud), Outlook Web Access, and others.
Management of Multifactor system functions through a single administrator console.
Notifying the system administrator of potential information security incidents.
Active Directory and RADIUS support, including the ability to return RADIUS attributes based on a user's group membership.
Multifactor system architecture
As already mentioned, Multifactor is a service product, so the computing power and network infrastructure required to run the system are located in Moscow, in the Dataline data center, which is certified to PCI DSS (Level 1) and ISO/IEC 27001:2005. On the customer's side only the following open-source software components are installed:
RADIUS Adapter (for receiving requests via RADIUS protocol)
IIS Adapter (to enable two-factor authentication in Outlook Web Access)
Self-service portal (for users to manage their own authentication methods).
Multifactor system requirements
For Multifactor to function correctly, the vendor has set separate system requirements for each component. Table 1 lists the minimum resources for the RADIUS Adapter.
Table 2 gives the minimum requirements for installing the Self-Service Portal.
Multifactor uses the RADIUS (Remote Authentication Dial-In User Service) network protocol to interact with most network devices and access services. The system relies on this protocol in the following scenarios:
A two-factor scheme, where the user presents a password as the first factor and a mobile application, Telegram or a one-time code (OTP) as the second;
A single-factor scheme, where the user enters only a login and the second factor is supplied in place of the password (for example, by approving a push notification).
To use RADIUS, the access device (a server, firewall or other network equipment) must be able to reach radius.multifactor.ru on UDP port 1812 without interference, so that host and port must be on the allowlist of any intervening firewall. Because this RADIUS traffic leaves the corporate network, the shared secret configured on the access device is what protects the exchange: keep it long and unique per device.
RADIUS can also be used to protect SSH logins, SUDO invocations and other operations that require strong access control, and it serves as an additional Windows authentication step for Remote Desktop connections.
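To make the RADIUS scenarios above concrete, here is an added example (not Multifactor's code and not from the original page) of what actually crosses UDP 1812 in the password-plus-second-factor scheme: a NAS builds an RFC 2865 Access-Request with the PAP User-Password obfuscated under the shared secret, and the server answers with an Access-Accept or Access-Reject whose Response Authenticator the NAS verifies. The user database, the secrets and the NAS address are constructed; the second factor itself is out of scope here and would be checked by the server before it answers.

```python
"""Minimal RFC 2865 RADIUS PAP exchange between a NAS (access device) and a
RADIUS server. Added example, not Multifactor's code: it shows what travels
over UDP 1812 and what the shared secret protects. All inputs are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute type codes

# Constructed user database on the server side (password as bytes).
SERVER_USERS = {"alice": b"correct horse battery"}


def encode_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_password(encoded: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of encode_password; trailing NUL padding is stripped."""
    out, prev = b"", req_auth
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def pack_attrs(attrs) -> bytes:
    """Attributes are TLVs: type (1 byte), total length (1 byte), value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def pack_packet(code: int, ident: int, authenticator: bytes, body: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, req_auth, body, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()


def nas_access_request(user: str, password: str, secret: bytes, ident: int = 1):
    """NAS side: a fresh random Request Authenticator for every request."""
    req_auth = os.urandom(16)
    body = pack_attrs([
        (USER_NAME, user.encode()),
        (USER_PASSWORD, encode_password(password.encode(), secret, req_auth)),
        (NAS_IP_ADDRESS, bytes([10, 0, 0, 1])),   # constructed NAS address
    ])
    return pack_packet(ACCESS_REQUEST, ident, req_auth, body), req_auth


def server_handle(packet: bytes, secret: bytes) -> bytes:
    """Server side: recover the password with its own copy of the secret and answer."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    pw = decode_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    ok = user in SERVER_USERS and hmac.compare_digest(SERVER_USERS[user], pw)
    resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(resp_code, ident, req_auth, b"", secret)
    return pack_packet(resp_code, ident, auth, b"")


def nas_verify_response(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS side: True only if the reply was produced by a holder of the shared
    secret for this exact request; a spoofed Access-Accept fails this check."""
    code, ident, length = struct.unpack("!BBH", resp[:4])
    expected = response_authenticator(code, ident, req_auth, resp[20:length], secret)
    return hmac.compare_digest(resp[4:20], expected)


def run_exchange(user, password, nas_secret, server_secret):
    """Returns (reply code from the server, whether the NAS accepts the reply as authentic)."""
    req, req_auth = nas_access_request(user, password, nas_secret)
    resp = server_handle(req, server_secret)
    return resp[0], nas_verify_response(resp, req_auth, nas_secret)


if __name__ == "__main__":
    print("same secret, right password:", run_exchange("alice", "correct horse battery", b"s3cret", b"s3cret"))
    print("same secret, wrong password:", run_exchange("alice", "wrong", b"s3cret", b"s3cret"))
    print("secret mismatch:            ", run_exchange("alice", "correct horse battery", b"s3cret", b"other"))
```

Two things the exchange makes visible. With a mismatched secret the server recovers garbage for the password and rejects, and the NAS discards the reply because the Response Authenticator does not verify. And User-Password is obfuscated with MD5 keyed by the secret rather than encrypted with a modern cipher, which is why the secret must be long and why RADIUS that crosses the public internet is usually carried inside a VPN or over RadSec (RFC 6614).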
For full use of RADIUS, Multifactor provides the Multifactor RADIUS Adapter software component, which implements the following:
receiving requests for authentication via the RADIUS protocol;
checking the username and password against Active Directory or NPS (Microsoft Network Policy Server);
verifying the second factor on the user's mobile device;
configuring access based on the user’s membership in a group in Active Directory;
enabling the second factor based on the user’s group membership in Active Directory;
using the user's mobile number from Active Directory to send a one-time code by SMS.
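The group-based rules in the list above (access by group, second factor by group, a phone number taken from Active Directory) are policy decisions the adapter makes after the first factor has been verified. The following is an added example of that decision logic, written for this page rather than taken from the Multifactor adapter: the policy option names, the group names, the directory entries and the RADIUS reply attributes are all constructed, and the handling of an unreachable cloud core is a design choice made here (fail closed unless explicitly allowed), not a description of the real product's behaviour.

```python
"""Decision logic an on-premise RADIUS adapter applies once the first factor
(the AD password) has been verified: who may connect at all, who must present a
second factor, who may bypass it, which phone number an SMS code goes to, and
which RADIUS reply attributes to return per group. Added example with a constructed
policy and directory; option names are illustrative, not the adapter's real settings."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AdapterPolicy:
    access_group: Optional[str] = None          # if set, only members may log in at all
    two_fa_group: Optional[str] = None          # if set, only members need a second factor; if None, everyone does
    bypass_group: Optional[str] = None          # members skip the second factor
    bypass_when_api_unreachable: bool = False   # fail open if the cloud core cannot be reached (off by default)
    reply_attributes: dict = field(default_factory=dict)  # AD group -> RADIUS reply attributes


@dataclass(frozen=True)
class DirectoryUser:
    sam_account_name: str
    groups: frozenset
    mobile: Optional[str] = None                # raw AD "mobile" attribute, may be junk


def normalize_phone(raw: Optional[str]) -> Optional[str]:
    """Keep digits only and require a plausible length, so a junk AD field
    ("n/a", an internal extension) never becomes an SMS destination."""
    if not raw:
        return None
    digits = re.sub(r"\D", "", raw)
    return "+" + digits if 10 <= len(digits) <= 15 else None


def evaluate(user: DirectoryUser, policy: AdapterPolicy, api_reachable: bool = True) -> dict:
    # Reply attributes: merge the maps of every matching group in a stable order.
    reply = {}
    for group in sorted(user.groups):
        reply.update(policy.reply_attributes.get(group, {}))

    if policy.access_group and policy.access_group not in user.groups:
        return {"decision": "deny", "reason": "not in access group", "reply": {}}

    explicit_2fa = policy.two_fa_group is not None and policy.two_fa_group in user.groups
    in_bypass = policy.bypass_group is not None and policy.bypass_group in user.groups
    # Fail closed: explicit membership in the 2FA group beats membership in the bypass group.
    needs_2fa = explicit_2fa or (policy.two_fa_group is None and not in_bypass)

    if not needs_2fa:
        return {"decision": "allow", "reason": "second factor not required", "reply": reply}
    if not api_reachable:
        if policy.bypass_when_api_unreachable:
            return {"decision": "allow", "reason": "second factor skipped: API unreachable", "reply": reply}
        return {"decision": "deny", "reason": "second factor unavailable", "reply": {}}
    return {"decision": "second_factor", "reason": "awaiting second factor",
            "sms_phone": normalize_phone(user.mobile), "reply": reply}


# Constructed policy and directory entries.
POLICY = AdapterPolicy(
    access_group="VPN Users",
    two_fa_group="VPN 2FA",
    bypass_group="VPN Service Accounts",
    reply_attributes={"VPN Admins": {"Class": "OU=admins"},
                      "VPN Users": {"Filter-Id": "vpn-users"}},
)
ALICE = DirectoryUser("alice", frozenset({"VPN Users", "VPN 2FA", "VPN Admins"}), "+7 (916) 123-45-67")
BOB = DirectoryUser("bob", frozenset({"VPN Users"}))
CAROL = DirectoryUser("carol", frozenset({"VPN Users", "VPN 2FA", "VPN Service Accounts"}), "n/a")
SVC_BACKUP = DirectoryUser("svc-backup", frozenset({"VPN Users", "VPN Service Accounts"}))
EVE = DirectoryUser("eve", frozenset({"Domain Users"}))

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL, SVC_BACKUP, EVE):
        print(u.sam_account_name, evaluate(u, POLICY))
    print("alice, cloud core unreachable:", evaluate(ALICE, POLICY, api_reachable=False))
```

Two edge cases are worth noticing when reviewing any such configuration: a user placed in both the 2FA group and the bypass group should end up with the second factor enforced, and the behaviour when the vendor's core is unreachable should be an explicit choice, since a silent fail-open turns every outage into a single-factor login.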
In addition to RADIUS, Multifactor supports SAML, which, beyond two-factor authentication, provides single sign-on (SSO) to corporate and cloud applications; the first factor can be the login and password of an account in Active Directory, Google or Yandex. With SAML, Multifactor can be configured to authenticate users to the following applications and services: VMware, Yandex.Cloud, SberCloud, Salesforce, Trello, Jira, Slack, etc.