Multi-factor authentication solutions in roaming 🔒

· Lucas Videlaine


MFA is now a major topic within organisations, particularly as they move towards a remote working approach. You hear about it regularly but don't know exactly what it is? Would you like to find out more? You've come to the right place, because in this short, easy-to-understand article, we'll define the principles and issues related to MFA, particularly in the context of roaming.

# Key terms and concepts

Let's start with an overview of the existing vocabulary, so that we can better appreciate what follows!

  • Digital nomadism: Digital nomadism refers to any form of use of information technology that allows a user to access the IT system of their company/organisation or employer from remote locations that are not controlled by the entity.
  • 2FA - Two-Factor Authentication: Authentication that requires exactly two factors from different categories: something the user knows (a password or PIN), something the user has (a hardware token, a smart card, a smartphone running an authenticator app) or something the user is (a biometric). 2FA is the most common form of MFA.
  • MFA - Multi-Factor Authentication: A security process that requires two or more verification factors, of different types, to prove a user's identity. These can include biometric factors (facial recognition, fingerprint recognition, etc.), a unique code sent by SMS or email, a unique code generated by a dedicated application, etc. Two factors of the same category (two passwords, for example) do not constitute MFA.
  • OTP - One-Time Password: A password that is valid for a single authentication session or transaction, so that a code captured by an attacker cannot be replayed. OTPs are typically derived from a secret shared between the server and the user's device, combined with a counter (HOTP, RFC 4226) or the current time (TOTP, RFC 6238), and generated by a dedicated app or hardware token; they can also be sent by SMS or email, which is weaker because it relies on a third-party delivery channel.
  • Point of vigilance: Since 2021, ANSSI, the French National Agency for Information System Security, has distinguished strong authentication from multi-factor authentication: strong authentication, in this definition, is based on cryptographic mechanisms of recognised robustness and does not necessarily involve several authentication factors; conversely, combining several factors does not by itself make authentication strong.
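As an added example (not code from the original article), the following Python implements the "unique code generated by a dedicated application" from the definitions above: HOTP (RFC 4226) and TOTP (RFC 6238), together with the server-side check a practitioner should pair with them. The verification tolerates a small clock drift window, compares in constant time and rejects a code that has already been accepted, which is what makes the password "one-time". The secret is the ASCII test secret from the RFCs, embedded here so the example runs offline; a real deployment generates a random secret per user at enrolment.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional, Set

# Shared secret from the RFC 4226 / RFC 6238 test vectors ("12345678901234567890"),
# embedded here so the example runs offline. Assumption for this example only:
# a real server stores one random secret per user, generated at enrolment.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code of `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second
    intervals elapsed since the Unix epoch at time `at`."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, *, step: int = 30,
                digits: int = 6, window: int = 1,
                used_counters: Optional[Set[int]] = None) -> bool:
    """Server-side check of a user-submitted code.

    - Accepts +/- `window` time steps to tolerate clock drift on the device.
    - Compares in constant time so matching digits do not leak through timing.
    - If `used_counters` is given, a counter that already produced an accepted
      code is rejected, so a code captured once cannot be replayed within the
      same time step (the "one-time" property).
    """
    code = code.strip()
    if not (code.isascii() and code.isdigit() and len(code) == digits):
        return False
    base = at // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            if used_counters is not None:
                if counter in used_counters:
                    return False  # replay of an already-accepted code
                used_counters.add(counter)
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    seen: Set[int] = set()
    print("current code:       ", code)
    print("first use accepted: ", verify_totp(RFC_TEST_SECRET, code, now, used_counters=seen))
    print("replay rejected:    ", not verify_totp(RFC_TEST_SECRET, code, now, used_counters=seen))
```

Note the two knobs that matter operationally: `window` trades usability against the attacker's guessing space (three valid codes instead of one at any moment), and `used_counters` must be persisted per user on the server, otherwise a phished code remains usable for the rest of its 30-second step.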

# The challenges

We can define two key objectives for MFA in the context of nomadic working, each to be adapted to the applicable context.

Assess and reduce the degree of exposure of information:

  • During business travel (at a hotel, at a client's premises)
  • During commuting (on public transport)
  • In public places (in coworking spaces, airports, stations)

Contain risks:

  • Loss or theft of equipment
  • Compromise of information contained in lost/stolen equipment
  • Compromise of equipment (user away from an unlocked workstation)
  • Unauthorised access to the IS
  • Interception/alteration of information (data confidentiality/integrity)

The objective of a mobile IS is to achieve a level of security as close as possible to that of the internal IS, by addressing the most significant exposure risks.

# Regulatory developments

In order to prevent the risks associated with nomadism and regulate its use, it is important to integrate nomadism into the entity's Information System Security Policy (ISSP):

  1. Identify the job roles eligible for nomadism and teleworking
    • Establish the sensitivity level of the data and activities involved
    • Establish the regulatory constraints
  2. Ensure proper control of nomadic users
    • Manage and revoke the accounts and rights of nomadic users
    • Manage nomadic mobile equipment
  3. Raise awareness and train nomadic users
    • Warn about the risks associated with theft or compromise of IT equipment
    • Warn about information leaks and other indiscretions
  4. Dedicate access equipment to an identified nomadic user
    • Link each piece of equipment to an identified and referenced nomadic user

# The main providers

The market for MFA solutions is extensive. We can quickly list the leaders in the field, as well as a few products that also target SMEs.
Each vendor offers its own solution, which integrates more or less easily into an existing IS, on-premise and/or as SaaS.

These include:

  • Microsoft MFA
  • Thales SafeNet Trusted Access
  • Okta MFA
  • OneLogin MFA
  • Cisco Duo MFA
  • Ping Identity
  • Fortinet FortiToken
  • inWebo MFA

Further reading: the Recommendations on digital nomadism from ANSSI (French National Agency for Information System Security).