Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Implementing Multifactor Authentication
Implementing Multifactor Authentication

Implementing Multifactor Authentication: Protect your applications from cyberattacks with the help of MFA

eBook
$18.99 $27.99
Paperback
$34.99
Subscription
Free Trial
Renews at $19.99p/m

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing
Table of content icon View table of contents Preview book icon Preview Book

Implementing Multifactor Authentication

On the Internet, Nobody Knows You’re a Dog

In the ever-evolving landscape of cybersecurity, ensuring that proper access is given for the right reasons at the right time for digital identities is no longer just an optional feature – it’s an indispensable component of securing modern applications. Moreover, as digital transformation accelerates, organizations must proactively protect their sensitive data and functions against persistent cybercriminals, hackers, and even insider threats.

To bring this critical topic to life, we invite you to join us on an engaging journey with ACME Software. This fictitious start-up grapples with the complexities of securing access to its business-critical data and functions. As ACME Software grows and expands, its workforce identities (corporate employees, contingent workers, and partners) and customer identities demand increasingly sophisticated authentication mechanisms to keep their information safe and sound.

Throughout this book, we will look at ACME Software while exploring its options and navigating the intricate world of modern authentication mechanisms. As we follow the start-up’s story, you will discover not only the essentials of multifactor authentication (MFA) but also its practical applications, benefits, and potential pitfalls. By delving into real-life examples and scenarios, we aim to make this subject more engaging, accessible, and relatable, transforming what might otherwise be a dry, technical topic into a captivating learning experience.

This book will cover the following themes:

  • The importance of securing digital identities in today’s interconnected world
  • An introduction to MFA, its principles, and its various forms
  • A detailed examination of ACME Software’s authentication requirements and the challenges it faces as it grows
  • A comprehensive exploration of various MFA solutions, as well as their strengths and weaknesses
  • Real-world examples of implementing and managing MFA solutions at ACME Software, demonstrating how to optimize security while maintaining user convenience
  • The future of authentication – emerging trends and technologies that will shape the next generation of identity and access management

As we follow ACME Software’s journey, we aim to equip you with the knowledge and understanding necessary to make informed decisions about MFA for your organization, empowering you to protect your valuable digital assets in a world of ever-increasing cyber threats.

In this chapter, we are going to cover the following topics:

  • Identity and digital identity
  • Additional authentication and security controls

Identity and digital identity

Identity is a universal concept that accompanies us throughout our lives, regardless of our cultural or national background. Immediately after birth, newborns around the world are identified in various ways. In some cultures, babies might receive bands on their wrists or ankles, while others may have different traditional identification methods. These methods often include the baby’s name, date of birth, and other crucial information that helps distinguish them from others.

Governments and communities across the globe maintain records of their citizens’ identities in various forms, such as birth certificates, family registers, or national ID systems. These records typically contain vital information such as names, birthdates, places of birth, and parentage.

Individuals from diverse cultures and nations rely on these records to establish and verify their identities. Moreover, the importance of these documents transcends geographical boundaries since people need them for various purposes, such as education, civic participation, and international travel. For example, these records may be required for enrolling in school, registering to vote, or obtaining necessary documents such as passports or driver’s licenses.

The documents used to identify a person may change, depending on the context. For example, I need documents establishing my identity and employment authorization to apply for a job. On the other hand, I may need a passport rather than a driver’s license when traveling abroad. And to open a bank account, I may require proof of residence and identification information. Collectively, these artifacts provide what is known as personally identifiable information (PII).

Let’s look at the process of opening a bank account before the internet. A customer had to drive to the bank, meet with a bank representative, and present the required documents to open an account. Only then would they be issued an account number and be allowed to make transactions via that account. After applying for and receiving an automated teller machine (ATM) or debit card in the mail, they could use it to access their account. Every time they wanted to perform a transaction, they would need to go to a branch and authenticate themselves to a teller that would verify that they were the person they claimed to be and that they were authorized to perform the transaction they wanted. With an ATM card, they no longer needed to show their picture ID to confirm who they were. Anybody with that person’s ATM card could do everything they were authorized to do at the ATM. When someone withdraws cash with an ATM card or makes a purchase with a debit card, the card reader takes information about the account from the card and sends it, along with the amount of the transaction, to the bank. To verify that the card was not stolen, the card reader requests the card’s personal identification number (PIN); once the PIN is entered correctly, the bank approves the transaction and withdraws the funds from the account.

Identity is a multifaceted concept encompassing the unique characteristics that define who or what a person or thing is. The amalgamation of physical, emotional, cultural, and social attributes creates the intricate tapestry of our individuality. In both the physical and digital realms, identity plays a crucial role in remembering, recognizing, and interacting with subjects, be they people or objects.

In today’s increasingly interconnected world, our identities extend beyond the tangible realm, forming an integral part of our digital presence. This digital identity is a virtual representation of our real-world selves, encompassing various elements, such as usernames, passwords, biometrics, and personal preferences. It enables us to navigate the vast expanse of the internet, engage in online transactions, and interact with digital services.

The process of authentication is vital in both physical and digital environments. By verifying the identity of a subject, we ensure that they are who they claim to be and grant them access to specific services or actions based on their authorization. This process is essential for maintaining security and trust and enabling the seamless functioning of our increasingly digital lives.

In digital transactions, the owner of a digital identity is often referred to as the security principal or simply the principal. This term highlights the significance of the individual or entity at the heart of the authentication inquiry. As we engage in various online activities, our digital identities are the foundation for creating trust and facilitating secure transactions.

Just like identity existed before the internet, two-factor authentication (2FA) and MFA existed as well. The PIN on an ATM or debit card is one example of MFA (and 2FA, which is a subset of MFA). To verify (authenticate) my identity, I need to present my ATM card (something I have) and enter my PIN (something I know). Similarly, showing my driver’s license to the bank teller is another example of MFA. The driver’s license is the first factor (again, something I have), while matching the picture on the ID to me is the second factor (something you are).

Establishing identities is also critical, if not more important, online. Even though a large number of countries have established some form of online digital ID (you can see a list at https://www.worldprivacyforum.org/2021/10/national-ids-and-biometrics/), it is still rare to encounter customer-facing applications that will accept those digital IDs outside of the country that issued the ID.

The New Yorker published a cartoon in July 1993 where a large dog was sitting in front of a computer, speaking to another dog on the floor to his side, saying, On the internet, nobody knows you’re a dog. It can be viewed here: https://i.kym-cdn.com/photos/images/original/000/427/569/bfa.jpg. Here’s Dalle-2’s interpretation of it:

Figure 1.1 – Dalle-2’s interpretation of “On the internet, nobody knows you’re a dog”

Figure 1.1 – Dalle-2’s interpretation of “On the internet, nobody knows you’re a dog”

The saying quickly became popular and has been used to describe the anonymous nature of life online. As more and more applications become available online, identifying users is essential for several reasons.

For privacy reasons, users that register at a site may not want or permit their information and activities to be seen by somebody else. Therefore, companies must verify the user when they return to the site and validate their identity.

Companies that sell services need to make sure that the user registering is legitimate and that they are authorized to use those credentials. As Microsoft’s investigation of the security breach by the group LAPSUS$ shows (https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/), cybercriminals usually buy credit card numbers and other information on criminal underground forums and will also use the Redline password stealer, Loki, and other password stealers that are bought on the dark web or available for a subscription fee. They will use that information to open new accounts and spend money they don’t intend to pay for. Companies in the financial services industry may also have other regulations they need to follow to prevent money laundering, for example.

Especially after the COVID-19 pandemic started, companies began to hire employees without ever seeing them. Onboarding employees has completely changed. It is not always possible to verify an employee’s identity by looking at their physical documents (birth certificate, social security number, driver’s license, and so on) before or when they start working. Even though identity verification is not something that affects the authentication of that user, it affects what we are fundamentally discussing in this book. If you give valid credentials to a bad actor, all the security in the world will not prevent that user from doing what those credentials allow them to do.

The process of registration is a crucial step in creating and managing a digital identity. It involves collecting and verifying information about a subject (a person or an entity) and linking it to a unique identifier in the digital realm. This identifier can be a username, email address, or any other unique attribute that distinguishes the subject from others. The relationship between a subject and their digital identity is established during the registration process, and it sets the foundation for future authentication and authorization.

The first step in the registration process is to collect relevant information about the subject. Data collection may include personal details such as name, address, date of birth, contact information, and digital credentials such as a username and password. In some cases, biometric data or other unique attributes may also be collected.

After collecting the necessary information, the next step is to verify the authenticity of the data provided by the subject. For example, data verification may involve checking the validity of an email address, confirming a phone number via SMS, or comparing the provided biometric data to a pre-existing database. This verification process ensures that the subject is who they claim to be and helps maintain the integrity of the digital identity system.

Once the data has been verified, an individual account is created for the subject. This account serves as the digital representation of the subject and is linked to their unique identifier (for example, username or email address). In addition, the account may include additional information, such as preferences, interests, and other data to help personalize the subject’s digital experience:

Figure 1.2 – Application registration

Figure 1.2 – Application registration

With the account created and linked to the subject’s unique identifier, the subject can now use their digital identity to authenticate themselves when accessing online services.

The most common way of proving your identity online is by using a username and password:

Figure 1.3 – Application authentication

Figure 1.3 – Application authentication

As documents or other forms of identification are used to determine if a person is who they say they are, authenticators are used to assess the validity of claims from a subject engaged in a transaction online, confirming the digital identity of the subject.

In the physical world, governments and companies define the rules used to identify the users of their services or access to their systems. For example, a person must present a driver’s license or another form of identification to travel to domestic destinations or withdraw money from their local bank. However, they need to show a passport to be able to travel internationally. In addition, government-issued identification may not be enough when going to a company’s office, and badges may be required instead.

A digital identity is different. Even though it must be unique to the digital service it was created for, it does not uniquely identify the subject across all digital services.

Identity proofing, sometimes also referred to as identity verification, is required to validate that a subject is who they say they are. In a process similar to the one described earlier for the physical world, a person will present a driver’s license or password, or other documents accepted by the identity-proofing service, and the identity-proofing service will provide identity assurance (the degree of certainty that the identity can be trusted to belong to the person).

Similarly, companies define their own rules to register for online (or virtual) identities and use them. In some cases, a username or email address is all that is required to create a new account. Others will need more information and, depending on the objective of the identity, validate the data used to create the new identity.

For internal users, the process is usually more complex. Legal or regulatory requirements may specify the information required for each user. The employer verifies that the worker is authorized to work in the country by validating some documents, for example.

Another difference may be self-service, where users can create their own accounts.

When self-service is not used, there are two ways of creating new identities. First, when companies are in their early stages, and the number of employees is small, they use manual processes to create accounts for their employees. Later, as the number of employees grows and the number of applications that those users have access to grows, an identity management platform or product usually performs automated identity creation and management.

Controlling access to systems, applications, and software and who is authorized to do what is called access management.

Workforce identity

Before they can offer services and applications to external customers, companies must start their identity work with everyone in the organization – employees, their contingent workforce, and business partners. Workforce identity software is used to manage identities for employees and the contingent workforce. Businesses may also use workforce identity to manage temporary or permanent identities for the contingent workforce and partners. Identity federation is the trust relationship between the company and an external (workforce) identity system to authenticate users. Identity systems usually work together with access management in what is called identity and access management (IAM) software.

The following are the typical requirements for workforce identity products:

  • Secure and frictionless experience: Users need to be productive with their daily operations. The company must be able to use the product according to their required balance of secure and convenient access for workforce users.
  • Granular, centralized administration: A workforce identity solution must provide sufficient capabilities to control the life cycle of the company’s identities with a centralized administration giving full control to the identity infrastructure.

Customer identity

Businesses use customer identity and access management (CIAM) software to manage customer identities and offer a secure, seamless login experience for the company’s applications. When building an internet-facing application, there are common features and standard requirements that companies usually ask for:

  • Self-service: The first thing is self-service, account management, and many related features – starting with allowing users to sign up and sign in, managing their profile, changing their profile, changing their password, making account recovery, performing MFA, changing their authentication factors, and onboarding new devices. All of these things come under self-service account management. It would be best if you had a solution that allows you to do this for your customers and let your customers – the end users of your application – manage these profiles for themselves.
  • Scalability: The second point is that it scales to tens of millions of users and has a large global coverage. This is different from workforce identity since usually, you have thousands or maybe tens of thousands of users. In the consumer space, you have tens of millions. On Azure, AWS, or Google Cloud, some companies have hundreds of millions of customers, and that number is always increasing. A system must allow millions of identities to be created for a large enterprise with a global presence in different countries and locations. The system must also be able to distribute these users or position them in a country closer to them; they may do this for data residency reasons. For example, users in Europe must have their data only in Europe.
  • Ease of use: We usually want to attract as many users as possible in consumer identity. Ease of use is essential when onboarding customers in an online application. If the process is not user-friendly, it may discourage potential customers from completing the onboarding process and prevent them from using the application. The end users’ onboarding and authentication journey must be as easy as possible while providing various options.

Using social media accounts for onboarding can be convenient and efficient for users to create accounts and access online applications. In addition, this approach allows users to authenticate their identity and provide personal information while using their existing social media profiles rather than having to create a new account from scratch.

Again, this is different from workforce identity. The workforce is usually a captive audience that has to be created by an administrator and typically follows an HR process. Using the same process with external users will cause them to abandon the process. They will do business elsewhere. The journey to onboard end users has to be as seamless as possible.

One requirement that applies to customer or workforce IAM products is single sign-on (SSO). When access management (AM) products allow users to log in once for multiple applications, that is called SSO.

When there is a trusted relationship between separate organizations and companies that allow users to authenticate across domains, that is called federated SSO.

Different protocols are used for SSO. Some of them will be used in the practical implementation examples in this book, starting from Chapter 3:

  • SAML 2.0: Security Assertion Markup Language (SAML) is an open standard created in 2005 to provide cross-domain SSO. In SAML, you have an identity provider (IdP), which is responsible for authenticating users and managing identities, a relying party (RP), which is a service requesting and receiving data from the IdP, and a user agent (UA), which is the user requesting the services. SAML is used by several SSO products (including Azure AD, as shown in Chapter 3) to authenticate users to online Software-as-a-Service (SaaS) applications such as Salesforce, Slack, and others.
  • OAuth 2.0: OAuth allows users to share specific data with an application while keeping their credentials private. For example, a printing service can use OAuth to obtain permission from users to access their photos for printing. We are going to use OAuth for some examples in this book. The OAuth Playground website provides a detailed description of the steps involved in using OAuth, along with an example application that is free to use. OAuth Playground can be viewed at https://www.oauth.com/playground/client-registration.html:
Figure 1.4 – OAuth Playground client registration

Figure 1.4 – OAuth Playground client registration

After registering a new client on OAuth Playground, you can use the generated credentials to test the OAuth protocol:

Figure 1.5 – OAuth Playground test credentials

Figure 1.5 – OAuth Playground test credentials

To test these credentials, go to https://www.oauth.com/playground/authorization-code.html and enter the user account credentials that were generated in the previous step.

Now that the basic terminology is out of the way, let’s dive into the main topic of this book: MFA.

Additional authentication and security controls

MFA is a method of verifying a user’s identity by requiring them to present more than one piece of information. By combining multiple layers of security, MFA decreases the chances of compromised online access to an account.

What are authentication factors?

Authentication factors are different ways of proving identity. There are three different categories of authentication factors:

  • Something you know (knowledge): Passwords, PINs, answers to pre-selected security questions
  • Something you are (being or inheritance): Face recognition, fingerprint scan, voice recognition
  • Something you have (possession): SMS codes, one-time passwords, smart cards, ATM cards, mobile phones, key fobs:
Figure 1.6 – Authentication factors

Figure 1.6 – Authentication factors

As can be seen in Figure 1.7, the three different authentication factors can be used individually, or combined, as part of the same authentication process. The process of combining two different factor types in the same authentication process is called 2FA or MFA. The process of combining three or more different categories of authentication factors used in the same authentication process is called MFA.

To be considered 2FA or MFA, the authentication factors should be from different categories.

Most websites use a username and password combination to verify users’ identities. Some will attempt to increase security and require an answer to a security question as well. This is not MFA. Even though the user provided two factors to authenticate (password and answer to security questions), the second factor is also from the knowledge category. This is considered a two-step authentication process but a single factor.

Going back to our ATM example, MFA enhances security because it requires the hacker to obtain the two factors of authentication before being able to access your money. If your wallet is stolen or you lose your ATM card, the person that has your card cannot use it without knowing the pin as well. Similarly, if someone shoulder surfs (steals your PIN by spying over your shoulder as you use an ATM) and can use your PIN, they still don’t have the ATM card needed to complete the transaction.

Most free email providers, such as Gmail, Outlook, iCloud, and Yahoo!, provide some form of 2FA:

Figure 1.7 – Gmail 2-Step Verification confirmation

Figure 1.7 – Gmail 2-Step Verification confirmation

As we discuss MFA throughout this book, it is important to consider the needs of the organization and the types of users that are going to be using the systems. An authentication system needs to balance its security needs with the usability and risks of the application being accessed.

In certain industries and the government, special standards and regulations may also require (or prohibit) the use of different types of MFA systems.

https://2fa.directory/us/ provides a list of websites for different industries and whether or not they support 2FA and is a good place to look to see what your competition is doing in this area.

Criminals can obtain user credentials in different ways. For example, they can buy user credentials on the dark web, try brute-force attacks, or use social engineering methods.

Another problem with passwords is that users reuse passwords across many different sites; they may share passwords with their colleagues. They may also write the passwords on post-it notes and attach them to their monitor at work or home.

All these issues make using passwords as the single method to identify users a significant security risk for companies.

If passwords are not enough, what else can organizations do? MFA, or at least 2FA, is the most common solution. Google, in their latest Hacking Google series, states “Add 2FA to your account, and we do the rest regarding security.” Microsoft says that 99.9% of identity attacks can be blocked by MFA (https://www.microsoft.com/en-us/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/).

On the other hand, MFA overuse may cause customers to choose to move to a friendlier site and do business with a different company or abandon a shopping cart or transaction completely. Therefore, the balance between usability and security has to be considered according to the risk involved with the transaction.

In some cases, the use of MFA is based on other signals that help the system decide when to ask for a second form of authentication – for example, detection that the user’s IP address has traveled impossible distances, thus limiting the number of login attempts and increasing the time after each failure, and bot detection, among others.

Other tools may create a profile of the browser or mobile phone used by the users and ask for additional authentication if the phone changes or screen dimensions change, among other characteristics.

Behavioral biometrics can also be used to create a profile of the user and perform continuous authentication of the user based on their behaviors, not only when they log in:

Figure 1.8 – Top five cyber attacks in 2022

Figure 1.8 – Top five cyber attacks in 2022

According to a report by HYPR (https://get.hypr.com/state-of-authentication-in-the-finance-industry-2022), cyberattacks persistently targeted financial service institutions in 2022, as evidenced by the fact that 94% of those surveyed experienced some form of attacks within the last year. As shown in the preceding figure, the most common type of attack continues to be phishing, accounting for 36% of incidents. Other frequently occurring attacks included malware, credential stuffing, MFA fatigue attacks, and Man-in-the-Middle (MitM) attacks.

Phishing

Employees frequently fall for emails that promise bonuses, an urgent request from their CEO, or a request from the Information Technology (IT) department. Those emails ask users to click on a website or verify their credentials. Unfortunately, the whole company may be compromised when the employee clicks on the link or enters their credentials where they shouldn’t.

Here are some other related attacks:

  • When a hack is done via a phone call, this is known as vishing
  • Similar to emails, SMS texts are sent to users in what is known as smishing
  • When code to redirect the original browser request to a malicious website – without the knowledge or consent of the user – is installed on a server or personal computer, the attack is called pharming

Credential stuffing

Credential stuffing attacks occur when many username/password combinations are tried against a website. Bots usually perform this type of attack.

Malware

Malware, or malicious software, is a term that describes a malicious program or piece of code that is harmful to the user’s computer.

Malware is normally used in conjunction with phishing to obtain the credentials from a user.

Account Take Over (ATO)

The reuse of credentials causes another typical attack. Most users commonly use the same email or username on many different apps. At the same time, passwords are also reused. If one account is compromised, bad actors can use the same credentials and try to log in to many other sites. Account Take Over (ATO) is usually the outcome of a successful credential stuffing attack.

MFA fatigue – push notification attack

A common way to prevent a credential stuffing attack is by using a second authentication step in addition to a username and password. For example, systems may require users to accept an app push notification or receive a phone call and press a key as a second factor. When an attack issues multiple MFA requests to the end user until the user accepts the authentication, this is called MFA fatigue. It is also known as a push notification attack.

Man-in-the-Middle attack

An MitM attack is a type of session hijacking attack. The attacker eavesdrops and interrupts an existing conversation by inserting themselves into the middle of the transfer.

The attacker pretends to be the other legitimate participant for both the user and the original web application, enabling them to intercept information and data from either side of the conversation. An MitM attack can be used for account takeover purposes or just for the duration of the session:

Figure 1.9 – MitM attack

Figure 1.9 – MitM attack

In Chapter 2, we will discuss different types of authentication factors and what types can be used to prevent different types of attacks.

In addition to knowledge-based authentication factors, other commonly used authentication factors will be described next.

One-time password

A one-time password (OTP) is a mechanism for logging into an application or service using a unique password that can only be used once. OTP can be generated by security tokens or applications such as Google Authenticator or Microsoft Authenticator. SMS-based OTP is not recommended because of its vulnerabilities.

FIDO Alliance

The Fast Identity Online (FIDO) Alliance is an open industry association with a single goal: to create authentication standards to help reduce the world’s reliance on passwords.

FIDO Universal 2nd Factor standard

Yubico and Google developed the FIDO Universal 2nd Factor (FIDO U2F) standard. After FIDO U2F was successfully tested with Google employees, the standard was contributed to the FIDO Alliance.

The WebAuthn specification

WebAuthn is a World Wide Web Consortium (W3C) specification that allows the creation and use of strong, public key-based credentials for authenticating users. It is designed to be a secure and convenient alternative to traditional username and password authentication methods and can be used to authenticate users on websites and other online platforms.

WebAuthn works with the FIDO Client To Authenticator Protocol version 2 (CTAP2) to securely create and retrieve credentials on a security key. The two standards work together. Developers only use the WebAuthn specification; they don’t have to worry about CTAP2. WebAuthn uses public key infrastructure (PKI) to create and manage the public keys that are used for authentication.

One of the main benefits of WebAuthn is that it allows users to authenticate using a variety of different devices, such as security keys, biometric sensors (such as fingerprint scanners or facial recognition cameras), and other types of hardware tokens. This makes it easier for users to authenticate securely and reduces the risk of password-based attacks such as phishing and brute-force attacks.

WebAuthn is supported by most modern web browsers and is becoming increasingly popular as a secure and convenient way to authenticate users on the web.

FIDO2

The FIDO2 specification includes World Wide Web Consortium’s WebAuthn specification and FIDO Alliance’s corresponding CTAP. The specifications are open and free for general use.

Passkeys

Passkeys are replacements for passwords based on FIDO Alliance and W3C standards. Passwords are replaced with strong credentials (cryptographic key pairs). In addition, passkeys are linked with the website or application they were created for, thus being safe from phishing. Passkeys are not a new thing, just a new name for WebAuthn/FIDO2 credentials, enabling a fully passwordless experience for the user. Even though passkeys are on a user’s devices (something they have) and the relying party (the service provider that processes access to the applications) can ask for user verification, which is done by a biometric or PIN (something the user is or knows), some regulatory bodies still do not recognize passkeys as MFA.

This completes our introduction to MFA, authenticator factors, and the types of attacks companies face.

Summary

In this chapter, you learned why (digital) identity and authentication are fundamental parts of security. We also covered the basic concepts and terminology that will be used throughout this book. Finally, we introduced MFA.

In the next chapter, we are going to discuss the different types of authentication factors, how cybercriminals attempt to bypass them, and when to use or not to use different types of authentication factors.

Left arrow icon Right arrow icon

Key benefits

  • Gain proficiency in using solutions like Okta, Ping Identity, and ForgeRock within the IAM domain
  • Thwart authentication breaches using pragmatic strategies and lessons derived from real-world scenarios
  • Choose the right MFA solutions to enhance your organization's security

Description

MFA has emerged as an essential defense strategy in the wide-ranging landscape of cybersecurity. This book is a comprehensive manual that assists you in picking, implementing, and resolving issues with various authentication products that support MFA. It will guide you to bolster application security without sacrificing the user experience. You'll start with the fundamentals of authentication and the significance of MFA to familiarize yourself with how MFA works and the various types of solutions currently available. As you progress through the chapters, you'll learn how to choose the proper MFA setup to provide the right combination of security and user experience. The book then takes you through methods hackers use to bypass MFA and measures to safeguard your applications. After familiarizing yourself with enabling and managing leading cloud and on-premise MFA solutions, you’ll see how MFA efficiently curbs cyber threats, aided by insights from industry best practices and lessons from real-world experiences. Finally, you’ll explore the significance of innovative advancements in this domain, including behavioral biometrics and passkeys. By the end of the book, you'll have the knowledge to secure your workforce and customers, empowering your organization to combat authentication fraud.

Who is this book for?

This book is for developers, system administrators, security professionals, white-hat hackers, CISOs, and anyone interested in understanding and enhancing their access management infrastructure. While basic knowledge of authentication and IAM is helpful, it is not a prerequisite.

What you will learn

  • Evaluate the advantages and limitations of MFA methods in use today
  • Choose the best MFA product or solution for your security needs
  • Deploy and configure the chosen solution for maximum effectiveness
  • Identify and mitigate problems associated with different MFA solutions
  • Reduce UX friction with ForgeRock and behavioral biometrics
  • Stay informed about technologies and future trends in the field

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Jun 28, 2023
Length: 550 pages
Edition : 1st
Language : English
ISBN-13 : 9781803246963
Category :
Concepts :
Tools :

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing

Product Details

Publication date : Jun 28, 2023
Length: 550 pages
Edition : 1st
Language : English
ISBN-13 : 9781803246963
Category :
Concepts :
Tools :

Packt Subscriptions

See our plans and pricing
Modal Close icon
$19.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
$199.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts
$279.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total $ 119.96 129.97 10.01 saved
Implementing Multifactor Authentication
$34.99
Information Security Handbook
$44.99
Practical Cybersecurity Architecture
$39.98 $49.99
Total $ 119.96 129.97 10.01 saved Stars icon
Banner background image

Table of Contents

16 Chapters
Part 1: Introduction Chevron down icon Chevron up icon
Chapter 1: On the Internet, Nobody Knows You’re a Dog Chevron down icon Chevron up icon
Chapter 2: When to Use Different Types of MFA Chevron down icon Chevron up icon
Part 2: Implementing Multifactor Authentication Chevron down icon Chevron up icon
Chapter 3: Preventing 99.9% of Attacks – MFA with Azure AD and Duo Chevron down icon Chevron up icon
Chapter 4: Implementing Workforce and Customer Authentication Using Okta Chevron down icon Chevron up icon
Chapter 5: Access Management with ForgeRock and Behavioral Biometrics Chevron down icon Chevron up icon
Chapter 6: Federated SSO with PingFederate and 1Kosmos Chevron down icon Chevron up icon
Chapter 7: MFA and the Cloud – Using MFA with Amazon Web Services Chevron down icon Chevron up icon
Chapter 8: Google Cloud Platform and MFA Chevron down icon Chevron up icon
Chapter 9: MFA without Commercial Products – Doing it All Yourself with Keycloak Chevron down icon Chevron up icon
Part 3: Proven Implementation Strategies and Deploying Cutting-Edge Technologies Chevron down icon Chevron up icon
Chapter 10: Implementing MFA in the Real World Chevron down icon Chevron up icon
Chapter 11: The Future of (Multifactor) Authentication Chevron down icon Chevron up icon
Index Chevron down icon Chevron up icon
Other Books You May Enjoy Chevron down icon Chevron up icon

Customer reviews

Top Reviews
Rating distribution
Full star icon Full star icon Full star icon Full star icon Half star icon 4.8
(8 Ratings)
5 star 75%
4 star 25%
3 star 0%
2 star 0%
1 star 0%
Filter icon Filter
Top Reviews

Filter reviews by




esgar jimenez Jul 18, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book does a great job describing how to properly use and deploy Multifactor Authentication (MFA). MFA is a good tool to help prevent unauthorized access to user accounts. Since cyber crime has been on the rise it has increased the need to protect users from having their credentials stolen. This has resulted in the rise in popular use of MFA. MFA helps to secure user access by forcing a second form of authentication. It could be a simple code sent to the user's phone or email. It could be a code from an app like Authenticator or Authy. This extra layer of protection helps prevent unauthorized access to an account and helps with alerting the user of a possible credential breach. overall this is a great read and a very helpful guide.
Amazon Verified review Amazon
GUNDERSTONE Jul 07, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
In today's digital age, security is of utmost importance. Cyber threats constantly evolve, and breaches can have devastating consequences for businesses and individuals. These threats are why Multifactor Authentication (MFA) is becoming increasingly popular as an effective strategy to secure accounts and applications. MFA goes beyond the traditional username and password combination, adding an extra layer of security that makes it much harder for attackers to access sensitive information. However, mastering MFA can be daunting, especially for those new to the cybersecurity world. Because of these challenges, hands-on guides like "Implementing Multifactor Authentication" can be helpful."Implementing Multifactor Authentication" takes you through a fictitious company and its experiences as they adopt various MFA products and mechanisms. This is a practical and engaging way to learn about MFA while still mastering it in no time. The book aims to help you fortify your digital fortress by reducing the risk of cyber threats.This book offers step-by-step explanations, practical examples, and hands-on implementations of MFA concepts and technologies. It covers a range of Identity and Access Management (IAM) products and includes crystal-clear explanations that will make you an expert in no time. The book teaches you how to enable secure Single Sign-On (SSO) for enterprise and customer-facing applications."Implementing Multifactor Authentication" is designed to help you select the ideal products for your users, partners, and customers. You will be given instructions on obtaining free trial versions of the products used in the examples and how to build SaaS applications that use the security provided by the solutions demonstrated in each chapter. This will enable you to make empowered decisions to fortify your digital fortress, enhance your applications' security and reduce the risk of cyber threats.The book also explores Multiple Factor Authentication (MFA) mechanisms such as biometrics, smart cards, tokens, and mobile devices. MFA mechanisms are essential for enterprises as they add another layer of security. Acme Software's journey will show you how to effectively balance security, cost and user experience. The book also looks at IAM products such as Okta, Microsoft Azure, AWS IAM, LastPass, and OneLogin.-----------------ABOUT THE AUTHOR - Having shifted gears from software engineering to cybersecurity, Marco Fanti's professional journey is as impressive as inspiring. His innate knack for designing state-of-the-art security tools transformed his career, positioning him as a distinguished figure in the security sphere. Marco's collaborative efforts span from assisting startups, to joining forces with industry leaders like Oracle and Accenture, ultimately leading to the creation of solutions that ensure the safety of millions globally. As a perpetual learner, Marco's credentials include two MSc degrees from NYIT and NYU, and an MBA from UF, providing him the aptitude to deliver tailored solutions for his clients, blending the optimum aspects of various products. A Brazil native, Marco now resides in Florida with his wife, consistently pushing the boundaries in cybersecurity.-----------Audience Overview of This BookThis book is crafted to serve a broad spectrum of readers:IT Administrators, System Operators, and Security Specialists: The book targets system administrators, network administrators, security engineers, and other IT personnel tasked with the establishment and maintenance of secure authentication systems. It offers a comprehensive exploration of Multifactor Authentication (MFA).Cybersecurity Specialists: This book is an excellent resource for security consultants, researchers, analysts, and other professionals engaged in the cybersecurity sector seeking to augment their understanding of MFA. It aids in staying updated with the most effective strategies for safeguarding critical data and systems.Software Professionals: Software developers and engineers tasked with developing applications with stringent authentication requirements will find this book invaluable. It provides in-depth knowledge on MFA, shares best practices, and illustrates effective techniques to incorporate it into their applications seamlessly.Business Leaders: For executives, managers, and business proprietors who are accountable for their organization's data and infrastructure security, this book serves as a reliable guide to MFA. It aids in gaining a solid understanding of the concept, thereby facilitating judicious decisions regarding its implementation.In addition, the book contains sections that highlight examples of Software as a Service (SaaS) applications crafted utilizing Software Development Kits (SDKs) for an array of authentication products. Although the book thoroughly explains the process of constructing and launching these applications, readers with a basic grounding in programming will find it easier to grasp the material and apply this knowledge to their endeavors.-------------In conclusion, "Implementing Multifactor Authentication" is a comprehensive guide that delves deep into the world of MFA, providing you with all the information you need to make informed decisions and elevate your security game. By immersing yourself in the practical, engaging learning experience of the fictitious Acme Software, you will master MFA in no time. You will be equipped with the knowledge to select the ideal IAM products for your requirements and implement secure SSO for your applications.
Amazon Verified review Amazon
Shrinivas Shenoy Aug 24, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
A worthy purchase for those seeking an in-depth understanding of multifactor authentication implementation across various platforms. Concepts are well explained keeping all levels of audience in mind. A must-have for people trying to break into the IT Infrastructure and Cybersecurity domain.Thank you.
Amazon Verified review Amazon
Rio Jul 03, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book is great if you would like to learn "Everything MFA"! Takes you through the basics to the extensive deployment of 3rd party integration. Would highly recommend you create a sandbox tenant and follow along with the implementations steps. This book is also great if you're studying for the AZ-500.
Amazon Verified review Amazon
Brandon Lachterman Jul 05, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This is a must have for security engineers, and software appsec and devops alike. I was delighted to see how in depth the author went into many different methods of implementation without making it overly dense and difficult to understand. Nice work!
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is included in a Packt subscription? Chevron down icon Chevron up icon

A subscription provides you with full access to view all Packt and licnesed content online, this includes exclusive access to Early Access titles. Depending on the tier chosen you can also earn credits and discounts to use for owning content

How can I cancel my subscription? Chevron down icon Chevron up icon

To cancel your subscription with us simply go to the account page - found in the top right of the page or at https://subscription.packtpub.com/my-account/subscription - From here you will see the ‘cancel subscription’ button in the grey box with your subscription information in.

What are credits? Chevron down icon Chevron up icon

Credits can be earned from reading 40 section of any title within the payment cycle - a month starting from the day of subscription payment. You also earn a Credit every month if you subscribe to our annual or 18 month plans. Credits can be used to buy books DRM free, the same way that you would pay for a book. Your credits can be found in the subscription homepage - subscription.packtpub.com - clicking on ‘the my’ library dropdown and selecting ‘credits’.

What happens if an Early Access Course is cancelled? Chevron down icon Chevron up icon

Projects are rarely cancelled, but sometimes it's unavoidable. If an Early Access course is cancelled or excessively delayed, you can exchange your purchase for another course. For further details, please contact us here.

Where can I send feedback about an Early Access title? Chevron down icon Chevron up icon

If you have any feedback about the product you're reading, or Early Access in general, then please fill out a contact form here and we'll make sure the feedback gets to the right team. 

Can I download the code files for Early Access titles? Chevron down icon Chevron up icon

We try to ensure that all books in Early Access have code available to use, download, and fork on GitHub. This helps us be more agile in the development of the book, and helps keep the often changing code base of new versions and new technologies as up to date as possible. Unfortunately, however, there will be rare cases when it is not possible for us to have downloadable code samples available until publication.

When we publish the book, the code files will also be available to download from the Packt website.

How accurate is the publication date? Chevron down icon Chevron up icon

The publication date is as accurate as we can be at any point in the project. Unfortunately, delays can happen. Often those delays are out of our control, such as changes to the technology code base or delays in the tech release. We do our best to give you an accurate estimate of the publication date at any given time, and as more chapters are delivered, the more accurate the delivery date will become.

How will I know when new chapters are ready? Chevron down icon Chevron up icon

We'll let you know every time there has been an update to a course that you've bought in Early Access. You'll get an email to let you know there has been a new chapter, or a change to a previous chapter. The new chapters are automatically added to your account, so you can also check back there any time you're ready and download or read them online.

I am a Packt subscriber, do I get Early Access? Chevron down icon Chevron up icon

Yes, all Early Access content is fully available through your subscription. You will need to have a paid for or active trial subscription in order to access all titles.

How is Early Access delivered? Chevron down icon Chevron up icon

Early Access is currently only available as a PDF or through our online reader. As we make changes or add new chapters, the files in your Packt account will be updated so you can download them again or view them online immediately.

How do I buy Early Access content? Chevron down icon Chevron up icon

Early Access is a way of us getting our content to you quicker, but the method of buying the Early Access course is still the same. Just find the course you want to buy, go through the check-out steps, and you’ll get a confirmation email from us with information and a link to the relevant Early Access courses.

What is Early Access? Chevron down icon Chevron up icon

Keeping up to date with the latest technology is difficult; new versions, new frameworks, new techniques. This feature gives you a head-start to our content, as it's being created. With Early Access you'll receive each chapter as it's written, and get regular updates throughout the product's development, as well as the final course as soon as it's ready.We created Early Access as a means of giving you the information you need, as soon as it's available. As we go through the process of developing a course, 99% of it can be ready but we can't publish until that last 1% falls in to place. Early Access helps to unlock the potential of our content early, to help you start your learning when you need it most. You not only get access to every chapter as it's delivered, edited, and updated, but you'll also get the finalized, DRM-free product to download in any format you want when it's published. As a member of Packt, you'll also be eligible for our exclusive offers, including a free course every day, and discounts on new and popular titles.