While having a large pool of resources geared toward end user identity can be helpful, it can often lead to an identity crisis of its own.
End user identity started off manageable and easy back in the 90s: simply pick a username and password. However, over the years, what I consider to be an end user identity crisis has grown to a state of being unmanageable. Hundreds, if not thousands, of accounts on various websites all wanted stronger passwords. In response, we turned to password reuse, simple passwords, password databases, or whatever else we could think of to make life manageable. When a breach happens, and the credential used at 100 sites is compromised, it becomes password reset time for all your accounts. How exhausting!
The industry moved on, and everything became focused on multi-factor authentication (MFA). This way, when they steal your credentials (which they will do), it doesn’t matter because an MFA prompt will solve all your problems! Unfortunately, this can lead to MFA fatigue. I count at least 9 MFA applications hosting various one-time passcodes (OTP) on my phone. If I lose my phone, I can’t log in to anything anymore, so maybe the problem of end user identity isn’t solved.
The concept of centralized identity starts to trend in the right direction, but that leads to EVERYONE wanting to be your identity provider. Lots of sites like Microsoft, Facebook, and Google have adopted “bring your own credentials.” This removes the sites’ requirements to store credentials, which also means they can’t leak them in a breach. That’s a win! This change brings back sanity to end users! Fewer accounts and fewer MFA apps are a welcome sight!
While we’ve seen some end user identity success on a personal scale, on the corporate side, we are still playing a little catch-up! Depending on how MFA is adopted by your company and whether you use a centralized MFA service, your experience may vary! You could get prompted 50 times a day and think, “Man all this security isn’t convenient!”
Where are things moving now? How do I get a better and more secure end user experience? One thing I do is analyze every time I log into something. I find myself asking some of these questions: Why did I use a one-off account? Why didn’t I get prompted for MFA? Why did I get prompted for MFA? What did I eat for lunch? Identity providers of the world do a really good job of allowing you to integrate applications. Most SaaS-based applications have instructions for their applications to integrate into these various identity providers.
“Where are things moving now? How do I get a better and more secure end user experience? One thing I do is analyze every time I log into something. I find myself asking some of these questions: Why did I use a one-off account? Why didn’t I get prompted for MFA? Why did I get prompted for MFA?“
So, why is this important, and why should we care? When we have the means to centralize identity management with a solution like Microsoft’s Azure Active Directory (AAD), we can enable Single Sign-On (SSO) for so many applications in various ways. Anytime I evaluate software, I ask, “Does it support SSO via Security Assertion Markup Language (SAML) that works with AAD?” SAML is my favorite way to integrate applications, but there are others for sure.
By pursuing SSO in this manner, we can decrease the number of sign-ins required and even potentially decrease the number of MFA attempts. Say I have 20 enterprise applications all integrated into AAD via SAML. I normally would get prompted for authentication for the first one I accessed in a new browser, but it’s accessing applications 2-20 where I really notice it. Hey, I didn’t have to sign in again or provide MFA? Are things broken? The fact is, you already satisfied all the authentication requirements, so you can just be granted access to the applications! We can even publish these same applications to a centralized repository containing all of our enterprise applications using My Apps.
Centralized authentication allows us to review logs so we can look for patterns and things that aren’t natural like impossible travel. Take, for example, a successful login from the US and then five minutes later another successful login from Brazil. Suspicious right? We wouldn’t have visibility if we weren’t redirecting the authentication away from the SaaS provider to our own systems. We can also restrict access to AAD Enterprise applications with conditional access, which is just basically a rule set that you can configure in many ways. For example, you can only log in to certain enterprise applications from Trusted IP addresses that we define! Another could be we require extra authentication like doing MFA again just to be safe to access our HR software!
As you can see, there’s a lot to do on the backend to create and bring to life an identity plan that is convenient and secure for the end user. Feel free to reach out and have an identity conversation with us! We can certainly help enhance the corporate end user experience!
Written By:
Bryan Kerstiens
Senior Systems Consultant
Infrastructure Solutions Group
If you need any assistance with understanding the details within the advisory, understanding your current cybersecurity posture, your preparedness for a breach, or any other cybersecurity topic, we would love to have a discussion with you. Contact us today, and let’s chat about your environment and ways to lower your chances of becoming a victim of cybercrime.
