Multi Factor Authentication (MFA), sometimes called two-step verification or two-factor authentication (2FA), is an authentication process in which a user has to provide multiple factors in order to gain access to resources. MFA validates user identity with a password and an additional layer of authentication, such as a security token or a biometric factor. miniOrange provides 15+ authentication methods to fit every need. OTP over SMS and Email, Mobile Authentication and Phone Verification are some of our popular authentication methods.
Why Multi Factor Authentication (MFA)?
Passwords are everywhere: we use them to access our money, our communication, and even our social lives. At first, we used one password for everything, but that wasn’t good enough, so we started making our passwords more complicated with a combination of numbers, uppercase and lowercase letters, and even special characters.
Most people use password managers to organize dozens or hundreds of unique passwords. But no matter how complex your password or your password management system is, it is never enough to prevent account takeover, because all it takes is one simple phishing email or database breach and your password is out in the world. So, if passwords are impossible to protect, how do you protect your account?
That’s where multi-factor authentication comes in. Multi Factor Authentication or MFA adds another method of identity verification in order to secure your accounts.
- Something you know – Your username and password.
- Something unique that you have – Your phone or fingerprint.
By combining your username and password with the second method, your access becomes more secure, and an attacker cannot get through even if they have your password.
How Does Multi Factor Authentication (MFA) Work?
The most common MFA systems use a unique One Time Passcode, commonly known as an OTP, for every login attempt that you make. This OTP is tied to your account and is either generated by an authenticator app on a smartphone or sent to you by SMS or email.
miniOrange also provides a more modern and secure form of MFA, which is “Push notification” on your smartphone. A push notification is sent to your registered smartphone, and in order to gain access to your account you have to approve that notification.
The authentication process using Multi Factor Authentication (MFA) takes place in the following steps:
- The user navigates to the application login page, for instance www.example.com/login.
- The user enters a username and password. This is called the first factor of authentication. When the user submits the login credentials, the system checks whether the user exists in the database.
- If the login credentials match the user, the second factor of authentication is shown to the user, e.g. a pop-up asking for the OTP sent over SMS/Email.
- When the user provides the second factor, such as an OTP or a Push notification approval, it is checked against the database to confirm that the second factor is correct.
- After successfully completing the second factor, the user is granted access to the system.
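The steps above, sketched server-side in Python for the authenticator-app case. This is an added example, not miniOrange code: the `USERS` and `PENDING` stores, the function names and the sample account are assumptions, and the OTP is a standard RFC 6238 time-based code. It shows that the second step is only reachable with a token issued after the password check, that an accepted code cannot be replayed, and that failed attempts are limited.

```python
import hashlib, hmac, secrets, struct, time

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account; the OTP key is the RFC 6238 test key, not a real secret.
USERS = {"alice": {"salt": b"demo-salt", "pw": _pw_hash("correct horse", b"demo-salt"),
                   "otp_key": b"12345678901234567890", "last_step": -1}}
PENDING = {}  # pending-login token -> state, created only after the first factor succeeds

def totp(key: bytes, step: int, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1) for one 30-second time step."""
    mac = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def start_login(username: str, password: str):
    """First factor: return a pending-login token, or None if the check fails."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(_pw_hash(password, user["salt"]), user["pw"]):
        return None
    token = secrets.token_urlsafe(16)
    PENDING[token] = {"user": username, "tries": 0}
    return token

def finish_login(token: str, code: str, now=None, window: int = 1, max_tries: int = 3) -> bool:
    """Second factor: verify the OTP for the account bound to the pending token."""
    state = PENDING.get(token)
    if state is None:
        return False  # no completed first factor, or the token is used up
    user = USERS[state["user"]]
    current = int(time.time() if now is None else now) // 30
    ok = False
    for step in range(max(0, current - window), current + window + 1):
        expected = totp(user["otp_key"], step).encode()
        # Steps at or before the last accepted one are skipped, so a code cannot be replayed.
        if step > user["last_step"] and hmac.compare_digest(expected, code.encode()):
            user["last_step"], ok = step, True
            break
    state["tries"] += 1
    if ok or state["tries"] >= max_tries:
        del PENDING[token]  # one success or max_tries failures ends this attempt
    return ok
```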
Different Multi Factor Authentication (MFA) Methods
miniOrange supports a variety of methods for Multi Factor Authentication (MFA). We support the following authentication methods to ensure that you have secure access to your site.
- OTP Over SMS
- Out of Band SMS
- Google Authenticator
- Mobile Authentication
- Push Notification
- Soft Token
- OTP Over Email
- Out of Band Email
- Display Hardware Token
- YubiKey Hardware Token
- Security Questions
- Phone verification
- Voice verification
Multi Factor Authentication (MFA) Use Cases
There are multiple use cases where multi-factor authentication is used. miniOrange provides solutions for various use cases; some of them are Multi Factor Authentication (MFA) for VPN login, Multi Factor Authentication (MFA) for Stripe and Multi Factor Authentication (MFA) for Office 365 using YubiKey.
1. Multi Factor Authentication (MFA) for VPN login:
miniOrange provides Multi Factor Authentication (MFA) on top of VPN authentication. This secures access to protected resources instead of relying only on the VPN username and password. To accomplish this, miniOrange uses the RADIUS protocol.
RADIUS stands for Remote Authentication Dial-In User Service. It is a client/server protocol that provides client authentication and authorization.
The RADIUS server is responsible for authenticating the users, while RADIUS clients are the Network Access Servers (NAS), which authenticate users against the RADIUS server and grant or deny access based on the RADIUS server's responses.
The Multi Factor Authentication (MFA) for VPN login takes place as shown in the above figure. If you take a look at the steps below, you will get a clear understanding of how it happens.
- The user enters the login credentials to the VPN.
- The RADIUS client sends the login details to the miniOrange RADIUS server.
- User details are checked with the help of Active Directory.
- When the AD finds the user, it sends the response to the miniOrange RADIUS server. First-factor authentication is completed here.
- A challenge response is sent to the RADIUS client for second-factor authentication.
- The RADIUS client prompts the user with the MFA challenge (e.g. OTP over SMS/Email).
- When the user validates himself with MFA, the authentication response is sent to the miniOrange RADIUS server.
- After checking the response, the RADIUS server grants access to the user.
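The exchange above, simulated in Python with the packet codes and attribute names from RFC 2865. This is an added example, not miniOrange's RADIUS server: the `DIRECTORY` dictionary stands in for the Active Directory lookup, `SENT_SMS` for the SMS gateway, and all function names are assumptions. It shows why the server ties the OTP to the `State` value it issued with the Access-Challenge, so the second round cannot be reached without passing the first.

```python
import hmac, secrets

# Packet codes defined in RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11

DIRECTORY = {"bob": "vpn-password"}  # constructed stand-in for the Active Directory check
SENT_SMS = []                        # constructed stand-in for the SMS gateway
CHALLENGES = {}                      # State value -> (username, expected OTP)

def handle_access_request(attrs: dict) -> dict:
    """RADIUS server side: answer one Access-Request with Challenge, Accept or Reject."""
    user = attrs.get("User-Name")
    secret = attrs.get("User-Password", "")
    state = attrs.get("State")
    if state is None:
        # Round 1: first factor, checked against the directory.
        expected = DIRECTORY.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
            return {"code": ACCESS_REJECT}
        otp = f"{secrets.randbelow(10**6):06d}"
        state = secrets.token_hex(16)
        CHALLENGES[state] = (user, otp)
        SENT_SMS.append((user, otp))
        return {"code": ACCESS_CHALLENGE, "State": state,
                "Reply-Message": "Enter the code sent by SMS"}
    # Round 2: the client echoes State and carries the OTP in User-Password.
    pending = CHALLENGES.pop(state, None)  # single use, whatever the outcome
    if pending is None or pending[0] != user:
        return {"code": ACCESS_REJECT}
    if not hmac.compare_digest(pending[1].encode(), secret.encode()):
        return {"code": ACCESS_REJECT}
    return {"code": ACCESS_ACCEPT}

def vpn_login(user: str, password: str, read_otp) -> int:
    """RADIUS client (NAS) side: run both rounds and return the final packet code."""
    reply = handle_access_request({"User-Name": user, "User-Password": password})
    if reply["code"] != ACCESS_CHALLENGE:
        return reply["code"]
    otp = read_otp(reply["Reply-Message"])  # prompt shown to the VPN user
    second = {"User-Name": user, "User-Password": otp, "State": reply["State"]}
    return handle_access_request(second)["code"]
```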
2. YubiKey as a Multi Factor Authentication (MFA) for Microsoft Office 365:
Microsoft provides MFA only via their default application with limited MFA methods, and you cannot configure any additional MFA authentication method.
If you are looking to use YubiKey or any other hardware token as an authentication method while accessing Office 365, it is supported by miniOrange and can be integrated quickly.
miniOrange allows you to use YubiKey (or any other method from the 15+ available MFA methods) as the additional factor to log in to your Office 365.
3. Integrating MFA/OTP Verification for Payment Gateways:
According to the recent guidelines, new requirements for authenticating online payments are introduced in Europe as a part of the second Payment Services Directive (PSD2).
All online businesses will have to ensure they’re compliant with the Payment Services Directive 2 (PSD2) legislation. The EU directive mandates that any online transaction over €30 requires Strong Customer Authentication (SCA).
To meet new EU regulations, payment gateways/businesses will need to build an extra layer of authentication (MFA) into online card payments.
miniOrange has helped many businesses and payment gateways to integrate MFA in their applications. We provide access to our MFA APIs, with which MFA can be integrated into any application very quickly without much effort.
Payment gateways that operate in Europe like SecurionPay, Skrill, Stripe, PayU, Authorize.Net, Amazon Pay, PayPal will be enforcing Strong Customer Authentication (SCA) very soon.
Benefits of Multi Factor Authentication (MFA)
When Multi Factor Authentication (MFA) is enabled on your system, it prevents an attacker from accessing the resources even though they know your username and password. As you have an additional layer of authentication, the attacker has to pass that layer, which is not possible.
- Enhanced security: By requiring multiple factors of identification, Multi Factor Authentication (MFA) decreases the chances that an attacker can mimic a user and gain access to the system. The miniOrange Multi Factor Authentication (MFA) solution allows users to log in using a username and OTP, thus removing the need to enter a password.
- More productivity and flexibility: Organizations are accepting mobility as it helps in increasing productivity. With mobile MFA, employees can securely log in and access corporate applications and resources using virtually any device and from any location, without putting the company network at risk.
- Fraud Prevention: Multi Factor Authentication verifies you are who you say you are before letting you move forward. It prevents unauthorized access to your website by providing an additional layer of authentication.