Iraje 2 Factor Authentication manual version 7.5

Introduction

This document is the user manual for 2 Factor Authentication (2FA). It explains the 2 Factor Authentication modes provided by Iraje PAM and how to use them.

Purpose

Train users on how to use the 2 Factor Authentication modes. These authentication modes are a second layer of security to protect an account or system: users must go through two layers of security before being granted access to an account or system.

Target Audience

Admins and end users of Iraje PAM.

The 2FA Conundrum

IT departments across all verticals are fighting a continuous battle to protect company networks from hackers and fraudsters. 2 Factor Authentication (2FA) is one of the effective ways to do this, and an increasingly important feature in the company’s security armour.

2FA delivers an extra layer of protection for user accounts that, while not impregnable, significantly decreases the risk of unauthorized access and system breaches.

In recent times, IT managers have renewed their focus on protecting networks against vulnerabilities, due to a stream of hacking attacks on organizations and governments.

Enhanced security

As we all know, users have a habit of choosing weak passwords. Analysis of hacked passwords shows that a large proportion of people use simple passwords such as ‘12345678’ and ‘passw0rd’, and requirements for alphanumeric passwords scarcely improve the situation. Used in combination with a password, 2FA greatly enhances security.

This variety of categories allows for a wide range of authentication techniques and technologies to be used, most of which are far superior to a password. These include sending a PIN code to a mobile phone or separate device, adding a biometric key such as a fingerprint, using a code-generating application on a smartphone or computer, or sending the PIN to another secure email account.

Protect against fraud

Identity theft is rising at an alarming rate. Introducing non-password-dependent 2FA greatly enhances security and reduces the risk of identity theft.

Role Based Access Control - RBAC

Through RBAC, we can control what users can do at both broad and granular levels. We can designate whether the user is an administrator or a special user, and align roles and access permissions with the person’s role in the organization. Permissions are allocated with only the limited access employees need to do their jobs. When a user is added to a role group, the user has access to all the roles in that group. If they are removed, access is restricted. Users may also be assigned to multiple groups when they need temporary access to certain data or programs; that access is then removed once the project is complete.
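The role-group behaviour described above, as an added example (this is not Iraje PAM code or its data model). The group names, role names and the automatic expiry on temporary memberships are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: role groups and the roles each one bundles.
ROLE_GROUPS = {
    "db-admins": {"db.connect", "db.rotate-password"},
    "project-x": {"fileshare.read", "build.deploy"},
}

class Memberships:
    def __init__(self):
        self._expiry = {}  # (user, group) -> expiry datetime, or None if permanent

    def add(self, user, group, expires=None):
        if group not in ROLE_GROUPS:
            raise KeyError(f"unknown role group: {group}")
        self._expiry[(user, group)] = expires

    def remove(self, user, group):
        self._expiry.pop((user, group), None)

    def roles(self, user, now):
        """Union of roles from every group membership still valid at `now`."""
        granted = set()
        for (member, group), expires in self._expiry.items():
            if member == user and (expires is None or now < expires):
                granted |= ROLE_GROUPS[group]
        return granted

    def is_allowed(self, user, role, now):
        return role in self.roles(user, now)  # default deny: no membership, no access

    def stale(self, now):
        """Expired memberships that should be removed and reviewed in an audit."""
        return sorted(k for k, exp in self._expiry.items() if exp is not None and now >= exp)

if __name__ == "__main__":
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed date
    m = Memberships()
    m.add("alice", "db-admins")
    m.add("alice", "project-x", expires=start + timedelta(days=7))  # temporary access
    print(sorted(m.roles("alice", start)))
    print(m.stale(start + timedelta(days=8)))
```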

Benefits of RBAC

Managing and auditing access is essential to information security. Access can and should be granted on a need-to-know basis. With a few hundred admins, security is more easily maintained by limiting unnecessary access to sensitive information based on each user’s established role within the organization.

Workflow for 2FA

The Multi Factor Authentication module is the most comprehensive module offering multiple options for configuring the Two Factor authentication out of the box in Iraje PAM.

The following options are available:

  • Email TOTP [Time Based One Time Password]
  • SMS OTP
  • App Based OTP
  • Workstation Biometric
  • Centralized Biometric
  • PKI Token
  • Hard / Soft Tokens

User Experience after 2 Factor Authentication Option is Enabled

When accessing the PAM through the dashboard, the user authenticates with a first factor, typically a user ID and password. To validate the user further, multi-factor authentication or two-factor authentication (2FA) has been provided.

Multi Factor Auth

Iraje supports multiple 2 Factor Authentication methods to log in to the PAM dashboard.

Biometrics

The user needs to register a fingerprint the first time the biometric option is used as a 2 factor authentication method. The fingerprint is stored in the PAM active directory. We have configured two devices, Morpho and SecuGen, which are used for biometrics.

When the user logs in to the PAM dashboard and scans his fingerprint, the product verifies the fingerprint against the one stored in the PAM active directory. If it matches, the user is able to access the PAM dashboard.

Mobile (Soft Token/OTP)

The user will receive an OTP via email, SMS or both when the credentials entered by the user are valid. The user then needs to enter the PIN/OTP in the popup window. The OTP is sent to the mobile number or the email ID registered for that particular user in Iraje PAM.

Google Authenticator

The user needs to scan the QR code for Google Authenticator registration, which can be done in applications such as Google Authenticator or Authy. You can scan the QR code or enter it manually.

Applications which generate tokens for Google Authentication

Google Authenticator

The user needs to install Google Authenticator on his mobile phone. For registering account on Google Authenticator

Authy

The Authy app generates secure 2 step verification tokens on your device. It provides secure cloud encrypted backups so you will never lose access to your tokens again.

Multi Device Synchronization:

With Authy, users can simply add devices to their accounts and all of their 2FA tokens will automatically synchronize.

Offline:

Authy generates secure tokens offline from the safety of any Android device; this way the user can authenticate securely even when their device is in airplane mode.

All accounts:

Authy supports most major multifactor authentication accounts including Facebook, Dropbox, Amazon, Gmail, and thousands of other providers. It also supports 8 digit tokens.

There are 3 ways to integrate Authy with your system:

  • Desktop Application.

  • Mobile Application.

  • Chrome Extension.
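How an app such as Google Authenticator or Authy can produce codes offline, in 6 or 8 digits, from the secret carried in the registration QR code: an added example, not taken from the Iraje product. It assumes the standard RFC 6238 TOTP algorithm with HMAC-SHA1 and the otpauth:// Key URI format; the account name, issuer name and secret are constructed sample values.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import quote, urlencode

# Constructed sample: the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, at=None, digits=6, period=30):
    """RFC 6238 code (HMAC-SHA1) that an authenticator app displays at time `at`."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(time.time() if at is None else at) // period
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, submitted, at=None, digits=6, period=30, window=1):
    """Server-side check: accept codes within `window` steps of the server clock."""
    now = time.time() if at is None else at
    ok = False
    for step in range(-window, window + 1):
        t = now + step * period
        if t < 0:
            continue
        expected = totp(secret_b32, t, digits, period)
        # Constant-time comparison; keep looping so timing does not reveal the step.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok

def provisioning_uri(secret_b32, account, issuer, digits=6, period=30):
    """otpauth:// URI that the registration QR code encodes (Key URI format)."""
    params = {"secret": secret_b32, "issuer": issuer, "digits": digits, "period": period}
    label = quote(issuer + ":" + account)
    return f"otpauth://totp/{label}?{urlencode(params, quote_via=quote)}"

if __name__ == "__main__":
    print(provisioning_uri(SAMPLE_SECRET, "alice@example.com", "Example PAM"))
    code = totp(SAMPLE_SECRET)
    print(code, verify(SAMPLE_SECRET, code))
```

The code depends only on the shared secret and the clock, which is why it works in airplane mode; it also means the server must store the secret protected and keep its clock synchronized, since `window` only tolerates a small drift.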