The question of combining Multi-factor Authentication (MFA) and privileged access control is an important part of the company’s information security.
Let’s introduce the definition of MFA
Multi-factor authentication (MFA) is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something the user and only the user knows), possession (something the user and only the user has), and inherence (something the user and only the user is).
The use of multiple authentication factors is based on the premise that an unauthorized agent is not able to supply all factors required for access. If in an authentication attempt, at least one of the components is missing (or incorrect), the user’s identity is not established and access to the asset remains blocked.
According to the 2018 Global Password Security Report, 45% of organizations are already using two-factor authentication (2FA) and the 451 Group reports that 53% of businesses have adopted MFA. As these numbers continue to grow, new challenges are emerging relating to authentication, shared privileged accounts and creating a virtual MFA.
MFA and Shared Accounts
As a reminder, shared accounts are just that — accounts with one set of credentials that are shared across many users. There can be many reasons for shared accounts. Generally, these accounts are for IT admins or other types of privileged users to access specific platforms, network tools, such as servers, databases or third-party applications.
Take for example a billing department with multiple employees who need to access a variety of shared third-party client/customer accounting applications. The employees use shared credentials that allow them to access different systems and perform their job functions. Now add MFA into the mix — where each user needs an authentication token to access each individual system.
The MFA works by requiring a virtual MFA device that uses a time-based password on a smartphone or other hardware device be assigned to a specific IAM user or root account. Therein lies the problem with shared credentials and MFAs. Which IAM user and what phone number is the token sent to? The manager’s phone? An IT administrator’s phone or someone else’s? What does the person do if they receive the token and they didn’t request it? How do they know who on the team did?
I believe this scenario might just be the tip of the iceberg. Not only are we getting questions from customers about similar scenarios, we are also hearing from managed service providers who are tackling this same issue. For service providers who access hundreds of client systems, this can become a big headache.
One potential workaround in this scenario might be to give each employee individual credentials and have them install the appropriate MFA on their devices. But this can quickly get out of hand if the billing department is managing many customer accounts and accessing numerous systems. This could require setting up hundreds of individual credentials and installing MFA hundreds of times for one user. Multiply that by the number of team members and it’s easy to see why IT departments are searching for other solutions. And eliminating MFA isn’t an option as it’s now a part of many third-party applications and a valuable security feature.
The PAM Solution — MFA for privileged accounts
Emerging features in privileged access management (PAM) software help address the challenge of authentication for shared accounts. The goal is to have a virtual MFA with access control by using the PAM software to store the authentication key as a record in a reliable and safe location. This gives companies and managed service providers the option to enable MFA for shared privileged accounts. Using PAM software, the shared MFA token generation is granted to selected users using role-based access control as well as location, time and approval-based workflow.
At Xton, we are actively working with customers to help them incorporate virtual MFA for shared privileged accounts. In our latest release of Xton Access Manager (XTAM), we added support to store Google Authenticator App secret key in XTAM with the option to generate tokens for shared accounts.
How it works
Using XTAM, a user can safely store the Google Secret Key in an XTAM record, share this record with others and with a click of their mouse, XTAM will generate them a valid one-time-password (OTP) token. Because the Secret Key is stored in a secured record, the existing XTAM features including role-based permissions, approval workflows and auditing trails can be used to control, limit or report access.
This feature allows you to enforce the use of MFA when logging into the product and you can provide the ability to generate Google OTP tokens for those shared accounts that are being managed for “just in time” access.