Multi-Factor Authentication

MFA

IDM 360™ offers secure, comprehensive multi-factor authentication (MFA) at affordable costs. IDM 360™ is ideal for organizations that wish to

  • Support MFA for thousands to millions of users
  • Add MFA to their web sites with minimal integration effort
  • Support multiple factors for legacy web sites that cannot be modified
  • Support multiple types of factors (one-time password, soft token, security questions, CAC card, etc.)
  • Combine two-factor authentication with a variety of other sign-in methods (custom login form, single sign-on, Integrated Windows Authentication, etc.)
  • Have the option to ask for the 2nd factor before the first (e.g. ask for the PIN before asking for username and password)
  • Have flexible rule configuration for determining and displaying factors

Scalable to millions of users

Unlike most two-factor services, IDM 360™ does not charge monthly fees per user. A single monthly fee covers unlimited users and unlimited authentications. IDM 360™ uses a "shared nothing" architecture, which allows unlimited scaling without single points of failure. Storing users in the IDM 360™ high-performance directory allows sub-second response when looking up a user's 2nd-factor information. This combination of high speed, unlimited scaling and low cost makes IDM 360™ the ideal two-factor solution for customer-facing applications that need to serve large numbers of users.

Easiest integration into web sites

Integration can be the most challenging part of adding a second factor to web applications. Existing applications may be difficult or impossible to re-code to add the prompt for a second factor. IDM 360™ provides the most integration options of any multi-factor solution, including completely touchless integration for legacy applications. IDM 360™ supports integration with applications that support any standard single sign-on protocol, including SAML 1.0, SAML 2.0, WS-Federation, OpenID, OAuth, and OpenID Connect. IDM 360™ seamlessly adds a second factor to any SSO-enabled application. For applications without SSO capability, IDM 360™ offers simple integration libraries that add 2nd factors with just a few lines of code. Libraries are available for all major languages, including Java, .NET, PHP, Ruby, Perl, and Python. Additionally, adapters are available for major platforms including Liferay, Alfresco, GateIn, SalesForce, Remedy, MicroStrategies, NimSoft, Spring and Exo platform.

Support multiple factors for legacy web sites that cannot be modified

For applications that cannot be modified at all, IDM 360™ offers the only touchless option for multi-factor authentication: the IDM 360™ Factor Guard™ proxy intercepts requests to your applications and then invokes 2nd factors. Factor Guard™ is available either as a software filter that runs on your Apache, Tomcat or .NET web server, or as a stand-alone proxy server in front of your applications. Factor Guard™ detects login attempts into legacy applications and then collects additional factors. The user is granted access to the application only if both the existing login and the 2nd factor succeed.

Support multiple types of factors

IDM 360™ allows numerous types of additional factors. They include:

  • Pushing a PIN via SMS, email, or voice*
  • Soft tokens such as Google Authenticator time-based one-time passwords (TOTP)
  • Asking one or more security questions (e.g. what was the name of your first pet)
  • Client certificates
  • CAC cards
  • Asking for arbitrary information from the user's profile (e.g. phone number, birth day/month, zip code)

*Voice calls incur message charges.

The wide choice of factors assures that users can log in regardless of their location or device type.

Combine two-factor authentication with a variety of other sign-in methods

IDM 360™ allows the 2nd factor to be combined with a variety of first factors. In addition to standard login forms, first factors can include:

  • Single sign-on. If the user identity source uses single sign-on such as SAML, WS-Federation, OpenID, etc., IDM 360™ can use the SSO as the first factor and then prompt for a PIN, certificate, OTP, etc. as the second factor.
  • Integrated Windows Authentication. For users on Microsoft domains, IWA can be used as the first factor, with IDM 360™ adding a second factor.
  • Custom micro-sites. IDM 360™ can present a unique login form to each customer depending on their company, including colors, logos and contact information.

Present the factors in any order

Some organizations prefer to present the username/password prompt and then ask for the 2nd factor. Others prefer to ask for the 2nd factor first to prevent fishing for valid user IDs. In the 2nd-factor-first scenario, the user is first prompted for their username, then asked for the 2nd factor (e.g. PIN) and finally prompted for their password. In the event of an invalid authentication, would-be attackers do not learn whether the user ID actually exists, so they cannot map the users belonging to your system.
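The 2nd-factor-first order only defeats user-ID enumeration if every step proceeds regardless of correctness and the single verdict is returned only after the password. The following added illustration (example code, not IDM 360™'s own; the user store, PIN and password values are constructed) shows a login session that behaves that way:

```python
import hashlib
import hmac
import secrets

_SALT = b"constructed-salt"  # a real system uses a per-user random salt

def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)

# Constructed sample user store: username -> {PIN, password hash}.
USERS = {"alice": {"pin": "482913", "pw": _hash_pw("correct horse")}}
# Decoy record for unknown usernames so every attempt does the same work.
_DECOY = {"pin": "000000", "pw": _hash_pw(secrets.token_hex(16))}
GENERIC_FAILURE = "Authentication failed"

class SecondFactorFirstLogin:
    """One session: username -> PIN (2nd factor) -> password.
    Intermediate steps never reject; the only verdict comes after the
    password, so a failure looks the same for an unknown username,
    a wrong PIN and a wrong password."""

    PROMPTS = ("username", "pin", "password", "done")

    def __init__(self) -> None:
        self._step = 0
        self._record = _DECOY
        self._known = self._pin_ok = False

    def _advance(self, expected: int) -> str:
        if self._step != expected:
            raise RuntimeError("steps submitted out of order")
        self._step += 1
        return self.PROMPTS[self._step]

    def submit_username(self, username: str) -> str:
        self._known = username in USERS
        self._record = USERS.get(username, _DECOY)
        return self._advance(0)  # always asks for the PIN next

    def submit_pin(self, pin: str) -> str:
        self._pin_ok = hmac.compare_digest(self._record["pin"].encode(), pin.encode())
        return self._advance(1)  # always asks for the password next

    def submit_password(self, password: str) -> str:
        pw_ok = hmac.compare_digest(self._record["pw"], _hash_pw(password))
        self._advance(2)
        if self._known and self._pin_ok and pw_ok:
            return "Welcome"
        return GENERIC_FAILURE
```

The decoy record and constant-time comparisons keep the response and timing for an unknown username indistinguishable from those for a known one with a wrong PIN or password.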

Flexible rules for displaying factors

IDM 360™ has powerful, rule-based control of how factors are presented. This allows virtually unlimited configurations of multi-factor interactions. Some examples of configurations include:

  • 2nd factors can be presented only for subsets of users (e.g. from certain companies)
  • 2nd factors can be presented only upon access to specific applications (such as financial apps)
  • 2nd factors can be presented only for users in specific locations (such as outside the corporate intranet)
  • Factor types such as PIN or voice call can be offered to subsets of users
  • Any number of factors can be chained in a row
  • Factors can be prompted at specific intervals (such as once a day)

IDM 360™ provides the most flexible, scalable, and cost-effective two-factor authentication system, allowing the most rapid implementation of multi-factor authentication for your customers.