
Multi Factor Authentication Whitepaper Arx - Intellect Design

Latest technologies give people the power to work wherever and whenever they choose. Access from anywhere everywhere results in spectacular gains in productivity and employee satisfaction, but enterprises that use simple passwords to protect that access also risk financial loss, data theft, and worse.

Uploaded by

Intellect Design

MULTIFACTOR AUTHENTICATION FOR SECURE ACCESS

INTRODUCTION
Latest technologies give people the power to work wherever and whenever
they choose. Access from anywhere everywhere results in spectacular gains
in productivity and employee satisfaction, but enterprises that use simple
passwords to protect that access also risk financial loss, data theft, and
worse.

However, these security systems were put in place long before the world was
impacted by COVID-19 and the consequent need for virtually the entire world
to go into lockdown mode. As ‘work from home’ becomes the norm, employers
and employees have had to rapidly adapt and search for new solutions across
functions. Passwords are the primary reason for many of the infamous
security breaches that happen across the globe. According to the Data Breach
Investigations Report 2019, over 70% of employees reuse passwords at work.
The report finds a staggering “81% of hacking-related breaches leveraged
either stolen and/or weak passwords.”

Why is the venerable password such a colossal security failure?

The root cause, not surprisingly, is us: we are too trusting and too lazy.
Successful cybercriminals are expert social engineers who design attacks
that capitalize on these all-too-human weaknesses. They use techniques like
phishing or brute force to get access to such vulnerable systems. Employee
education and safe password practices for business can mitigate these
attacks to some extent, but an effective solution lies in using multifactor
authentication.

This paper discusses authentication in general and multifactor authentication
solutions from ARX that combine ease of use with effectiveness – more so, in
a world battling the Coronavirus pandemic.
AN OVERVIEW OF AUTHENTICATION

Authentication mechanisms can be categorized as either:

• Something you have (a token or mobile phone for example).
• Something you know (a password or a PIN for example).
• Something you are (a fingerprint or other biometric data for example).

Multifactor Authentication (MFA) or Two-Factor Authentication (2FA)
requires a user to authenticate via two or more authentication factors
(‘something you know’ combined with a ‘something you have’ for example).
Since the chances of both factors being compromised are very low, MFA
results in a higher level of assurance that the individual attempting to
authenticate is actually the individual in question.

Authentication mechanisms can also be distinguished by whether they use
the same channel where the user accesses the application, or a separate
channel that is dedicated for authentication.
BUSINESS CHALLENGES
The advent of mobility and remote access (triggered by a global lockdown
because of COVID-19) offers a rich array of benefits for both workers and
companies, including substantial increases in productivity and reductions
in costs. But it isn’t all good news. The growing remote workforce has
created some very serious security challenges for companies, both large
and small. There is an urgent need to authenticate and manage the
identities of users attempting to acquire access to companies’
proprietary data and systems.

For many organizations, a simple query-password system remains the
primary means of user authentication. But it is an unfortunate irony that
the most effective passwords are the most difficult to remember. As a
result, many users resort to an easy-to-remember, easy-to-hack password.
And more complex passwords are far more likely to be written down
somewhere instead of trusted to memory, rendering them more
susceptible to theft. But even the most complex password stored only in a
user’s memory provides no more than a very primitive level of security,
easily foiled by today’s technologically sophisticated cybercriminals.
Advanced password theft techniques such as phishing provide
cybercriminals with the means to steal passwords away from
unsuspecting users.

Moreover, in today’s world, it is not just important to consider security
during initial login, but also while users execute certain critical or high
value transactions. An MFA is a perfect solution to protect such high
value transactions by presenting the user with an additional challenge like
an OTP, smart OTP or token system, security questions or biometric
authentication.

Adding an extra layer of security in the form of two-factor authentication
certainly helps to slow cybercriminals by validating a second factor, such
as a user’s fingerprint or their possession of a trusted device; access
security becomes far more robust.

Authentication Mechanisms – Top Features to Consider in a Two-Factor
Authentication Solution

Maximizing the potential of a multifactor authentication methodology
requires the installation of a system that delivers a full range of key
capabilities and usability features. The following, in particular, should be
considered as must-have features for multifactor authentication
solutions:

Passwords

A password is a shared secret known by the user and presented to the
server to authenticate him/her. Passwords are the default authentication
mechanism on the web today. However, poor usability and vulnerability to
large-scale breaches and phishing attacks make passwords an
unacceptable authentication mechanism in isolation.
Hardware Tokens

These are small hardware devices that the owner carries to authorize
access to a network service. The device may be in the form of a smart card,
or it may be embedded in an easily-carried object such as a keychain or USB
drive. The device itself contains an algorithm (a clock or a counter), and a
seed record used to calculate the pseudo-random number. Users enter this
number to prove that they have the token. The server that is authenticating
the user must also have a copy of each key chain’s seed record, the
algorithm used and the correct time.

Soft Tokens

These are software-based security token applications, typically running on a
smartphone, that generate an OTP for signing on. Software tokens have
some significant advantages over hardware tokens. Users are less likely to
forget their phones at home than lose a single-use hardware token. When
they do lose a phone, users are more likely to report the loss, and the soft
token can be disabled. Soft tokens are also easier and less expensive to
distribute than hardware tokens, which need to be shipped – a major
challenge when supply-chain logistics are interrupted as has happened
globally with the Coronavirus lockdown.

One-Time Password (OTP)

Passwords that reside in a user’s memory (or on a sticky note attached to
their desk or computer monitor) and are used over and over with each login
attempt are constantly exposed to theft. But one-time passwords are
another matter. Generated randomly, specifically and uniquely for each login
attempt, OTPs are used only once and then never again. So even if somehow
intercepted by a cybercriminal, an OTP will be useless in later attempting an
unlawful login attempt.
Biometric and Push Authentication

Biometric authentication offers an unbeatable combination of security and
convenience. Many biometric applications, for example, require only that
the user press a fingertip to a scanner. Biometric verification is typically very
easy and convenient for users, and yet provides a very effective defense
against illicit login attempts. Similarly, push authentication also offers an
extra layer of security with minimal inconvenience to the user. Response to
a push authentication requires no more than a tap of the fingertip to the
user’s phone. A multifactor authentication solution should offer either
biometric or push authentication, with the best solutions offering a choice
of one or the other to accommodate the user’s preference.

Contextual Authentication

This process uses contextual information, such as geo-location, IP address,
time of day and device identifiers to determine whether a user’s identity is
authentic or not. Typically, a user’s current context is compared to a
previously recorded context in order to spot inconsistencies and identify
potential fraud. These checks are invisible to the authorized user so there are
no usability issues, but they can create a significant barrier to an attacker.

Risk-Based Authentication and User Behavior Analytics

The ultimate goal of any security solution should be to maximize protection
while minimizing user inconvenience. While second-factor authentication
provides a substantial boost in security, that extra factor of authentication
isn’t always needed. The best two-factor solutions have the ability to
determine when and if an explicit second factor of authentication is
required. The solution might determine, for example, that a login attempt
from a registered device perfectly mirrors that user’s behavioral history,
making it safe to drop the second factor requirement. The ability to
intelligently apply the security policy assures that the protection potential of
a two-factor solution is fully realized, and yet customizes each login
experience to minimize inconvenience to the user.
THE ARX SOLUTION
ARX provides an enterprise grade identity and access management solution. ARX is an
integrated suite of security services, providing end-to-end security with regard to user
identification, authentication, single sign-on, authorization and entitlements. Its secure,
flexible multifactor authentication comes included as part of the identity and access
management suite. Designed to protect against today’s phishing attacks, stolen passwords,
and shared credentials, ARX’s MFA solution provides high security and easy, centralized
administration. The solution also integrates with existing third-party multifactor solutions
such as RSA.

Flexible, Secure Verification Options

Organizations can choose from a variety of second factor options in addition to password,
balancing the needs of their user base, the sensitivity of the applications they are protecting,
and overall ease of use.

Dynamic Password/Token-Based authentication

• Supports integration with third-party token systems such as RSA, Vasco,
Safeword, Entrust and I-Sprint for dynamic soft and hard token-based
authentication.

OTP Authentication

• Inbuilt OTP generation and validation engine, which can be integrated with an enterprise’s
messaging centre to send OTP over SMS to the user. An OTP is generated based on the
policy defined in the system.
• Supports configuration, per transaction type, of OTP length, OTP character type,
OTP validity and OTP message template, as well as multiple usage of OTP, resend OTP,
time blocking for resend or regeneration of OTP, and blocking of OTP after exceeding
invalid attempts.
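
The OTP policy settings listed above (length, character type, validity, resend blocking, blocking after invalid attempts) can be sketched as follows. This is an added example, not ARX code; the class names, field names and default values are assumptions chosen for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class OtpPolicy:                      # hypothetical per-transaction-type settings
    length: int = 6
    alphabet: str = "0123456789"      # "OTP characters type"
    validity_seconds: int = 120
    max_invalid_attempts: int = 3
    resend_wait_seconds: int = 30     # "time blocking" between regenerations


class OtpChallenge:
    """State for one pending login or transaction authorisation."""

    def __init__(self, policy: OtpPolicy):
        self.policy = policy
        self.otp = None
        self.issued_at = None
        self.failures = 0             # kept across resends on purpose

    def blocked(self) -> bool:
        return self.failures >= self.policy.max_invalid_attempts

    def issue(self, now: float) -> str:
        """Generate (or regenerate) the OTP to hand to the SMS gateway."""
        if self.blocked():
            raise PermissionError("challenge blocked after invalid attempts")
        if (self.issued_at is not None
                and now - self.issued_at < self.policy.resend_wait_seconds):
            raise RuntimeError("resend requested too soon")
        # secrets draws from the OS CSPRNG; random.choice would be predictable.
        self.otp = "".join(secrets.choice(self.policy.alphabet)
                           for _ in range(self.policy.length))
        self.issued_at = now
        return self.otp

    def verify(self, candidate: str, now: float) -> str:
        if self.blocked():
            return "blocked"
        if self.otp is None:
            return "rejected"         # nothing pending, or already used
        if now - self.issued_at > self.policy.validity_seconds:
            return "expired"
        if hmac.compare_digest(candidate.encode(), self.otp.encode()):
            self.otp = None           # single use: a replayed OTP is rejected
            return "ok"
        self.failures += 1
        return "blocked" if self.blocked() else "invalid"
```

The failure counter is deliberately not reset when an OTP is regenerated, so requesting a resend does not buy a fresh set of guesses.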
TOTP/Soft Token Authentication

• ARX Authenticator is a smartphone application that implements two-step verification
using the Time-based One-time Password for authenticating users of software applications.
• During TOTP provisioning in ARX, a secret seed is generated for each user. This seed is
delivered to a user as base32 string or QR code.
• User registers in ARX Authenticator using the seed, which generates six digits TOTP and
is valid for 30 seconds.
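
The seed-plus-clock scheme described here, and in the Hardware Tokens section earlier, can be shown end to end. This is an added example, not ARX Authenticator code: it assumes the standard RFC 6238 construction with HMAC-SHA-1, which the paper does not specify, and the verifier class and sample seed are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # validity period stated in the paper
DIGITS = 6          # code length stated in the paper


def totp(seed_b32: str, unix_time: float, digits: int = DIGITS) -> str:
    """Code for the 30-second step containing unix_time (RFC 6238, SHA-1)."""
    s = seed_b32.upper().replace(" ", "")
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = int(unix_time) // STEP_SECONDS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server side: holds its copy of the seed and the last accepted step."""

    def __init__(self, seed_b32: str, drift_steps: int = 1):
        self.seed_b32 = seed_b32
        self.drift_steps = drift_steps    # tolerated clock skew, in steps
        self.last_step = -1               # replay guard

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // STEP_SECONDS
        first = max(0, current - self.drift_steps)
        for step in range(first, current + self.drift_steps + 1):
            expected = totp(self.seed_b32, step * STEP_SECONDS)
            if hmac.compare_digest(expected.encode(), code.encode()):
                if step <= self.last_step:
                    return False          # same step already accepted: replay
                self.last_step = step
                return True
        return False


# Constructed sample seed: the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    verifier = TotpVerifier(SAMPLE_SEED)
    code = totp(SAMPLE_SEED, 59)
    print(code, verifier.verify(code, 59), verifier.verify(code, 61))
```

The drift window is why the server needs "the correct time": a token whose clock is off by more than `drift_steps` steps will never match.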

Security Question

• Supports security question authentication for the ‘forgot password’ option; the user is
forced to answer a configured number of security question(s) on first-time login, from
questions configured in the system.
• Security question authentication can be used as 2FA at the time of login or transaction
authorization in an integrated application.
• Supports configuration for random display of security question(s) at the time of
authentication.
Biometric Authentication

• Fingerprint-based biometric authentication for back office users.
• Supports integration with fingerprint scanner and reader.

Grid Authentication

• Grid Authentication to support grid number generation and validation, available at the
back of cards.
• Grid Value is randomly generated and hashed using SHA256 or SHA512 before being stored
in the database.

PIN Authentication

• PIN-based authentication support for user authentication for mobile banking
application, instead of user id and password.
• PIN binding is done with device identifier at the time of registration.
• Supports configuration for PIN length, PIN history, PIN expiry, locking user after
exceeding the invalid PIN authentication attempts.
Site Key Authentication

• Site Key web-based security system can be configured on login screen to prevent
phishing vulnerability.
• User identifies (not authenticates) himself to ARX by entering his user id (but not his
password) and ARX authenticates itself to the user by displaying an image and an
accompanying phrase which the user had earlier configured.

Risk-based Authentication

• Detects browser/device and performs step-up authentication if it has not been carried
out in previous audit history of user as per count configured.
• Detects customer country basis IP address and performs step-up authentication if the
country is in a grey or blacklist.
• Detects invalid attempts count and performs step-up authentication if it exceeds the
threshold configuration.
• Step-up authentication (whether CAPTCHA or OTP or security question or any other
mechanism supported by ARX) will be performed, based on risk score calculation as per
configuration in ARX.
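
How the three signals above could feed a risk score that selects a step-up mechanism, as an added example that is not ARX code. The weights, score bands, field names and the placeholder country codes "XG" and "XB" are all assumptions; the country is taken as already resolved from the source IP.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskConfig:                        # hypothetical names, weights and bands
    min_device_sightings: int = 2        # the "count configured" for known devices
    grey_countries: frozenset = frozenset({"XG"})    # placeholder codes
    black_countries: frozenset = frozenset({"XB"})
    invalid_attempt_threshold: int = 3
    w_device: int = 30
    w_grey: int = 30
    w_black: int = 60
    w_attempts: int = 40
    otp_score: int = 60                  # at or above: OTP; below but non-zero: CAPTCHA


@dataclass(frozen=True)
class LoginEvent:
    user: str
    device_id: str
    country: str                         # resolved from the source IP beforehand
    recent_invalid_attempts: int


def assess(event: LoginEvent, audit_history, cfg: RiskConfig = RiskConfig()):
    """Return (score, reasons, step_up) for one login attempt.

    audit_history is an iterable of (user, device_id) pairs from past
    successful logins.
    """
    score, reasons = 0, []
    sightings = sum(1 for user, dev in audit_history
                    if user == event.user and dev == event.device_id)
    if sightings < cfg.min_device_sightings:
        score += cfg.w_device
        reasons.append("unfamiliar device")
    if event.country in cfg.black_countries:
        score += cfg.w_black
        reasons.append("blacklisted country")
    elif event.country in cfg.grey_countries:
        score += cfg.w_grey
        reasons.append("greylisted country")
    if event.recent_invalid_attempts > cfg.invalid_attempt_threshold:
        score += cfg.w_attempts
        reasons.append("invalid attempts over threshold")
    if score == 0:
        step_up = None                   # no explicit second factor needed
    elif score < cfg.otp_score:
        step_up = "captcha"
    else:
        step_up = "otp"
    return score, reasons, step_up


# Constructed audit history: alice has used dev-1 twice and dev-2 once.
SAMPLE_HISTORY = [("alice", "dev-1"), ("alice", "dev-1"), ("alice", "dev-2")]
```

Returning the reasons alongside the score lets the audit log show why a given login was stepped up.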
Centralized Policy Management

ARX’s security policy controls access to all applications, whether cloud-based or
on-premises. ARX provides administrators with centralized option to enable Multi-factor
Authentication (MFA). MFA can be configured at the channel level, application level, or at
the user level. Intelligent MFA policies can be based on geo-location and/or based on
device and IP addresses. Contextualisation of these policies is also possible and can be
configured for employees and customers separately.

Integration with Third-Party MFA Solutions

In addition to native ARX MFA support, it also integrates with a variety of existing MFA
solutions such as RSA, Vasco, Safeword. Customers have the option of using ARX’s native
MFA features or using it in conjunction with existing MFA products.

Conclusion

ARX provides an advanced multi-factor authentication solution for your cloud and
on-premises applications with an architecture designed for both, higher levels of security
and ease of use for users and administrators. ARX's MFA solution supports combining
various authentication types like OTP/token/biometric/risk-based etc. It also supports
integration with existing MFA solutions and protects business-critical data from the most
prevalent attacks on the Internet today regardless of where users access it in a COVID-19
lockdown environment.

About ARX
In today’s dynamic digital environment, cybersecurity challenges pose a grave risk.
Ransomware attacks and identity thefts are making headlines every day, pressing on
organisations to safeguard their important data. Data breaches are potentially damaging
for companies, resulting in financial loss and disrepute. Privacy management and data
security are vital components of every organisation’s infrastructure.

ARX, an integrated suite of security services, which provides end-to-end security with
regard to user identification, authentication, single sign-on and entitlements, has been
launched to ensure protection of your proprietary information and customer data, from
those who can abuse it. Built on the robust principles of Design Thinking at the R&D
Innovation Lab of Intellect, it is trusted by over 200 institutions worldwide and for the first
time, it is being offered as a standalone product for corporates.

ARX will give businesses the security they need to secure digital identities of users and
restrain unauthorised access. It's an enterprise-grade service, built for on-premise, but
compatible with any cloud deployment. With ARX, IT can manage any employees’ /
customers’ access to any application from any device.

This next-generation security solution, which is all set to redefine security with modern
identity, improves accuracy and real-time digital identity management.
To know more, contact:
Ramanan Venkata
CEO, India & South Asia
Intellect Design Arena Limited
[email protected] www.arxsuite.com
