Multi-Factor Authentication Mechanisms (2022)

This section describes the various Multi-Factor Authentication (MFA) mechanisms supported by VIA. For more information on VIA authentication, see “Authentication Methods Supported in VIA” on page 1.

The following table displays the MFA methods:

Table 1: Multi-Factor Authentication Mechanisms Supported by VIA

Authentication Mechanism      Authentication Device  Windows  Linux  Android  iOS  MacOS
----------------------------  ---------------------  -------  -----  -------  ---  -----
Virtual Digital Badge in TPM  TPM certificate        Yes      --     --       --   --
Security Token                RSA SecurID token      Yes      No     Yes      No   Yes
Mobile authentication         Duo                    Yes      Yes    Yes      Yes  Yes
PKI - Smart Card (PIN-based)  Smart Card             Yes      Yes    No       No   No

Authentication using an RSA SecurID Token

RSA SecurID is a hardware- and software-based authentication mechanism that generates unique authentication (token) codes at a specified interval using an RSA SecurID token. Security tokens can be used for IKEv1 XAUTH.

The prerequisites for this type of authentication are:

Access to an RSA SecurID server

Access to an RSA SecurID device (token)

User is enrolled and associated with the RSA SecurID token

Each user is provided with a username configured on the RSA SecurID server.

When enrolling with RSA SecurID, users must create a PIN to authenticate and connect VIA.

Configuring VIA with an RSA SecurID Token

To configure and connect VIA with security token authentication:

1. Map an authentication server to the RSA SecurID server:

a. In the Managed Network node hierarchy of your Mobility Master, navigate to Configuration > Authentication > L3 Authentication. In the controller WebUI, navigate to Configuration > Security > Authentication > L3 Authentication.

b. Expand VIA Authentication under the L3 Authentication list.

c. Select the Server Group entry below a VIA authentication profile.

d. Select the RSA SecurID server from the Server Group drop-down list.

e. Click Save. Click Apply and Save Configuration to save your changes.

f. Select Pending Changes.

g. In the Pending Changes window, select the check box and click Deploy changes.

2. Run an AAA test to ensure RADIUS authentication is working:

a. In the Mobility Master node hierarchy, select a Mobility Master and navigate to Diagnostics > AAA Server Test. In the controller WebUI, navigate to Diagnostics > Ping > AAA Test Server Test.

b. Select the RADIUS server from the Server Name drop-down list.

c. Set the authentication method to PAP.

d. Enter your username and password.

e. Click Begin Test.

3. Open VIA and download the VPN connection profile:

a. Select Click to download VPN profile from the home screen. The Download VPN Profile screen appears.

b. Enter the server URL and your login credentials. Under Username, enter the username configured on the RSA server. Under Password, enter your PIN followed by the unique token code displayed on the RSA token (no spaces).

c. Click Download.

d. In the Web Authentication Profile list, select the authentication profile for which you have assigned the RSA SecurID server as the authentication server.

4. Connect VIA by clicking the VPN connection status ring on the VIA home screen. When prompted, enter your username and password:

a. Under Username, enter the username configured on the RSA server.

b. Under Password, enter your PIN followed by the unique token code displayed on the RSA token (no spaces).

c. Click Proceed. The VIA connection is established.

The token code used to download the profile should not be the same code used to connect VIA. Since a new token code is generated during each specified interval, allow the token code to change on the RSA SecurID device before entering the code to connect VIA.

Authentication using Duo

Authentication on mobile devices is supported by an application called Duo. Mobile device authentication can be used for IKEv1 XAUTH and IKEv2 EAP-MSCHAPv2.

Prerequisites

Users are enrolled and registered with Duo

Duo application is installed on a device with the same mobile number that the user has registered

Configuring VIA using Duo

To configure and connect VIA with mobile device authentication:

1. Install the authentication proxy and connect it to AD (ike-v1-pap) / NPS (ike-v1-pap & ike-v2-eap-mschapv2) (https://duo.com/docs/radius). For example, if the proxy is 10.17.12.53 and the port is 2000, the sample authproxy file in C:\Program Files (x86)\Duo Security Authentication Proxy\conf\ is as follows:

[ad_client]
host=10.17.12.53
service_account_username=Administrator
service_account_password=Aruba&123
search_dn=DC=patilqa,DC=com

[radius_server_auto]
ikey=DI45H91IZH4BE1J1HUOK
skey=WoqOi61AkCHo6W07p5tIyEy66lxYNtCz6oA5Eqgb
api_host=api-515e66d1.duosecurity.com
radius_ip_1=10.17.14.3
radius_secret_1=aruba123
client=ad_client
port=2000

2. Configure the RADIUS server that is used as the proxy (as shown in step 1), and set it as the authentication server for the profile that is being used:

a. In the Managed Network node hierarchy of your Mobility Master, navigate to Configuration > Authentication > L3 Authentication. In the controller WebUI, navigate to Configuration > Security > Authentication > L3 Authentication.

b. Expand VIA Authentication under the L3 Authentication list.

c. Select the Server Group entry below the VIA authentication profile.

d. Select the RADIUS server that is being used as the proxy from the Server Group drop-down list.

e. Click Save. Click Apply and Save Configuration to save your changes.

f. Select Pending Changes.

g. In the Pending Changes window, select the check box and click Deploy changes.

3. Run an AAA test to ensure RADIUS authentication is working:

a. In the Mobility Master node hierarchy, select a Mobility Master and navigate to Diagnostics > AAA Server Test. In the controller WebUI, navigate to Diagnostics > Ping > AAA Test Server Test.

b. Select the RADIUS server from the Server Name drop-down list.

c. Select an authentication method.

d. Enter your username and password.

e. Click Begin Test.

4. Open VIA and download the VPN connection profile:

a. Select Click to download VPN profile from the home screen. The Download VPN Profile screen appears.

b. Enter the server URL and your login credentials.

c. Click Download.

d. In the Web Authentication Profile list, select the authentication profile for which you set the authentication server as the Duo proxy. A Login Request message is sent to the Duo application on your mobile device.

e. Open the message, and then click Approve.

5. Connect VIA by clicking the VPN connection status ring on the VIA home screen. If XAUTH is enabled, enter your username and password when prompted.

The VIA connection is established.
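The sample proxy file in step 1 keeps the directory password, the Duo secret key and the RADIUS shared secret in clear text. The audit below is an added example, not part of the original documentation or of Duo's tooling; it assumes the "_protected" key names and the "transport" option described in Duo's Authentication Proxy documentation, and it runs on a constructed file with placeholder values.

```python
import configparser
import re

# Clear-text secret keys and the encrypted "_protected" variants named in Duo's
# Authentication Proxy documentation (assumption: confirm for your proxy version).
PROTECTED_VARIANT = {
    "service_account_password": "service_account_password_protected",
    "skey": "skey_protected",
}
RADIUS_SECRET = re.compile(r"^radius_secret_(\d+)$")
MIN_SECRET_LEN = 16  # RFC 2865 prefers shared secrets of at least 16 octets

# Constructed sample with the same layout as the page's file; all values are placeholders.
SAMPLE_CFG = """\
[ad_client]
host=192.0.2.10
service_account_username=Administrator
service_account_password=Example&123
search_dn=DC=example,DC=com

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHO
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=192.0.2.20
radius_secret_1=example123
client=ad_client
port=2000
"""


def audit_authproxy(text):
    """Return a list of (section, key, finding) tuples for one proxy config."""
    cfg = configparser.ConfigParser(interpolation=None)  # '%' may occur in secrets
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        items = dict(cfg.items(section))
        for key, value in items.items():
            m = RADIUS_SECRET.match(key)
            if key in PROTECTED_VARIANT:
                findings.append((section, key,
                                 f"clear-text secret; use {PROTECTED_VARIANT[key]}"))
            elif m:
                findings.append((section, key,
                                 f"clear-text secret; use radius_secret_protected_{m.group(1)}"))
                if len(value) < MIN_SECRET_LEN:
                    findings.append((section, key,
                                     f"shared secret shorter than {MIN_SECRET_LEN} characters"))
        if section.startswith("ad_client"):
            if items.get("service_account_username", "").lower() == "administrator":
                findings.append((section, "service_account_username",
                                 "built-in Administrator used for directory lookups; "
                                 "use a dedicated low-privilege account"))
            # Duo documents "clear" as the default transport for ad_client.
            if items.get("transport", "clear").lower() == "clear":
                findings.append((section, "transport",
                                 "LDAP bind is unencrypted; set transport=ldaps or starttls"))
    return findings


if __name__ == "__main__":
    for section, key, finding in audit_authproxy(SAMPLE_CFG):
        print(f"[{section}] {key}: {finding}")
```
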

Authentication using a Smart Card

Smart cards provide two-factor authentication for IKEv1 Cert, IKEv2 Cert, and IKEv2 EAP-TLS using a certificate and PIN number. Smart cards support a Smart Card Cryptographic Provider (SCCP for Windows or OpenSC for Linux) API in the operating system that causes the certificate embedded within the smart card to appear in the operating system’s certificate store automatically.

Smart card devices include:

Smart card

USB Token

Virtual SC

TPM Certificate

Windows

To configure and use VIA for smart card authentication in Windows devices:

1. Install the software drivers related to the smart card.

2. VIA does not support certificate import to the smart card. Use the smart card utility to install certificates on the smart card.

3. Open VIA and download a certificate-based VPN connection profile.

4. Click the VPN connection status ring on the VIA home screen to connect VIA. The Select a Certificate screen appears.

5. Select a certificate from the list.

6. Click Proceed.

7. Enter your username and PIN number when prompted.

a. Under Username, enter the username configured on the smart card.

b. Under Pin, enter the smart card PIN number.

The VIA connection is established.

If the Allow user to save passwords setting is enabled on the VIA connection profile, users are not required to enter the PIN number during subsequent connections.

Linux

To configure and use VIA for smart card authentication in Linux devices:

1. Install the software drivers related to the smart card.

2. VIA does not support certificate import to the smart card. Use the smart card utility to install certificates on the smart card.

3. Issue the following command to view the <cryptoki_lib_path> setting:

# cat /usr/share/via/via_config.xml
<via_config_profile>
...
<cryptoki_lib_path>/usr/lib/libeTPkcs11.so</cryptoki_lib_path>
...
</via_config_profile>

4. Open VIA and download a certificate-based VPN connection profile.

5. To select the certificate from your VIA application:

a. Plug the card reader into your PC.

b. Click the VPN connection status ring on the VIA home screen to connect VIA.

c. Navigate to the VIA Cert Store tab.

d. Select Storage as token-1. The list of available certificates appears.

e. Select the certificate, and then click OK.

6. Enter the smart card PIN number when prompted to Enter the StoragePin.

The VIA connection is established.

If the Allow user to save passwords setting is enabled on the VIA connection profile, users are not required to enter the PIN number during subsequent connections.
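A PKCS#11 library is loaded into the process that uses it, so the file named in <cryptoki_lib_path> in step 3 of the Linux procedure is worth validating before VIA is deployed. The check below is an added example, not part of the original documentation or of VIA; the function names, the trusted-owner rule (root by default) and the constructed stand-in library file are assumptions.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET


def check_cryptoki_path(xml_text, trusted_uid=0):
    """Return a list of problems with <cryptoki_lib_path> in a via_config.xml document."""
    node = ET.fromstring(xml_text).find(".//cryptoki_lib_path")
    if node is None or not (node.text or "").strip():
        return ["cryptoki_lib_path is missing or empty"]
    raw = node.text
    problems = []
    # A stray space (for example from copy and paste) silently breaks the path.
    if any(ch.isspace() for ch in raw):
        problems.append("path contains whitespace")
    path = raw.strip()
    if not os.path.isabs(path):
        problems.append("path is not absolute")
    # Resolve symlinks so the checks apply to the file that is actually loaded.
    real = os.path.realpath(path)
    if not os.path.isfile(real):
        problems.append("library not found")
        return problems
    st = os.stat(real)
    if st.st_uid != trusted_uid:
        problems.append("library not owned by trusted uid")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("library is group- or world-writable")
    if os.stat(os.path.dirname(real)).st_mode & stat.S_IWOTH:
        problems.append("directory is world-writable")
    return problems


def via_config(path):
    """Constructed via_config.xml fragment with the element layout shown on the page."""
    return ("<via_config_profile>"
            f"<cryptoki_lib_path>{path}</cryptoki_lib_path>"
            "</via_config_profile>")


def demo():
    """Run the check on a constructed stand-in library in a private temp directory."""
    with tempfile.TemporaryDirectory() as d:
        lib = os.path.join(d, "libexample-pkcs11.so")  # hypothetical file name
        with open(lib, "wb") as fh:
            fh.write(b"\x7fELF")  # stand-in content, never loaded
        me = os.getuid()  # the temp file belongs to the current user, not root
        os.chmod(lib, 0o644)
        ok = check_cryptoki_path(via_config(lib), trusted_uid=me)
        os.chmod(lib, 0o666)
        writable = check_cryptoki_path(via_config(lib), trusted_uid=me)
        damaged = check_cryptoki_path(via_config(d + "/ libexample-pkcs11.so"),
                                      trusted_uid=me)
    return ok, writable, damaged


if __name__ == "__main__":
    for label, result in zip(("clean", "writable", "damaged path"), demo()):
        print(label, "->", result or "no problems")
```
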

FAQs

What are the 3 methods of authentication?

Authentication factors can be classified into three groups: something you know: a password or personal identification number (PIN); something you have: a token, such as a bank card; something you are: biometrics, such as fingerprints and voice recognition.

Which are the three factor categories used in multi-factor authentication?

Three-factor authentication (3FA) is the use of identity-confirming credentials from three separate categories of authentication factors – typically, the knowledge, possession and inherence categories. Multifactor authentication dramatically improves security.

What is the best example of multi-factor authentication?

A common example of multi-factor authentication is using a password together with a code sent to your smartphone to authenticate yourself. Another example is using a combination of a card (something you have) and a PIN (something you know).

What are the four factors of multi-factor authentication?

Four-factor authentication (4FA) is the use of four types of identity-confirming credentials, typically categorized as knowledge, possession, inherence and location factors.

What are the 6 methods available for user authentication?

6 Common network authentication methods
  • Password-based authentication. Passwords are the most common network authentication method. ...
  • Two-factor authentication. ...
  • Multi-factor authentication. ...
  • CAPTCHAs. ...
  • Biometrics authentication. ...
  • Certificate-based authentication.

What is the most common authentication mechanism?

Passwords are the most common methods of authentication. Passwords can be in the form of a string of letters, numbers, or special characters.

How many types of factor authentication are there?

The five main authentication factor categories are knowledge factors, possession factors, inherence factors, location factors, and behavior factors.

Which methods can be used to implement multifactor authentication?

Multi-Factor Authentication Methods
  • One-time password (OTP) ...
  • Short Message Service (SMS) ...
  • Email. ...
  • Smartcards. ...
  • Soft token Software Development Kits (SDKs)
  • This software can be embedded into mobile apps and utilizes cryptographic methods to authenticate a device. ...
  • Authenticator Apps.

What are the two most commonly used authentication factors in multi-factor authentication?

The most commonly used MFA factors fall into one of three categories: Knowledge, aka something you know, such as a password or security question. Possession, aka something you have, such as an SMS code or physical key. Inherence, aka something you are, such as a fingerprint or face ID.

What are the three examples of two-factor authentication?

Understanding Two-Factor Authentication (2FA)
  • Something you know (your password)
  • Something you have (such as a text with a code sent to your smartphone or other device, or a smartphone authenticator app)
  • Something you are (biometrics using your fingerprint, face, or retina)

What is the safest MFA?

Purchasing a security key device (like YubiKey or Thetis) is the most secure way to receive your MFA code. It's not tied to a mobile number or mobile device that could be breached. Instead, the user uses a small device, about the size of a USB drive or smaller.

What is the difference between MFA and 2FA?

So, two-factor authentication (2FA) requires users to present two types of authentication, while MFA requires users to present at least two, if not more types of authentication. This means that all 2FA is an MFA, but not all MFA is a 2FA.

What are the 4 types of authentication?

The most common authentication methods are Password Authentication Protocol (PAP), Authentication Token, Symmetric-Key Authentication, and Biometric Authentication.

What are two examples of multifactor authentication choose two?

Something you know, such as a password, passphrase or personal identification number (PIN) Something you have, such as a token or smartcard. Something you are, such as a biometric like a fingerprint.

Which of the following are popular types of multifactor authentication?

The 5 most common multi-factor authentication (MFA) methods
  • Hardware OTP (one-time password) tokens.
  • Standalone OTP mobile applications.
  • Soft token Software Development Kits (SDKs)
  • SMS-based OTPs.
  • Smartcards and cryptographic hardware tokens.

What are different authentication techniques?

Multi-Factor Authentication (MFA)

Like 2FA, MFA uses factors like biometrics, device-based confirmation, additional passwords, and even location or behavior-based information (e.g., keystroke pattern or typing speed) to confirm user identity.

How many authentication protocols are there?

EAP - Extensible Authentication Protocol

More than 40 EAP-methods exist, the most common are: EAP-MD5. EAP-TLS.

Is Passwordless MFA?

MFA vs Passwordless Authentication

Passwordless authentication simply replaces passwords with a more suitable authentication factor. On the other hand, MFA (multi-factor authentication) uses more than one authentication factor to verify a user's identity.

What is LDAP authentication?

LDAP authentication involves verifying provided usernames and passwords by connecting with a directory service that uses the LDAP protocol. Some directory-servers that use LDAP in this manner are OpenLDAP, MS Active Directory, and OpenDJ.

Which authentication mechanism is not secure?

HTTP basic authentication and form-based authentication are not very secure authentication mechanisms.

Why do we need multi-factor authentication?

Multi-factor authentication is important, as it makes stealing your information harder for the average criminal. The less enticing your data, the more likely that thieves will choose someone else to target. As the name implies, MFA blends at least two separate factors.

Which of these is the strongest form of two-factor authentication?

Physical Security Key (Hardware Token)

The strongest level of 2FA online account protection and the best phishing attack prevention is a physical security key.

Which type of authentication is best?

Biometric Authentication Methods

Biometric authentication relies on the unique biological traits of a user in order to verify their identity. This makes biometrics one of the most secure authentication methods as of today.

What is MFA in cyber security?

Multi-factor authentication is a layered approach to securing data and applications where a system requires a user to present a combination of two or more credentials to verify a user's identity for login.

What does MFA protect against?

When you enable MFA in your online services (like email), you must provide a combination of two or more authenticators to verify your identity before the service grants you access. Using MFA protects your account more than just using a username and password.

What is not an example of multifactor authentication?

Fingerprints, facial recognition, iris scans and handprint scans. It should be emphasised that requiring multiple examples of a single factor (such as needing both a password and a PIN) does not constitute MFA, although it may provide some security benefits over a simple password.

What are the 3 factors of authentication and provide at least 3 examples for each?

The three authentication factors are: Knowledge Factor – something you know, e.g., password. Possession Factor – something you have, e.g., mobile phone. Inherence Factor – something you are, e.g., fingerprint.

Is Captcha two-factor authentication?

CAPTCHA cannot be considered as the second factor. It is used to verify that you are a real person, not a robot.

What is better than two-factor authentication?

Adaptive authentication provides many advantages over standard 2FA. Adaptive authentication allows MFA to be deployed in a way that evaluates a user's risk profile and behaviors and adapts authentication requirements to different situations.

Why is MFA more secure?

It was developed to add extra security steps to the login process, to keep your accounts safe. It means that users are properly verified before they can gain access to accounts. MFA uses multiple different categories of validation to verify users' identity, more than the two commonly used for most accounts.

Can Google Authenticator be hacked?

Authenticator apps

The authenticator method uses apps such as Google Authenticator, LastPass, 1Password, Microsoft Authenticator, Authy and Yubico. However, while it's safer than 2FA via SMS, there have been reports of hackers stealing authentication codes from Android smartphones.

Is SSO a type of MFA?

SSO is all about users gaining access to their resources with a single sign-on authentication. Two-factor authentication uses just two of these methods to verify and authorize a user's login attempts, whereas MFA uses two or more of these checkpoints.

Is SAML considered MFA?

It is important to note that MFA for SAML does not add MFA to SAML itself because SAML is not an authentication protocol. Instead, SAML MFA adds MFA for Active Directory, LDAP, or RADIUS users and strengthens these users' SSO logins with secondary authentication such as Mobile Push or WebAuthn/U2F Security Keys.

What are the different types of authentication methods?

What are the types of authentication?
  • Single-Factor/Primary Authentication. ...
  • Two-Factor Authentication (2FA) ...
  • Single Sign-On (SSO) ...
  • Multi-Factor Authentication (MFA) ...
  • Password Authentication Protocol (PAP) ...
  • Challenge Handshake Authentication Protocol (CHAP) ...
  • Extensible Authentication Protocol (EAP)

What is authentication explain its types?

The main objective of authentication is to allow authorized users to access the computer and to deny access to unauthorized users. Operating Systems generally identify/authenticate users using the following 3 ways: Passwords, Physical identification, and Biometrics.

What is authentication example?

Authentication with Username and Password

Username and password combination is the most popular authentication mechanism, and it is also known as password authentication. A well-known example is accessing a user account on a website or a service provider such as Facebook or Gmail.

How does LDAP authentication work?

In short, a client sends a request for information stored within an LDAP database along with the user's credentials to an LDAP server. The LDAP server then authenticates the credentials submitted by the user against their core user identity, which is stored in the LDAP database.

What is an example of an authentication factor?

Something you know, such as a password, passphrase or personal identification number (PIN) Something you have, such as a token or smartcard. Something you are, such as a biometric like a fingerprint.

Which is better PAP or CHAP?

CHAP is a stronger authentication method than PAP, because the secret is not transmitted over the link, and because it provides protection against repeated attacks during the life of the link. As a result, if both PAP and CHAP authentication are enabled, CHAP authentication is always performed first.

What are the steps of authentication?

There are two main steps in authentication: first is the identification, and the second is the central authentication. In the first step, the actual user's identity is provided in user ID and validation. However, just because the first step is successful, doesn't mean that the user has been authenticated.

What are authentication systems?

Authentication systems are security measures put in place to secure data and systems by requiring additional input beyond username and password for users to access a system. By providing this additional input, authentication systems help ensure that users are who they say they are.

What is difference between authentication and authorization?

Authentication verifies the identity of a user or service, and authorization determines their access rights. Although the two terms sound alike, they play separate but equally essential roles in securing applications and data. Understanding the difference is crucial. Combined, they determine the security of a system.

What is the most secure authentication method?

Experts believe that U2F/WebAuthn Security Keys are the most secure method of authentication. Security keys that support biometrics combine the Possession Factor (what you have) with the Inherence Factor (who you are) to create a very secure method of verifying user identities.

What are the types of user authentication?

There are three basic types of authentication. The first is knowledge-based — something like a password or PIN code that only the identified user would know. The second is property-based, meaning the user possesses an access card, key, key fob or authorized device unique to them. The third is biologically based.

How do I authenticate a user?

In authentication, the user or computer has to prove its identity to the server or client. Usually, authentication by a server entails the use of a user name and password. Other ways to authenticate can be through cards, retina scans, voice recognition, and fingerprints.

Article information

Author: Kelle Weber

Last Updated: 01/15/2023
