Really secure, multifactor SSO


There are lots of ways to do SSO, but most of them are costly – either in real money or in human resources – to deploy, provision and support. And that issue of “secure”? That usually, in today's systems, means multifactor. Of course, that drives the cost up a bit. So, we need a better way, apparently. What's the solution? An interesting company called Authentify has a good solution to the problem, called xFA, that addresses security and simplicity of management.

xFA enables a personal authenticator that permits an individual to have a single authentication for all uses. Once one has authenticated to the system, further authentication to individual applications is not necessary. And, because the authentication uses two-factor, out-of-band authenticators, it is quite secure. Sure, there are other two-factor authentication systems, but after looking this one over, we are pretty sure that it is a somewhat different paradigm, quite secure and really easy on the user.

xFA uses a technique called “zero trust PKI.” Here's how it works. Everything starts with enrollment, which is accomplished using a password and voice recognition; that enrollment data is stored on the cloud server. After enrolling, the user never needs a password again. All they need is a cell phone. Nothing is stored on the highly stealable mobile device; everything is in the Authentify xFA cloud.

Application providers – cloud providers – must sign up with the Authentify program for users to deploy xFA. Once the app server is signed up, when the user goes to sign in they are presented with a QR graphic. Scanning that graphic prompts a call to a pre-determined mobile phone. The user repeats a phrase – “My voice is my passport. Authenticate me,” for example – and is authenticated to the server. The key is that the phone acts as a server, so there is server-to-server communication and nothing is left on the phone – providing nothing to be compromised. The voice recognition is a form of biometrics, but because it is cloud managed, it is scalable and reasonably priced.
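To make the challenge/response shape of that flow concrete, here is an added Python sketch (not Authentify's code; the string-compared voice template, the 120-second challenge lifetime and the sample user are assumptions) that models the QR challenge, its out-of-band completion by the enrolled phone, and the single-use, time-limited binding back to the browser session that displayed the QR:

```python
import hmac
import secrets


class OutOfBandLogin:
    """Conceptual model of a QR + out-of-band voice login (assumption, not
    the vendor's implementation). Enrollment state lives only in the
    simulated cloud service; nothing is kept on the phone."""

    CHALLENGE_TTL = 120  # seconds a displayed QR challenge stays valid (assumed)

    def __init__(self, enrolled):
        self.enrolled = enrolled   # user -> {"phone": ..., "voice": template}
        self.pending = {}          # challenge -> (browser_session, issued_at)
        self.sessions = set()      # browser sessions that completed login

    def start_login(self, browser_session, now):
        # Step 1: the app server renders a one-time challenge as a QR graphic,
        # tied to the browser session that asked to sign in.
        challenge = secrets.token_urlsafe(16)
        self.pending[challenge] = (browser_session, now)
        return challenge

    def phone_scan(self, challenge, user, spoken_template, now):
        # Step 2: the enrolled phone scans the QR; the cloud service calls the
        # pre-registered number and checks the spoken phrase against the
        # enrolled voice template (string comparison stands in for biometrics).
        entry = self.pending.pop(challenge, None)   # single use: a replay finds nothing
        if entry is None:
            return None
        browser_session, issued = entry
        if now - issued > self.CHALLENGE_TTL:       # stale QR codes are rejected
            return None
        profile = self.enrolled.get(user)
        if profile is None or not hmac.compare_digest(profile["voice"], spoken_template):
            return None
        # Step 3: only the session that displayed this exact QR is authenticated.
        self.sessions.add(browser_session)
        return browser_session

    def is_authenticated(self, browser_session):
        return browser_session in self.sessions


# Constructed sample enrollment record for a single user.
ENROLLED = {"alice": {"phone": "+1-555-0100", "voice": "voice-template-alice"}}
```

The check worth noticing is that the challenge is consumed on first use and expires on its own, so a captured QR image is worthless after the legitimate scan or after the timeout.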

This is a simple, engaging and secure way to authenticate and, given that the application in the cloud participates in the program, it provides a cost-effective alternative to the management-intensive approach of running a single sign-on system locally. More important, it provides secure authentication to cloud-based applications, which are considered among the more risky apps for businesses.

There are a lot of things to like about this service. First, it is simplicity itself to deploy and provision. The self-provisioning trend that we are seeing is a real enabler, especially for large organizations. This is no exception. Being able to self-provision a single sign-on application is a real plus. 

The only downside to this new service is that other cloud providers must sign on in order to make it useful. The company has several of the biggest, but Murphy's Law, being alive and well, is very likely to step in and help users select a provider that does not yet support xFA. Chances are that they will fairly soon, though. So, we don't necessarily see this as a show stopper. That said, the company has been around quite a while and is very experienced in multifactor authentication, so this feels like a solid, reliable offering that is both creative and technically sound. 
