Critical Infrastructure Security

Really secure, multifactor SSO

There are lots of ways to do SSO, but most of them are costly – either in real money or in human resources – to deploy, provision and support. And that issue of “secure”? That usually, in today's systems, means multifactor. Of course, that drives the cost up a bit. So, we need a better way, apparently. What's the solution? An interesting company called Authentify has a good solution to the problem, called xFA, that addresses security and simplicity of management.

xFA enables a personal authenticator that permits an individual to have a single authentication for all uses. Once one has authenticated to the system, further authentication to individual applications is not necessary. And, because the authentication uses two-factor, out-of-band authenticators, it is quite secure. Sure, there are other two-factor authentication systems, but after looking this one over, we are pretty sure that it is a somewhat different paradigm, quite secure and really easy on the user.

xFA uses a technique called “zero trust PKI.” Here's how it works. Everything starts with enrollment. After enrolling, the user never needs a password again. All they need is a cell phone. Nothing is stored on the phone. Everything is in the Authentify xFA cloud. Nothing is stored on the highly stealable mobile device. The first step is enrollment. That is accomplished using a password and voice recognition. That is stored on the cloud server.

Application providers – cloud providers – must sign up with the Authentify program for users to deploy xFA. Once the app server is signed up, when the user goes to sign in they are presented with a QR graphic. Scanning that graphic prompts a call to a pre-determined mobile phone. The user repeats a phrase – “My voice is my passport. Authenticate me,” for example – and is authenticated to the server. The key is that the phone acts as a server, so there is server-to-server communication and nothing is left on the phone – providing nothing to be compromised. The voice recognition is a form of biometrics, but because it is cloud managed, it is scalable and reasonably priced.

This is a simple, engaging and secure way to authenticate and, given that the application in the cloud participates in the program, it provides a cost-effective solution to the management-intense approach to running a single sign-on system locally. More important, it provides secure authentication to cloud-based applications, which are considered among the more risky apps for businesses.

There are a lot of things to like about this service. First, it is simplicity itself to deploy and provision. The self-provisioning trend that we are seeing is a real enabler, especially for large organizations. This is no exception. Being able to self-provision a single sign-on application is a real plus. 

The only downside to this new service is that other cloud providers must sign on in order to make it useful. The company has several of the biggest, but Murphy's Law, being alive and well, is very likely to step in and help users select a provider that does not yet support xFA. Chances are that they will fairly soon, though. So, we don't necessarily see this as a show stopper. That said, the company has been around quite a while and is very experienced in multifactor authentication, so this feels like a solid, reliable offering that is both creative and technically sound. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.