25 April 2019|2fA, Adaptive Authentication, ADFS, Identity Verification, Remote Access, Secure Gateway, VPN
Hands up if your organisation uses ADFS? ThreatPoint consultants routinely come across ADFS installations that are struggling to offer the authentication experience demanded by end users in today's organisations.
Today we share some ideas on how to improve the ADFS authentication experience and add some much needed authentication intelligence to the equation.
Many organisations have already deployed and invested in an ADFS installation, providing basic authentication and access into cloud applications. Simple Google searches will list a raft of organisations' exposed ADFS services, open to attack; keep that in mind as you read on.
ADFS now offers limited MFA via voice OTP, SMS OTP and push-to-accept. This provides a minimal level of multi-factor authentication, but is it enough? The real challenge is bringing ADFS authentication up to world-class levels and improving the ADFS authentication story without having to replace ADFS.
The ability to leverage best of breed authentication techniques from security vendors without impacting an existing ADFS integration is a powerful combination.
As a security vendor it is imperative that we advise and consult on best practices that leverage existing investments, delivering value in the best way possible. Organisations should not always be restricted by the limitations of their existing platform; it should be possible to complement existing deployments without ripping and replacing.
ADFS allows authentication requests to be processed by dedicated claims providers (claims provider trusts). Typically, ADFS deployments are only ever configured to use Active Directory as the claims provider. However, it need not stop there!
Once we start to combine best of breed authentication platforms with ADFS we create a very powerful solution that is configured with minimal fuss, training or end user impact.
This approach allows for the following immediate benefits:
- Best of breed authentication options – not just simple static 2FA
- Adaptive authentication workflows that adjust the user experience as required
- Pre-authentication risk analysis that adds detailed intelligence to the authentication flow (a layered, defence-in-depth approach)
- Additional SSO support for all common web SSO protocols
- No user experience impact
If we break this down into individual areas, we can see why this becomes a powerful combination with an existing ADFS installation.
Firstly, we should add pre-authentication risk analysis to the authentication flow, including:
- Device recognition – from any device (with no domain-joining requirement)
- A rich threat service – real-time threat intelligence, IP address interrogation
- Directory lookup – from any structured data store, or a combination of them
- Email validation
- Password breach checking
- Geo-location – full GeoIP location mapping to detect access from known locations
- Geo-velocity – improbable travel events
- Geo-fencing – access requests coming from within or outside a geographical boundary
- Fraud prevention – reduce the number of OTPs sent, block device classes, detect SIM swaps and ported numbers, block by carrier
- Identity governance – detect high-risk account access
- Behaviour analytics – detect anomalous access patterns
These pre-authentication checks add rich intelligence to the existing ADFS workflows. That intelligence forms decision points, allowing decisions to be made as to how a user should proceed (or indeed whether they should proceed at all).
Immediately we have achieved something impressive: ADFS authentication workflows and integrations have become truly adaptive. In other words, we now control which authentication options make sense based on the risk score. Not only that, we can also perform actions based on the risk score and the intelligence captured. Actions such as:
- Resume Authentication
We are no longer restricted by the static nature of the ADFS workflows.
Based on the risk score and the determined action points we can present the best authentication options to the end user. (Of course, since we have the intelligence provided by the layered risk analysis, we can also step the user down.)
Available options could include:
- Voice OTP
- SMS OTP
- Email OTP
- Push to Accept
- Push OTP
- Symbol to Accept
- Soft Token (TOTP)
- Hard Token
- Smart Card
- X.509 user / device certificate
- Device Fingerprint
- YubiKey – legacy and FIDO support
- Biometrics (Voice / Face / Fingerprint)
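To make the risk-scoring and step-up / step-down logic described above concrete, here is an added example (not ThreatPoint's platform code, nor anything shipped with ADFS) that evaluates a handful of the pre-authentication signals listed earlier over a constructed sign-in event and maps the resulting score to an action and an option set. The geo-velocity check is a real haversine calculation; the signal weights, thresholds, allowed-country list and the sample London-to-Sydney events are assumptions chosen for illustration.

```powershell
# Added example: minimal pre-authentication risk evaluation and adaptive decision.
# Weights, thresholds and sample data are assumptions, not a vendor's real policy.

function Get-GeoDistanceKm {
    param([double]$Lat1, [double]$Lon1, [double]$Lat2, [double]$Lon2)
    # Haversine great-circle distance, Earth radius 6371 km
    $toRad = [Math]::PI / 180
    $dLat = ($Lat2 - $Lat1) * $toRad
    $dLon = ($Lon2 - $Lon1) * $toRad
    $a = [Math]::Pow([Math]::Sin($dLat / 2), 2) +
         [Math]::Cos($Lat1 * $toRad) * [Math]::Cos($Lat2 * $toRad) * [Math]::Pow([Math]::Sin($dLon / 2), 2)
    return 6371 * 2 * [Math]::Atan2([Math]::Sqrt($a), [Math]::Sqrt(1 - $a))
}

function Get-PreAuthRisk {
    param(
        [pscustomobject]$Previous,                 # last successful sign-in: Time, Lat, Lon
        [pscustomobject]$Current,                  # current request: Time, Lat, Lon, Country, DeviceKnown, IpOnThreatFeed, PasswordBreached
        [double]$MaxPlausibleKmh = 900,            # assumption: roughly airliner speed
        [string[]]$AllowedCountries = @('GB')      # assumption: geo-fence for this user
    )
    $score = 0
    $reasons = @()

    # Geo-velocity: distance since the last sign-in divided by elapsed time
    $km    = Get-GeoDistanceKm $Previous.Lat $Previous.Lon $Current.Lat $Current.Lon
    $hours = ($Current.Time - $Previous.Time).TotalHours
    if ($hours -gt 0 -and ($km / $hours) -gt $MaxPlausibleKmh) {
        $score += 40; $reasons += "improbable travel: $([int]$km) km in $([Math]::Round($hours, 1)) h"
    }
    # Geo-fence
    if ($Current.Country -notin $AllowedCountries) { $score += 20; $reasons += "outside geo-fence ($($Current.Country))" }
    # Device recognition
    if (-not $Current.DeviceKnown)  { $score += 20; $reasons += 'unrecognised device' }
    # Threat feed hit on the source IP
    if ($Current.IpOnThreatFeed)    { $score += 30; $reasons += 'source IP on threat feed' }
    # Password breach checker
    if ($Current.PasswordBreached)  { $score += 30; $reasons += 'password found in breach corpus' }

    [pscustomobject]@{ Score = $score; Reasons = $reasons }
}

function Get-AuthDecision {
    param([int]$Score)
    # Map the score to an action and the authentication options to offer.
    # Thresholds are assumptions; a real platform tunes these per user / policy.
    switch ($Score) {
        { $_ -ge 70 } { return [pscustomobject]@{ Action = 'Block';    Options = @() } }
        { $_ -ge 40 } { return [pscustomobject]@{ Action = 'StepUp';   Options = @('YubiKey (FIDO)', 'Smart Card', 'Push to Accept') } }
        { $_ -ge 20 } { return [pscustomobject]@{ Action = 'StepUp';   Options = @('Push to Accept', 'Soft Token (TOTP)') } }
        default       { return [pscustomobject]@{ Action = 'StepDown'; Options = @('Device Fingerprint') } }
    }
}

# Constructed sample: last sign-in from London, new request two hours later from Sydney
# on a device we have seen before.
$previous = [pscustomobject]@{ Time = Get-Date '2019-04-25T08:00:00Z'; Lat = 51.5074; Lon = -0.1278 }
$current  = [pscustomobject]@{
    Time = Get-Date '2019-04-25T10:00:00Z'; Lat = -33.8688; Lon = 151.2093; Country = 'AU'
    DeviceKnown = $true; IpOnThreatFeed = $false; PasswordBreached = $false
}
$risk     = Get-PreAuthRisk -Previous $previous -Current $current
$decision = Get-AuthDecision -Score $risk.Score
"Risk score $($risk.Score): $($risk.Reasons -join '; ')"
"Action: $($decision.Action); offer: $($decision.Options -join ', ')"
```

With the constructed events the improbable-travel and geo-fence signals fire (score 60), so the user is stepped up to the strongest options rather than blocked outright; clearing the geo-fence flag for a user who genuinely travels, or adding a threat-feed hit, moves the decision in either direction. The point a practitioner should take from this is that the step-down branch is only safe because the same signals that would have stepped the user up were evaluated first.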
We can add friction when we need to, with the most appropriate option, backed by world-class threat feeds and real-time intelligence.
The workflows should be configured on a per-user / per-identity basis, meaning the user experience can be completely tailored to suit.
The beauty of this integration is its simplicity. By adding a suitable security vendor as a claims provider trust within ADFS and assigning it to the relying party (or parties) concerned, an organisation benefits from the world-class authentication techniques available through the vendor's platform. No configuration changes are required at the relying party (application) end: the application still receives its token from ADFS.
Of course we could talk about replacing ADFS with a single solution that includes all of the above plus SSO, but that may not be possible for a number of reasons, nor should it be necessary if an organisation chooses otherwise.
Using the complementary approach above, you can still add the best adaptive security platform in the world to an existing ADFS deployment, removing the authentication shackles and poor user experience imposed by relying solely on ADFS.
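The ADFS side of that integration is a short PowerShell job. The following is an added example (not ThreatPoint's or Microsoft's deployment script) that registers an external authentication platform as a claims provider trust from its federation metadata, accepts only the claims we expect from it, and pins one relying party to that provider so its sign-ins are routed through the vendor's adaptive flow. The trust name, metadata URL, relying party name and the two claim types passed through are assumptions for illustration; the cmdlets and parameters are the standard ADFS module ones.

```powershell
# Added example: wire an external adaptive-authentication platform into ADFS as a
# claims provider trust and route one relying party through it. Names/URLs are assumed.
# Run in an elevated session on an ADFS server (Windows Server 2012 R2 or later).

Import-Module ADFS

$cpName   = 'AdaptiveAuthVendor'                              # assumed display name for the vendor IdP
$metadata = 'https://auth.vendor.example/saml/metadata.xml'  # assumed federation metadata URL (HTTPS only)
$rpName   = 'Finance Portal'                                  # assumed existing relying party trust

# Acceptance transform rules: accept only the claims we expect from the vendor IdP and
# pass them through unchanged. Any other claim the vendor issues is dropped here, which
# limits what a compromised or misconfigured vendor tenant could inject into ADFS tokens.
$acceptanceRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through UPN from vendor IdP"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through authentication method references"
c:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences"]
 => issue(claim = c);
'@

# 1. Register the vendor platform as a claims provider trust from its metadata.
#    AutoUpdate keeps the vendor's token-signing certificate current; Monitoring
#    makes ADFS log when the metadata endpoint cannot be reached.
if (-not (Get-AdfsClaimsProviderTrust -Name $cpName -ErrorAction SilentlyContinue)) {
    Add-AdfsClaimsProviderTrust -Name $cpName `
        -MetadataUrl $metadata `
        -AutoUpdateEnabled $true `
        -MonitoringEnabled $true `
        -AcceptanceTransformRules $acceptanceRules
}

# 2. Pin the relying party to the vendor. With exactly one name in ClaimsProviderName,
#    ADFS skips home realm discovery and sends users straight to the vendor IdP.
#    The relying party's own configuration (identifier, endpoints, issuance rules) is untouched;
#    it still receives its token from ADFS as before.
Set-AdfsRelyingPartyTrust -TargetName $rpName -ClaimsProviderName @($cpName)

# 3. Verify the result before pointing users at it.
Get-AdfsClaimsProviderTrust -Name $cpName | Select-Object Name, Enabled, Identifier, MonitoringEnabled, AutoUpdateEnabled
(Get-AdfsRelyingPartyTrust -Name $rpName).ClaimsProviderName
```

Two checks worth making before rolling this out: first, once the relying party lists only the vendor, Active Directory is no longer offered as a sign-in option for that application, so the vendor's own fallback and break-glass paths need to be in place; second, because ADFS now issues tokens on the strength of assertions from the vendor, keep the acceptance rules as narrow as the application needs and treat the vendor's signing keys and metadata endpoint as part of your own trust boundary.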