Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Implementing Multifactor Authentication
Implementing Multifactor Authentication

Implementing Multifactor Authentication: Protect your applications from cyberattacks with the help of MFA

eBook
$18.99 $27.99
Paperback
$34.99
Subscription
Free Trial
Renews at $19.99p/m

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
OR
Modal Close icon
Payment Processing...
tick Completed

Shipping Address

Billing Address

Shipping Methods
Table of content icon View table of contents Preview book icon Preview Book

Implementing Multifactor Authentication

On the Internet, Nobody Knows You’re a Dog

In the ever-evolving landscape of cybersecurity, ensuring that proper access is given for the right reasons at the right time for digital identities is no longer just an optional feature – it’s an indispensable component of securing modern applications. Moreover, as digital transformation accelerates, organizations must proactively protect their sensitive data and functions against persistent cybercriminals, hackers, and even insider threats.

To bring this critical topic to life, we invite you to join us on an engaging journey with ACME Software. This fictitious start-up grapples with the complexities of securing access to its business-critical data and functions. As ACME Software grows and expands, its workforce identities (corporate employees, contingent workers, and partners) and customer identities demand increasingly sophisticated authentication mechanisms to keep their information safe and sound.

Throughout this book, we will look at ACME Software while exploring its options and navigating the intricate world of modern authentication mechanisms. As we follow the start-up’s story, you will discover not only the essentials of multifactor authentication (MFA) but also its practical applications, benefits, and potential pitfalls. By delving into real-life examples and scenarios, we aim to make this subject more engaging, accessible, and relatable, transforming what might otherwise be a dry, technical topic into a captivating learning experience.

This book will cover the following themes:

  • The importance of securing digital identities in today’s interconnected world
  • An introduction to MFA, its principles, and its various forms
  • A detailed examination of ACME Software’s authentication requirements and the challenges it faces as it grows
  • A comprehensive exploration of various MFA solutions, as well as their strengths and weaknesses
  • Real-world examples of implementing and managing MFA solutions at ACME Software, demonstrating how to optimize security while maintaining user convenience
  • The future of authentication – emerging trends and technologies that will shape the next generation of identity and access management

As we follow ACME Software’s journey, we aim to equip you with the knowledge and understanding necessary to make informed decisions about MFA for your organization, empowering you to protect your valuable digital assets in a world of ever-increasing cyber threats.

In this chapter, we are going to cover the following topics:

  • Identity and digital identity
  • Additional authentication and security controls

Identity and digital identity

Identity is a universal concept that accompanies us throughout our lives, regardless of our cultural or national background. Immediately after birth, newborns around the world are identified in various ways. In some cultures, babies might receive bands on their wrists or ankles, while others may have different traditional identification methods. These methods often include the baby’s name, date of birth, and other crucial information that helps distinguish them from others.

Governments and communities across the globe maintain records of their citizens’ identities in various forms, such as birth certificates, family registers, or national ID systems. These records typically contain vital information such as names, birthdates, places of birth, and parentage.

Individuals from diverse cultures and nations rely on these records to establish and verify their identities. Moreover, the importance of these documents transcends geographical boundaries since people need them for various purposes, such as education, civic participation, and international travel. For example, these records may be required for enrolling in school, registering to vote, or obtaining necessary documents such as passports or driver’s licenses.

The documents used to identify a person may change, depending on the context. For example, I need documents establishing my identity and employment authorization to apply for a job. On the other hand, I may need a passport rather than a driver’s license when traveling abroad. And to open a bank account, I may require proof of residence and identification information. Collectively, these artifacts provide what is known as personally identifiable information (PII).

Let’s look at the process of opening a bank account before the internet. A customer had to drive to the bank, meet with a bank representative, and present the required documents to open an account. Only then would they be issued an account number and be allowed to make transactions via that account. After applying for and receiving an automated teller machine (ATM) or debit card in the mail, they could use it to access their account. Every time they wanted to perform a transaction, they would need to go to a branch and authenticate themselves to a teller that would verify that they were the person they claimed to be and that they were authorized to perform the transaction they wanted. With an ATM card, they no longer needed to show their picture ID to confirm who they were. Anybody with that person’s ATM card could do everything they were authorized to do at the ATM. When someone withdraws cash with an ATM card or makes a purchase with a debit card, the card reader takes information about the account from the card and sends it, along with the amount of the transaction, to the bank. To verify that the card was not stolen, the card reader requests the card’s personal identification number (PIN); once the PIN is entered correctly, the bank approves the transaction and withdraws the funds from the account.

Identity is a multifaceted concept encompassing the unique characteristics that define who or what a person or thing is. The amalgamation of physical, emotional, cultural, and social attributes creates the intricate tapestry of our individuality. In both the physical and digital realms, identity plays a crucial role in remembering, recognizing, and interacting with subjects, be they people or objects.

In today’s increasingly interconnected world, our identities extend beyond the tangible realm, forming an integral part of our digital presence. This digital identity is a virtual representation of our real-world selves, encompassing various elements, such as usernames, passwords, biometrics, and personal preferences. It enables us to navigate the vast expanse of the internet, engage in online transactions, and interact with digital services.

The process of authentication is vital in both physical and digital environments. By verifying the identity of a subject, we ensure that they are who they claim to be and grant them access to specific services or actions based on their authorization. This process is essential for maintaining security and trust and enabling the seamless functioning of our increasingly digital lives.

In digital transactions, the owner of a digital identity is often referred to as the security principal or simply the principal. This term highlights the significance of the individual or entity at the heart of the authentication inquiry. As we engage in various online activities, our digital identities are the foundation for creating trust and facilitating secure transactions.

Just like identity existed before the internet, two-factor authentication (2FA) and MFA existed as well. The PIN on an ATM or debit card is one example of MFA (and 2FA, which is a subset of MFA). To verify (authenticate) my identity, I need to present my ATM card (something I have) and enter my PIN (something I know). Similarly, showing my driver’s license to the bank teller is another example of MFA. The driver’s license is the first factor (again, something I have), while matching the picture on the ID to me is the second factor (something you are).

Establishing identities is also critical, if not more important, online. Even though a large number of countries have established some form of online digital ID (you can see a list at https://www.worldprivacyforum.org/2021/10/national-ids-and-biometrics/), it is still rare to encounter customer-facing applications that will accept those digital IDs outside of the country that issued the ID.

The New Yorker published a cartoon in July 1993 where a large dog was sitting in front of a computer, speaking to another dog on the floor to his side, saying, On the internet, nobody knows you’re a dog. It can be viewed here: https://i.kym-cdn.com/photos/images/original/000/427/569/bfa.jpg. Here’s Dalle-2’s interpretation of it:

Figure 1.1 – Dalle-2’s interpretation of “On the internet, nobody knows you’re a dog”

Figure 1.1 – Dalle-2’s interpretation of “On the internet, nobody knows you’re a dog”

The saying quickly became popular and has been used to describe the anonymous nature of life online. As more and more applications become available online, identifying users is essential for several reasons.

For privacy reasons, users that register at a site may not want or permit their information and activities to be seen by somebody else. Therefore, companies must verify the user when they return to the site and validate their identity.

Companies that sell services need to make sure that the user registering is legitimate and that they are authorized to use those credentials. As Microsoft’s investigation of the security breach by the group LAPSUS$ shows (https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/), cybercriminals usually buy credit card numbers and other information on criminal underground forums and will also use the Redline password stealer, Loki, and other password stealers that are bought on the dark web or available for a subscription fee. They will use that information to open new accounts and spend money they don’t intend to pay for. Companies in the financial services industry may also have other regulations they need to follow to prevent money laundering, for example.

Especially after the COVID-19 pandemic started, companies began to hire employees without ever seeing them. Onboarding employees has completely changed. It is not always possible to verify an employee’s identity by looking at their physical documents (birth certificate, social security number, driver’s license, and so on) before or when they start working. Even though identity verification is not something that affects the authentication of that user, it affects what we are fundamentally discussing in this book. If you give valid credentials to a bad actor, all the security in the world will not prevent that user from doing what those credentials allow them to do.

The process of registration is a crucial step in creating and managing a digital identity. It involves collecting and verifying information about a subject (a person or an entity) and linking it to a unique identifier in the digital realm. This identifier can be a username, email address, or any other unique attribute that distinguishes the subject from others. The relationship between a subject and their digital identity is established during the registration process, and it sets the foundation for future authentication and authorization.

The first step in the registration process is to collect relevant information about the subject. Data collection may include personal details such as name, address, date of birth, contact information, and digital credentials such as a username and password. In some cases, biometric data or other unique attributes may also be collected.

After collecting the necessary information, the next step is to verify the authenticity of the data provided by the subject. For example, data verification may involve checking the validity of an email address, confirming a phone number via SMS, or comparing the provided biometric data to a pre-existing database. This verification process ensures that the subject is who they claim to be and helps maintain the integrity of the digital identity system.

Once the data has been verified, an individual account is created for the subject. This account serves as the digital representation of the subject and is linked to their unique identifier (for example, username or email address). In addition, the account may include additional information, such as preferences, interests, and other data to help personalize the subject’s digital experience:

Figure 1.2 – Application registration

Figure 1.2 – Application registration

With the account created and linked to the subject’s unique identifier, the subject can now use their digital identity to authenticate themselves when accessing online services.

The most common way of proving your identity online is by using a username and password:

Figure 1.3 – Application authentication

Figure 1.3 – Application authentication

As documents or other forms of identification are used to determine if a person is who they say they are, authenticators are used to assess the validity of claims from a subject engaged in a transaction online, confirming the digital identity of the subject.

In the physical world, governments and companies define the rules used to identify the users of their services or access to their systems. For example, a person must present a driver’s license or another form of identification to travel to domestic destinations or withdraw money from their local bank. However, they need to show a passport to be able to travel internationally. In addition, government-issued identification may not be enough when going to a company’s office, and badges may be required instead.

A digital identity is different. Even though it must be unique to the digital service it was created for, it does not uniquely identify the subject across all digital services.

Identity proofing, sometimes also referred to as identity verification, is required to validate that a subject is who they say they are. In a process similar to the one described earlier for the physical world, a person will present a driver’s license or password, or other documents accepted by the identity-proofing service, and the identity-proofing service will provide identity assurance (the degree of certainty that the identity can be trusted to belong to the person).

Similarly, companies define their own rules to register for online (or virtual) identities and use them. In some cases, a username or email address is all that is required to create a new account. Others will need more information and, depending on the objective of the identity, validate the data used to create the new identity.

For internal users, the process is usually more complex. Legal or regulatory requirements may specify the information required for each user. The employer verifies that the worker is authorized to work in the country by validating some documents, for example.

Another difference may be self-service, where users can create their own accounts.

When self-service is not used, there are two ways of creating new identities. First, when companies are in their early stages, and the number of employees is small, they use manual processes to create accounts for their employees. Later, as the number of employees grows and the number of applications that those users have access to grows, an identity management platform or product usually performs automated identity creation and management.

Controlling access to systems, applications, and software and who is authorized to do what is called access management.

Workforce identity

Before they can offer services and applications to external customers, companies must start their identity work with everyone in the organization – employees, their contingent workforce, and business partners. Workforce identity software is used to manage identities for employees and the contingent workforce. Businesses may also use workforce identity to manage temporary or permanent identities for the contingent workforce and partners. Identity federation is the trust relationship between the company and an external (workforce) identity system to authenticate users. Identity systems usually work together with access management in what is called identity and access management (IAM) software.

The following are the typical requirements for workforce identity products:

  • Secure and frictionless experience: Users need to be productive with their daily operations. The company must be able to use the product according to their required balance of secure and convenient access for workforce users.
  • Granular, centralized administration: A workforce identity solution must provide sufficient capabilities to control the life cycle of the company’s identities with a centralized administration giving full control to the identity infrastructure.

Customer identity

Businesses use customer identity and access management (CIAM) software to manage customer identities and offer a secure, seamless login experience for the company’s applications. When building an internet-facing application, there are common features and standard requirements that companies usually ask for:

  • Self-service: The first thing is self-service, account management, and many related features – starting with allowing users to sign up and sign in, managing their profile, changing their profile, changing their password, making account recovery, performing MFA, changing their authentication factors, and onboarding new devices. All of these things come under self-service account management. It would be best if you had a solution that allows you to do this for your customers and let your customers – the end users of your application – manage these profiles for themselves.
  • Scalability: The second point is that it scales to tens of millions of users and has a large global coverage. This is different from workforce identity since usually, you have thousands or maybe tens of thousands of users. In the consumer space, you have tens of millions. On Azure, AWS, or Google Cloud, some companies have hundreds of millions of customers, and that number is always increasing. A system must allow millions of identities to be created for a large enterprise with a global presence in different countries and locations. The system must also be able to distribute these users or position them in a country closer to them; they may do this for data residency reasons. For example, users in Europe must have their data only in Europe.
  • Ease of use: We usually want to attract as many users as possible in consumer identity. Ease of use is essential when onboarding customers in an online application. If the process is not user-friendly, it may discourage potential customers from completing the onboarding process and prevent them from using the application. The end users’ onboarding and authentication journey must be as easy as possible while providing various options.

Using social media accounts for onboarding can be convenient and efficient for users to create accounts and access online applications. In addition, this approach allows users to authenticate their identity and provide personal information while using their existing social media profiles rather than having to create a new account from scratch.

Again, this is different from workforce identity. The workforce is usually a captive audience that has to be created by an administrator and typically follows an HR process. Using the same process with external users will cause them to abandon the process. They will do business elsewhere. The journey to onboard end users has to be as seamless as possible.

One requirement that applies to customer or workforce IAM products is single sign-on (SSO). When access management (AM) products allow users to log in once for multiple applications, that is called SSO.

When there is a trusted relationship between separate organizations and companies that allow users to authenticate across domains, that is called federated SSO.

Different protocols are used for SSO. Some of them will be used in the practical implementation examples in this book, starting from Chapter 3:

  • SAML 2.0: Security Assertion Markup Language (SAML) is an open standard created in 2005 to provide cross-domain SSO. In SAML, you have an identity provider (IdP), which is responsible for authenticating users and managing identities, a relying party (RP), which is a service requesting and receiving data from the IdP, and a user agent (UA), which is the user requesting the services. SAML is used by several SSO products (including Azure AD, as shown in Chapter 3) to authenticate users to online Software-as-a-Service (SaaS) applications such as Salesforce, Slack, and others.
  • OAuth 2.0: OAuth allows users to share specific data with an application while keeping their credentials private. For example, a printing service can use OAuth to obtain permission from users to access their photos for printing. We are going to use OAuth for some examples in this book. The OAuth Playground website provides a detailed description of the steps involved in using OAuth, along with an example application that is free to use. OAuth Playground can be viewed at https://www.oauth.com/playground/client-registration.html:
Figure 1.4 – OAuth Playground client registration

Figure 1.4 – OAuth Playground client registration

After registering a new client on OAuth Playground, you can use the generated credentials to test the OAuth protocol:

Figure 1.5 – OAuth Playground test credentials

Figure 1.5 – OAuth Playground test credentials

To test these credentials, go to https://www.oauth.com/playground/authorization-code.html and enter the user account credentials that were generated in the previous step.

Now that the basic terminology is out of the way, let’s dive into the main topic of this book: MFA.

Additional authentication and security controls

MFA is a method of verifying a user’s identity by requiring them to present more than one piece of information. By combining multiple layers of security, MFA decreases the chances of compromised online access to an account.

What are authentication factors?

Authentication factors are different ways of proving identity. There are three different categories of authentication factors:

  • Something you know (knowledge): Passwords, PINs, answers to pre-selected security questions
  • Something you are (being or inheritance): Face recognition, fingerprint scan, voice recognition
  • Something you have (possession): SMS codes, one-time passwords, smart cards, ATM cards, mobile phones, key fobs:
Figure 1.6 – Authentication factors

Figure 1.6 – Authentication factors

As can be seen in Figure 1.7, the three different authentication factors can be used individually, or combined, as part of the same authentication process. The process of combining two different factor types in the same authentication process is called 2FA or MFA. The process of combining three or more different categories of authentication factors used in the same authentication process is called MFA.

To be considered 2FA or MFA, the authentication factors should be from different categories.

Most websites use a username and password combination to verify users’ identities. Some will attempt to increase security and require an answer to a security question as well. This is not MFA. Even though the user provided two factors to authenticate (password and answer to security questions), the second factor is also from the knowledge category. This is considered a two-step authentication process but a single factor.

Going back to our ATM example, MFA enhances security because it requires the hacker to obtain the two factors of authentication before being able to access your money. If your wallet is stolen or you lose your ATM card, the person that has your card cannot use it without knowing the pin as well. Similarly, if someone shoulder surfs (steals your PIN by spying over your shoulder as you use an ATM) and can use your PIN, they still don’t have the ATM card needed to complete the transaction.

Most free email providers, such as Gmail, Outlook, iCloud, and Yahoo!, provide some form of 2FA:

Figure 1.7 – Gmail 2-Step Verification confirmation

Figure 1.7 – Gmail 2-Step Verification confirmation

As we discuss MFA throughout this book, it is important to consider the needs of the organization and the types of users that are going to be using the systems. An authentication system needs to balance its security needs with the usability and risks of the application being accessed.

In certain industries and the government, special standards and regulations may also require (or prohibit) the use of different types of MFA systems.

https://2fa.directory/us/ provides a list of websites for different industries and whether or not they support 2FA and is a good place to look to see what your competition is doing in this area.

Criminals can obtain user credentials in different ways. For example, they can buy user credentials on the dark web, try brute-force attacks, or use social engineering methods.

Another problem with passwords is that users reuse passwords across many different sites; they may share passwords with their colleagues. They may also write the passwords on post-it notes and attach them to their monitor at work or home.

All these issues make using passwords as the single method to identify users a significant security risk for companies.

If passwords are not enough, what else can organizations do? MFA, or at least 2FA, is the most common solution. Google, in their latest Hacking Google series, states “Add 2FA to your account, and we do the rest regarding security.” Microsoft says that 99.9% of identity attacks can be blocked by MFA (https://www.microsoft.com/en-us/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/).

On the other hand, MFA overuse may cause customers to choose to move to a friendlier site and do business with a different company or abandon a shopping cart or transaction completely. Therefore, the balance between usability and security has to be considered according to the risk involved with the transaction.

In some cases, the use of MFA is based on other signals that help the system decide when to ask for a second form of authentication – for example, detection that the user’s IP address has traveled impossible distances, thus limiting the number of login attempts and increasing the time after each failure, and bot detection, among others.

Other tools may create a profile of the browser or mobile phone used by the users and ask for additional authentication if the phone changes or screen dimensions change, among other characteristics.

Behavioral biometrics can also be used to create a profile of the user and perform continuous authentication of the user based on their behaviors, not only when they log in:

Figure 1.8 – Top five cyber attacks in 2022

Figure 1.8 – Top five cyber attacks in 2022

According to a report by HYPR (https://get.hypr.com/state-of-authentication-in-the-finance-industry-2022), cyberattacks persistently targeted financial service institutions in 2022, as evidenced by the fact that 94% of those surveyed experienced some form of attacks within the last year. As shown in the preceding figure, the most common type of attack continues to be phishing, accounting for 36% of incidents. Other frequently occurring attacks included malware, credential stuffing, MFA fatigue attacks, and Man-in-the-Middle (MitM) attacks.

Phishing

Employees frequently fall for emails that promise bonuses, an urgent request from their CEO, or a request from the Information Technology (IT) department. Those emails ask users to click on a website or verify their credentials. Unfortunately, the whole company may be compromised when the employee clicks on the link or enters their credentials where they shouldn’t.

Here are some other related attacks:

  • When a hack is done via a phone call, this is known as vishing
  • Similar to emails, SMS texts are sent to users in what is known as smishing
  • When code to redirect the original browser request to a malicious website – without the knowledge or consent of the user – is installed on a server or personal computer, the attack is called pharming

Credential stuffing

Credential stuffing attacks occur when many username/password combinations are tried against a website. Bots usually perform this type of attack.

Malware

Malware, or malicious software, is a term that describes a malicious program or piece of code that is harmful to the user’s computer.

Malware is normally used in conjunction with phishing to obtain the credentials from a user.

Account Take Over (ATO)

The reuse of credentials causes another typical attack. Most users commonly use the same email or username on many different apps. At the same time, passwords are also reused. If one account is compromised, bad actors can use the same credentials and try to log in to many other sites. Account Take Over (ATO) is usually the outcome of a successful credential stuffing attack.

MFA fatigue – push notification attack

A common way to prevent a credential stuffing attack is by using a second authentication step in addition to a username and password. For example, systems may require users to accept an app push notification or receive a phone call and press a key as a second factor. When an attack issues multiple MFA requests to the end user until the user accepts the authentication, this is called MFA fatigue. It is also known as a push notification attack.

Man-in-the-Middle attack

An MitM attack is a type of session hijacking attack. The attacker eavesdrops and interrupts an existing conversation by inserting themselves into the middle of the transfer.

The attacker pretends to be the other legitimate participant for both the user and the original web application, enabling them to intercept information and data from either side of the conversation. An MitM attack can be used for account takeover purposes or just for the duration of the session:

Figure 1.9 – MitM attack

Figure 1.9 – MitM attack

In Chapter 2, we will discuss different types of authentication factors and what types can be used to prevent different types of attacks.

In addition to knowledge-based authentication factors, other commonly used authentication factors will be described next.

One-time password

A one-time password (OTP) is a mechanism for logging into an application or service using a unique password that can only be used once. OTP can be generated by security tokens or applications such as Google Authenticator or Microsoft Authenticator. SMS-based OTP is not recommended because of its vulnerabilities.

FIDO Alliance

The Fast Identity Online (FIDO) Alliance is an open industry association with a single goal: to create authentication standards to help reduce the world’s reliance on passwords.

FIDO Universal 2nd Factor standard

Yubico and Google developed the FIDO Universal 2nd Factor (FIDO U2F) standard. After FIDO U2F was successfully tested with Google employees, the standard was contributed to the FIDO Alliance.

The WebAuthn specification

WebAuthn is a World Wide Web Consortium (W3C) specification that allows the creation and use of strong, public key-based credentials for authenticating users. It is designed to be a secure and convenient alternative to traditional username and password authentication methods and can be used to authenticate users on websites and other online platforms.

WebAuthn works with the FIDO Client To Authenticator Protocol version 2 (CTAP2) to securely create and retrieve credentials on a security key. The two standards work together. Developers only use the WebAuthn specification; they don’t have to worry about CTAP2. WebAuthn uses public key infrastructure (PKI) to create and manage the public keys that are used for authentication.

One of the main benefits of WebAuthn is that it allows users to authenticate using a variety of different devices, such as security keys, biometric sensors (such as fingerprint scanners or facial recognition cameras), and other types of hardware tokens. This makes it easier for users to authenticate securely and reduces the risk of password-based attacks such as phishing and brute-force attacks.

WebAuthn is supported by most modern web browsers and is becoming increasingly popular as a secure and convenient way to authenticate users on the web.

FIDO2

The FIDO2 specification includes World Wide Web Consortium’s WebAuthn specification and FIDO Alliance’s corresponding CTAP. The specifications are open and free for general use.

Passkeys

Passkeys are replacements for passwords based on FIDO Alliance and W3C standards. Passwords are replaced with strong credentials (cryptographic key pairs). In addition, passkeys are linked with the website or application they were created for, thus being safe from phishing. Passkeys are not a new thing, just a new name for WebAuthn/FIDO2 credentials, enabling a fully passwordless experience for the user. Even though passkeys are on a user’s devices (something they have) and the relying party (the service provider that processes access to the applications) can ask for user verification, which is done by a biometric or PIN (something the user is or knows), some regulatory bodies still do not recognize passkeys as MFA.

This completes our introduction to MFA, authenticator factors, and the types of attacks companies face.

Summary

In this chapter, you learned why (digital) identity and authentication are fundamental parts of security. We also covered the basic concepts and terminology that will be used throughout this book. Finally, we introduced MFA.

In the next chapter, we are going to discuss the different types of authentication factors, how cybercriminals attempt to bypass them, and when to use or not to use different types of authentication factors.

Left arrow icon Right arrow icon

Key benefits

  • Gain proficiency in using solutions like Okta, Ping Identity, and ForgeRock within the IAM domain
  • Thwart authentication breaches using pragmatic strategies and lessons derived from real-world scenarios
  • Choose the right MFA solutions to enhance your organization's security

Description

MFA has emerged as an essential defense strategy in the wide-ranging landscape of cybersecurity. This book is a comprehensive manual that assists you in picking, implementing, and resolving issues with various authentication products that support MFA. It will guide you to bolster application security without sacrificing the user experience. You'll start with the fundamentals of authentication and the significance of MFA to familiarize yourself with how MFA works and the various types of solutions currently available. As you progress through the chapters, you'll learn how to choose the proper MFA setup to provide the right combination of security and user experience. The book then takes you through methods hackers use to bypass MFA and measures to safeguard your applications. After familiarizing yourself with enabling and managing leading cloud and on-premise MFA solutions, you’ll see how MFA efficiently curbs cyber threats, aided by insights from industry best practices and lessons from real-world experiences. Finally, you’ll explore the significance of innovative advancements in this domain, including behavioral biometrics and passkeys. By the end of the book, you'll have the knowledge to secure your workforce and customers, empowering your organization to combat authentication fraud.

Who is this book for?

This book is for developers, system administrators, security professionals, white-hat hackers, CISOs, and anyone interested in understanding and enhancing their access management infrastructure. While basic knowledge of authentication and IAM is helpful, it is not a prerequisite.

What you will learn

  • Evaluate the advantages and limitations of MFA methods in use today
  • Choose the best MFA product or solution for your security needs
  • Deploy and configure the chosen solution for maximum effectiveness
  • Identify and mitigate problems associated with different MFA solutions
  • Reduce UX friction with ForgeRock and behavioral biometrics
  • Stay informed about technologies and future trends in the field
Estimated delivery fee Deliver to Turkey

Standard delivery 10 - 13 business days

$12.95

Premium delivery 3 - 6 business days

$34.95
(Includes tracking information)

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Jun 28, 2023
Length: 550 pages
Edition : 1st
Language : English
ISBN-13 : 9781803246963
Category :
Concepts :
Tools :

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
OR
Modal Close icon
Payment Processing...
tick Completed

Shipping Address

Billing Address

Shipping Methods
Estimated delivery fee Deliver to Turkey

Standard delivery 10 - 13 business days

$12.95

Premium delivery 3 - 6 business days

$34.95
(Includes tracking information)

Product Details

Publication date : Jun 28, 2023
Length: 550 pages
Edition : 1st
Language : English
ISBN-13 : 9781803246963
Category :
Concepts :
Tools :

Packt Subscriptions

See our plans and pricing
Modal Close icon
$19.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
$199.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts
$279.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total $ 129.97
Implementing Multifactor Authentication
$34.99
Information Security Handbook
$44.99
Practical Cybersecurity Architecture
$49.99
Total $ 129.97 Stars icon

Table of Contents

16 Chapters
Part 1: Introduction Chevron down icon Chevron up icon
Chapter 1: On the Internet, Nobody Knows You’re a Dog Chevron down icon Chevron up icon
Chapter 2: When to Use Different Types of MFA Chevron down icon Chevron up icon
Part 2: Implementing Multifactor Authentication Chevron down icon Chevron up icon
Chapter 3: Preventing 99.9% of Attacks – MFA with Azure AD and Duo Chevron down icon Chevron up icon
Chapter 4: Implementing Workforce and Customer Authentication Using Okta Chevron down icon Chevron up icon
Chapter 5: Access Management with ForgeRock and Behavioral Biometrics Chevron down icon Chevron up icon
Chapter 6: Federated SSO with PingFederate and 1Kosmos Chevron down icon Chevron up icon
Chapter 7: MFA and the Cloud – Using MFA with Amazon Web Services Chevron down icon Chevron up icon
Chapter 8: Google Cloud Platform and MFA Chevron down icon Chevron up icon
Chapter 9: MFA without Commercial Products – Doing it All Yourself with Keycloak Chevron down icon Chevron up icon
Part 3: Proven Implementation Strategies and Deploying Cutting-Edge Technologies Chevron down icon Chevron up icon
Chapter 10: Implementing MFA in the Real World Chevron down icon Chevron up icon
Chapter 11: The Future of (Multifactor) Authentication Chevron down icon Chevron up icon
Index Chevron down icon Chevron up icon
Other Books You May Enjoy Chevron down icon Chevron up icon

Customer reviews

Top Reviews
Rating distribution
Full star icon Full star icon Full star icon Full star icon Half star icon 4.8
(8 Ratings)
5 star 75%
4 star 25%
3 star 0%
2 star 0%
1 star 0%
Filter icon Filter
Top Reviews

Filter reviews by




esgar jimenez Jul 18, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book does a great job describing how to properly use and deploy Multifactor Authentication (MFA). MFA is a good tool to help prevent unauthorized access to user accounts. Since cyber crime has been on the rise it has increased the need to protect users from having their credentials stolen. This has resulted in the rise in popular use of MFA. MFA helps to secure user access by forcing a second form of authentication. It could be a simple code sent to the user's phone or email. It could be a code from an app like Authenticator or Authy. This extra layer of protection helps prevent unauthorized access to an account and helps with alerting the user of a possible credential breach. overall this is a great read and a very helpful guide.
Amazon Verified review Amazon
GUNDERSTONE Jul 07, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
In today's digital age, security is of utmost importance. Cyber threats constantly evolve, and breaches can have devastating consequences for businesses and individuals. These threats are why Multifactor Authentication (MFA) is becoming increasingly popular as an effective strategy to secure accounts and applications. MFA goes beyond the traditional username and password combination, adding an extra layer of security that makes it much harder for attackers to access sensitive information. However, mastering MFA can be daunting, especially for those new to the cybersecurity world. Because of these challenges, hands-on guides like "Implementing Multifactor Authentication" can be helpful."Implementing Multifactor Authentication" takes you through a fictitious company and its experiences as they adopt various MFA products and mechanisms. This is a practical and engaging way to learn about MFA while still mastering it in no time. The book aims to help you fortify your digital fortress by reducing the risk of cyber threats.This book offers step-by-step explanations, practical examples, and hands-on implementations of MFA concepts and technologies. It covers a range of Identity and Access Management (IAM) products and includes crystal-clear explanations that will make you an expert in no time. The book teaches you how to enable secure Single Sign-On (SSO) for enterprise and customer-facing applications."Implementing Multifactor Authentication" is designed to help you select the ideal products for your users, partners, and customers. You will be given instructions on obtaining free trial versions of the products used in the examples and how to build SaaS applications that use the security provided by the solutions demonstrated in each chapter. This will enable you to make empowered decisions to fortify your digital fortress, enhance your applications' security and reduce the risk of cyber threats.The book also explores Multiple Factor Authentication (MFA) mechanisms such as biometrics, smart cards, tokens, and mobile devices. MFA mechanisms are essential for enterprises as they add another layer of security. Acme Software's journey will show you how to effectively balance security, cost and user experience. The book also looks at IAM products such as Okta, Microsoft Azure, AWS IAM, LastPass, and OneLogin.-----------------ABOUT THE AUTHOR - Having shifted gears from software engineering to cybersecurity, Marco Fanti's professional journey is as impressive as inspiring. His innate knack for designing state-of-the-art security tools transformed his career, positioning him as a distinguished figure in the security sphere. Marco's collaborative efforts span from assisting startups, to joining forces with industry leaders like Oracle and Accenture, ultimately leading to the creation of solutions that ensure the safety of millions globally. As a perpetual learner, Marco's credentials include two MSc degrees from NYIT and NYU, and an MBA from UF, providing him the aptitude to deliver tailored solutions for his clients, blending the optimum aspects of various products. A Brazil native, Marco now resides in Florida with his wife, consistently pushing the boundaries in cybersecurity.-----------Audience Overview of This BookThis book is crafted to serve a broad spectrum of readers:IT Administrators, System Operators, and Security Specialists: The book targets system administrators, network administrators, security engineers, and other IT personnel tasked with the establishment and maintenance of secure authentication systems. It offers a comprehensive exploration of Multifactor Authentication (MFA).Cybersecurity Specialists: This book is an excellent resource for security consultants, researchers, analysts, and other professionals engaged in the cybersecurity sector seeking to augment their understanding of MFA. It aids in staying updated with the most effective strategies for safeguarding critical data and systems.Software Professionals: Software developers and engineers tasked with developing applications with stringent authentication requirements will find this book invaluable. It provides in-depth knowledge on MFA, shares best practices, and illustrates effective techniques to incorporate it into their applications seamlessly.Business Leaders: For executives, managers, and business proprietors who are accountable for their organization's data and infrastructure security, this book serves as a reliable guide to MFA. It aids in gaining a solid understanding of the concept, thereby facilitating judicious decisions regarding its implementation.In addition, the book contains sections that highlight examples of Software as a Service (SaaS) applications crafted utilizing Software Development Kits (SDKs) for an array of authentication products. Although the book thoroughly explains the process of constructing and launching these applications, readers with a basic grounding in programming will find it easier to grasp the material and apply this knowledge to their endeavors.-------------In conclusion, "Implementing Multifactor Authentication" is a comprehensive guide that delves deep into the world of MFA, providing you with all the information you need to make informed decisions and elevate your security game. By immersing yourself in the practical, engaging learning experience of the fictitious Acme Software, you will master MFA in no time. You will be equipped with the knowledge to select the ideal IAM products for your requirements and implement secure SSO for your applications.
Amazon Verified review Amazon
Shrinivas Shenoy Aug 24, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
A worthy purchase for those seeking an in-depth understanding of multifactor authentication implementation across various platforms. Concepts are well explained keeping all levels of audience in mind. A must-have for people trying to break into the IT Infrastructure and Cybersecurity domain.Thank you.
Amazon Verified review Amazon
Rio Jul 03, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book is great if you would like to learn "Everything MFA"! Takes you through the basics to the extensive deployment of 3rd party integration. Would highly recommend you create a sandbox tenant and follow along with the implementations steps. This book is also great if you're studying for the AZ-500.
Amazon Verified review Amazon
Brandon Lachterman Jul 05, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This is a must have for security engineers, and software appsec and devops alike. I was delighted to see how in depth the author went into many different methods of implementation without making it overly dense and difficult to understand. Nice work!
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is the delivery time and cost of print book? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela
What is custom duty/charge? Chevron down icon Chevron up icon

Customs duty are charges levied on goods when they cross international borders. It is a tax that is imposed on imported goods. These duties are charged by special authorities and bodies created by local governments and are meant to protect local industries, economies, and businesses.

Do I have to pay customs charges for the print book order? Chevron down icon Chevron up icon

The orders shipped to the countries that are listed under EU27 will not bear custom charges. They are paid by Packt as part of the order.

List of EU27 countries: www.gov.uk/eu-eea:

A custom duty or localized taxes may be applicable on the shipment and would be charged by the recipient country outside of the EU27 which should be paid by the customer and these duties are not included in the shipping charges been charged on the order.

How do I know my custom duty charges? Chevron down icon Chevron up icon

The amount of duty payable varies greatly depending on the imported goods, the country of origin and several other factors like the total invoice amount or dimensions like weight, and other such criteria applicable in your country.

For example:

  • If you live in Mexico, and the declared value of your ordered items is over $ 50, for you to receive a package, you will have to pay additional import tax of 19% which will be $ 9.50 to the courier service.
  • Whereas if you live in Turkey, and the declared value of your ordered items is over € 22, for you to receive a package, you will have to pay additional import tax of 18% which will be € 3.96 to the courier service.
How can I cancel my order? Chevron down icon Chevron up icon

Cancellation Policy for Published Printed Books:

You can cancel any order within 1 hour of placing the order. Simply contact customercare@packt.com with your order details or payment transaction id. If your order has already started the shipment process, we will do our best to stop it. However, if it is already on the way to you then when you receive it, you can contact us at customercare@packt.com using the returns and refund process.

Please understand that Packt Publishing cannot provide refunds or cancel any order except for the cases described in our Return Policy (i.e. Packt Publishing agrees to replace your printed book because it arrives damaged or material defect in book), Packt Publishing will not accept returns.

What is your returns and refunds policy? Chevron down icon Chevron up icon

Return Policy:

We want you to be happy with your purchase from Packtpub.com. We will not hassle you with returning print books to us. If the print book you receive from us is incorrect, damaged, doesn't work or is unacceptably late, please contact Customer Relations Team on customercare@packt.com with the order number and issue details as explained below:

  1. If you ordered (eBook, Video or Print Book) incorrectly or accidentally, please contact Customer Relations Team on customercare@packt.com within one hour of placing the order and we will replace/refund you the item cost.
  2. Sadly, if your eBook or Video file is faulty or a fault occurs during the eBook or Video being made available to you, i.e. during download then you should contact Customer Relations Team within 14 days of purchase on customercare@packt.com who will be able to resolve this issue for you.
  3. You will have a choice of replacement or refund of the problem items.(damaged, defective or incorrect)
  4. Once Customer Care Team confirms that you will be refunded, you should receive the refund within 10 to 12 working days.
  5. If you are only requesting a refund of one book from a multiple order, then we will refund you the appropriate single item.
  6. Where the items were shipped under a free shipping offer, there will be no shipping costs to refund.

On the off chance your printed book arrives damaged, with book material defect, contact our Customer Relation Team on customercare@packt.com within 14 days of receipt of the book with appropriate evidence of damage and we will work with you to secure a replacement copy, if necessary. Please note that each printed book you order from us is individually made by Packt's professional book-printing partner which is on a print-on-demand basis.

What tax is charged? Chevron down icon Chevron up icon

Currently, no tax is charged on the purchase of any print book (subject to change based on the laws and regulations). A localized VAT fee is charged only to our European and UK customers on eBooks, Video and subscriptions that they buy. GST is charged to Indian customers for eBooks and video purchases.

What payment methods can I use? Chevron down icon Chevron up icon

You can pay with the following card types:

  1. Visa Debit
  2. Visa Credit
  3. MasterCard
  4. PayPal
What is the delivery time and cost of print books? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela