The Necessity of MFA ~Making MFA Mandatory at Salesforce from February 2022~

Introduction

Unauthorized access caused by leaked passwords is in the news almost every day. The risk of relying on password authentication alone keeps growing, since a single compromised credential can lead to large financial losses and even a service outage. This is why MFA (multi-factor authentication), which adds authentication factors beyond the password, is receiving so much attention.

In this post I will first explain what MFA actually is, and then show how MFA can be applied, using our IDaaS product "Okta", to Salesforce, which is scheduled to make MFA mandatory from February 1, 2022.

What is MFA in the first place?

MFA (multi-factor authentication) means authenticating with two or more of the following kinds of factors:

  • Something the user knows (e.g. passwords, security questions)
  • Something only the user has (e.g. email, SMS, a one-time password on a smartphone)
  • Something the user is (e.g. biometrics such as face or fingerprint)

 

The strength of the authentication also depends on which "two or more" factors are combined.

 

Using the same kind of factor twice does not strengthen authentication (stacking several checks of the same kind is multi-step authentication, not multi-factor authentication). For example, if a "secret question" is asked after "password" authentication, both are things "the user knows", so identity verification has not really been strengthened: an attacker who can learn one can often learn the other.

Authentication therefore becomes stronger by combining factors of different kinds, such as "knowledge" and "possession".

 

For example, if "password" authentication is followed by a "one-time passcode" (software token) generated on a smartphone that only the user has, the two steps rely on different kinds of factors, "knowledge" and "possession". That is multi-factor authentication.

 

Only the person holding the smartphone can see the one-time passcode. So even if the account ID and password leak and the password step is passed, the subsequent MFA step fails and access can be denied.

Authentication based on the user's physical characteristics can be stronger still, and is recommended where stricter authentication is required. "Knowledge" can sometimes be guessed from personal information such as a birthday, and a "possession" can be stolen by a third party, so biometrics are considered the strongest of the three.

 

We have already covered FIDO2, the authentication technology behind biometric login and the representative example of "something the user is", on this blog, so please read that post as well.

 

Reference: Graduating from a vague understanding of "FIDO2": what is the best way to adopt it in a company?

https://mnb.macnica.co.jp/2021/02/zerotrust/fido2.html

Towards mandatory MFA for Salesforce

From February 1, 2022, MFA (multi-factor authentication) is required to access Salesforce products.

 

MFA is required not only when logging in directly to the user interface of a Salesforce product, but also for SSO logins via SAML authentication through an IdP (Identity Provider) such as Okta.

 

MFA performed on the IdP side can be used to satisfy this requirement: when a user logs in via the IdP with MFA, no additional MFA on the Salesforce side is needed. So once a user has completed MFA on Okta, they can log in to Salesforce by SSO without a second MFA prompt from Salesforce.

 

Among MFA methods, "email", "SMS" and "phone call" verification do not satisfy the requirement, and this applies equally to SSO logins via an IdP. The reason is that email credentials are easily leaked, and SMS messages and phone calls can be intercepted.

 

For more information, please check the official website of Salesforce.

 

See: Salesforce Multi-Factor Authentication FAQ

https://help.salesforce.com/articleView?id=000352937&type=1&mode=1

About MFA at Okta

Okta offers different types of multi-factor authentication and can add contextual and dynamic authentication controls.

 

Okta offers 14 types of MFA, so you can choose the factors that meet your company's requirements. Since whether MFA is requested, and which factor is requested, can be controlled automatically based on the user's context and state, this improves both security and convenience.

Available MFA

Okta has its own software token, Okta Verify. With a typical software token, the smartphone app shows a one-time passcode of about six digits and the user types that number in to log in. Okta Verify supports such numeric one-time passcodes, but it can also use push notifications instead.

 

When a login is attempted, Okta automatically sends a notification to the smartphone, and the user completes authentication simply by tapping the push notification, with no need to type a number. Only the smartphone owned by that person receives the push, so the "possession" factor is satisfied, and because the phone must be unlocked to tap the notification, the phone's own screen lock protects the factor as well. Users should of course only approve a prompt for a login they have just started themselves.

<MFA authentication flow using Okta Verify Push>

Okta also supports FIDO2, so users can log in without a password using "Windows Hello" or "Apple Touch ID".

 

Besides password leaks, the operational cost and effort for administrators to reset forgotten passwords is also a problem. The need for passwordless authentication is therefore growing.

 

From the standpoint of authentication strength, FIDO2 makes logins more secure and resolves the problems of password authentication. I do not think it is far in the future when passwordless login with FIDO2 becomes commonplace.

< Apple Touch ID login flow >

Dynamic authentication control

With Okta, you can improve security by setting authentication rules based not only on who the user is, but also on the user's context and state: where they are, which device they are using, and which IP address they are coming from.

 

Concretely, access from the internal network can be treated as coming from an insider and not require MFA, while access from outside the company or from a new location can be configured to require MFA, raising the authentication strength where the risk is higher.

Requiring MFA raises the security level of authentication, but the extra time and effort to log in to each app can reduce work efficiency.

 

With Okta, an authentication policy can be set per integrated app, allowing finer-grained control. With many IDaaS products, a rule such as "allow access from a specific IP address" or "require MFA" can only be applied uniformly to all apps, whereas with Okta, Salesforce can be set to require MFA while other apps are individually configured not to.
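The following is an added illustrative model, not Okta's policy engine, API or configuration format, of the two ideas above: an org-wide dynamic rule (skip MFA from the internal network on a known device, step up from outside or from a new location) and a per-app override in which Salesforce always requires MFA and accepts only the factors Salesforce itself accepts, which excludes the email, SMS and phone methods mentioned in the Salesforce section. It also encodes the earlier point that a security question after a password is not a second factor. Network ranges, app names, factor names and the user are all constructed for the example; the "fido2" factor is treated as satisfying MFA on its own because the authenticator verifies the user locally.

```python
import ipaddress
from dataclasses import dataclass

# Added illustrative model (not Okta's policy engine or configuration format):
# a context-aware, per-app MFA policy evaluator. Network ranges, app names and
# factor names below are constructed for this example.

# Constructed corporate address space: logins from here count as "internal".
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("203.0.113.0/24")]

# Which kind of factor each method proves. Two methods of the same kind
# (password + security question) are multi-step, not multi-factor.
FACTOR_KIND = {
    "password": "knowledge", "security_question": "knowledge",
    "email": "possession", "sms": "possession", "voice": "possession",
    "okta_verify_push": "possession", "okta_verify_totp": "possession",
    "fido2": "possession",
}
# Assumption for the model: a FIDO2 authenticator verifies the user locally
# (PIN or biometric) on top of possession, so it counts as MFA by itself.
SELF_SUFFICIENT = {"fido2"}

STRONG_SECOND_FACTORS = {"okta_verify_push", "okta_verify_totp", "fido2"}
# Email, SMS and voice are accepted by the org default but not for Salesforce.
DEFAULT_SECOND_FACTORS = STRONG_SECOND_FACTORS | {"email", "sms", "voice", "security_question"}

# Per-app policy; `always_mfa` overrides the network/location rule.
APP_POLICIES = {
    "salesforce": {"always_mfa": True, "accepted_second": STRONG_SECOND_FACTORS},
    "wiki": {"always_mfa": False, "accepted_second": DEFAULT_SECOND_FACTORS},
}
DEFAULT_POLICY = {"always_mfa": False, "accepted_second": DEFAULT_SECOND_FACTORS}


@dataclass(frozen=True)
class LoginContext:
    user: str
    app: str
    source_ip: str
    device_known: bool        # device has been seen for this user before
    new_location: bool        # geolocation differs from the user's usual one
    factors_used: frozenset   # factors already verified in this IdP session


@dataclass(frozen=True)
class Decision:
    allow: bool
    mfa_required: bool
    reason: str


def make_context(app, source_ip, factors, device_known=True, new_location=False,
                 user="alice"):
    return LoginContext(user, app, source_ip, device_known, new_location, frozenset(factors))


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def mfa_required(ctx: LoginContext) -> bool:
    policy = APP_POLICIES.get(ctx.app, DEFAULT_POLICY)
    if policy["always_mfa"]:
        return True
    # Org-wide dynamic rule: trust the internal network on a known device at
    # the usual location; step up for anything else.
    return not (is_internal(ctx.source_ip) and ctx.device_known and not ctx.new_location)


def satisfies_mfa(factors: frozenset, accepted_second: set) -> bool:
    if factors & SELF_SUFFICIENT & accepted_second:
        return True
    # The password is always a valid first factor; a second factor counts only
    # if the app accepts it AND it is of a different kind than the first.
    kinds = {FACTOR_KIND[f] for f in factors if f == "password" or f in accepted_second}
    return len(kinds) >= 2


def evaluate(ctx: LoginContext) -> Decision:
    policy = APP_POLICIES.get(ctx.app, DEFAULT_POLICY)
    if not ctx.factors_used:
        return Decision(False, True, "no authentication performed")
    if not mfa_required(ctx):
        return Decision(True, False, f"internal network, known device: MFA skipped for {ctx.app}")
    if satisfies_mfa(ctx.factors_used, policy["accepted_second"]):
        return Decision(True, True, f"MFA satisfied at the IdP; {ctx.app} needs no further prompt")
    return Decision(False, True,
                    f"MFA required for {ctx.app}: {sorted(ctx.factors_used)} "
                    f"do not give two distinct factor kinds the app accepts")
```

The Salesforce rule is deliberately evaluated before the network rule, which is the behaviour the text describes: an internal-network login that would skip MFA for the wiki still has to present an accepted second factor for Salesforce, and an SMS code presented at the IdP is rejected for Salesforce even though the wiki would accept it.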

 

By using Okta, you can define detailed authentication rules based on the user's context and state, and raise the security level of authentication while maintaining operational efficiency.

Summary

The need for MFA will only keep growing. However, even among those who understand its necessity, there are many cases where MFA cannot be introduced because smartphones cannot be brought into the office, or where it is not required for applications that do not handle personal information because of the effort involved. I think many readers face such issues.

 

By introducing Okta, you can choose from a wide variety of MFA factors that work for your company, and by controlling MFA requirements dynamically and per app, I think the obstacles to introducing MFA can be overcome.

 

Also, just as Salesforce made MFA mandatory, other SaaS products are expected to follow. If MFA factors are registered separately in each SaaS, the operational burden grows, so centralized management is the best practice. From this point of view as well, we recommend Okta, which can centrally manage MFA across SaaS products.

 

If you are interested in Okta, please contact Macnica.

Inquiry/Document request

Macnica Co., Ltd., Okta team

Mon-Fri 8:45-17:30