Why Multi Factor Authentication (MFA)?
Traditional security systems rely on passwords to authenticate and authorize access to protected data. But such password-only systems are, in general, more vulnerable to security breaches as there is only one layer of security. To protect against such breaches, multi-factor authentication (MFA) or two-factor authentication (2FA) is used, which offers extra layer of security. This extra layer of security makes use of information that is accessible only to the user being authenticated.
A typical example of MFA can be seen in online banking domain where one-time password (OTP) is used to re-authenticate the user before completing any transaction e.g. money transfer. Note that the user anyway has to login to the online banking system using a password, but needs a “second factor” to complete any transaction.
Vaultize manages a large amount of critical and confidential data of enterprise customers. To ensure highest level of security with additional IT controls, Vaultize is introducing multi-factor authentication (MFA) for all users (internal or external) accessing the Vaultize system. This further strengthens enterprise file security parameters – helping IT administrators and security officers in data governance and compliance.
Vaultize MFA enables the enterprise IT to have fine-grained control over user authentication. On top of regular password based authentication (with controls over password complexity and rotation), Vaultize administrator can now configure policies to add One Time Password (OTP) or RADIUS (e.g. RSA SecurID tokens) as the second factor of authentication. Vaultize MFA can be enforced for internal users (e.g. at the time of Vaultize login) as well as for external or third-party users (e.g. while accessing a shared link or while opening a file protected using Vaultize Digital Rights Management).
Vaultize MFA - OTP
OTP is a one-time password (usually a number), which is communicated to the user via a “personal” communication medium like email or SMS. This personal communication information like email or mobile phone number is usually detected automatically via Active Directory or LDAP, but could also be manually entered by the administrator or the user. The communicated OTP has to be entered by the user at the time of authentication as a second layer of security. In Vaultize, to enable OTP based authentication for the users, administrator needs to configure the OTP parameters on the Settings page:
Here, the administrator can configure the “Authentication Mode” (which denotes the communication medium of OTP - email and/or SMS/text), number of digits in the OTP and how long the OTP will be valid (in minutes).
Once these OTP parameters are set, administrator can enable OTP based authentication for one or more Vaultize users/groups through policy. If enabled, the user has to go through a two-step process at the time of login. The first step is the usual - to authenticate using a username and password:
If password based authentication succeeds, an OTP is generated and communicated to the user via email and/or SMS. Then the login screen changes into the OTP screen:
Once the correct OTP is entered, the user authentication is successful. If either of the password or the OTP is incorrect, the user authentication fails.
Vaultize MFA - RADIUS
RADIUS is a protocol for remote user authentication, authorization and accounting. You can use your existing authentication infrastructure (e.g. RSA SecurID, SafeNet), where Vaultize will act as a RADIUS client.
To enable RADIUS based authentication for the users, administrator needs to configure its parameters via the Settings page. The following image shows the Vaultize RADIUS configuration window; administrator can configure more than one RADIUS servers:
Once these RADIUS parameters are set, administrator can enable RADIUS based authentication for one or more Vaultize users through policy. If enabled, the user has to go through a two-step process at the time of login. The first step is to authenticate using password:
When Vaultize password authentication is successful, user will be asked to enter her RADIUS token:
Using this token, user will be authenticated against RADIUS server, Vaultize login will be successful only if token is validated.
Vaultize MFA - Shared link access
OTP can also be enabled for external or third-party recipients for shared link accesses and for opening of files secured through enterprise digital rights management (eDRM). It can be enforced by the administrator or by the document owner. If enabled, after successful password authentication, the external user will also be asked for the OTP, which will be sent via email.