In EmpowerID, multi-factor authentication (MFA) is a flexible, configurable points-based system with integrated Adaptive Authentication policies, which can be authored in Workflow Studio. Administrators define a specific number of trust or MFA points and apply those points to objects in EmpowerID to set the target number of points required to authenticate to EmpowerID and to access any third-party applications secured by EmpowerID. Adaptive Authentication policies are applied in conjunction with the MFA Trust Point system and support complex context-based rules based on identity attributes, device info, and environmental attributes such as geo-velocity. These are a few of the objects to which you can apply these policies and rules:

  • Password Manager policies
  • MFA methods
  • IP address ranges
  • Identity Providers
  • Service Provider Applications

    Multi-Factor Authentication

    Cybercrime is on the rise again, and according to the 2017 Verizon Data Breach Investigative Report, 81% of data breaches were due to weak or stolen credentials. Passwords continue to be the weakest link in an organization’s security strategy. Multi-Factor Authentication has been proven as the only means to ensure that a user is who they say they are, but the need for security must be balanced with usability to ensure that a solution gets used and adopted. To roll out MFA successfully, it must be available for all entry points at which the user authenticates, such as web, VPN, and mobile app, and it must be available in an easy-to-use format from any of their devices. EmpowerID supports a wide range of friendly options, including one-time passwords, FIDO/Yubikey tokens, third parties such as DUO, as well as the EmpowerID Mobile phone app, which allows users to click to approve their logins.

    Adaptive MFA

    Adaptive MFA eases the adoption of more secure login procedures by ensuring that users aren’t forced to perform MFA on every login but rather only when the circumstances warrant it. The circumstances evaluated include leveraging information about the user’s device, their location on the internal or external network, their geolocation and velocity, the application they are attempting to access, as well as information about the user themselves including their roles and risk score. EmpowerID intelligently analyzes these factors to determine when a user must go through additional steps to ensure the veracity of their identity.

    Passwordless Login

    The only password an end user won’t forget is no password at all. Since the invention of the password, it has been a dream to live in a password-free world. EmpowerID eliminates the need for passwords by securely authenticating users via a broad set of supported factors, including FIDO2 keys, virtual and hardware tokens, and mobile authenticators. Passwordless login requirements are intelligently determined by flexible adaptive policies which analyze the context of the login to determine how many and which types of factors are required.

    EmpowerID Mobile Authenticator

    The EmpowerID Mobile Authenticator is available on major mobile platforms and allows users to perform multi-factor authentication with the click of a button. User adoption is greatly increased by the convenience of adding additional login security by letting users simply respond to a push notification on their smartphone or watch during the login process. The decision is sent through your phone to EmpowerID, where it is validated, and then the user is logged in. If the user’s mobile device is not connected to the Internet, the user can enter the one-time password displayed on the app in the EmpowerID Portal. As soon as EmpowerID receives a valid one-time password, the user is logged in. The EmpowerID Mobile Authenticator is available in the Apple and Android app stores and is easy to install and enroll. The first time a user signs into the EmpowerID Portal and selects EmpowerID Mobile Authenticator as their MFA option, they are presented with a QR code which can be scanned by the mobile app to automatically register the device for the user.

    Adaptive MFA for VPN

    The integrated EmpowerID RADIUS Server provides RADIUS strong authentication to firewalls, network devices and VPN servers within your network infrastructure. EmpowerID verifies user credentials against the Identity Warehouse or against connected directories like Active Directory. User logins from network devices are analyzed using the same context-driven policies as web logins and enforce adaptive multi-factor authentication rules. The EmpowerID LDAP Virtual Directory can be used in the same manner for organizations which prefer LDAP over RADIUS.


    Tip

    Depending on how you configure EmpowerID, you can require users to pass through a number of checkpoints and to submit additional biographic information before gaining access to resources. Checkpoints can include the user's IP address, the selected identity provider and the Password Manager policy assigned to the user.




    Getting Started





      • Overview of Adaptive Multi-Factor Authentication
      • Setting MFA Points on Policies
      • Assigning MFA Types to Password Manager Policies
      • Assigning Adaptive Authentication Rules to Password Manager Policies
      • Setting MFA Points on Applications
      • Assigning MFA Types to Applications
      • Assigning Adaptive Authentication Rules to Applications
      • Editing MFA Type Point Values
      • Setting MFA Points Granted by SSO Connections
      • Integrating DUO Two-Factor Authentication
      • Integrating Yubico OTP
      • Customizing the MFA Retry Limit
      • Configuring Multi-Factor Communication Options