You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.
Multi-Factor Authentication
Cybercrime is on the rise again, and according to the 2017 Verizon Data Breach Investigations Report, 81% of data breaches were due to weak or stolen credentials. Passwords continue to be the weakest link in an organization's security strategy. Multi-Factor Authentication has proven to be the only means of ensuring that a user is who they say they are, but the need for security must be balanced with usability so that the solution is actually used and adopted. To roll out MFA successfully, it must be available at every entry point at which the user authenticates, such as web, VPN, and mobile apps, and it must be available in an easy-to-use format from any of the user's devices. EmpowerID supports a wide range of user-friendly options, including one-time passwords, FIDO/Yubikey tokens, third-party services such as DUO, and the EmpowerID Mobile phone app, which lets users approve their logins with a click.
Adaptive MFA
Adaptive MFA eases the adoption of more secure login procedures by ensuring that users aren't forced to perform MFA on every login, but only when the circumstances warrant it. The circumstances evaluated include information about the user's device, whether they are on the internal or external network, their geolocation and velocity, the application they are attempting to access, and information about the users themselves, including their roles and risk score. EmpowerID analyzes these factors to determine when a user must complete additional steps to verify their identity.
Passwordless Login
The only password an end user won't forget is no password at all. Since the invention of the password, it has been a dream to live in a password-free world. EmpowerID eliminates the need for passwords by securely authenticating users via a broad set of supported factors, including FIDO2 keys, virtual and hardware tokens, and mobile authenticators. Passwordless login requirements are determined by flexible adaptive policies, which analyze the context of the login to decide how many factors, and which types, are required.
EmpowerID Mobile Authenticator
The EmpowerID Mobile Authenticator is available on major mobile platforms and allows users to perform multi-factor authentication with the click of a button. User adoption is greatly increased by the convenience of adding login security simply by responding to a push notification on a smartphone or watch during the login process. The user's decision is sent from the phone to EmpowerID, where it is validated, and the user is then logged in. If the user's mobile device is not connected to the Internet, the user can instead enter the one-time password displayed in the app into the EmpowerID Portal; as soon as EmpowerID receives a valid one-time password, the user is logged in. The EmpowerID Mobile Authenticator is available in the Apple and Android app stores and is easy to install and enroll. The first time a user signs into the EmpowerID Portal and selects EmpowerID Mobile Authenticator as their MFA option, they are presented with a QR code, which the mobile app scans to automatically register the device for the user.
Adaptive MFA for VPN
The integrated EmpowerID RADIUS Server provides RADIUS strong authentication to firewalls, network devices, and VPN servers within your network infrastructure. EmpowerID verifies user credentials against the Identity Warehouse or against connected directories such as Active Directory. User logins from network devices are analyzed using the same context-driven policies as web logins, and the same adaptive multi-factor authentication rules are enforced. Organizations that prefer LDAP over RADIUS can use the EmpowerID LDAP Virtual Directory in the same manner.
Depending on how you configure EmpowerID, you can require users to pass through a number of checkpoints and to submit additional biographic information before gaining access to resources. Checkpoints can include the user's IP address, the selected identity provider, and the Password Manager policy assigned to the user.
Getting Started
Set LoA points on Password Manager policies: Setting MFA Points on Policies
Assign MFA Types to Password Manager Policies: Assigning MFA Types to Policies
Assign Adaptive Authentication Rules to Password Manager Policies: Assigning Adaptive Authentication to Policies
Set LoA Points on Applications: Setting MFA Points on Apps
Assign MFA Types to Applications: Assigning MFA Types to Apps
Assign Adaptive Authentication Rules to Applications: Assigning Adaptive Auth to Apps
Edit LoA point values for MFA Types: Editing MFA Type Point Values
Set LoA points granted by Identity Providers: Setting MFA Points by SSO Connections
Integrate DUO Two-Factor Authentication: Integrating DUO Two-Factor Authentication
Integrate Yubico OTP: Integrating Yubico OTP
Register and Issue VASCO Hardware OATH Tokens: VASCO Hardware OATH Tokens
Customize the MFA Retry Limit: Customizing the MFA Retry Limit
Configure Multi-Factor Communication Options: Configuring MFA Communication Options
Configure the EmpowerID RADIUS Server: RADIUS Server
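The LoA point scheme that the tasks above configure, as an added illustrative model (not EmpowerID code): a login must accumulate at least as many LoA points as the stricter of the Password Manager policy and the application requires, and points come from the identity provider used to sign in plus each MFA type the user completes. The threshold rule, the point values, and the type names are assumptions made for the example.

```python
"""Illustrative model of LoA (Level of Assurance) point evaluation.

Added example, not EmpowerID code. The rule that the required LoA is the
larger of the policy and application values, the point values, and the MFA
type names are assumptions for illustration only.
"""
from dataclasses import dataclass, field


@dataclass
class LoginContext:
    policy_required: int        # LoA points required by the user's Password Manager policy
    app_required: int           # LoA points required by the target application
    idp_points: int             # points granted by the identity provider used to sign in
    allowed_mfa: list           # MFA types the policy/app allow, in preference order
    completed_mfa: list = field(default_factory=list)  # MFA types already passed


# Assumed points granted per MFA type (the guide's "Editing MFA Type Point
# Values" task is where an admin would tune these).
MFA_TYPE_POINTS = {
    "EmpowerIDMobileAuthenticator": 3,
    "FIDO2": 3,
    "YubicoOTP": 2,
    "DUO": 2,
    "EmailOTP": 1,
}


def required_points(ctx):
    """The stricter of the policy and application requirements wins."""
    return max(ctx.policy_required, ctx.app_required)


def earned_points(ctx):
    """Points from the identity provider plus every MFA type completed so far."""
    return ctx.idp_points + sum(MFA_TYPE_POINTS[m] for m in ctx.completed_mfa)


def next_required_factors(ctx):
    """Return the MFA types the user must still complete, in preference order,
    until the earned points reach the requirement. An empty list means the
    login proceeds without further MFA (the adaptive case)."""
    need = required_points(ctx) - earned_points(ctx)
    chosen = []
    for mfa in ctx.allowed_mfa:
        if need <= 0:
            break
        if mfa in ctx.completed_mfa:
            continue            # never ask for a factor twice
        chosen.append(mfa)
        need -= MFA_TYPE_POINTS[mfa]
    if need > 0:
        raise ValueError("allowed MFA types cannot reach the required LoA")
    return chosen
```

A high-trust identity provider can grant enough points on its own, which is how the same scheme yields a passwordless or MFA-free login for one context and a step-up challenge for another.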