You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.
Multi-Factor Authentication
Multi-Factor Authentication
Cybercrime is on the rise again and according to 2017 Verizon Data Breach Investigative Report 81% of data breaches were due to weak or stolen credentials. Passwords continue to be the weakest link in an organization’s security strategy. Multi-Factor Authentication has been proven as the only means to ensure that a user is who they say they are but the need for security must be balanced with usability to ensure that a solution gets used and adopted. To rollout MFA successfully, it must be available for all entry points at which the user authenticates such as web, VPN, and mobile app and it must be available in an easy to use format from any of their devices. EmpowerID supports a wide range of friendly options including one-time password, FIDO/Yubikey tokens, 3rd parties such as DUO, as well as the EmpowerID Mobile phone app which allows users to click to approve their logins.
Adaptive MFA
Adaptive MFA eases the adoption of more secure login procedures by ensuring that users aren’t forced to perform MFA on every login but rather only when the circumstances warrant it. The circumstances evaluated include leveraging information about the user’s device, their location on the internal or external network, their geolocation and velocity, the application they are attempting to access, as well as information about the user themselves including their roles and risk score. EmpowerID intelligently analyzes these factors to determine when a user must go through additional steps to ensure the veracity of their identity.
Passwordless Login
The only password an end user won’t forget is no password at all. Since the invention of the password it has been a dream to live in a password free world. EmpowerID eliminates the need for passwords by securely authenticating users via a broad set of supported factors, including FIDO2 keys, virtual and hardware tokens, and mobile authenticators. Passwordless login requirements are intelligently determined by flexible adaptive policies which analyze the context of the login to determine how many and which types of factors are required.
EmpowerID Mobile Authenticator
The EmpowerID Mobile Authenticator is available on major mobile platforms and allows users to perform multi-factor authentication with the click of a button. User adoption is greatly increased by the convenience of adding additional login security by letting users simply respond to a push notification on their smartphone or watch during the login process. The decision is sent through your phone to EmpowerID where it is validated and then the user is logged in. If the user’s mobile device is not connected to the Internet, the user can enter the one-time password displayed on the app in the EmpowerID Portal. As soon as EmpowerID receives a valid one-time password, the user is logged in. The EmpowerID Mobile Authenticator is available in the Apple and, Android app stores and is easy to install and enroll. The first time a user signs into the EmpowerID Portal and selects EmpowerID Mobile Authenticator as their MFA option, they are presented with a QR code which can be scanned by the mobile app to automatically register the device for the user.
Adaptive MFA for VPN
The integrated EmpowerID RADIUS Server provides RADIUS strong authentication to firewalls, network devices and VPN servers within your network infrastructure. EmpowerID verifies user credentials against the Identity Warehouse or against connected directories like Active Directory. User logins from network devices are analyzed using the same context-driven policies as web logins and enforce adaptive multi-factor authentication rules. The EmpowerID LDAP Virtual Directory can be used in the same manner for organizations which prefer LDAP over RADIUS.
Depending on how you configure EmpowerID, you can require users to pass through a number of checkpoints and to submit additional biographic information before gaining access to resources. Checkpoints can include the user's IP address, the selected identity provider and the Password Manager policy assigned to the user.
Getting Started
Passwordless Login
Configure EmpowerID for the Mobile App
Configure EmpowerID for the Mobile App
FIDO2 WebAuthn
Set LoA points on Password Manager policies
Setting LOA Points on Password Policies
Assign MFA Types to Password Manager Policies
Assign MFA Types to Password Policies
Assign Adaptive Authentication Rules to Password Manager Policies
Assign Adaptive Authentication to Password Policies
Set LOA Points on Applications
Set LOA Points on Apps
Assign MFA Types to Applications
Assigning MFA Types to Apps
Assign Adaptive Authentication Rules to Applications
Assigning Adaptive Auth to Apps
Set LOA Points Granted by Identity Providers
Set LOA Points Granted by Identity Providers
Edit LOA Point Values for MFA Types
Edit LOA Point Values for MFA Types
Customize the MFA Retry Limit
Configure one-time password delivery types
Configure One-Time Password Delivery Types
Configure the EmpowerID RADIUS Server
Configure the RADIUS Server
Integrate DUO Two-Factor Authentication
Integrate DUO Two-Factor Authentication
Integrate Yubico OTP
VASCO Hardware OATH Tokens