Workforce IAM

Identity Federation, Single Sign-On (SSO), & Multi-Factor Authentication (MFA)

We’ve heard the horror stories about poor Identity Management, and having been in this business long enough, we know that most “hacks” are the result of poor process and avoidable oversights. Unified Identities, with a single password or no password at all, secured by MFA or Biometric Factors, should be standard for protecting any organization’s data and applications.

Having a separate account for each service makes access hard to track and forces users to maintain many passwords, which leads them to write passwords down on sticky notes, store them on personal devices, and fall into other risky habits that become attack vectors.

Federated Identity Management

Do not confuse this concept with SSO; the two are vastly different. Federated Identity Management uses an Identity Provider (IDP), plugged into a Datastore (Active Directory, for example), to connect to other Identity Management systems.

Instead of having you authenticate directly with a service provider, the service provider trusts the corporate identity provider to validate your corporate credentials, so the user never presents credentials to anyone but the corporate identity provider. This trust relationship is what federates identities, and it is a central concept in strong IAM today.

Single Sign-On (SSO)

In a corporate environment, SSO should be a product of federating one identity with multiple services, so that logging in to your corporate IDP is tantamount to logging in to every service your organization has approved and to which you should have access.

Multi-Factor Authentication

Multi-Factor Authentication adds an additional layer of security to your Federated Identities. In the event that user passwords are breached, MFA can save an organization from dangerous exposure to cyber threats.

Adding a layer of protection such as 2FA with an authenticator application on a mobile device, biometric factors, or even just SMS or email codes on top of a password is key to securing your organization’s data. These factors can be required based on user location, IP address lists, or as step-up authentication within an already active session when the user attempts to access privileged resources, and more.
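As an added illustration (not code from the original page), the following Python model ties together the federation trust described above and the step-up check from this MFA section: the IdP signs an assertion after checking the corporate credentials, the service provider verifies the signature, issuer, audience and expiry instead of ever handling a password, and privileged paths require that a second factor was used. The issuer and audience URLs, the `amr` factor names and the shared HMAC secret are constructed for the demo; a real federation uses SAML or OpenID Connect with the IdP's asymmetric signing key.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed demo values. A real federation uses the IdP's asymmetric signing
# key (SAML metadata / OIDC JWKS) rather than a secret shared with the SP.
IDP_SECRET = b"constructed-demo-secret-not-for-production"
IDP_ISSUER = "https://idp.example.test"      # hypothetical identity provider
APP_AUDIENCE = "https://app.example.test"    # hypothetical service provider

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(payload: str) -> str:
    return _b64(hmac.new(IDP_SECRET, payload.encode(), hashlib.sha256).digest())

def idp_issue_assertion(user: str, mfa_done: bool, now: int, ttl: int = 300) -> str:
    """IdP side: after checking the corporate credentials (not shown), issue a signed
    assertion. 'amr' lists the factors used, as in OpenID Connect."""
    claims = {"iss": IDP_ISSUER, "sub": user, "aud": APP_AUDIENCE, "iat": now,
              "exp": now + ttl, "amr": ["pwd", "otp"] if mfa_done else ["pwd"]}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{payload}.{_sign(payload)}"

def sp_verify(assertion: str, now: int) -> Optional[dict]:
    """SP side: never handles a password. Trust the assertion only if the IdP's
    signature verifies and the claims are addressed to this SP and unexpired."""
    parts = assertion.split(".")
    if len(parts) != 2:
        return None
    payload, sig = parts
    if not hmac.compare_digest(sig, _sign(payload)):
        return None  # forged or tampered
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != APP_AUDIENCE:
        return None  # issued by or for someone else
    if claims.get("exp", 0) <= now:
        return None  # expired
    return claims

def sp_authorize(claims: Optional[dict], resource: str) -> str:
    """Step-up authentication: a password-only session may use ordinary resources,
    but privileged paths require that MFA was performed."""
    if claims is None:
        return "deny"
    if resource.startswith("/admin/") and "otp" not in claims.get("amr", []):
        return "step-up"
    return "allow"
```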
