MFA & Smart MFA
"Powering Secure Logins & Strengthening Identity Protection."
Note: This page is in early preview mode & subject to change.
cidaas Multifactor (or Two-factor) Authentication adds a layer of security for end-users: the user verifies their identity through a second channel, so the legitimacy of an access request no longer rests on a single credential. MFA is available for password-based (email/username/mobile number and password) and passwordless authentication flows.
Users must present more than one piece of evidence: something they know (a password), something they are (a fingerprint), or something they have (a device such as a mobile phone that is associated with their identity).
cidaas offers MFA at the following levels:
A tenant is a group of users who share common access to cidaas with specific privileges. At the tenant level, an organization's cidaas instance is mapped to its subscriptions and their services, policies, SLAs, user types, scale, user isolation, cost, and operations.
Tenant-level authentication is the first level of authentication to cidaas, on the level-1 login page. Here the user's account credentials (email and password, mobile OTP, or username and password) are verified first. Only after successful authentication is the user redirected to the level-2 login page, where the MFA (the second level of security check) for the app they are trying to access takes place.
Tenant-level MFA login page
- The customer can disable identity verification at the tenant level. When it is disabled, neither in-app MFA nor user-account MFA can be enabled.
- If the user has enabled user-level MFA, the configured MFA options become available after a successful app login.
- If tenant-level MFA is enabled, only app-level Smart MFA can be used at the tenant level for the highest-level MFA permission.
- By default, tenant-level MFA is enabled.
App-level MFA pertains to the authentication methods assigned to an application that is created and maintained for a cidaas instance.
By adding MFA to an app, you provide an additional layer of security for specific apps. The end-users you assign the app to must respond to additional authentication factors to access it.
You can configure app-level MFA by itself or along with tenant-level MFA. If you configure both, your end users are asked for the additional authentication factors when they sign into cidaas, and again when they sign into apps that you have configured for app-level MFA.
App-level MFA login page
- By default, app-level MFA is disabled.
- If the user has enabled user-level MFA, the configured MFA options become available after a successful app login.
- If tenant-level MFA is enabled, only app-level Smart MFA can be used at the tenant level for the highest-level MFA permission.
MFA Methods on cidaas
1. Email: cidaas sends a six-digit verification code to the user's registered email address that has to be entered by the user on the login page.
2. Text Message: A six-digit verification code is sent via SMS to the user's registered mobile number, which should be keyed in correctly for signing in.
3. Password: Type the valid password linked to the user account to sign in.
The following MFA options need to be set up explicitly by the user on the third-party app portal using the cidaas authenticator app:
5. IVR: A six-digit verification code is read to the user by cidaas' Interactive Voice Response agent over a voice call to the user's registered mobile number.
5. Backup Code: This option is useful when the user can't get codes by text, call, or the Authenticator app. An 8-digit backup code can be used to sign in to the user's account. Once a backup code is used to sign in, it becomes inactive. The user can get a new set of backup codes on request. cidaas offers 10 backup codes.
6. FIDO2: Fast IDentity Online 2 is a set of technology-agnostic security specifications for strong authentication. It was developed to introduce open and license-free standards for secure, worldwide authentication over the Internet.
The standard uses public-key cryptography to provide a secure and convenient authentication system: a private/public key pair validates each user's identity. To use FIDO2 authentication, you first have to enrol in it on the user self-service portal (either cidaas' or the web app service provider's). Enrolling generates a FIDO2 authentication key pair on your device.
Your FIDO2 device sends the public key to the service, while the private key never leaves the device. Once enrolment is complete, the credential is stored permanently and used for later logins. The next time you want to log in to a FIDO2-enabled service, the steps are:
a. Provide your username (or email).
b. The service will give you a cryptographic challenge.
c. You use your FIDO2 key to sign the challenge.
The service’s server verifies your response and gives you access to your account.
7. Face Recognition: A facial recognition system is a technology capable of matching a human face from a digital image or a video frame against a database of faces, typically employed to authenticate users through cidaas' verification services. This authentication mechanism on cidaas works by pinpointing and measuring facial features from the user's image captured during initial configuration.
8. Touch ID: Apple Touch ID is a passwordless authentication mechanism that uses the fingerprint sensor built into the home button or power button of an iOS device to authenticate the user. Touch ID stores no fingerprint images; it stores a "mathematical representation" of the fingerprint that is unique to the user.
9. Voice Recognition: Voice recognition is a biometric speech-based method measuring the distinctions in individual voices to uniquely identify users. Instead of a password, which might be forgotten or not strong enough to ensure security, voice authentication allows people to use their voices themselves as passwords.
10. Pattern Recognition: The user draws a previously set geometric pattern on the device, and dedicated algorithms distinguish and match it against the stored pattern.
11. PUSH: This feature generates a six-digit code every 30 seconds. The user has to log into the app or service which asks for the two-factor authentication code. Entering the correct code authenticates the user successfully.
12. TOTP: A Time-based One-time Password (TOTP) is generated by an algorithm from a shared secret and the current time; the user must submit it within a limited time window, as a second factor or in a passwordless flow.
cidaas MFA Flow
cidaas implements an authentication flow that supports both password-based and passwordless verifications as shown below.
The following checks are done before the system redirects the user to the MFA page, where the MFA methods configured by the user (using the cidaas Authenticator app) are available for authentication:
1. Is tenant-level MFA enabled (by the admin for the app on cidaas)?
2. If so, is app-level MFA set as mandatory for the app?
Priorities & MFA Combinations
cidaas' MFA logic assigns a priority to each MFA method internally which defines the MFA and Smart MFA flows based on the tenant-level authentication method (email/user name/mobile number) they select. The highest priority is '1', the next priority is '2', and the lowest is '3'.
- Priority 1 indicates that the MFA method is displayed by default on the level-2 login page. For example, when the user logs in using email, Touch ID (with priority 1) will be available first to the user.
- Priority 2 indicates that the MFA method will be displayed to the user, in addition to the priority 1 method(s) only if it's explicitly configured by the user (user-level MFA). For example, when the user logs in using email, TOTP (that has been configured by the user) will be available to the user at the app level (level-2 login page), in addition to Touch ID that is the default.
- Priority 3 indicates that this MFA method is displayed if the user has not configured any MFA method other than the default MFA method(s) with priority 1.
Here's a list of the MFA methods you can configure on cidaas, and the priority levels assigned to them automatically based on the in-built MFA logic:
P1 - Priority 1; P2 - Priority 2; P3 - Priority 3
Table columns (one per verification method): PASSWORD | FACE | VOICE | TOUCHID | PUSH | TOTP | PATTERN | BACKUP CODE | FIDOU2F | FIDO2 | SECURITY QUESTION | SMS | IVR
"Intelligent Identity Protection Simplified!"
Outdated on-prem MFA solutions are too complex to manage and frustrate your users. cidaas provides a smarter way: Smart MFA.
Smart MFA provides a convenient way to add intelligent, risk-based MFA to an existing authentication flow.
It's used immediately after a user's password has been successfully authenticated, but before a session is created and the user is granted access to the application.
cidaas Smart MFA goes a step beyond MFA: it analyses and verifies user identity, infers behavioural data to detect anomalies, and reduces dependence on a single binary credential check. It takes a modern data-science approach to deliver adaptive MFA (including passwordless flows) for speed, scalability, and risk mitigation (confirming who has access to what). This approach also lays the groundwork for post-authorization anomaly detection and early warning, powered by an AI-enabled risk engine.
Smart MFA is a pattern in which the application you're logging into performs risk analysis and profiling of contextual information on the user's login such as their device, browser, location, email account, IP address, OS, internet connection and other network parameters. It's backed by big-data analytics as a part of cidaas' Fraud Detection System (FDS).
- Email & SMS security factors are enabled as a part of the default security policy on the login page of your app when using cidaas.
- By storing and using simple machine learning models on this data, the application users are logging into can selectively decide whether or not to force them to prove their identity using a second factor.
- First-time users will receive a token to register their device (and other context information) as trusted. From that point on, the token will only be sent if the risk score has exceeded the threshold limit.
- Smart MFA uses the information from previous logins to identify legitimate access patterns and to differentiate trusted behavior from suspicious behavior.
- 14 MFA methods can be included in your Smart MFA flows.
cidaas FDS works on the principle that trusted activity has some semblance of consistency, while attackers tend to mix up tactics to obscure their true identities and avoid detection.
On the flip side, legitimate users find it frustrating to be asked for 2FA again every time they log in.
Why cidaas' Smart MFA?
- Detects and responds to high-risk logins without sacrificing usability.
- Multifactor with a configurable friction level offers balanced security.
- Identity risks are reduced by almost 90% with multi-layer Smart MFA.
- A user-friendly and effortless verification process.
- Supports high volumes of verifications.
cidaas offers Smart MFA at the following level:
- By default, app-level Smart MFA is enabled.
- The Smart MFA flow is processed only if app-level MFA is disabled.
- If Smart MFA is enabled, the FDS analyses in the background whether any fraudulent activity has occurred, using location-based fraud detection and user activity-based fraud detection.
Smart MFA Flow
cidaas' Smart MFA is built on Risk-based Authentication (RBA), which calculates a risk score for any given access attempt in real time, based on a predefined set of rules.
Users are then presented with authentication options appropriate to that risk level.
While risk-based authentication can be static or adaptive, the focus of this page is static RBA.
Risk scores are the key measure for RBA: they determine the risk level, which indicates whether a login attempt is legitimate or likely fraudulent.
How it works
1. Risk Profile Analysis - During authentication, the user's risk profile is analysed and the MFA method relevant to the risk will be activated for the user.
2. Risk Score Evaluation - Every user has a risk score associated with their profile, which may change over time based on their past authentication behavior.
For example, low-risk users usually log in from a common location (home and office) on specific devices, and perform normal operations on the application. In this scenario, cidaas makes them perform only limited authentication steps.
Alternatively, with basic credential checks in place, legitimate users can log in as soon as they provide the correct password/verification code, since the transaction is marked as "Low Risk."
When a legitimate user tries to log in several times with the wrong credentials, the attempt is classified as "Medium Risk" and the relevant MFA methods are activated for the user.
When a login comes from a new device, location and/or browser, or follows multiple failed login attempts, it is classified as "High Risk": the system blocks the MFA flow and redirects the user to a failed-attempt page. The system also notifies the legitimate user immediately over email/SMS about the incident.
3. Detection Scenario Evaluation - The following Fraud Detection scenarios will influence whether the Smart MFA flow will be triggered or not.
- Location-based fraud detection: It is based on the condition that the user always logs in from a specific location. Any sudden change in the login location will trigger the Smart MFA flow. The user is also notified about the same.
- User activity based fraud detection: It is based on the condition that the user logs in during a specific time of the day for a given time zone on a specific device. When the user logs in at a different time and on a different device, the Smart MFA flow is triggered.
4. If fraud is detected, one of the MFA methods in the high-security list is enabled for physical verification (app-level Smart MFA must be enabled):
If no fraud is detected, the MFA flow is not triggered and the user can log in using their email/username and password, or with passwordless two-step verification if configured.
Velocity Detection is built into cidaas' FDS. It checks the user's historical login activity patterns against their current login activity to determine whether the number of logins or failed attempts matches the usual pattern or whether there is an irregularity.
Velocity Threshold Overview
Risk levels are compared to a velocity threshold score that is established as a policy on cidaas. When the actual risk score exceeds this limit, the user is prompted for a second authentication method in order to log in.
In general, the velocity threshold is influenced by checks on the following contextual factors:
Login Device: Is this a registered or known device? Is there an associated fingerprint that can verify the device?
IP Reputation: Is this a known or suspect IP address or subnet associated with bad actors?
User Identity Details: Is the user’s information being presented the same as the information stored in the directory or user store?
Geolocation: Is the user’s current geographic location known to be good or bad? Are there certain locations to which you simply need to block access or should access only be granted if at a specific facility?
Geovelocity: Does the user's location and time of login make sense given the time and location of the last login attempt?
The Velocity Threshold can also be set based on the following influencers:
Personal Characteristics: Time with the company, role or job level, history of security incidents and certifications, granted entitlements, etc. For example, if a user fails an internal security certification exam or falls for an internal phishing test, the user is automatically required to "step up" to the two-step verification configured for their account.
Application or Data Sensitivity: How critical or sensitive is the target system or data being accessed? Do certain systems mandate a second or third form of authentication?
Number of Attempts: Login failure beyond three times will lock the account until unlocked explicitly by the backend team.
Velocity Threshold on cidaas
There is no specific velocity threshold defined on cidaas. However, as a part of our Fraud Detection System, the following scenarios are considered where we prompt for second authentication.
- Device change
- Location change
- More than 4-5 wrong OTP attempts during a passwordless Email/SMS authentication flow.
Enabling MFA and Smart MFA
As an administrator, you can enable MFA and Smart MFA for your app with a simple configuration on the cidaas admin account.
1. On the home page, navigate to Apps > App Settings, click the Edit App icon (for the app you want to set up MFA for), then, click Advanced Settings.
2. Under Advanced Settings, click Authentication. Then, enable the following options:
- Always ask for 2FA
- Smart MFA
Enabling Always ask for 2FA displays the MFA options your user has configured in the cidaas Authenticator app on their level-2 login page.
Enabling Smart MFA activates Smart MFA for the user according to the flow described above, in which the user's contextual information and account access risks are analysed.
3. Select one or more Authentication method(s) you want to be displayed on the login screen for MFA/Smart MFA.
4. Click Save.
5. A success confirmation window is displayed.
After you enable Always ask for 2FA and Smart MFA, and set the authentication methods for your app, the user will be able to view the following screens when they select Passwordless Authentication during login.
Level-1 Login Page
Level-2 Login Page with MFA Enabled
For help in configuring MFA or Smart MFA on your app, or any other assistance, please contact the cidaas support team.
We'll be happy to help. Thank you!