"The keys to the kingdom," a common phrase in the IT industry. More commonly referred to as superuser rights, but for each and every one us it means access to our most personal and protected secrets. For businesses, it's the ability to exploit assets and information.
Authentication and authorization are areas where many small to mid-size businesses continue to struggle in. Mature security usually requires stringent password policies such as complexity, character inclusion, length and reset duration. These are usually seen as inconvenient or counterproductive leading to poor practices like users writing down passwords or otherwise finding ways to bypass these secure measures. A good middle ground is hard to find between functionality and security.
This is also the area where most exploits and comprises occur. Businesses on an upward trend tend to limit the investment in internal IT security budgets because the value is hard to assess until it is too late and a breach has occurred. This tends to limit the amount of security controls that protect an organization. This type of behavior is very common and understood based on the limitation that companies have with overhead resources. For most companies, a choice is made to limit the implementation of secure policies and practices, but this puts these same companies at great risk. So how can companies still keep their overhead down, but add an additional level of security?
ENTER MULTI-FACTOR AUTHENTICATION (MFA)
The goal of MFA is to create a layered defense and make it more difficult for an unauthorized person to access your information. Put simply, we add an additional layer of security that can't be stolen without actually taking something personal, like a cell phone. But MFA solutions are costly and require significant effort to support, right? The truth is yes, there are hundreds of MFA solutions out there that are what we consider Enterprise grade, and like all good Enterprise grade products they require licenses and support; but there is an option.
MULTI-OTP: AN OPEN SOURCE PRODUCT
Multi-OTP is an open source product that provides MFA solutions for Windows, Linux, and Web Apps. It provides this capability through a mechanism called One-Time Password (OTP), which is delivered via SMS, Software Token, or Hardware Token. The product currently has a paid enterprise version and an open source, community-supported version that is available for download. Several add-ons have been published for the community version, granting this tool more capabilities.
Current capabilities for MultiOTP include:
Workstation MFA (Linux and Windows)
Server based MFA (Linux and Windows)
Active Directory integration
AWS Workspace Ready
Cisco ASA Integration
Web App Integration
FREE OPEN SOURCE OTP SOLUTION VALUE
By providing OTP capabilities, we provide an added layer of security that requires a form of validation other than username and password; more importantly, something that only the person has or can provide. Simply put, without this unique code, your username and password are useless. This means the level of compliance and scrutiny for IT policies becomes less intensive for IT support organizations, which means standards don't necessarily have to be on par with enterprise grade solutions. Secondly, if companies leverage soft tokens and hardware tokens, they further increase their level of security since the secondary validation method is something that someone has on them. This limits the attack vector for would-be attackers. Finally, it's cheap. Yes. It's very affordable: your organization doesn't have to sink thousands of dollars into a solution.
ONE-TIME PASSWORD TOKENS
Hardware tokens: for example YubiKey devices, which you plug into your USB port and which automatically type in the OTP code for you.
Software tokens: like Google Authenticator; in this case, a simple Android application displays the OTP code, which you enter on your login form.
Carnwennan has deployed MultiOTP both in the commercial space and in the Federal Space. Please contact us for more information about MultiOTP deployments.