Challenge
A university needs to give its employees and students access to the university's internal network so that they can carry out their work even when working from home or from another location outside the university. Today, employees and students authenticate with a username and password to reach the internal network. To reduce the risk of attackers cracking passwords and gaining access to the organization's digital information, the university wants a more secure method of authentication. The method must be easy to use and involve minimal administration, in order to save time and money. The university's infrastructure is based, among other things, on software from Microsoft. However, for compliance and cost reasons, Microsoft Azure's multi-factor authentication (MFA) service is not an option for the university: MFA must work on-premise, without involving any cloud service.
Solution
With Fortified ID Integrity Radius, a second factor can be added to the login to the university's internal network (VPN). Of the second factors the solution offers, the university has chosen a one-time password generated by a mobile app (a software token), with Microsoft Authenticator as the app. At login, the user first enters a username and password. If the username and password validate, a second input box is displayed in which the one-time password must be entered. The user opens Microsoft Authenticator, which displays a one-time password that rotates every 30 seconds, and types in the code shown. If the one-time password validates, the user's device is connected to the internal network. Because the second prompt only appears after the password has been validated, a rejection at the first step tells the client that the password was wrong; the second factor still blocks the login, but this sequencing should be kept in mind when setting lockout policies. The solution is cost-effective, simple and secure:
Requires minimal administration in the organization
Teachers and students can activate Microsoft Authenticator themselves via self-service; the activation portal is included with Fortified ID Integrity
Standardized integration
Other
The username and password are validated against the university's user directory, Microsoft Active Directory (AD), through an LDAP lookup from Fortified ID Integrity. The one-time password is validated in Fortified ID Integrity using the algorithms specified by the OATH (Initiative for Open Authentication) standard; since the code rotates every 30 seconds, this is the time-based variant, TOTP (RFC 6238), built on HOTP (RFC 4226). The VPN is protected via a standardized integration pattern using the RADIUS protocol between the VPN server and Integrity.
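The two-step login described under Solution and the OATH/RADIUS validation described here, modelled as an added example. This is not Fortified ID's code: the TOTP computation follows RFC 6238 (whose published reference seed is used as the constructed demo seed), while the in-memory directory, the enrolment table, the RadiusMfaServer class and the use of a RADIUS Access-Challenge with a State token for the second prompt are assumptions chosen to illustrate the common challenge/response pattern, not a description of how Integrity is implemented.

```python
"""
Added example (not Fortified ID's code): a two-step RADIUS MFA flow with an
RFC 6238 TOTP check, a drift window, constant-time comparison and a replay guard.
"""
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed demo data (hypothetical). The seed is the RFC 6238 reference seed,
# base32-encoded as an enrolment QR code would carry it. The dict stands in for
# the LDAP lookup against AD; a real deployment never holds plaintext passwords.
DEMO_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()
DEMO_DIRECTORY = {"alice": "correct horse battery staple"}  # username -> password
DEMO_ENROLLED = {"alice": DEMO_SEED_B32}                   # username -> TOTP seed


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(seed, unix_time // step, digits)


class RadiusMfaServer:
    """Stand-in for the RADIUS side: round one validates username/password and
    answers Access-Challenge with a State token; round two validates the TOTP."""

    def __init__(self, directory, enrolled, window=1, step=30):
        self.directory, self.enrolled = directory, enrolled
        self.window, self.step = window, step
        self.pending = {}        # State token -> username awaiting the OTP
        self.last_counter = {}   # username -> last accepted time step (replay guard)

    def ldap_lookup(self, user, password):
        """Stand-in for the directory check; compares in constant time."""
        stored = self.directory.get(user)
        return stored is not None and hmac.compare_digest(stored, password)

    def verify_totp(self, user, code, unix_time):
        """Accept the current step or +/- `window` steps (clock drift), compare in
        constant time, and never accept a step at or before the last one used."""
        if not (code.isdigit() and len(code) == 6):
            return False
        seed = base64.b32decode(self.enrolled[user])
        now = unix_time // self.step
        last = self.last_counter.get(user, -1)
        for c in range(now - self.window, now + self.window + 1):
            if c > last and hmac.compare_digest(hotp(seed, c), code):
                self.last_counter[user] = c
                return True
        return False

    def access_request(self, user, password, unix_time, state=None):
        """Returns (RADIUS response code, State to echo back or None)."""
        if state is None:
            # Round one: the password field carries the directory password.
            if not (self.ldap_lookup(user, password) and user in self.enrolled):
                return "Access-Reject", None
            token = secrets.token_hex(16)
            self.pending[token] = user
            return "Access-Challenge", token
        # Round two: the password field carries the one-time password and the
        # State attribute ties it to the user that passed round one.
        if self.pending.pop(state, None) != user:
            return "Access-Reject", None
        if self.verify_totp(user, password, unix_time):
            return "Access-Accept", None
        return "Access-Reject", None


if __name__ == "__main__":
    srv = RadiusMfaServer(DEMO_DIRECTORY, DEMO_ENROLLED)
    now = 59  # RFC 6238 test time; the reference code at this time is 287082
    print(srv.access_request("alice", "wrong password", now))
    resp, state = srv.access_request("alice", "correct horse battery staple", now)
    print(resp, srv.access_request("alice", totp(base64.b32decode(DEMO_SEED_B32), now), now, state))
```

The replay guard matters in practice: a code is valid for a whole 30-second step (plus the drift window), so without remembering the last accepted step an attacker who shoulder-surfs or intercepts a code can reuse it until it expires. The State token is consumed on the second round whether or not the code validates, so a failed OTP attempt sends the client back to the password prompt rather than allowing unlimited guesses against one challenge.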