Enterprise IT management solutions provider ManageEngine recently announced the launch of passwordless, phishing-resistant FIDO2 authentication for enterprise applications in its on-prem identity security solution, ADSelfService Plus.

The company also launched endpoint multi-factor authentication (MFA) for Windows and elevated system actions in Identity360, its cloud-native identity management platform.

FIDO2 authentication in ADSelfService Plus replaces passwords with portable security keys and with the platform authenticators built into users’ devices, such as Windows Hello and Apple Touch ID.

FIDO2 authentication rests on public key cryptography. During registration the user’s authenticator (a security key or the device itself) generates a key pair and sends only the public key to the server; the private key never leaves the authenticator.

That means the secret the user actually enters, such as a PIN or a biometric, is never transmitted to the authentication server. It only unlocks the authenticator locally, which then signs a fresh, server-issued challenge with the private key; the server verifies that signature with the public key it stored at enrollment, so nothing reusable travels over the wire.

“Simply put, user credentials are not shared between services,” explained Jay Reddy, senior technical evangelist for ManageEngine.

He said even if one service is compromised, the credentials cannot be used to access other services, making ADSelfService Plus’ FIDO2 authentication resistant to phishing, replay, and manipulator-in-the-middle (MITM) attacks.
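The flow described above, as an added illustration for this article rather than ManageEngine or FIDO Alliance code: a toy authenticator, browser and relying party run one legitimate WebAuthn login, then a replayed assertion and two phishing relays, and show which check rejects each. The signature scheme is a deliberately tiny Schnorr group (p = 1019) standing in for the ECDSA P-256 or Ed25519 keys real authenticators use, and is not secure; the host names `corp.example` and `corp-example.evil.test`, the class names and the result strings are all assumed.

```python
"""Toy WebAuthn/FIDO2 get-assertion flow showing why it resists phishing and replay.
Added illustration for this article, not ManageEngine or FIDO Alliance code. The tiny
Schnorr group (p = 1019) stands in for real authenticator keys and is not secure."""
import hashlib
import json
import secrets

P, Q, G = 1019, 509, 4   # toy safe-prime group: 4 has prime order Q modulo P

def _hash_to_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1           # private key: never leaves the authenticator
    return x, pow(G, x, P)                     # public key: the only thing the server stores

def sign(x: int, msg: bytes):
    r = secrets.randbelow(Q - 1) + 1
    big_r = pow(G, r, P)
    e = _hash_to_int(big_r.to_bytes(2, "big"), msg)
    return big_r, (r + e * x) % Q

def verify(y: int, msg: bytes, sig) -> bool:
    big_r, s = sig
    e = _hash_to_int(big_r.to_bytes(2, "big"), msg)
    return pow(G, s, P) == (big_r * pow(y, e, P)) % P

class Authenticator:
    """Security key or platform authenticator: one key pair per relying-party ID."""
    def __init__(self):
        self.creds = {}                        # rp_id -> [private_key, signature_counter]
    def register(self, rp_id: str) -> int:
        x, y = keygen()
        self.creds[rp_id] = [x, 0]
        return y
    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        if rp_id not in self.creds:            # keys are scoped to rp_id: a phishing domain has none
            return None
        cred = self.creds[rp_id]
        cred[1] += 1
        auth_data = hashlib.sha256(rp_id.encode()).digest() + cred[1].to_bytes(4, "big")
        return auth_data, sign(cred[0], auth_data + client_data_hash)

class Browser:
    """Builds clientDataJSON and checks that rp_id belongs to the page's origin."""
    def __init__(self, authenticator, enforce_rp_id=True):
        self.auth, self.enforce = authenticator, enforce_rp_id
    def get(self, origin: str, rp_id: str, challenge: str):
        host = origin.split("://", 1)[1]
        if self.enforce and not (host == rp_id or host.endswith("." + rp_id)):
            return None                        # a look-alike origin cannot use the real rp_id
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}).encode()
        result = self.auth.get_assertion(rp_id, hashlib.sha256(client_data).digest())
        return None if result is None else (client_data, *result)

class RelyingParty:
    """Server side: issues one-time challenges and checks every field before the signature."""
    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self.users = {}                        # user -> [public_key, last_counter]
        self.pending = set()                   # challenges not yet consumed
    def begin(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self.pending.add(challenge)
        return challenge
    def finish(self, user: str, assertion) -> str:
        if assertion is None:
            return "no assertion"
        client_data, auth_data, sig = assertion
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") not in self.pending:
            return "rejected: unknown or already-used challenge"    # defeats replay
        self.pending.discard(cd["challenge"])
        if cd.get("origin") != self.origin:
            return "rejected: origin mismatch"                     # defeats phishing relays
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return "rejected: rpIdHash mismatch"
        y, last = self.users[user]
        counter = int.from_bytes(auth_data[32:], "big")
        if counter <= last:
            return "rejected: signature counter did not increase"  # cloned-key signal
        if not verify(y, auth_data + hashlib.sha256(client_data).digest(), sig):
            return "rejected: bad signature"
        self.users[user][1] = counter
        return "ok"

def demo():
    rp = RelyingParty("corp.example", "https://login.corp.example")
    key = Authenticator()
    rp.users["alice"] = [key.register("corp.example"), 0]
    browser, lax = Browser(key), Browser(key, enforce_rp_id=False)
    assertion = browser.get("https://login.corp.example", "corp.example", rp.begin())
    legit = rp.finish("alice", assertion)
    replay = rp.finish("alice", assertion)     # attacker re-sends the captured assertion
    # A proxy on a look-alike domain relays the genuine challenge: the browser's rp_id check
    # stops it, and with a lax client the origin baked into clientData stops it server-side.
    phish = rp.finish("alice", browser.get("https://corp-example.evil.test", "corp.example", rp.begin()))
    lax_phish = rp.finish("alice", lax.get("https://corp-example.evil.test", "corp.example", rp.begin()))
    return legit, replay, phish, lax_phish
```

`demo()` returns `("ok", "rejected: unknown or already-used challenge", "no assertion", "rejected: origin mismatch")`. The two things worth noticing are that the phished user never produces anything the attacker can forward, because the key is scoped to the real rp_id and the origin is signed into the assertion, and that the server consumes each challenge exactly once, which is what makes a captured assertion worthless.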

A cloud-native identity platform like Identity360 serves organizations with either a fully cloud-based or a hybrid environment, where business resources are spread across many platforms.

“When it comes to securing identities within such sophisticated business environments, it is important to deploy effective yet user-friendly authentication measures,” Reddy said.

He noted endpoint MFA in Identity360 not only eases the MFA configuration and monitoring processes for IT administrators using a unified, interactive console, but also provides an enhanced digital experience for end users as they access various business resources each day to get work done.

ManageEngine’s identity-first approach helps organizations align with the Zero Trust principle of never trust, always verify by supporting high-assurance MFA, so that unauthorized users do not gain access to enterprise resources.

The company’s high-assurance MFA can be configured to adapt to risk factors such as source IP address, geolocation, device, and time of access, so that access requests from high-risk users must present additional authentication factors.

Meeting Compliance, Supporting Remote Users 

Regulations like the GDPR and the CCPA require organizations to protect individuals’ personal data with appropriate security measures, and strong, reliable authentication is one of them.

ManageEngine’s FIDO2 authentication and endpoint MFA features help organizations meet these requirements as part of their regulatory compliance efforts.

The National Institute of Standards and Technology (NIST) digital identity guidelines (SP 800-63B) call for verifier-impersonation-resistant and replay-resistant authenticators precisely to counter phishing, replay and MITM attacks.

The PCI DSS requires that all access into the cardholder data environment (CDE) be protected with MFA, and that the MFA system used not be susceptible to replay attacks.

ManageEngine also extends MFA to remote users connecting over VPNs and RDP, including offline MFA for users who have no internet connection at the time of login.

“Deploying identity-first security measures not only helps organizations achieve comprehensive Zero Trust, but it also defends against identity-based cyberattacks while providing compliance with regulations,” Reddy said.

He noted organizations often encounter a series of challenges when shifting from legacy network-based security controls to an identity-first security model.

Legacy network-based security controls implicitly trust anyone already inside the perimeter, and so allow lateral movement within the network by default.

This is contradictory to identity-first security, which works on the Zero Trust principle of never trust, always verify.

“When making the essential shift from the former to the latter, the primary challenge that arises is deploying identity verification techniques that are effective in filtering out unauthorized users from authorized users,” Reddy said.

The next challenge is identifying and bolting all the right doors, or endpoints, with MFA.

“ManageEngine helps organizations overcome these challenges and transition smoothly to an identity-first security model by providing high assurance authentication methods for all necessary endpoints and resources,” he explained.

ManageEngine also deploys just-in-time (JIT) user provisioning in ADSelfService Plus to improve the efficiency and security of access provisioning for enterprise applications.

ADSelfService Plus leverages the System for Cross-domain Identity Management (SCIM) standards for JIT user provisioning to systematically manage identities across multiple platforms.

“JIT user provisioning in ADSelfService Plus overcomes the challenges of manual user provisioning, which is taxing, error-prone, time-consuming, and a hindrance to users’ productivity,” Reddy explained.
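What SCIM-based JIT provisioning looks like at the wire level, as an added example for this article and not ADSelfService Plus code: on a user’s first SSO login the provisioner filters `/Users` by `userName`, creates the user from the identity provider’s claims if absent, and deactivates rather than deletes on offboarding. `ScimServer` is an in-memory stand-in for a real application’s SCIM endpoint so the flow runs offline; the claims for `alice@corp.example` are constructed. The SCIM schema URNs and the `GET`/`POST`/`PATCH` shapes follow RFC 7643 and RFC 7644.

```python
"""Just-in-time provisioning over SCIM 2.0 (RFC 7643/7644), as an added example.
Not ADSelfService Plus code. ScimServer is an in-memory stand-in for an application's
/Users endpoint so the flow runs offline; the identity-provider claims are constructed."""
import json
import re
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
USERNAME_OK = re.compile(r"[\w.@+-]+")       # reject anything that could break out of a filter

class ScimServer:
    """Handles the three SCIM operations JIT provisioning needs: filter, create, patch."""
    def __init__(self):
        self.users = {}                                      # id -> resource

    def request(self, method: str, path: str, body=None):
        if method == "GET":
            m = re.fullmatch(r'/Users\?filter=userName eq "([^"]*)"', path)
            hits = [u for u in self.users.values() if m and u["userName"] == m.group(1)]
            return 200, {"totalResults": len(hits), "Resources": hits}
        if method == "POST" and path == "/Users":
            if USER_SCHEMA not in body.get("schemas", []) or "userName" not in body:
                return 400, {"detail": "invalid resource"}
            if any(u["userName"] == body["userName"] for u in self.users.values()):
                return 409, {"scimType": "uniqueness"}       # RFC 7644: duplicate userName
            res = dict(body, id=str(uuid.uuid4()))
            self.users[res["id"]] = res
            return 201, res
        if method == "PATCH" and path.startswith("/Users/"):
            res = self.users.get(path.rsplit("/", 1)[1])
            if res is None:
                return 404, {"detail": "not found"}
            for op in body["Operations"]:
                if op["op"] == "replace":
                    res[op["path"]] = op["value"]
            return 200, res
        return 405, {"detail": "unsupported"}

def jit_provision(scim: ScimServer, claims: dict) -> dict:
    """Get-or-create the application user for an authenticated SSO session.

    Idempotent: a second login returns the same resource instead of creating a duplicate,
    and the userName is validated before it is placed in a SCIM filter expression."""
    username = claims["preferred_username"]
    if not USERNAME_OK.fullmatch(username):
        raise ValueError(f"unsafe userName in claims: {username!r}")
    status, page = scim.request("GET", f'/Users?filter=userName eq "{username}"')
    if status == 200 and page["totalResults"] == 1:
        return page["Resources"][0]
    user = {
        "schemas": [USER_SCHEMA],
        "userName": username,
        "name": {"givenName": claims["given_name"], "familyName": claims["family_name"]},
        "emails": [{"value": claims["email"], "primary": True}],
        "active": True,
    }
    status, res = scim.request("POST", "/Users", user)
    if status != 201:
        raise RuntimeError(f"SCIM create failed: {status} {json.dumps(res)}")
    return res

def deprovision(scim: ScimServer, user_id: str) -> dict:
    """Deactivate rather than delete so audit trails keep the identity."""
    patch = {"schemas": [PATCH_SCHEMA],
             "Operations": [{"op": "replace", "path": "active", "value": False}]}
    status, res = scim.request("PATCH", f"/Users/{user_id}", patch)
    if status != 200:
        raise RuntimeError(f"SCIM patch failed: {status} {json.dumps(res)}")
    return res

# Constructed claims as an identity provider would assert them after a FIDO2 login.
CLAIMS = {"preferred_username": "alice@corp.example", "given_name": "Alice",
          "family_name": "Liddell", "email": "alice@corp.example"}
```

Two points a practitioner would check in a real deployment: the lookup-before-create makes repeated logins safe against duplicate accounts even when the SCIM service does not enforce `userName` uniqueness, and the `userName` allowlist matters because the value comes from an external assertion and is interpolated into a filter expression.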
