By Riyad Mammadov, Vice President, Application Development
The Software as a Service delivery model has become predominant in enterprise software over the past dozen years or so. With SaaS, application software is hosted on the Web, either in a public cloud or proprietary servers, and users access it from a thin client (typically a web browser). To ensure customers comply with the licensing limitations and to protect system data, every SaaS system utilizes authentication. The main point of authentication is obtaining proof of user identity. Of course, there are cyber attackers out there who have a different main goal — to circumvent the security and authenticate on behalf of a registered user.
Credentials – as in username and password – used to be the only way for a user to authenticate to a web-based application. It is now known as “basic authentication.” The security of this approach is as strong as the password the user created. Although it is theoretically possible for users to create strong passwords, remembering them becomes a challenge, especially when every one of us must deal with multiple SaaS systems. People are people, and we responded by reusing passwords, writing them down on sticky notes, or emailing them to ourselves. There are, of course, heuristics, like picking meaningful text and converting it to a strong passphrase by replacing, for example, “O”s with zeros, “S”s with dollar signs, and so on (a simple “password” becomes “p@$$w0rd”), but these heuristics are well-known and can be easily incorporated into password-breaking algorithms. The only viable approach with basic authentication is the use of password managers – special applications that securely store various passwords. In practice, people only need to remember one password: that of the password manager app itself. Modern browsers such as Edge and Chrome have built-in password managers.
Authentication with single sign-on (SSO) allows SaaS systems to piggyback on the authentication provided to the users by their corporate IT. The main idea is that a trusted relationship is established between the SaaS system (Service Provider) and the corporate identity management system (Identity Provider) by exchanging cryptographic keys. After that, the identity provider can forward an encrypted assertion to the service provider that acts as proof of identity. Single sign-on is an improvement on basic authentication for a few reasons. First, it results in fewer usernames and passwords for the person to remember (or store in their password manager). Second, it makes SaaS less vulnerable to data breaches (the passwords or even hashed passwords are never stored, and hackers can’t steal what companies don’t have). Finally, SSO allows an identity provider to manage other aspects of access policy on behalf of a service provider. For instance, it can verify whether the user is enabled and allowed to authenticate.
An even bigger improvement than SSO was the invention of multi-factor authentication (MFA), which is sometimes called two-factor authentication (2FA). The main idea behind MFA is that successful authentication requires something that the user knows (the password) and something that the user has in their possession. There are many variations of MFA that depend on the device being used for the second factor. A cellphone can be used to deliver a one-time security code via text message or a voice call, but it is vulnerable to SIM card theft. A modern smartphone with biometric protection (fingerprint reader or face scanner) all but guarantees that a stolen device cannot be used for unauthorized access. MFA system can issue a challenge every time user attempts to sign in, do it periodically, or perhaps decide based on a combination of factors – client IP address, browser signature (so-called user-agent), time of day, etc.
The contemporary approach to MFA is centered around the FIDO2 standard, where second-factor authentication is provided by so-called authenticators – hardware devices such as USB security keys or software applications with equivalent functionality. The authenticator uses public-key cryptography to communicate with the SaaS system. Strong encryption makes it possible to eliminate passwords altogether and rely on MFA alone for authentication.
Companies that rely on multiple SaaS systems from different vendors need to take a closer look at the authentication models offered by each. If single sign-on is available, it should be implemented instead of basic authentication. If SSO is not an option, ask the vendor if they can support two-factor authentication. Finally, if only basic authentication is available, adopt a security policy that will require users to create strong passwords and change them on a regular basis.
Riyad Mammadov is the Vice President of Application Development for XDimensional Technologies. Riyad is an experienced IT executive who combines strategic leadership and hands-on management skills with a passion for technology.