In a world where organizations need to implement layers of security to protect themselves from the dangers of external attacks, it becomes more and more important to know someone is who they say they are – often on an on-going basis. Compromised credentials via successful malware attacks make even the most trusted of users a potential threat.
We’ve evolved in authentication tactics from the simple username/password combination. The reason, of course, is that it’s no longer enough to simple know those two pieces of information, as they can be easily be captured by a compromised system and a keylogger. A few technologies have grown from the need to better authentication users, including two-factor authentication (“something you know and something you have”), to multi-factor authentication (which extends 2FA to include “something you are” such as the use of biometric data), and now external authentication.
An external authenticator can be any trusted external system that has its own means of securely validating a user. Now, because you already have AD that can authenticate based on the basic username/password combination, the expectation behind adding an authentication layer should be one that provides even more assurance that the person being authenticated is who they say they are.
A great example of this today is Google. They provide APIs to applications to trust Google to authenticate the user. Any authentication requests go beyond the simple providing of a password – Google also requires the use of a one-time password (usually sent to your mobile phone) to provide additional validation it’s really you.
The idea behind this is, while an attacker may easily gain access to, say, your credentials in Active Directory, they won’t necessarily know the password you use to access external services, such as Google. The beauty of Google’s requirement to also include a one-time password is that it thwarts the external attacker/key logger attack vector; they’d be able to potentially obtain your Google password, but have access to your mobile phone? No attacker is that good.
These external authenticators can be used at a few user touch points, such as at logon, during a password reset, and when accessing specific data or applications – increasing the security of your applications and systems without requiring a huge monetary investment in yet another solution to manage.
And as you look to extend IT by delegating responsibility to managers and users outside of IT, or simply wish to strengthen your organization’s security stance, the use of external authenticators aides in the rapid deployment of an additional layer of security that protects your user’s identity and the resources they access.