Identity Authentication – How-to Multi-factor authentication with YubiKeys


December 1, 2022

As part of its risk-based authentication concept, the Identity Authentication service (IAS) offers several options for multi-factor authentication. One of them is hardware security keys, which provide strong, phishing-resistant access protection while remaining easy to use for the end user.

In this blog I will explain, jointly with Mr. Rolf Steinbrück from Yubico, how authentication with YubiKeys can be configured in the Identity Authentication service and what the benefits are from a security perspective.

If you prefer to watch a video rather than reading a blog, please have a look at
SAP Cloud Identity Services – Multi-factor Authentication with YubiKey (YouTube)

YubiKeys

Strong yet easy-to-implement authentication is crucial to the success and the security level of an identity and access management solution, and the YubiKey is exactly that: an easy-to-implement device that offers strong, phishing-resistant authentication in an easy-to-use fashion.

The YubiKey is a multiprotocol authentication device which supports all relevant protocols for two-factor or multi-factor authentication (2FA/MFA). Besides "legacy" 2FA methods such as OTPs, it also supports certificate/smart-card-based authentication according to the PIV standard, OpenPGP, FIDO U2F, and the successor of FIDO U2F: FIDO2.


FIDO2 is the method that defines the future of authentication. By design it is resistant to phishing and protects against man-in-the-middle attacks: a credential is bound to the relying party identifier (the domain of the site) when it is registered, and every later authentication is a signature over a fresh challenge and a hash of the client data, which contains the origin the browser is actually talking to. A credential registered for the genuine site therefore cannot be exercised on behalf of a look-alike site on another domain, and a proxy sitting between user and service cannot reuse the response. The protocol itself uses public-key cryptography. The key pairs are generated and stored inside a Secure Element of the YubiKey, a crypto processor which is hardened against physical and logical attacks. That means that the element of the authentication which requires the highest level of protection, the private key, is never revealed to the outside world and cannot be extracted from the YubiKey.
The YubiKey itself can hold multiple discoverable (resident) FIDO2 credentials (up to 25 on the YubiKey 5 firmware available when this was written), giving a user enough flexibility to secure all important accounts. Non-discoverable credentials are not stored on the key and are not subject to this limit.
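To make the origin binding concrete, here is a worked example in Go that models both sides of a FIDO2 authentication: a toy authenticator that signs over the relying-party ID hash and the client data, and the relying-party checks a service such as Identity Authentication has to perform before accepting the assertion. It is added here as an illustration and is not code from the original post, from SAP or from Yubico. It assumes ES256 (P-256) keys, skips CBOR and attestation parsing, and uses a constructed challenge and constructed hostnames (example.com and attacker.test). The origin check is what rejects an assertion obtained through a phishing proxy; the user-verification flag check is what enforces that the PIN was entered on the key.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// WebAuthn authenticator-data flag bits: user present (touch), user verified (PIN entered on the key).
const flagUP, flagUV = 0x01, 0x04

// clientData mirrors CollectedClientData; the browser, not the page, fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator models one FIDO2 credential on a key; the private key never leaves it.
type Authenticator struct {
	key       *ecdsa.PrivateKey
	rpID      string // relying party ID the credential is scoped to
	flags     byte   // flagUP, plus flagUV when the PIN was entered
	signCount uint32
}

// Sign is authenticatorGetAssertion: authData = rpIdHash || flags || signCount,
// signature = ES256 over SHA-256(authData || SHA-256(clientDataJSON)).
func (a *Authenticator) Sign(clientDataJSON []byte) (authData, sig []byte, err error) {
	a.signCount++
	h := sha256.Sum256([]byte(a.rpID))
	authData = append(append([]byte{}, h[:]...), a.flags)
	authData = binary.BigEndian.AppendUint32(authData, a.signCount)
	cdh := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	sig, err = ecdsa.SignASN1(rand.Reader, a.key, msg[:])
	return authData, sig, err
}

// RelyingParty is what the service stores for one registered credential.
type RelyingParty struct {
	rpID, origin string
	pubKey       *ecdsa.PublicKey
	lastCount    uint32
	requireUV    bool
}

// Verify runs the relying-party checks of WebAuthn section 7.2 in spec order.
func (rp *RelyingParty) Verify(challenge string, clientDataJSON, authData, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return fmt.Errorf("client data: %w", err)
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("wrong ceremony type or challenge mismatch")
	}
	if cd.Origin != rp.origin {
		return fmt.Errorf("origin %q is not %q: response was obtained on another site", cd.Origin, rp.origin)
	}
	want := sha256.Sum256([]byte(rp.rpID))
	if len(authData) < 37 || !bytes.Equal(authData[:32], want[:]) {
		return errors.New("rpIdHash mismatch: credential is scoped to another relying party")
	}
	if f := authData[32]; f&flagUP == 0 || (rp.requireUV && f&flagUV == 0) {
		return errors.New("touch or PIN (user verification) not asserted by the key")
	}
	count := binary.BigEndian.Uint32(authData[33:37])
	if count <= rp.lastCount {
		return errors.New("signature counter did not increase: replay or cloned key")
	}
	cdh := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	if !ecdsa.VerifyASN1(rp.pubKey, msg[:], sig) {
		return errors.New("invalid signature")
	}
	rp.lastCount = count
	return nil
}

// Scenario registers one credential for example.com and returns the verification results of a
// genuine login, a login relayed through a phishing site, and a login where no PIN was entered.
func Scenario() (genuine, phished, noPIN error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	key := &Authenticator{key: priv, rpID: "example.com", flags: flagUP | flagUV}
	rp := &RelyingParty{rpID: "example.com", origin: "https://login.example.com", pubKey: &priv.PublicKey, requireUV: true}
	ch := "Y29uc3RydWN0ZWQtY2hhbGxlbmdl" // constructed; a real RP draws fresh random bytes per login
	attempt := func(origin string) error {
		cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: ch, Origin: origin})
		ad, sig, _ := key.Sign(cd)
		return rp.Verify(ch, cd, ad, sig)
	}
	genuine = attempt(rp.origin)
	// A phishing proxy relays the real challenge, but the victim's browser is on the attacker's
	// origin and records that origin in the client data the key signs over.
	phished = attempt("https://login.example.com.attacker.test")
	key.flags = flagUP // key touched, PIN not entered
	noPIN = attempt(rp.origin)
	return genuine, phished, noPIN
}
```

In a real browser the attacker's page could not even ask the key for a credential scoped to example.com, because the browser ties the requested rpId to the page's own origin; the relying-party checks shown above are the second line of defence and are what the service evaluates on its side.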

Configuring Multi-factor Authentication (MFA) in IAS

Enforcing a second factor for authentication can be configured in Identity Authentication in three different ways:

  1. Rule-based access control per application
    Via the so-called risk-based authentication configuration, an administrator can require a second factor for some or all users who want to access this application. The rule can be conditioned on IP address, user type (e.g. employee or external user), user group assignment or the authentication method used for the first factor (e.g. users who initially authenticated via a social identity provider must provide a second factor).
  2. MFA based on the user's choice
    A tenant administrator can allow end users to decide themselves that access with their account shall always require multi-factor authentication. If the administrator activates this option for the Identity Authentication tenant, a user can enforce MFA by default in their own user profile.
  3. Rule-based access control for all applications
    A rather rarely used option is to enforce MFA for access to all applications of an Identity Authentication tenant.

Restrict MFA Devices to Specific Security Keys

The Identity Authentication administrator may allow only certain types of MFA device by configuring allowed security keys. These security keys are identified by so-called authenticator attestation GUIDs (AAGUIDs), which are defined in the FIDO standard. A vendor assigns one AAGUID per authenticator model or firmware generation, so all units of that model report the same value; the AAGUID is part of the attested credential data a key returns when it is registered, and Yubico publishes the AAGUIDs of its products. Note that an AAGUID only identifies the model reliably when it comes from an attestation statement whose signature has been verified against the vendor's attestation root (or the FIDO Metadata Service); without verified attestation it is merely a value reported by the client.
Here is an example configuration to allow only the YubiKey 5 NFC series as valid MFA devices:

If a user then tries to authenticate with a different FIDO device, they will receive an error message after the FIDO authentication step has completed, since the service can only evaluate the device type once the key has responded.
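As an added illustration of how such an allowlist is evaluated (an example written for this post, not Identity Authentication's implementation and not Yubico code), the following Go program parses the attested credential data of a WebAuthn registration response, extracts the AAGUID and compares it against a configured allowlist. The authenticator data blobs are constructed in the example rather than taken from a real key. The two Yubico AAGUIDs in the allowlist are, to the best of my knowledge, the values published for the YubiKey 5 NFC with firmware 5.1 and with firmware 5.2/5.4; confirm them against Yubico's AAGUID list before using them. The third AAGUID is made up to stand for some other vendor's key.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Authenticator-data flag bits (WebAuthn 6.1): user present, user verified, attested credential data present.
const flagUP, flagUV, flagAT = 0x01, 0x04, 0x40

// AllowedAAGUIDs is the allowlist an administrator configures. The two values are, to the best of
// my knowledge, the AAGUIDs Yubico publishes for the YubiKey 5 NFC with firmware 5.1 and with
// firmware 5.2/5.4; confirm them against Yubico's current AAGUID list before relying on them.
var AllowedAAGUIDs = map[string]string{
	"fa2b99dc-9e39-4257-8f92-4a30d23c4118": "YubiKey 5 NFC (firmware 5.1)",
	"2fc0579f-8113-47ea-b116-bb5a8db9202a": "YubiKey 5 NFC (firmware 5.2, 5.4)",
}

// ParseUUID converts the hyphenated text form to the 16 raw bytes carried in authenticator data.
func ParseUUID(s string) ([16]byte, error) {
	var id [16]byte
	raw, err := hex.DecodeString(strings.ReplaceAll(s, "-", ""))
	if err != nil || len(raw) != 16 {
		return id, fmt.Errorf("malformed AAGUID %q", s)
	}
	copy(id[:], raw)
	return id, nil
}

// FormatUUID renders 16 raw bytes as 8-4-4-4-12 hex, the form used in admin consoles and vendor lists.
func FormatUUID(id [16]byte) string {
	h := hex.EncodeToString(id[:])
	return h[:8] + "-" + h[8:12] + "-" + h[12:16] + "-" + h[16:20] + "-" + h[20:]
}

// AAGUIDFromAuthData extracts the AAGUID from registration authenticator data:
// rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | credId | COSE public key.
// The COSE key (CBOR) is not needed for the allowlist decision and is left unparsed.
func AAGUIDFromAuthData(authData []byte) ([16]byte, error) {
	var id [16]byte
	if len(authData) < 37 {
		return id, errors.New("authenticator data shorter than its fixed 37-byte header")
	}
	if authData[32]&flagAT == 0 {
		return id, errors.New("no attested credential data: the AAGUID is only present in registration responses")
	}
	if len(authData) < 55 {
		return id, errors.New("attested credential data truncated")
	}
	copy(id[:], authData[37:53])
	if credLen := int(binary.BigEndian.Uint16(authData[53:55])); len(authData) < 55+credLen {
		return id, errors.New("credential ID runs past the end of authenticator data")
	}
	return id, nil
}

// CheckAllowed applies the allowlist and returns the matched model name. Feed it only authenticator
// data from an attestation statement whose signature has been verified; otherwise the AAGUID is a
// self-reported value. An all-zero AAGUID means the client did not convey attestation at all.
func CheckAllowed(authData []byte, allow map[string]string) (string, error) {
	id, err := AAGUIDFromAuthData(authData)
	if err != nil {
		return "", err
	}
	if id == ([16]byte{}) {
		return "", errors.New("zero AAGUID: attestation not conveyed, authenticator model unknown")
	}
	model, ok := allow[FormatUUID(id)]
	if !ok {
		return "", fmt.Errorf("authenticator %s is not an allowed security key", FormatUUID(id))
	}
	return model, nil
}

// BuildAuthData constructs a registration authenticator-data blob for the demo. The credential ID
// and the placeholder COSE key byte are constructed, not taken from a real key.
func BuildAuthData(rpID string, aaguid [16]byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	credID := []byte("constructed-credential-id")
	out := append(append([]byte{}, h[:]...), flagUP|flagUV|flagAT)
	out = append(out, 0, 0, 0, 0) // signature counter is 0 at registration
	out = append(out, aaguid[:]...)
	out = binary.BigEndian.AppendUint16(out, uint16(len(credID)))
	out = append(out, credID...)
	return append(out, 0xa5) // first byte of a CBOR map (the COSE key); remainder omitted
}

func main() {
	for _, s := range []string{
		"fa2b99dc-9e39-4257-8f92-4a30d23c4118", // YubiKey 5 NFC: allowed
		"11111111-2222-3333-4444-555555555555", // constructed: some other vendor's key
		"00000000-0000-0000-0000-000000000000", // attestation withheld by the client
	} {
		id, _ := ParseUUID(s)
		model, err := CheckAllowed(BuildAuthData("example.com", id), AllowedAAGUIDs)
		fmt.Printf("%s -> model=%q err=%v\n", s, model, err)
	}
}
```

The zero-AAGUID case is worth keeping in mind when an allowlist seems to reject genuine keys: if the relying party did not request attestation, the client replaces the AAGUID with zeros and no allowlist can tell the models apart.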

Registration and login with YubiKey

If Web Two-Factor Authentication is configured for an application and a user has no corresponding device registered in their profile yet, they will be asked to register one when logging in to this application for the first time.

For YubiKey registration it is mandatory to set a FIDO2 PIN on the key. The PIN is checked by the key itself and is never sent to the Identity Authentication service; the service only learns from the signed response that user verification took place.

Finally the user may give the newly registered MFA device a name.

Thereafter the user can log in to any application that requires two-factor authentication.

The user can see and manage the registered devices in their user profile of the Identity Authentication service.

Conclusion

The Identity Authentication service offers very flexible configuration methods to enforce stronger means of authentication for some or all users of a certain application, or by default for the whole tenant.

Links

SAP Community – SAP Cloud Identity Services
Yubico Product Documentation

Marko Sommer, Product Manager for the SAP Cloud Identity Services
Rolf Steinbrück, Senior Solutions Engineer, Yubico (LinkedIn)
