usability drives security
Without controlling cloud application access, organizations are at risk of a security breach. Take Twitter, for example. In 2009, an 18-year-old hacker guessed a Twitter employee’s password, and 33 high-profile accounts were compromised. A Federal Trade Commission settlement mandated Twitter to establish a comprehensive security program that must be independently audited for 10 years.
What is Multi-Factor Authentication?
US Federal regulators recognize three authentication factors:
- Something you know – a password or PIN
- Something you have – a smart card, USB key, PKI (Public Key Infrastructure) certificate or mobile phone
- Something you are – a biometric characteristic, e.g. fingerprint or voice pattern
Multi-factor authentication means that you authenticate a user with two or more factors. Ideally, different authentication factors should be used in combination.
How Multi-Factor Authentication is Secure
Additional authentication factors prevent someone from signing into your account even if they know your password. Although you may think your password is safe, it can be compromised in a number of ways. Most people choose easy-to-remember passwords and reuse them across several applications, so anyone who knows you can guess a pet’s name, a birthplace or an important date. Someone looking over your shoulder can read your password as you type it. A more sophisticated technique is a key logger that records every keystroke and sends it to a third party.
If authentication requires both a password and, say, a USB key, a criminal would need to know your credentials and be in possession of your USB key in order to sign into your account.
Authentication can be made even stronger by combining additional factors; you can add a PKI certificate in your browser or only access an account from a trusted IP address.
Strong Authentication Factors
There are a variety of second authentication factors that can be used to secure application access. Here are some examples:
- One-time password (OTP) – A unique password which can only be used once. This is typically a long string of numbers generated based on a complex algorithm, which is checked against the OTP provider’s server in the cloud. Even if someone manages to steal your password, it cannot be reused.
- Time-based PIN – A sequence of digits that has to be entered within a short window, typically 30-60 seconds. The PIN can be generated by a software application or a hardware device with a very precise clock. The security lies in the fact that the PIN is only valid for a short period of time.
- Fingerprint – The user has to place their index finger on a fingerprint pad when logging in. The fingerprint is matched against the pattern registered for the user in the identity provider’s system.
- PKI certificates – A PKI certificate, issued by a trusted certificate authority, is installed in the user’s browser. The identity provider can check for the presence of a valid certificate and revoke it at any time. Only a browser with a valid certificate will be allowed to sign in.
To further strengthen the user authentication process, several factors can be combined.
Authentication Process
OneLogin’s multi-factor authentication process is straightforward. The user is first authenticated using a username and password. OneLogin looks up the user and if additional authentication factors are required, the user will be prompted to enter them on the login page.
In the example above, the user has to press the YubiKey button, which will send the generated one-time password straight to the input field in the browser. OneLogin then validates that a) the YubiKey does belong to the user accessing the account and b) the code entered has not been used previously.
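The two server-side checks just described (the device belongs to the signing-in user, and the code has not been used before) and the time-based PIN from the list of strong authentication factors can be shown together in a small verifier. The following is an added example written for this page, not OneLogin's or Yubico's code: it implements the standard HOTP (RFC 4226) and TOTP (RFC 6238) algorithms, which is an assumption about how the codes are produced, since the page does not specify the algorithm and a real YubiKey uses Yubico's own AES-based OTP format, which is not reproduced here. The device IDs, user names and shared secret are constructed values (the secret is the RFC test-vector secret).

```python
import hashlib
import hmac
import struct
from typing import Dict, Iterable, Optional, Tuple

TIME_STEP = 30  # seconds per TOTP step, matching the 30-second PIN described above
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of steps since the epoch.
    `at` is a Unix timestamp in seconds (fixed values below, time.time() in use)."""
    return hotp(secret, at // step, digits)


class OtpVerifier:
    """Server-side state: which user each device was enrolled to, its secret,
    and the highest counter already accepted for it (constructed, in-memory)."""

    def __init__(self) -> None:
        self.devices: Dict[str, Tuple[str, bytes]] = {}  # device_id -> (owner, secret)
        self.last_counter: Dict[str, int] = {}           # device_id -> last accepted counter

    def enroll(self, device_id: str, owner: str, secret: bytes) -> None:
        self.devices[device_id] = (owner, secret)
        self.last_counter[device_id] = -1

    def _lookup(self, user: str, device_id: str) -> Optional[bytes]:
        # Check (a): the device presenting the code must belong to the signing-in user.
        entry = self.devices.get(device_id)
        if entry is None or entry[0] != user:
            return None
        return entry[1]

    def _accept(self, device_id: str, secret: bytes, code: str, candidates: Iterable[int]) -> bool:
        # Check (b): find the counter that produced the code, then refuse it if
        # that counter is not beyond the last one accepted (a reused code).
        for counter in candidates:
            if hmac.compare_digest(hotp(secret, counter), code):
                if counter <= self.last_counter[device_id]:
                    return False
                self.last_counter[device_id] = counter
                return True
        return False

    def verify_totp(self, user: str, device_id: str, code: str, at: int) -> bool:
        """Time-based PIN: accept the current step or the one before it, so a
        PIN generated every 30 seconds stays usable for up to a minute."""
        secret = self._lookup(user, device_id)
        if secret is None:
            return False
        current = at // TIME_STEP
        return self._accept(device_id, secret, code, (current, current - 1))

    def verify_hotp(self, user: str, device_id: str, code: str, look_ahead: int = 10) -> bool:
        """Event-based OTP (button press): the server cannot know how many times
        the button was pressed, so it searches a short window ahead of the last
        accepted counter; anything at or below that counter is a reuse."""
        secret = self._lookup(user, device_id)
        if secret is None:
            return False
        start = self.last_counter[device_id] + 1
        return self._accept(device_id, secret, code, range(start, start + look_ahead))
```

Because the verifier records the counter behind every accepted code, a code captured in transit is worthless once the legitimate login has used it, and a code from someone else's enrolled device is rejected before the code is even checked.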
Multi-Factor Authentication and SaaS
Once your company’s sensitive data is located in the cloud, it is no longer protected by your company’s firewall – anyone with Internet access can attempt to log in. Eliminating passwords and securing access at the identity provider (OneLogin) with multi-factor authentication can drastically reduce the chance of your organization suffering a security breach.
Supported Auth Factors
- Yubico Yubikey (USB-key)
- Symantec VIP Access (mobile app)
- Browser PKI certificates
Stina Ehrensvärd
CEO & Founder, Yubico Inc.
Yubico's sleek USB key works with Windows, Mac and Linux without any client software required.
By pressing the button on the key, a unique one-time password is generated and automatically entered in the browser.
Supported on hundreds of mobile phones, including iPhone, Android, Windows Mobile and Blackberry.
Every 30 seconds a new 6-digit PIN is generated, which is valid for only one minute.