In recent years, there have been a lot of high-profile breaches due to compromised passwords. Passwords are often considered the weakest link in network security. In fact, according to a recent Verizon Data Breach Investigations report, more than 75% of all breaches are due to weak authentication. Most user-chosen passwords can be cracked in seconds. Even a strong 8 character password can be cracked offline in less than 2 hours. Passwords are also frequently compromised via phishing, malware, social engineering, or eavesdropping. Multi-factor authentication adds an additional layer of security to user logins. It works by requiring two or more of the following authentication types:
- Something you know (such as a password)
- Something you have (such as a mobile device or key fob)
- Something you are (such as a fingerprint or iris scan)
Authenticating multiple times with a username and password, even if they are different, is not multi-factor authentication. MFA is a security best practice and is required for organizations that process financial transactions, health care information, or do business with some state and federal governments. This is sometimes also referred to as Two-Factor Authentication, Two-Step Authentication, or One-Time Passwords (OTP).
How it works
In order to use MFA, the user will generate a one-time password from a smart phone app.The OTP is added to the authentication credentials when the user logs in. The OTP consists of 6 digits. These digits change for each authentication. In order for an attacker to authenticate, the attacker needs to know a valid username and password and have access to the user's device running the Authenticator app or token. Smart phone apps are available for Android, iOS, BlackBerry, Windows Mobile, and Palm smartphones.
Integration in TACACS.net
TACACS.net is the only TACACS+ server that includes integrated Multi-Factor Authentication. This integration is important for a couple of reasons. First, it saves you money. Purchasing separate servers to add this capability can increase costs by an additional $20,000-$50,000. It also reduces points of failure. It eliminates issues with time synchronization or network latency which can cause authentications to fail. It reduces complexity, and makes the system easier to manage and troubleshoot. With multiple systems, you would have to debug each one to find errors. With TACACS.net, MFA errors and TACACS+ errors are logged to the same place, which makes it easier to find issues and saves you critical time. This can be very important when people are experiencing authentication issues. TACACS.net MFA is also more flexible than using a separate system. When using a separate system for MFA, it's either on or off for all users. With TACACS.net, you can enable MFA for specified groups only. This means you can enable it for just the users with the highest privileges, or you can just enable it for test groups to roll it out one group at a time. This can be very helpful when migrating users.
TACACS.net uses Google Authenticator for its MFA functionality. When Google decided to add MFA to thier products like Gmail, they built their own functionality and then they released the source code to the public so that others could integrate it into their products as well. Google Authenticator has been integrated into other products like Microsoft (mobile, .Net, Microsoft account), Amazon Web Services, Dropbox, Facebook, Gmail, LastPass, Salesforce.com, and WordPress.
For more information about using MFA with TACACS.net, download our deployment guide.