Self-Service MFA with Casa
Multi-Factor Authentication Under One Roof
Everyone knows passwords are bad. Try typing your password into a game console. Usability is terrible. Password security is even worse. The attack surface of passwords is large and getting larger every day. So why don’t all organizations use Multi-Factor Authentication (MFA)?
The answer is simple. While other authentication technologies are more secure than passwords, and more usable, they are more difficult for organizations to deploy. Organizations know how to enroll passwords and how to reset them. But can your organization manage all its MFA technologies under a single roof?
Casa is revolutionary. It provides a single point of management for end users to view, enroll, and remove MFA credentials, including hardware tokens, software tokens, commercial services (like Duo), social login, biometrics, and mobile. Casa is also extensible. As new authentication technologies arise, you can download plugins to leverage them in your organization through Casa.
Self Service MFA done right
In the old days “password reset” was a standard identity management (IDM) feature. Every IDM still has this capability today. But as organizations roll out MFA, this “password reset” process needs an upgrade. Consumer service providers that excel at security, like Google and GitHub, enable end users to see all their various MFA credentials on one page; end users can also add and remove credentials there. Organizations need this capability too. That’s why we built Gluu Casa: so your organization can manage MFA like the pros.
Eliminate Phishing with FIDO
To defeat phishing, we need to stop the “Man in the Middle” (MITM) attack. Passwords are vulnerable, but so are OTP tokens and mobile push notifications: any authentication that relies on an out-of-band authentication mechanism is phishable, because the user can be tricked into supplying the code or approval to an attacker’s site. To fight phishing, we need to enable end users to register authentication credentials which are bound directly to the web browser and the origin it is talking to. FIDO (i.e. WebAuthn) is a critical tool to accomplish this. A further advantage of FIDO is that end users can bring their own devices, for example laptops and phones with built-in FIDO capabilities. But without self-service tools like Casa, end users won’t have the tools to enroll their devices (or to remove old devices).
Modern Multi-Factor Authentication
Create a profile for each user, which includes information such as the user’s geographical location, registered devices, role, and more. Each time someone tries to authenticate, the request is evaluated against that profile and assigned a risk score. Depending on the risk score, the user may be required to provide additional credentials.
Configure geo-location to trigger a requirement for multi-factor authentication (MFA), or other steps before access is granted, when a user attempts to log in from a location they would not normally be in, so you can confirm the person is who they say they are.
Configure web browsers to require verification. When you log in, you’ll be asked to verify your browser by entering your email, password, and a security code. Once you’ve entered these credentials, your browser will be considered verified.
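The risk-scoring flow described above (user profile with home locations, registered devices and role; each login attempt scored; step-up to stronger factors as the score rises) can be sketched as a small policy engine. The example below is an added illustration, not Casa's own code or its scoring algorithm; the profile fields, weights, thresholds and factor names are assumptions chosen for the demonstration, and the sample users and login attempts are constructed.

```python
from dataclasses import dataclass, field

# Roles that should always be pushed towards stronger authentication (assumed list).
PRIVILEGED_ROLES = {"admin", "finance"}

# Score thresholds that select the required factors (assumed values).
STEP_UP_THRESHOLD = 30       # at or above: require a second factor
PHISHING_RESISTANT_THRESHOLD = 60  # at or above: require a FIDO/WebAuthn credential


@dataclass
class UserProfile:
    """Per-user context that the risk engine compares each attempt against."""
    username: str
    home_countries: set[str]
    registered_devices: set[str]
    role: str
    verified_browsers: set[str] = field(default_factory=set)


@dataclass
class LoginAttempt:
    """Observable facts about one authentication request (constructed input)."""
    username: str
    country: str
    device_id: str
    browser_id: str


def risk_score(profile: UserProfile, attempt: LoginAttempt) -> tuple[int, list[str]]:
    """Return an additive risk score plus the reasons that contributed to it."""
    score = 0
    reasons: list[str] = []
    if attempt.country not in profile.home_countries:
        score += 40
        reasons.append("unfamiliar location")
    if attempt.device_id not in profile.registered_devices:
        score += 30
        reasons.append("unregistered device")
    if attempt.browser_id not in profile.verified_browsers:
        score += 15
        reasons.append("unverified browser")
    if profile.role in PRIVILEGED_ROLES:
        score += 30
        reasons.append("privileged role")
    return score, reasons


def required_factors(score: int) -> list[str]:
    """Map a risk score onto the credentials the user must present."""
    if score >= PHISHING_RESISTANT_THRESHOLD:
        # Highest risk: only a browser-bound credential resists a relaying phisher.
        return ["password", "fido2"]
    if score >= STEP_UP_THRESHOLD:
        return ["password", "totp_or_push"]
    return ["password"]


def evaluate(profiles: dict[str, UserProfile], attempt: LoginAttempt) -> dict:
    """Decision record for one attempt; unknown users get the strictest policy."""
    profile = profiles.get(attempt.username)
    if profile is None:
        return {"score": PHISHING_RESISTANT_THRESHOLD, "reasons": ["unknown user"],
                "factors": required_factors(PHISHING_RESISTANT_THRESHOLD)}
    score, reasons = risk_score(profile, attempt)
    return {"score": score, "reasons": reasons, "factors": required_factors(score)}


# Constructed sample directory.
PROFILES = {
    "alice": UserProfile("alice", {"US"}, {"laptop-1"}, "staff", {"chrome-abc"}),
    "bob": UserProfile("bob", {"DE"}, {"phone-7"}, "admin", {"firefox-xyz"}),
}

if __name__ == "__main__":
    for attempt in (
        LoginAttempt("alice", "US", "laptop-1", "chrome-abc"),   # everything familiar
        LoginAttempt("alice", "BR", "tablet-9", "chrome-abc"),   # new country, new device
        LoginAttempt("bob", "DE", "phone-7", "firefox-xyz"),     # familiar, but privileged
    ):
        print(attempt.username, attempt.country, evaluate(PROFILES, attempt))
```

The additive weights are deliberately coarse; the point is that a familiar device from a familiar place clears with a password, an unfamiliar device from an unfamiliar place is steered to a phishing-resistant credential, and privileged roles never get the password-only path.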
Login with or without Passwords
If you love Kubernetes, or services like Amazon EKS, Google GKE or SUSE Rancher, then Casa is for you! Casa supports cloud native deployments using standard tools like Helm. Casa also supports multiple database backends, including LDAP, Couchbase, RDBMS, Amazon Aurora, and Google Spanner.
Enforce strong authentication
Only the right user on the right device can gain access to applications. Improve your organization's security posture by locking the front door! Casa offers an OpenID Connect API as the interface, and returns a standard JWT "id_token" that can be used for policy enforcement.
No more password resets
Users can easily enroll, manage and remove passwordless credentials on all their devices without calling the help desk or degrading the security of the credentials. An organization's MFA is only as strong as its weakest account recovery workflow!
Choose any standard or commercial authentication solution
Built-in MFA that comes out of the box!
FIDO / WebAuthn
Many great USB, Bluetooth and Lightning tokens are available from vendors like Yubico, Feitian, AuthnTrend and others. But new iPhones and MacBooks also have FIDO built in. You can’t provision FIDO for users “top-down”: the user must be present to enroll the authenticator. Casa is an essential tool to roll out FIDO, which requires end users to enroll their own devices.
Super Gluu, a free iOS / Android App
Super Gluu can be configured to support a passwordless authentication workflow where the user scans a QR code for each sign-in, or simply enters a username and approves a push notification. It can also be used for traditional username + password + mobile push authentication. Super Gluu is an open source software project, so your organization can also brand and distribute its own version.
Built-in HOTP / TOTP
Sometimes good old OATH tokens (HOTP/TOTP) are handy. Some devices just don’t support any mechanism to display a web page, and sending an OTP as the password mitigates some risk. Casa supports using a QR code to enroll an OTP software app (like Google Authenticator). You can also enroll a hardware OTP device (e.g. a keyfob), manually or via an API.
Plugins add More MFA options
Casa is a plugin-oriented, Java web application. Existing functionality can be extended and new functionality and APIs can be introduced through plugins.
BioID Web Service offers liveness detection and facial recognition biometric authentication services. It strengthens identity verification around the world with reliable, device-independent anti-spoofing. BioID liveness detection is compliant with ISO/IEC 30107-3 and offers seamless implementation and user experience, requiring nothing more than a few selfies taken with any standard camera.
Multi-factor authentication from Cisco’s Duo protects your applications by using a second source of validation, like a phone or token, to verify user identity before granting access. Duo is engineered to provide a simple, streamlined login experience for every user and application, and as a cloud-based solution, it integrates easily with your existing technology.
Stytch consolidates passwordless authentication into one API.
Now supported in both Gluu Server, and Gluu Casa!
Watch the demo: Integrating Stytch SMS OTP authentication with Casa
Read the post: OpenID enables Stytch passwordless authentication with Gluu Casa
The SMS OTP plugin sends a one-time password (OTP) by SMS text message to the user’s phone. The user receives the OTP and enters it on the device where the authentication is happening. The OTP must be used within a specific time frame.
The browser certificate plugin allows users to enroll X.509 digital certificates and use them as a form of second factor authentication.
When this plugin is configured to use email, the user is asked to enter their email address, to which a one-time-use code is sent. The user then enters the code into your application to authenticate.
Configure self-registration to require approval after a new directory user registers. Users will not be able to sign-in immediately after registration. Their registration will have to be approved by the site administrator.
RSA SecurID Authentication
RSA SecurID authentication can be enforced for all privileged users of the organization. This integration provides an extra security layer, enabling centralized, secure access via single sign-on to an organization’s IT assets.
The Consent Management plugin gives end-users the ability to view and revoke previously granted authorizations provided to applications accessed with their account in a Gluu Server.