IDHUB | Authentication Policies Best Practices

RapidIdentity Cloud provides dynamic end-user authentication methods to support a secure, seamless digital ecosystem focused on learning outcomes. Authentication can be tailored to the needs of individual end users. Students, teachers, and administrators can each authenticate securely with a single login policy that is appropriate for their needs and risk levels.

Authentication Overview

Multi-step authentication: user is required to use two or more of the same factor.
While this option is more secure, it is not the most secure. However it is more appropriate in K-12 education for younger learners than true MFA.
Two-factor authentication: user is required to use two different factors.
Multi-factor (MFA) authentication: user is required to use three different factors.

Authentication Factors:

• Type I - Something you know (Password, Challenge, PIN, PictoGraph)
• Type II - Something you have (Fido, TOTP, QR Code, Duo, EMail, SMS, PingMe)
• Type III - Something you are (Kerberos, Biometrics, WebAuthN)
  

Rationale for Authentication Policies

Passwords - Passwords are a standard practice for system access and can be effective as long as they are strong, secure, and not reused across systems. The challenge facing password use today is the high number of data breaches and end user passwords that have been compromised and are still in use. When a user has the same username and password across multiple systems, it increases the susceptibility to account compromise and data breaches. Utilizing alternative authentication methods and two, or multi-factor, authentication increases your district/institution’s security posture.

Alternate Authentication Methods - Alternate authentication methods move away from passwords and allow more secure access to systems. Using a device, security tokens, biometrics, and other methods will grant end users secure entry to a system with a dependency on passwords.

Two Factor and Multi-Factor Authentication - Multiple authentication methods facilitate user login while confirming user identity for the most secure access to a system. The best practice for multi-factor authentication is to require users to have all three factors: something they have, know, and are to login. Two factor authentication only requires two of the three factors.

Authentication Configuration in RapidIdentity Cloud

End users in RapidIdentity can be assigned one or more specific authentication methods to access RapidIdentity.

• When involving a third-party software, the authentication method must be configured as applicable in both RapidIdentity and the third-party as needed. (i.e. Duo, Kerberos)
• Authentication methods are assigned to users within the RapidIdentity Identity Store based on user attributes.
• A specific authentication order can be set for end users.
• Any authentication policy can have multiple methods to ensure two-factor or multi-factor authentication.
• Multiple policies can apply to users to ensure there is always a method for the user to get in (i.e. if a user doesn’t have their phone for SMS, they can fall back to a token, challenge question, or TOTP authentication method.)
  • Note that your security posture is only as strong as the weakest link here. For example, if you allow a user to fail over to password-only authentication, then even if other options require MFA, the overall policy is still single-factor since passwords are a single point of failure.

Supported Authentication Methods in RapidIdentity Cloud

*Requires third-party vendor software or hard token.