Identity Authentication - How-to Multi-factor authentication with YubiKeys (2024)

As part of its risk-based authentication concept, the Identity Authentication service (IAS) offers various options for multi-factor authentication. One of them is hardware security keys, which give strong, phishing-resistant access protection combined with ease of use for the end user.

In this blog, written jointly with Rolf Steinbrück from Yubico, I will explain how authentication with YubiKeys is configured in the Identity Authentication service and what the benefits are from a security perspective.

If you prefer to watch a video rather than reading a blog, please have a look at
SAP Cloud Identity Services – Multi-factor Authentication with YubiKey (YouTube)

YubiKeys

Strong yet easy-to-implement authentication is crucial to the success and the security level of an identity and access management solution, and the YubiKey delivers exactly that: strong, phishing-resistant authentication that is easy to deploy and easy to use.

The YubiKey is a multiprotocol authentication device which supports all relevant protocols for two-factor or multi-factor authentication (2FA/MFA). Besides "legacy" 2FA methods such as OTPs, it supports certificate/smart-card-based authentication according to the PIV standard, OpenPGP, FIDO U2F and the evolution of FIDO U2F: FIDO2.

Identity Authentication - How-to Multi-factor authentication with YubiKeys (1)

FIDO2 is the method that defines the direction of authentication. By design it is resistant to phishing and protects against man-in-the-middle attacks: a credential is bound to the relying party identifier (RP ID) it was registered for, the browser only lets a web origin use credentials for an RP ID that origin is entitled to, and the signed response covers the challenge and the origin the browser actually saw. A key registered for the genuine login page therefore cannot be used to sign a challenge presented by a look-alike domain. The protocol uses public-key cryptography. The key pairs are generated and stored inside a Secure Element of the YubiKey, a crypto processor hardened against physical and logical attacks. The element of the authentication that requires the highest level of protection, the private key, never leaves the YubiKey and cannot be extracted from it.
The YubiKey itself can hold multiple discoverable (resident) FIDO2 credentials, up to 25 depending on the firmware version; non-discoverable credentials are not stored on the key and are therefore not limited. This gives a user enough flexibility to secure all important accounts.

Configuring Multi-factor Authentication (MFA) in IAS

Enforcing a second factor for authentication can be configured in Identity Authentication in three different ways:


  1. Rule-based access control per application
    Via the so-called risk-based authentication configuration, an administrator can require a second factor for some or all users who want to access this application. The rule can be conditioned on IP address range, user type (e.g. employee or external user), user group assignment or the authentication method used (e.g. users who initially authenticated via a social identity provider must provide a second factor):
    Identity Authentication - How-to Multi-factor authentication with YubiKeys (2)

  2. Need for MFA based on the user's choice
    A tenant administrator can allow end users to decide for themselves that access with their account shall always require multi-factor authentication:
    Identity Authentication - How-to Multi-factor authentication with YubiKeys (3)
    If the administrator has activated the option shown above for the Identity Authentication tenant, the user can enforce MFA by default in their user profile:
    Identity Authentication - How-to Multi-factor authentication with YubiKeys (4)

  3. Rule-based access control for all applications
    A rarely used option is to enforce MFA for access to all applications of an Identity Authentication tenant:
    Identity Authentication - How-to Multi-factor authentication with YubiKeys (5)


Restrict MFA Devices with Security Keys

The Identity Authentication administrator may restrict which MFA devices are accepted by configuring allowed security keys. The restriction is based on the authenticator attestation GUID (AAGUID) defined in the FIDO standards: a 128-bit identifier that the vendor assigns to an authenticator model, so every unit of that model reports the same AAGUID in the attestation data returned during registration. Because the AAGUID is read from the attestation object, an allow-list is only as trustworthy as the attestation check behind it; a registration flow that does not verify the attestation statement is trusting a self-reported value.
Here is an example configuration allowing only the YubiKey 5 NFC series as valid MFA devices:

Identity Authentication - How-to Multi-factor authentication with YubiKeys (6)

If a user then tries to register or authenticate with a different FIDO device, the attempt is rejected with an error message:

Identity Authentication - How-to Multi-factor authentication with YubiKeys (7)

Registration and login with YubiKey

If web two-factor authentication is configured for an application and a user does not yet have a corresponding device registered in their profile, they will be asked to register one when logging in to this application for the first time:

Identity Authentication - How-to Multi-factor authentication with YubiKeys (8)

For a YubiKey registration it is mandatory to set a FIDO2 PIN, because the registration requests user verification. The PIN is checked on the key itself and is never sent to the server; the server only sees the "user verified" flag in the response:

Identity Authentication - How-to Multi-factor authentication with YubiKeys (9)

Finally, the user may give the newly registered MFA device a name:

Identity Authentication - How-to Multi-factor authentication with YubiKeys (10)

Thereafter the user can log in to any application that requires two-factor authentication.
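To make the three security properties discussed on this page concrete (RP ID binding from the FIDO2 section, the AAGUID allow-list from the "Restrict MFA Devices" section, and the mandatory PIN from the registration step), here is an added example of the checks a relying party performs on the authenticator data returned by a security key during registration. This is illustrative code written for this blog, not code from SAP Identity Authentication or Yubico; the RP ID `accounts.example.com`, the two AAGUIDs and the credential bytes are constructed placeholders, not real YubiKey values, and attestation signature verification is deliberately left out.

```python
"""Relying-party checks on WebAuthn registration data (added example)."""
import hashlib
import struct
import uuid
from dataclasses import dataclass

# Bits of the one-byte "flags" field in WebAuthn authenticator data.
FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: PIN (or biometric) checked on the key itself
FLAG_AT = 0x40  # attested credential data follows (registration responses)
FLAG_ED = 0x80  # extension data follows (not handled by this parser)

# AAGUIDs are assigned per authenticator model. These two are PLACEHOLDERS
# constructed for the example, not real YubiKey values; take real ones from
# the vendor's published list or the FIDO Metadata Service.
AAGUID_EXAMPLE_YUBIKEY = uuid.UUID("11111111-2222-3333-4444-555555555555")
AAGUID_EXAMPLE_OTHER_KEY = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
ALLOWED_AAGUIDS = {AAGUID_EXAMPLE_YUBIKEY}


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: uuid.UUID
    credential_id: bytes
    public_key_cose: bytes  # COSE_Key, kept opaque here


def parse_auth_data(data: bytes) -> AuthData:
    """Split raw authenticator data: rpIdHash | flags | signCount | attestedCredData."""
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash, flags = data[:32], data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    if not flags & FLAG_AT:
        raise ValueError("no attested credential data: not a registration response")
    if flags & FLAG_ED:
        raise ValueError("extension data present; not supported by this parser")
    if len(data) < 55:
        raise ValueError("attested credential data truncated")
    aaguid = uuid.UUID(bytes=data[37:53])
    (cred_len,) = struct.unpack(">H", data[53:55])
    cred_id = data[55:55 + cred_len]
    if len(cred_id) != cred_len:
        raise ValueError("credential id truncated")
    cose_key = data[55 + cred_len:]
    if not cose_key:
        raise ValueError("credential public key missing")
    return AuthData(rp_id_hash, flags, sign_count, aaguid, cred_id, cose_key)


def check_registration(data: bytes, expected_rp_id: str, allowed: set) -> tuple:
    """Return (accepted, reason) for one registration's authenticator data."""
    try:
        ad = parse_auth_data(data)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    # The key hashes the RP ID the browser handed it, and the browser only
    # permits an RP ID the page's origin is entitled to, so a look-alike
    # domain yields a different hash. This is the phishing-resistance check.
    if ad.rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash does not match the expected RP ID"
    if not ad.flags & FLAG_UP:
        return False, "user presence (touch) not asserted"
    if not ad.flags & FLAG_UV:
        return False, "user verification (PIN) not performed"
    if ad.aaguid not in allowed:
        return False, f"authenticator model {ad.aaguid} is not on the allow-list"
    return True, f"accepted credential {ad.credential_id.hex()} from {ad.aaguid}"


def build_auth_data(rp_id: str, flags: int, aaguid: uuid.UUID, credential_id: bytes,
                    cose_key: bytes, sign_count: int = 0) -> bytes:
    """Assemble authenticator data as a key would; used only to construct test input."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + struct.pack(">I", sign_count) + aaguid.bytes
            + struct.pack(">H", len(credential_id)) + credential_id + cose_key)


# Constructed sample input: a fake credential id and a CBOR COSE_Key map for
# an EC2/P-256 key whose x and y coordinates are placeholder bytes.
SAMPLE_CRED_ID = bytes(range(16))
SAMPLE_COSE_KEY = (b"\xa5\x01\x02\x03\x26\x20\x01"       # {1: 2, 3: -7, -1: 1,
                   + b"\x21\x58\x20" + b"\x01" * 32      #  -2: x,
                   + b"\x22\x58\x20" + b"\x02" * 32)     #  -3: y}
RP_ID = "accounts.example.com"
REG_FLAGS = FLAG_UP | FLAG_UV | FLAG_AT

GOOD = build_auth_data(RP_ID, REG_FLAGS, AAGUID_EXAMPLE_YUBIKEY, SAMPLE_CRED_ID, SAMPLE_COSE_KEY)
WRONG_MODEL = build_auth_data(RP_ID, REG_FLAGS, AAGUID_EXAMPLE_OTHER_KEY, SAMPLE_CRED_ID, SAMPLE_COSE_KEY)
NO_PIN = build_auth_data(RP_ID, FLAG_UP | FLAG_AT, AAGUID_EXAMPLE_YUBIKEY, SAMPLE_CRED_ID, SAMPLE_COSE_KEY)
LOOKALIKE = build_auth_data("accounts-example.com", REG_FLAGS, AAGUID_EXAMPLE_YUBIKEY, SAMPLE_CRED_ID, SAMPLE_COSE_KEY)

if __name__ == "__main__":
    for label, blob in [("good", GOOD), ("wrong model", WRONG_MODEL),
                        ("no PIN", NO_PIN), ("look-alike domain", LOOKALIKE)]:
        print(f"{label:18}", check_registration(blob, RP_ID, ALLOWED_AAGUIDS))
```

Running the block rejects the look-alike domain on the rpIdHash check before the AAGUID is even looked at, rejects the registration made without a PIN on the missing UV flag, and rejects the other key model on the allow-list. In a real deployment the AAGUID and public key must additionally be taken from a verified attestation statement, otherwise the allow-list compares against whatever the client chose to report.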


The user can see and manage the registered devices in the user profile of the Identity Authentication service:

Identity Authentication - How-to Multi-factor authentication with YubiKeys (11)

Conclusion

The Identity Authentication service offers flexible ways to enforce stronger authentication for some or all users of a given application, or by default for the whole tenant, and to limit which security key models are accepted.

Links

SAP Community - SAP Cloud Identity Services
Yubico Product Documentation

Marko Sommer, Product Manager for the SAP Cloud Identity Services
Rolf Steinbrück, Senior Solutions Engineer, Yubico (Linkedin)
