What to consider when using Specops uReset MFA
(Last updated on February 17, 2020)
If you are considering Specops uReset, the number of ways your users can authenticate to the self-service system can be overwhelming. Before rolling out the solution, you need to decide how you will verify user identities – will it be mobile, social, email, biometrics, or all of the above? You also need to assign a weight to each identity service – ultimately deciding that one is worth twice as much as another during authentication.
- Do users have the identifier information in Active Directory? If so, you can remove the enrollment burden. Users may not need to enroll in the service if they have any of the following information stored in Active Directory.
- Mobile number in the Mobile attribute
- Manager in the Manager attribute
- Duo Security Username in the samAccountName attribute
- Symantec VIP userID in the samAccountName
For more information on pre-enrollment, click here.
- Do any of your users have privileged access? Users with privileged access are a big target for attackers and require a stronger authentication policy. For those users we recommend going beyond “something you know” to prevent unauthorized access if a password on an external service, such as social (LinkedIn) or email (Gmail), is compromised.
- What is the corporate BYOD policy? Specops uReset uses a variety of mobile-based authentication methods – mobile code, fingerprint and OTP applications – to strengthen the authentication process. These phone-as-a-token methods can be used by any organization that doesn’t block users from installing mobile applications or receiving SMS.
- Will your users access the solution remotely? Specops uReset is accessible from any browser, via the Windows login screen, or the Specops uReset mobile application. To maximize the remote worker experience, we recommend offering both mobile-dependent and non-mobile-dependent identity services. This will ensure users can access the system even if they do not have their device on hand.
Once you know which identity services to use, you need to assign each one a star value. The number of stars assigned to an identity service should reflect how secure it is deemed. Here are some identity-service-specific considerations when assigning a star value:
- Specops/Google/Microsoft Authenticator: very secure, as they require a possession factor. Additionally, to obtain the secret code generated by the app, the user must unlock the phone and launch the application.
- Manager Identification: secure as it requires a trusted source to authenticate the inherence (something you are) factor.
- Social Identity Services: as secure as the password complexity requirements of the identity service. You can check the complexity requirements of popular sites here.
- Mobile Code: somewhat secure, as it requires a possession factor. However, unlike the Authenticator apps, the secret code can be displayed on the lock screen (depending on how the user has configured their phone settings).
Note: In the latest draft of the Digital Authentication Guide, NIST is discouraging SMS-based authentication. You can read more about SMS-based vulnerabilities here.
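To sanity-check a star assignment before rollout, the following added example (not Specops code or configuration) enumerates which combinations of identity services satisfy a policy. The service names, star values and the per-policy required star total are assumptions made for illustration; it flags combinations that rely only on external-service passwords and lists the ones a remote user can complete without a phone.

```python
from itertools import combinations

# Constructed star values and categories (assumptions, not vendor defaults).
SERVICES = {
    "authenticator_app": {"stars": 3, "mobile": True,  "external_password": False},
    "manager_id":        {"stars": 3, "mobile": False, "external_password": False},
    "mobile_code_sms":   {"stars": 2, "mobile": True,  "external_password": False},
    "linkedin":          {"stars": 1, "mobile": False, "external_password": True},
    "gmail":             {"stars": 1, "mobile": False, "external_password": True},
}


def minimal_combos(services, required_stars):
    """Return every minimal set of services whose stars reach the threshold."""
    found = []
    names = sorted(services)
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            if sum(services[n]["stars"] for n in combo) < required_stars:
                continue
            # Skip combos that contain an already-sufficient smaller set.
            if any(set(prev) <= set(combo) for prev in found):
                continue
            found.append(combo)
    return found


def audit_policy(services, required_stars):
    """Classify the ways a user could satisfy a policy's star requirement."""
    combos = minimal_combos(services, required_stars)
    return {
        "combos": combos,
        # Paths satisfied purely by passwords held at external providers.
        "external_password_only": [
            c for c in combos if all(services[n]["external_password"] for n in c)
        ],
        # Paths a remote user can complete without their phone.
        "no_mobile": [
            c for c in combos if not any(services[n]["mobile"] for n in c)
        ],
    }


if __name__ == "__main__":
    # Hypothetical thresholds: 2 stars for standard users, 4 for privileged.
    for label, required in (("standard", 2), ("privileged", 4)):
        result = audit_policy(SERVICES, required)
        print(label, "external-password-only paths:", result["external_password_only"])
        print(label, "phone-free paths:", result["no_mobile"])
```

With these constructed values, a 2-star policy can be met by LinkedIn plus Gmail alone, while a 4-star policy always requires at least one non-password service and still leaves phone-free paths through manager identification.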
For more best practices, check out our recommendations for MFA implementation.