2FA/MFA Solutions on VPN Applications
Activating 2FA (two-factor authentication) or MFA (multi-factor authentication) on VPN connections is of great importance for the security of your passwords. With these solutions active, stolen passwords alone cannot be used to access your systems.
Thanks to the advanced integration capabilities of SecurifyID, two-factor authentication can be applied to almost all VPN devices without any problem. The SecurifyID Access Gateway (SAG) application is used to run 2FA on VPN connections. SAG contains a RADIUS server and connectors that link it to identity providers such as Active Directory or OpenLDAP. Today, authentication via the RADIUS protocol is supported by almost all active network devices, firewalls, VPNs and other security devices. Therefore, the only thing to do is to direct authentication on the relevant devices to SAG over RADIUS. Depending on the configuration of the device, one of two types of authentication can be chosen:
- Processing Both Primary Authentication and Multi-Factor Authentication on SecurifyID Side
- Processing Only Multi-Factor Authentication on SecurifyID
If the first option is preferred, the authentication request sent to SAG is first routed to the institution’s LDAP server, where primary factor authentication and LDAP group authentication are performed. If primary factor authentication succeeds, the SecurifyID Backend system is contacted to perform multi-factor authentication. The VPN connection is allowed only if both authentications succeed.
Some VPN devices perform primary factor authentication themselves and contact SecurifyID only for second factor authentication. In this case, SecurifyID can be configured to perform second factor authentication only.
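The two modes described above can be modelled as a single decision function. This is an added example, not SecurifyID code: the class, the callables standing in for LDAP and the MFA backend, the group name and the sample users are all hypothetical, and rejecting on backend errors is an assumption of the sketch.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional, Set, Tuple

class Mode(Enum):
    PRIMARY_AND_MFA = "primary+mfa"  # gateway checks password and group, then MFA
    MFA_ONLY = "mfa-only"            # VPN device already verified the password

@dataclass
class Gateway:
    """Hypothetical model; the callables stand in for LDAP and the MFA backend."""
    mode: Mode
    ldap_bind: Callable[[str, str], bool]
    ldap_groups: Callable[[str], Set[str]]
    mfa_verify: Callable[[str], bool]
    vpn_group: str = "vpn-users"     # assumed group name

    def authenticate(self, user: str, password: Optional[str] = None) -> Tuple[str, str]:
        try:
            if self.mode is Mode.PRIMARY_AND_MFA:
                # Reject empty passwords before binding: some LDAP servers treat
                # an empty-password simple bind as a successful anonymous bind.
                if not password or not self.ldap_bind(user, password):
                    return ("Access-Reject", "primary factor failed")
                if self.vpn_group not in self.ldap_groups(user):
                    return ("Access-Reject", "not in VPN group")
            if not self.mfa_verify(user):
                return ("Access-Reject", "second factor failed")
        except Exception as exc:     # fail closed if LDAP or the backend is unreachable
            return ("Access-Reject", "backend error: " + type(exc).__name__)
        return ("Access-Accept", "ok")

# Constructed sample directory and second-factor outcomes (not real data).
USERS = {"alice": ("s3cret", {"vpn-users"}), "bob": ("hunter2", {"staff"})}
def bind(user, pw): return user in USERS and USERS[user][0] == pw
def groups(user): return USERS[user][1]
def push_approved(user): return user == "alice"
def backend_down(user): raise TimeoutError("MFA backend unreachable")

if __name__ == "__main__":
    full = Gateway(Mode.PRIMARY_AND_MFA, bind, groups, push_approved)
    second_only = Gateway(Mode.MFA_ONLY, bind, groups, push_approved)
    outage = Gateway(Mode.PRIMARY_AND_MFA, bind, groups, backend_down)
    for gw, user, pw in [(full, "alice", "s3cret"), (full, "alice", ""),
                         (full, "bob", "hunter2"), (second_only, "alice", None),
                         (outage, "alice", "s3cret")]:
        print(gw.mode.value, user, gw.authenticate(user, pw))
```

In the second-factor-only mode the gateway never sees the password, so the group check and password policy remain the VPN device's responsibility.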
So why should you choose SecurifyID for 2FA / MFA on VPN applications?
Variety of Authentication Factors
SecurifyID supports a wide variety of factors such as Time-based OTP (TOTP), Offline OTP, Pocket Confirmation (Push Confirmation), SMS and E-mail. Especially on devices that do not support OTP, where other MFA products cannot intervene, SecurifyID steps in with mechanisms such as SecurifyID Mobile Approval and then performs multi-factor authentication.
Wide Integration Capability
SecurifyID can be integrated with many different brands of VPN systems.
AD and OpenLDAP Support
SecurifyID can be integrated with Active Directory, OpenLDAP or any similar identity provider in your organization. Apart from authentication, it provides many important functions such as group-based authentication and user synchronization (sync).
By using the SecurifyID management console, you can easily perform many functions listed below:
- Remotely defining an MFA ID for a user's mobile application
- Remotely deleting / deactivating MFA IDs
- Assigning different factor types to different users (for example, the factor of a user who does not want to use the mobile application can simply be switched to SMS)
- Canceling / enabling second factor authentication
- Controlling access with area-based or time-based parameters such as IP addresses, location, countries
- With risk-based adaptive authentication, different actions can be taken according to the risk score generated during the user’s authentication process, such as Enable MFA / Disable MFA, Block User or Log Only
Secure Mobile Application
SecurifyID Mobile Applications provide their users with superior security compared to competitors in the market by using many techniques such as Security Chain, White Box Cryptography and SSL pinning. When required, a PIN login option can also be activated for access to the mobile application. In this way, even if your phone is stolen, it will not be possible to access the application.
Security with Usability
Thanks to the advanced features of SecurifyID, it is possible to activate options that improve usability, such as “not doing MFA again if authentication has been achieved using the same browser or IP address within a certain period of time” or “enabling MFA according to the risk situation”. Likewise, options such as “asking PIN only once a day” can be activated through the configuration of the mobile application.
Cloud / Hybrid / On-Prem Architecture
You can run SecurifyID completely in the cloud or completely on-prem. SecurifyID also supports a Hybrid architecture. In the Hybrid scenario, SecurifyID Access Gateway is deployed within the organization, and SecurifyID Backend services are located in the cloud. In this way, primary factor authentication using the user’s passwords stays completely local, and the SecurifyID Backend is used only for multi-factor authentication. Critical user information is never transmitted outside of the organization.
Highly Scalable and Accessible Architecture
SecurifyID runs on a container-based microservice architecture. Because its application layer is stateless, it can scale from 1 to N when necessary. It provides high accessibility thanks to the cluster system created in the data layer.
High Technical Support
Our team gives you one-on-one support during your MFA journey and intervenes immediately in case of any malfunction.