Many companies today are seeking to make the most of the wide variety of digital resources. As part of this agenda, they focus on developing internal services such as corporate web resources. These resources have a major advantage in that they are available through any browser both from inside and outside of the corporate IT perimeter.
In addition, web applications are usually easier to develop compared to custom desktop applications. With a variety of ready-made templates and services available online, the only thing you need to do is insert relevant corporate data, in other words, customize your design and add your content. Many technical solutions and services today commonly implement user interfaces in the web application format.
But the ease of use comes at a price: studies show that on average, web applications are more vulnerable to cyberattacks compared to desktop applications. This is why many cyberattacks today have public and internal web resources as their target.
One of the main threats here lies in the fact that web applications continue to rely on passwords, a vulnerable authentication method, both for local and remote sessions.
The use of password-based authentication for remote sessions has a number of important disadvantages.
- There is always a high risk of password theft (through data interception, social engineering, etc.), after which intruders can gain illegitimate access to your web resources on behalf of your employees.
- Password theft is hard to detect, which reduces the overall efficiency of cyberattack response.
- Users may sometimes disregard password security requirements in terms of password length, mandatory characters, and rotation.
- A forgotten password may result in workflow disruptions until your IT/IS administrator resets it.
All these flaws can be addressed by using strong authentication tools, such as digital certificates, one-time passwords, biometrics, etc.
However, not many web applications support authentication types other than passwords. Even when they do, the two most common options are digital certificates (with an individual certificate required for each web application) and external user accounts (Google, Yandex, Microsoft, etc.), which may conflict with your organization’s policy.
More often than not, web resources also have their own user database and authentication data. Regular users may find it hard to meet all password security requirements, especially when they have to use separate user accounts for different web services. We should also keep in mind that users are forced to authenticate every time they sign in to a corporate web resource, which may be a nuisance.
Different kinds of software relying on the Web Single Sign-On technology are commonly used for ensuring secure unified authentication across all corporate desktop and web applications. Additionally, a specialized solution, Two-Factor Authentication (2FA) Provider, may be used. Such software suites are your best choice for building a unified strong authentication system encompassing all your corporate web services.
If your goal is to have a centralized access security and control system, the first thing you need to do is integrate your Web Single Sign-On platform with all the target resources.
The Indeed AM platform supports the following protocols for web app integration:
- OpenID Connect
Indeed AM offers Web SSO technology for the above protocols. Whenever Web SSO is used, users can sign into one corporate web resource and then open a personal page on another web resource without having to go through authentication once again.
In addition, Indeed AM includes a specialized module that can be installed on the Microsoft Internet Information Services server.
The following strong authentication tools can be used for building a secure remote access system:
- One-time passwords (OTPs) sent by email, SMS, or via a Telegram bot
- Push authentication
- Mobile applications serving as OTP generators
- Hardware OTP generators
Indeed AM supports different types of strong authentication that can be customized for different user groups and target web resources. This means you can set up the right list of authentication tools for each employee group, depending on whether or not and to what extent they need access to critical web applications.
In addition, the Indeed AM platform can be used for neutralizing all attacks aimed at sabotaging your company's operations. In such attacks, intruders may use a public page of your corporate web resource to intentionally enter incorrect passwords, causing the corresponding domain account to be blocked. With Indeed AM, however, what gets blocked in the course of such attacks is the authenticator rather than the actual user account.
- Active Directory
- Microsoft Internet Information Services
- Web applications
Integration mechanisms for target applications
- OpenID Connect
Strong authentication technology for secure remote sessions
- One-time passwords (TOTP/HOTP)
- Push authentication
Strong authentication tools for secure remote sessions
- Mobile applications serving as OTP generators (Indeed Key, Google Authenticator, and other apps that support the HOTP/TOTP protocols)
- Hardware OTP generators (eToken PASS and others that support the HOTP/TOTP protocols)
- The Indeed Key app used for generating OTPs and push authentication
- OTPs sent by email, SMS, or via a Telegram bot