IBM Security MaaS360

MaaS360 Identity Management Features – Multifactor Authentication

By Clinton Adams posted Fri May 29, 2020 11:13 AM

MaaS360 now includes Multifactor Authentication (MFA), which lets administrators enforce MFA for selected SaaS applications and lets users enroll several kinds of second authentication factors (SMS, email, TOTP). This capability is included in all MaaS360 bundles through an integration with IBM Cloud Identity Verify.

IBM Cloud Identity Verify is comprised of two main components:

  1. The IBM Cloud Identity Verify service, which supports the following authentication factors:
    1. Email one-time password (Email OTP)
    2. SMS one-time password (SMS OTP)
    3. FIDO token support for SSO
    4. FIDO2/WebAuthn support for passwordless SSO

  2. The IBM Verify Mobile Multi-Factor Authenticator App, which supports:
    1. Time-based one-time password (TOTP)
    2. Push authentication with TouchID and FaceID support
    3. QRLogin passwordless SSO

When MFA is enabled for a user or group of users, each user is required to enroll in MFA, which triggers a validation transaction flow: a one-time password (OTP) is sent to the user to prove that the email address or mobile number is valid before it is used for runtime verification. MFA cannot be used for sign-on until that OTP validation has completed successfully.

Once the user has been validated, they can add other authentication factors such as FIDO tokens, additional phone numbers (which must also be verified) and IBM Verify Authenticator app instances. The administrator controls which factors are allowed for MFA on a per-user and/or per-app basis.
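As an added illustration of the enrollment gating described above (example code, not MaaS360 or IBM Verify code), the following Python model keeps a newly enrolled email or SMS factor unusable for sign-on until its validation OTP has been confirmed. The OTP lifetime and attempt limit are constructed policy values for the example, not product settings.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

OTP_TTL_SECONDS = 300   # constructed policy value: validation OTP accepted for 5 minutes
MAX_OTP_ATTEMPTS = 3    # constructed policy value: pending factor locks after 3 wrong codes

@dataclass
class Factor:
    kind: str                     # "email" or "sms"
    address: str                  # email address or mobile number being proven
    verified: bool = False        # only verified factors may be used for MFA
    pending_otp: Optional[str] = None
    otp_expires_at: float = 0.0
    failed_attempts: int = 0

@dataclass
class User:
    name: str
    factors: List[Factor] = field(default_factory=list)

def start_enrollment(user: User, kind: str, address: str, now: float) -> str:
    """Record the factor as unverified and issue its validation OTP (returned only for delivery)."""
    otp = "".join(secrets.choice("0123456789") for _ in range(6))
    user.factors.append(Factor(kind, address, pending_otp=otp,
                               otp_expires_at=now + OTP_TTL_SECONDS))
    return otp

def confirm_enrollment(user: User, address: str, code: str, now: float) -> bool:
    """Validate the OTP for a pending factor; a correct, unexpired code marks it verified."""
    for f in user.factors:
        if f.address != address or f.verified or f.pending_otp is None:
            continue
        if now > f.otp_expires_at or f.failed_attempts >= MAX_OTP_ATTEMPTS:
            return False                      # expired or locked: a fresh enrollment is needed
        if hmac.compare_digest(f.pending_otp.encode(), code.encode()):
            f.verified, f.pending_otp = True, None
            return True
        f.failed_attempts += 1
        return False
    return False                              # no pending factor for that address

def usable_mfa_factors(user: User) -> List[Factor]:
    """Sign-on MFA may only challenge factors whose OTP validation has completed."""
    return [f for f in user.factors if f.verified]
```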

Admin workflow high level overview:

  1. Ensure the Cloud Identity Verify subscription is enabled for your tenant.
  2. Provision users in the tenant-hosted cloud directory or corporate identity source.
  3. Review or update the administrative settings for the authentication factors.

For more information and detailed instructions, see:

https://www.ibm.com/support/knowledgecenter/en/SSCT62/com.ibm.iamservice.doc/concepts/configurations_admin_console.html

Using the IBM Verify Mobile Multi-Factor Authenticator Application

The IBM® Verify app (iOS and Android) is a 2FA authenticator app that delivers out-of-band 2FA over a separate secure channel using the user's mobile device. Users register their IBM Verify instances through a simple self-service workflow that they initiate themselves. Users enroll authentication methods such as device-based biometrics, including fingerprint and face recognition where the mobile device supports them. Using Cloud Identity platform policies, an application can initiate an IBM Verify 2FA authentication transaction; it waits for the user to complete that authentication with IBM Verify, then continues the runtime access.

The IBM Verify lifecycle and feature set comprise four main functional areas.

  1. Registration
    1. After installing IBM Verify from the app store, users must register their new instance of IBM Verify with their Cloud Identity user account. Registration consists of displaying a QR code to the user, which they then scan with their new IBM Verify app installation.
  2. Verify - Authenticator factor enrollment
    1. Immediately after successful registration, the IBM Verify mobile app guides the user through an authenticator factor enrollment flow that covers TOTP, user presence, and device-based biometrics. For user presence and device-based biometrics, enrollment takes the form of a cryptographic public key exchange between IBM Verify and the Cloud Identity tenant.
  3. Runtime verification transactions
    1. Once registration and enrollment are complete, IBM Verify is ready for productive use. Applications can validate an end user's identity by initiating an IBM Verify verification transaction, which can send a mobile push notification to the user's registered instance of IBM Verify.
  4. QRLogin Passwordless
    1. After registration and verification, the user can use the QRLogin passwordless login functionality provided by the Verify Authenticator app (if enabled by the administrator). It is based on a QR code scan performed by the user and uses the registered instance of IBM Verify to authenticate an IBM Cloud Identity SSO session. This gives the user a seamless experience while still enforcing a strong authentication event.

For more information and detailed instructions, see:

https://www.ibm.com/support/knowledgecenter/en/SSCT62/com.ibm.iamservice.doc/concepts/c_landing_page_admin.html
