Protect your assets: use Multi-Factor Authentication!

11-05-2018 11:58 AM
RandallWilliams
Esri Regular Contributor

What is Multi-Factor Authentication (MFA)?

Multi-Factor Authentication (or MFA/2FA) is a feature that requires a user to provide two distinct pieces of evidence to a software solution to prove that they are who they say they are. The evidence consists of two of three factors supplied at login time: something you know (like a password), something you have (like a smart card or a soft token supplied via an app) or something you are (like a fingerprint or some other biometric marker). The credentials must come from two different factors – for example, providing two passwords is not considered MFA. In ArcGIS.com, multifactor authentication is implemented by requesting a verification code in addition to an ArcGIS Online organization name and password at login time.

Why should my organization use MFA?

Multi-Factor Authentication helps protect you and your organization by adding an additional layer of security to the login process, making it substantially more difficult for an unauthorized user to impersonate an authorized user when logging into ArcGIS Online. When MFA is enabled and configured, an unauthorized user needs both your username and password combination and access to your mobile device (which is assumed to itself require a PIN or a biometric marker to unlock). Security Experts report that MFA is considered one of the top five best online security practices cu... Using MFA can help prevent unauthorized access or changes to your ArcGIS Online organization, and can also help to prevent unauthorized modification or deletion of your organization’s content.

How is MFA implemented in ArcGIS Online?

Organizations can take advantage of this additional authentication and configure their organization to allow members to enable multifactor authentication on their ArcGIS O.... To use this feature, organization members need to have an ArcGIS account and a mobile device with a supported authentication app installed on it.

In ArcGIS Online, two administrators must exist in the organization before MFA can be configured. This requirement covers the case where an administrator loses access to their own device and authentication app. It is strongly recommended that ArcGIS Online administrators enable MFA for their accounts, if not for all ArcGIS Online organization accounts.


https://www.nist.gov/itl/tig/back-basics-multi-factor-authentication

https://www.usenix.org/system/files/conference/soups2015/soups15-paper-ion.pdf

15 Comments
DanielGarcia
New Contributor III

This is very interesting, but I have 2 doubts about it:

  • Is it possible to configure multi-factor authentication in Portal for ArcGIS?
  • Can ArcGIS mobile apps (Explorer for ArcGIS and Data Collector for ArcGIS) connect to ArcGIS Online or Portal for ArcGIS protected by multi-factor authentication?

Thanks in advance

RandallWilliams
Esri Regular Contributor

Hi Daniel,

While MFA isn't available OOTB in Portal for ArcGIS, MFA can be achieved by using capabilities in your SAML provider. For instance, OKTA provides MFA for Portals I've created for internal use. 

Esri Mobile apps can leverage MFA with ArcGIS Online. 

Have a look through our ArcGIS Mobile Security Patterns Whitepaper. It and others are available in our documents page in the ArcGIS Trust Center.

Trust ArcGIS | ArcGIS 

DanielGarcia
New Contributor III

Thank you Randall Williams

But when you said "Esri Mobile apps can leverage MFA with ArcGIS Online", did you mean that Esri Mobile apps can also leverage MFA with Portal for ArcGIS (configured using a SAML provider)?

I have not found anything about it in Trust Center Documentation.

Thank you very much

RandallWilliams
Esri Regular Contributor

Thanks for bringing that up, sounds like an area that we can improve on in this doc. I can confirm that on my internal test portals (we hook into Okta here for our test portals) that SAML using MFA is supported and functions as expected with Mobile apps.

RandallWilliams
Esri Regular Contributor

@DanielGarcia  - MFA is supported natively in ArcGIS Enterprise starting in 10.9.

NickHarvey
Occasional Contributor II

@RandallWilliams - Hi Randall - Please see the highlighted text below. Does the highlighted text indicate that the 'OOTB' AGOL MFA will not work with a SAML login, BUT that our in-house IdP's SAML MFA should work with AGOL (Field Maps, Collector)? I'm asking to make sure that if we implement SAML we may also have MFA for Field Maps and Collector. Hope my question makes sense.

thanks 

-Nick 

[Attached screenshot: multi.png]

RandallWilliams
Esri Regular Contributor

Hi @NickHarvey,

Looks like that doc needs some improvement, I can see the confusion. 

You are correct - the OOTB MFA does not work with organization-specific logins like SAML, but the SAML provider's OWN MFA absolutely will work. In fact, many of the ArcGIS Online ORGs we manage here internally at Esri leverage OKTA, in which our configuration requires MFA.

Check out our Organization Specific logins FAQ in our ArcGIS Trust Center documents; we get deeeeep down in this technical paper. Let us know what you think!


NickHarvey
Occasional Contributor II

Awesome - Yes will check it out thanks so much Randall!

CourtneyDunn
New Contributor II

How does MFA affect logging into AGO through external applications such as FME? 

RandallWilliams
Esri Regular Contributor

@CourtneyDunn That's a good question.

In all MFA solutions I've seen, MFA is handled at the authorization provider level, meaning that if you use SAML to log into ArcGIS Online, your credentials and MFA tokens are validated by SAML. If FME prompts you to log into ArcGIS Online, ArcGIS Online (as the authorization provider) will handle the MFA token. FME shouldn't really care at that level. I don't think you pass credentials to FME, I think you pass credentials to ArcGIS Online or your organization-specific login provider. 

TammySikma1
New Contributor II

Many organizations have not assigned mobile devices to staff.  Is there any consideration for including a recognized corporate email address as a "something you have" factor?
Also, is it possible to require users to turn on MFA once an organization initiates it?  Or to monitor which users have done so?

RandallWilliams
Esri Regular Contributor

@TammySikma1 

That's a potential option if you have your own auth provider (e.g. a SAML system that supports email-based MFA).

ArcGIS Online currently requires a software based MFA token for built-in users. 

There's an enhancement request to allow admins to enforce MFA in AGO. 

[#ENH-000113296  Admins of ArcGIS Online Organizations should have the ability to require that members of their organization use Multi-Factor Authentication]


CarlosBarahona
New Contributor II

Is there any update on ENH-000113296 to allow AGOL Admins the ability to require that members of an organization use Multi-Factor Authentication? We're generally covered by using SAML authentication, but the lack of a control for this on built-in accounts leaves a hole in our authentication requirements.

RandallWilliams
Esri Regular Contributor

@CarlosBarahona Yes. We recently implemented the webAuthN API and are working on the design to allow admins to require MFA for built-in accounts. WebAuthN was a prerequisite. This feature should be implemented in the near future. 

AndreaB_
Occasional Contributor

Hi @RandallWilliams ,

Any idea when the ability to enforce MFA for ArcGIS Enterprise Portal (built-in accounts) will be available?

Thanks!