Tips for Choosing MFA Methods
MFA enhances your organization's security by requiring users to present at least two factors that prove their identity. Here we list the MFA methods offered by UniFi Identity Enterprise and guide you through choosing the right method for your organization.
SMS & Email
SMS and email are the most common MFA methods and the easiest to set up: any device that can receive text messages or email can enroll. At login, a random code that is usually valid for only a few minutes is generated and delivered to the user through a third-party SMS or email provider.
They are also the least secure. The receiving device may be lost or stolen, a phone number can be taken over by SIM swapping or port-out fraud, and because the user types the code into whatever page asks for it, the code can be phished or intercepted by an attacker-in-the-middle just like a password.
Security Keys
FIDO2
UniFi Identity Enterprise supports enabling FIDO2 security keys and WebAuthn biometrics as MFA factors.
FIDO (Fast Identity Online) is a set of open, standardized authentication protocols for online identity security. FIDO2 is the newer standard that lets users authenticate to online services with devices they already own, in both mobile and desktop environments.
WebAuthn (the Web Authentication API) is the browser-facing part of FIDO2 and is supported by all major browsers and most platforms, including Windows 10, Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari, Apple iOS, and Android.
Users can easily log in to their UniFi Identity Enterprise workspace using WebAuthn biometrics on devices that support biometric authentication, such as Apple Touch ID and Windows Hello.
WebAuthn is more secure than a password because it uses a public/private key pair. The private key is generated and stored on the user's device and never leaves it; the UniFi Identity Enterprise server stores only the public key and a randomly generated credential ID. At login, the server sends a fresh random challenge, the device signs it with the private key, and the server verifies the signature with the stored public key. The browser also includes the site's origin in the signed data, so a signature produced on a look-alike phishing domain is rejected.
Storing a public key on the UniFi Identity Enterprise server is safer than storing a password, or even a password hash: a public key is useless to an attacker who steals it, because it cannot be used to log in without the corresponding private key, and the private key itself is never transmitted. Access is granted only when the device proves possession of the private key by signing the server's challenge.
Biometric Authentication on Devices
Biometric data for Windows Hello and Apple Touch ID is stored locally on the device and is never sent to the UniFi Identity Enterprise server, which only ever sees the WebAuthn signature. An attacker therefore cannot obtain a user's biometric template from a server or network compromise and needs physical access to the device to attempt to use it. Apple Touch ID keeps its fingerprint data inside the Secure Enclave.
For example, each sensor on Windows Hello has its own biometric database file, and the template data in it is encrypted with the Advanced Encryption Standard (AES) in Cipher Block Chaining (CBC) mode under a per-database key that is itself encrypted to the system.
Fingerprint sensors that can perform the match on the sensor module itself store the biometric data directly on the module rather than in a database file.
Hardware Security keys
Hardware security keys such as YubiKey and Google Titan are FIDO authenticators in their own right: the private keys are generated inside the key's secure element, are stored only there, and are used solely to sign authentication challenges.
They are physical devices, usually USB (some models also offer NFC), that are plugged into or tapped against the computer for the second step of login. Some include a fingerprint sensor so that a stolen key cannot be used on its own. They may not work with older devices, and because the key must be physically present at the machine performing the login, they cannot be used over a remote connection.
Each key has its own tamper-resistant secure element; the private keys cannot be exported from it, so the key cannot be cloned, and because the key only ever signs a challenge bound to the genuine site's origin, it cannot be phished remotely either. This is the method commonly adopted by enterprises and financial institutions that need the highest level of protection.
Users of the UniFi Identity Enterprise web versions can log in using Apple Touch ID and hardware security keys. The desktop (macOS and Windows) and mobile (Android and iOS) app versions of these services will soon support these MFA methods.
Authenticator Apps
Many businesses use this MFA method because it strikes a good balance between security and convenience. Listed below are some popular mobile apps that generate one-time passwords (OTPs) or show verification prompts, optionally protected by a PIN or biometric unlock.
- Verify
- Google Authenticator
- Microsoft Authenticator
With OTP, the app and the authentication server share a secret that is enrolled once, usually by scanning a QR code. Both sides then compute the same short numeric code from that secret and the current time, so the code changes every 30 seconds and never crosses the network until the user types it in. The server verifies the user only when the code it computes for the current time matches the one the user entered.
Verification prompts are more secure than OTP codes because the enrollment is bound to the specific device and cannot be easily migrated or cloned, and the app collects device information during verification prompt setup.
Enabling number matching makes verification prompts stronger still. When users go through an MFA challenge, the login screen shows a number that they must select or enter in the app to approve it. A user therefore cannot approve a prompt they did not initiate, which defeats push-bombing (MFA fatigue) attacks in which an attacker who already has the password triggers prompt after prompt hoping the user eventually taps Approve.
The downside is that anyone who can unlock the user's mobile device can read the OTPs or approve the verification prompts. A lost or stolen phone should therefore be treated as a compromised factor, and this MFA method should be removed from the user's UniFi Identity Enterprise account until the device is recovered or replaced.
See the articles below for details about each MFA method and how to configure it in your security policies.