MFA and the Curity Identity Server
The Curity Identity Server can help create secure multi-factor authentication flows that fit a client’s specific security requirements. An authentication method in the Curity Identity Server is called an authenticator. The Curity Identity Server makes it possible to configure any number of authenticators, either of the same type or of different types. These authenticators can be combined in various ways to create multi-factor solutions and integrations.
The server's great flexibility permits a wide variety of approaches to MFA. In principle, there are two main ways to create multi-factor authentication flows.
One way is to set up a predefined flow. Although a predefined flow can be set up in various ways, once established it must be followed as laid out. The flow will proceed the same way every time. Such authentication flows can be thought of as “swim lanes” restricting the user to particular pathways. The predefined nature of such a flow does not mean the multi-factor authentication provided is necessarily lacking in robustness, however. This approach can in fact be used to set up elaborate chains of authentications that can achieve a level of MFA not limited to two factors alone.
The other main way to create a multi-factor authentication flow in the Curity Identity Server is to make the flow conditional. The conditions involved can be based on the client’s needs or even on external circumstances, such as a report of an attack that calls for stepped-up security measures. The key difference from the predefined approach is that a second factor can be conditional on almost anything a developer chooses, from user preference to time of day to location. In short, just about any condition can be introduced into this type of authentication flow.
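To make the distinction concrete, here is an added illustration of the two models in plain Python. It is not Curity configuration or Curity code: the authenticator labels (`html-form`, `sms`, `totp`, `email`), the request `Context` fields, and the office-hours and home-country thresholds are all constructed for the example. A predefined flow returns the same fixed chain regardless of context; a conditional flow starts from one factor and adds further factors only when a condition (after-hours access, an unfamiliar location, an operator-raised attack alert) holds.

```python
from dataclasses import dataclass
from datetime import time
from typing import Callable, Iterable, List

# Constructed request context; a real policy would draw these from the
# authentication request, the session and operational signals.
@dataclass(frozen=True)
class Context:
    username: str
    local_time: time
    country: str          # ISO 3166-1 alpha-2 code of the request origin
    attack_alert: bool = False  # operator-raised "under attack" flag

FlowResolver = Callable[[Context], List[str]]

def predefined_flow(*authenticators: str) -> FlowResolver:
    """A 'swim lane': the same ordered chain of authenticators every time."""
    chain = list(authenticators)

    def resolve(_ctx: Context) -> List[str]:
        return list(chain)

    return resolve

@dataclass(frozen=True)
class Condition:
    name: str
    predicate: Callable[[Context], bool]
    authenticator: str   # factor required when the predicate holds

def conditional_flow(first: str, conditions: Iterable[Condition]) -> FlowResolver:
    """Start with one factor; append a further factor for each condition that fires.
    A factor is never requested twice even if several conditions select it."""
    conds = list(conditions)

    def resolve(ctx: Context) -> List[str]:
        steps = [first]
        for cond in conds:
            if cond.predicate(ctx) and cond.authenticator not in steps:
                steps.append(cond.authenticator)
        return steps

    return resolve

# Illustrative thresholds (assumptions, not product defaults).
OFFICE_HOURS = (time(8, 0), time(18, 0))
HOME_COUNTRY = "SE"

def outside_office_hours(ctx: Context) -> bool:
    return not (OFFICE_HOURS[0] <= ctx.local_time < OFFICE_HOURS[1])

def unusual_location(ctx: Context) -> bool:
    return ctx.country != HOME_COUNTRY

def under_attack(ctx: Context) -> bool:
    return ctx.attack_alert

# Predefined: password form, then SMS code, then TOTP, always.
PREDEFINED = predefined_flow("html-form", "sms", "totp")

# Conditional: password form, then extra factors depending on context.
CONDITIONAL = conditional_flow("html-form", [
    Condition("after-hours", outside_office_hours, "totp"),
    Condition("unusual-location", unusual_location, "totp"),
    Condition("attack-report", under_attack, "email"),
])

def required_factors(resolver: FlowResolver, ctx: Context) -> List[str]:
    """Return the ordered list of authenticators the user must complete."""
    return resolver(ctx)

if __name__ == "__main__":
    daytime_home = Context("alice", time(10, 0), "SE")
    night_abroad = Context("alice", time(23, 0), "US", attack_alert=True)
    print("predefined :", required_factors(PREDEFINED, daytime_home))
    print("conditional:", required_factors(CONDITIONAL, daytime_home))
    print("conditional:", required_factors(CONDITIONAL, night_abroad))
```

The conditional resolver deliberately de-duplicates factors, so a request that is both after hours and from an unusual location asks for TOTP once rather than twice; the predefined resolver ignores the context entirely, which is what makes its behaviour predictable but also what makes it unable to step up when an attack is reported.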
Provided that the administrator permits it, the client has many options concerning which flow to trigger among the predefined and conditional flows. The administrator can provide a variety of flows to choose from, and the client can then select the desired flow and apply it. Alternatively, the user may choose his or her own flow, deciding, for example, whether to provide a second factor by text message or by email.
Depending on the approach chosen and the degree of security required, the Curity Identity Server can fine-tune multi-factor authentication in an almost infinite variety of ways.