
Configure Client Certificate Authentication with OneLogin

Everything and everyone is going online, be it businesses or how we operate our homes and cars. Being online makes our work much more manageable, improves its quality, and takes us to a much larger market, whether we are a buyer or a seller. And just as every market comes with its management issues, the online world, too, has a host of them.

Cyber theft or cyberattacks are among the most significant concerns the online world faces, with over 50% of them being caused by credential theft. With every advancement of technology, the risk of attacks and cyber theft is increasing in intensity and scale. Attackers exploit any vulnerabilities in your network, and passwords can potentially be the most vulnerable.

In this article, we will go through some of the risk factors of password-based authentication and how OneLogin can help you mitigate security risks.

Why Passwords are Bad for Network Security


One of the oldest tools for network security, passwords fail to meet the security needs of the ever-evolving network security landscape. Password attacks are getting more vicious by the day. Attackers manipulate any broken authorization vulnerabilities in the system and use advanced techniques to access and steal the credentials of legitimate users and infiltrate your network.

Risk of Passwords Attacks

Password attacks involve attackers using different techniques and strategies to get their hands on the login credentials of valid users, often with automated password attack tools that accelerate the process of cracking passwords. Password attacks can have huge repercussions on the reputation and finances of a company, depending on the extent of exposure of sensitive information. Some of the common over-the-air cyber password attacks are:

  • Phishing
  • Brute-force password attacks
  • Keylogging
  • Dictionary password attacks
  • Password spraying

Risk Factors of Password Authentication due to Human Behavior

The need for human interaction to authenticate is probably the most significant vulnerability of passwords. Your network security’s strength depends on crucial factors like:

  • The training level of each employee
  • How careful your employees are with storing their passwords
  • Whether they are following password policies accurately

Add to that the risk of a disgruntled employee sharing their password for personal gain or as an act of showing their displeasure. Human interaction in password authentication weakens this process, as human behavior cannot be predicted with absolute certainty. Some of the most common behavior or practices that make passwords risky are:

  1. Passwords have to be changed frequently (about every 60 days) as a good password policy. Trying to create a new password that is entirely different every time and remembering it is a mammoth task. As a result, people often use similar passwords, changing but a few characters, increasing the risk of a security breach.
  2. People often use the same password for multiple accounts to avoid the hassle of storing and remembering multiple passwords. Suppose your employee’s social account is hacked by an attacker intending to infiltrate your network. You use password-based authentication, and your employee uses the same password for their work accounts. The risk it brings to your network security and business can be catastrophic.
  3. Storing or remembering passwords is another challenge. People often store their passwords on their phones, notebooks, or even written on paper. This is a very high risk as they can be stolen with little effort and used by hackers to attack your business.

Cost of Managing Password-related IT Tickets

Account lockouts can increase the burden on your IT department as they have to spend hours fixing them. You will have to deploy resources or at least divert part of their time to address password-related tickets. The time taken to fix the issue is also the productive time that your employee whose account is locked out loses. This, in turn, can impact the budget of your company.

The risk factors that passwords carry are so huge that they can cripple any network. No matter how well-designed your Identity and Access Management (IAM) solution is or how strong an IT and security team you have, passwords can become the biggest threat to your cybersecurity.

Certificates are Better Context for Network Security & Identity Management

Digital certificates are better at protecting your network as they mitigate all the risks involved with passwords, especially by eliminating human interaction. Certificates shift the responsibility from the end user and provide a better context for identity-based access management. They also do away with the need for any reset policy. Once a certificate is issued, a user can access the network till the certificate expires, and you can configure them to automatically renew. Some other benefits of using certificates are as follows.

  1. The authentication process of digital certificates eliminates the involvement of end users. The authentication process becomes completely automatic with a managed RADIUS that enables cloud IDP integration. The entire authentication process is completed at the back end with a Security Assertion Markup Language (SAML) application that requires no input from the user.
  2. Certificates help manage identity-based and role-based access by providing a better identity context. Certificates cannot be stolen or replicated, so only a valid certificate will be allowed access to the network. Implementing an IAM solution to control network access, based on the security group to a user or a machine, becomes much easier and more secure with certificates.
  3. Implementing Zero Trust Policy with certificates is much easier. Zero Trust as a security policy follows the principle “never trust, always verify,” meaning verification alone is not enough. User or machine activity has to be monitored constantly to detect and prevent any malicious or suspected activity. Digital X.509 certificates are crucial in building a zero-trust network authentication because they allow you to verify the identity of a user or a machine with greater precision.
  4. Public Key Infrastructure (PKI) can add higher identity assurance and is a very strong identity context for authentication. Unlike passwords, certificates cannot be copied, shared, or replicated. A certificate-based authentication environment is optimal for implementing Context-Based Identity Management & Device Trust policies.

The need for Public Key Infrastructure (PKI) can make the process of implementing certificate-based authentication look daunting. However, you can quickly secure your network with the right PKI solution and a managed RADIUS server built for certificates. The right IAM solution allows you to segment your network to control the level of access for every user and implement company policies with greater ease.

OneLogin IAM Solution for Context-Based Identity Management & Device Trust

OneLogin is an IAM solution created to provide users with a single-sign-on experience. It allows companies to facilitate employee login to all the applications and other resources through one single interface. OneLogin catalogs all the cloud and company apps that you need to perform your role in one place, so you do not have to remember multiple apps, URLs, and their login credentials. From a network administration standpoint, OneLogin allows you to enforce company and identity policies by provisioning users and assigning them security groups to provide them access as per their job role.

One of the leading IAM solutions, OneLogin has been developed with zero trust as the crux of its architecture. It has device trust and context-based identity management as the basis for many features and services.

OneLogin allows you to dynamically onboard and offboard users and monitor user activities with the click of a few buttons as a feature designed around context-based identity management. OneLogin can sync with your Active Directory operating as an Identity Provider, eventually replacing Active Directory.

Context-based identity management is a security concept that allows you to automatically amass contextual information whenever a user logs onto your network. Contextual data, like IP address, location, device history, etc., are obtained instantly and are invaluable components used as identity context for authentication and authorization. This identity context information enhances the precision of validating users by better capturing user behavior and history.

Device trust is the concept used to determine if the devices within your network can be trusted to access enterprise resources. Depending on the compliance policies and risk tolerance of your organization, unique decisions are made to determine which devices should be trusted to what degree and granted with what level of access. Their MFA (multi-factor authentication) features are also developed around the policies of device trust to enhance network security.

OneLogin implements device trust not just as a policy but as one of the primary features of their products to install PKI certificates on devices as a process of device authentication and management. Let us take a look at how OneLogin Identity Context allows you to create and download certificates manually.

Enabling Certificate Authentication in OneLogin

Embodying the concept of device trust as one of its primary features, OneLogin supports certificate-based authentication (CBA) for enrolling certificates on devices. However, its infrastructure does not allow large-scale enrollment of devices for 802.1X, nor does it distribute the certificates. You will have to manually create and download certificates or rely on an onboarding solution for scaling certificate distribution to your entire organization.

To get a self-generated digital certificate on the OneLogin platform, you must first create a security policy or edit an existing one to install a self-generated certificate. The steps are as follows.

  1. To edit an existing policy, select Security > Policies or add a new policy by clicking New User Policy.
  2. From MFA, change the option to Device Trust Required.
  3. Select Allow self-installation to enable manual installation of certificates. Once enabled, a user who needs a certificate will be prompted to install one at the time of log in to any application from OneLogin.
  4. You can also choose the validity period of certificates. Select the validity period as per your requirements.

You are now ready to use certificates for authentication in OneLogin. For the installation of certificates, you will have to create and download them manually. The steps for the same are as follows:

  1. Go to Users > Users and select the user.
  2. Choose Download PKI Cert from More Actions.
  3. The certificate password dialog box will open up.
    • Create a password and click Download to download the certificate. Please store the password for later use.
    • To download the certificate a second time (in case of expired certificates), you will need to use the password that you had previously created.
    • To start the installation, you may do so manually on the user’s device or send it to the user using a secure channel. Please note user certificate installation processes are different for different OS and browsers.
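
One way to check a downloaded certificate before installing it on the user's device, as an added example that is not OneLogin or SecureW2 code. It assumes the download is a PKCS#12 bundle and that the `openssl` CLI is available; the file names, the `P12_PASS` variable and the sample subject are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example: inspect a downloaded, password-protected certificate bundle.
# Assumptions: the bundle is PKCS#12; the password is passed in the P12_PASS
# environment variable so it never appears in the process list.

# make_sample_bundle DIR DAYS: constructed self-signed stand-in for a download.
make_sample_bundle() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
    -subj "/CN=sample.user@example.com" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
  openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
    -passout env:P12_PASS -out "$1/user.p12" 2>/dev/null
}

# bundle_cert FILE: emit only the client certificate (never the key) as PEM.
bundle_cert() {
  openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
    openssl x509 2>/dev/null
}

# bundle_subject FILE: who the certificate was issued to.
bundle_subject() {
  bundle_cert "$1" | openssl x509 -noout -subject -nameopt RFC2253
}

# bundle_status FILE WARN_DAYS: ok, renew-soon (expires within WARN_DAYS,
# or already expired), or unreadable (wrong password / not a PKCS#12 file).
bundle_status() {
  local pem
  pem=$(bundle_cert "$1") || { echo unreadable; return 0; }
  if printf '%s\n' "$pem" |
     openssl x509 -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
    echo ok
  else
    echo renew-soon
  fi
}

# Stand-alone demo: ./check_bundle.sh --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d) && export P12_PASS='constructed-password'
  make_sample_bundle "$tmp" 30
  bundle_subject "$tmp/user.p12"
  bundle_status "$tmp/user.p12" 14    # 30-day sample, 14-day warning window
  rm -rf "$tmp"
fi
```

A `renew-soon` result is the cue to download the certificate again, as described in the second bullet above, before the installed one expires.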

Automate Client Certificate Authentication on OneLogin with SecureW2

As discussed above, OneLogin does allow CBA; however, enrollment of certificates has to be done manually. It is almost impossible to roll out certificates manually throughout your organization as it is utterly time-consuming. It can become expensive with the need for IT to configure each certificate manually. The best way to automate certificate enrollment is using an onboarding solution that can integrate seamlessly with OneLogin.

SecureW2’s onboarding solutions can help you implement certificate-based authentication for your managed and unmanaged devices. As a company, we use 802.1x Certificates as the building block of a zero-trust framework. We are an official partner of OneLogin, and our authentication solutions support all of their cloud identity solutions. Our Dynamic Cloud RADIUS and advanced policy engines are designed to communicate with OneLogin to enforce user policies in real time.

Our Managed Gateway API & PKI solutions offer zero-touch certificate enrollment for managed devices. You can deploy certificates to any MDM via API gateways to configure and auto-enroll managed devices for certificate-based authentication.

Our JoinNow MultiOS provides simple self-service BYOD certificate enrollment. SecureW2 solutions make the life-cycle management of certificates completely automatic and provide a great user experience.

SecureW2 Solutions

The landscape of network security is changing rapidly. With an increase in the number and intensity of cyber attacks, steps have to be taken to make your network the most secure. IAM solutions like OneLogin, designed with a zero-trust policy framework with context-based identity management and device control, are definitely instrumental in improving network security. However, continuing to use passwords is not the most secure option. No matter how robust your IAM solution is, passwords can be an easy gateway for hackers to penetrate your network.

For enhancing your network security and enjoying the strengths of your OneLogin platform, passwordless certificate-based authentication is the best approach. SecureW2 has affordable options for organizations of all sizes. Click here to see our pricing.

Learn about this author

Amrita Medhi

Amrita Medhi loves reading & spending time with her dogs. She graduated from Bangalore University in Sociology. She is passionate about writing technical content as it gives her the opportunity to learn new things in technology.
