    What’s multi-factor authentication?

    Multi-factor authentication (MFA) is a security method requiring users to provide two or more verification factors to access a system, application, or account.

    Instead of relying on just a username and password, MFA adds extra layers of protection by combining the following.

    What are the differences between IdP and MFA?

    An identity provider (IdP) is a central system that manages user identities and authenticates them when they try to access apps or systems. Examples include Okta, Microsoft Entra ID (Azure AD), and Google Identity.

    MFA is a security layer added on top of login systems (like an IdP). It requires users to verify their identity using two or more factors, such as something you know (like a password) or something you possess (such as a phone or token).


    IdP

    Think of the IdP as the gatekeeper of user access. It handles login credentials and single sign-on (SSO) and enforces access policies.

    The IdP’s primary function is to answer “Who is this user, and what are they allowed to access?”

    MFA

    MFA enhances login system security (like an IdP) by requiring users to verify their identity through two or more factors.

    The MFA’s primary function is “to help users prove they’re really who they say they are.”


    DUO MFA Visual Workflow (Egress)

    DUO MFA Visual Workflow (Ingress)

    Multi-Factor Workflow Explanation

    User Login Attempt

    • The user initiates access by entering their username and password into a Duo-protected application, in this case the Palo Alto GlobalProtect application.

    Primary Authentication

    • When the user enters their username and password, the credentials are verified against the primary authentication source, which in this case is Active Directory, LDAP, or RADIUS, if it exists.
    • Note: The Duo Authentication Proxy can be downloaded from the MFA vendor, specifically Duo, and installed on the server.

    Duo MFA Challenge

    • Once the initial authentication using LDAP is successfully completed, the application connects with the Duo Authentication Proxy. This proxy then contacts the Duo cloud service to start the second-factor authentication process.

    User Verification

    • When the user tries to log in, they receive a friendly prompt on the registered device through the Duo Mobile app, SMS, or phone call to approve the login attempt.

    Access Granted

    • After the user confirms the second-factor prompt, the Duo service notifies the application, granting access.
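The proxy's place in the workflow above shows up directly in its configuration file. The following `authproxy.cfg` is an added example, not taken from the original post or from any real deployment; every host name, IP address, key, and secret is a placeholder, and it assumes GlobalProtect sends RADIUS requests to the proxy with Active Directory as the primary authentication source.

```ini
; authproxy.cfg for the Duo Authentication Proxy
; Added example: every value below is a placeholder.

[ad_client]
; Primary authentication: the proxy checks the username and
; password against Active Directory.
host=dc01.example.internal
service_account_username=svc-duo-proxy
service_account_password=REPLACE_ME
search_dn=DC=example,DC=internal
; Use LDAPS so credentials do not cross the network in clear text.
transport=ldaps
ssl_ca_certs_file=conf/ad-ca.pem

[radius_server_auto]
; Secondary authentication: once [ad_client] succeeds, the proxy
; contacts the Duo cloud service to start the second-factor prompt.
ikey=REPLACE_WITH_INTEGRATION_KEY
skey=REPLACE_WITH_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
; Accept RADIUS requests only from the GlobalProtect gateway.
radius_ip_1=192.0.2.10
radius_secret_1=REPLACE_WITH_LONG_RANDOM_SECRET
port=1812
client=ad_client
; failmode=safe admits users on primary authentication alone when
; the Duo service is unreachable; failmode=secure denies access.
failmode=secure
```

The file holds the service account password, the Duo secret key, and the RADIUS secret, so restrict read access to the account that runs the proxy.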

    Why does multi-factor authentication matter?

    • It stops stolen credentials from being enough: Even if a password is leaked, the attacker can’t get in without the second factor.
    • Easy for users, challenging for attackers: A quick mobile tap is far easier than remembering complex codes.
    • Flexible across environments: Works with cloud apps, VPNs, firewalls, remote desktops, and more.

    Where Can MFA Be Implemented?

    Multi-factor authentication can be used across various systems and access points, including:

    • VPN and remote access portals: Protect remote workers connecting to internal systems.
    • Cloud applications: Secure logins to Microsoft 365, Google Workspace, Salesforce, and more.
    • Firewalls and network devices: Add a second layer to admin access (e.g., Palo Alto, Cisco, Fortinet).
    • Workstations and desktops: Enforce MFA for login to Windows or macOS.
    • Email and file-sharing services: Prevent unauthorized access to sensitive communication and data.
    • Admin dashboards and servers: Secure privileged accounts with stronger authentication.

    Final Thought

    If you’re not using MFA yet, you’re at risk. Duo or any other identity provider (IdP) makes it simple to add that extra layer of protection without frustrating your team.

    Cheers,
