This topic describes multi-factor authentication (MFA) and explains how to enable it for the WSO2 Identity Server management console. By default, WSO2 Identity Server ships with username/password-based authentication. You can strengthen this by adding a further authentication step that uses basic authentication, FIDO, TOTP, and so on.
About multi-factor authentication
With the rapid growth of the internet, more and more services are available to enterprises and organizations. Username and password-based authentication still plays a major role in authenticating users, and it is essential to use a strong password to keep your computer, data, and accounts safe. However, like most users, you will probably find it challenging to remember a strong password, especially if you have to change it once in a while.
Multi-factor Authentication (MFA) creates a layered defense and makes it more difficult for an unauthorized person to access a target such as a physical location, computing device, Web service, network or database. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target.
Authentication factors in MFA rely on two or more independent credentials from the following three categories:
- Knowledge factors - Things only the user knows, such as passwords
- Possession factors - Things only the user has, such as ATM cards
- Inherence factors - Things only the user is, such as a fingerprint
The user is authenticated with a combination of two or more factors from the above three. A basic example is withdrawing money with an ATM card: the card is the possession factor and the PIN is the knowledge factor.
Configuring multi-factor authentication for WSO2 IS
- Start the WSO2 IS server and log in to the management console.
- Click Add under Service Providers on the Main tab. Enter a service provider name and click Register.
Since the service provider is for the WSO2 Identity Server itself, in this tutorial the service provider is referred to as 'self'.
- Expand Inbound Authentication Configuration > SAML2 Web SSO Configuration and click Configure.
- Select Manual Configuration and enter the following details. Click Register.
- Issuer - carbonServer
- Assertion Consumer URLs - https://localhost:9443/acs
- Enable Response Signing - true
- Expand Local and Outbound Authentication Configuration and select Advanced Configuration to configure multi-factor authentication.
There are two types of multi-factor authentication that you can configure here.
- Multi-option authentication: This can be configured by clicking Add Authenticator. Clicking this again will enable you to create another authentication option. These can be either local or federated authenticators.
- Multi-step authentication: This is configured by clicking Add Authentication Step. Clicking this again will enable you to create another authentication step. These can be either local or federated authenticators.
Click Add Authenticator to add a Local Authenticator. You can choose the type of authenticator using the dropdown. Clicking Add Authenticator again will enable you to add a second local authenticator and configure multi-option authentication using two local authenticators. Alternatively, you can click Add Authentication Step and configure a Local Authenticator in one step by selecting the local authenticator from the dropdown and clicking Add Authenticator. You can do the same for the second step.
As an example for this scenario, basic and fido are used as the two authenticators. Basic authentication allows you to authenticate users from the enterprise user store while FIDO authenticates you externally.
If you are adding FIDO as an authenticator, see Multi-factor Authentication using FIDO for more information and follow the instructions given in the topic to configure it.
- Select whether this is a Subject Step, Attribute Step or both. In the case of multiple steps, you can have only one step as the subject step and one as the attribute step.
- Click the Update button.
- This navigates you to the previous screen with your newly configured authentication steps. Click Update again to save changes.
- Shut down WSO2 IS and open the
authenticators.xml file found in the
SAML2SSOAuthenticator by changing the
disabled parameter to false.
Change the value of the
<Priority> property found under the
Save and close the
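A check for the authenticators.xml edit in the last step, as an added example that is not part of the WSO2 documentation. The XML element layout, the embedded sample documents and the ServiceProviderID parameter are assumptions; only the SAML2SSOAuthenticator name, the disabled parameter, the <Priority> property and the carbonServer Issuer come from this page.

```python
import xml.etree.ElementTree as ET

# Constructed samples. The element layout (Authenticator/@name, @disabled,
# <Priority>, <Config>/<Parameter>) is an assumption, not taken from the page.
SHIPPED = """<Authenticators>
  <Authenticator name="BasicAuthenticator" disabled="true">
    <Priority>5</Priority>
  </Authenticator>
  <Authenticator name="SAML2SSOAuthenticator" disabled="true">
    <Priority>10</Priority>
    <Config>
      <Parameter name="ServiceProviderID">carbonServer</Parameter>
    </Config>
  </Authenticator>
</Authenticators>"""
EDITED = SHIPPED.replace('SAML2SSOAuthenticator" disabled="true"',
                         'SAML2SSOAuthenticator" disabled="false"')


def local(tag):
    """Strip an XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit(xml_text, issuer="carbonServer", name="SAML2SSOAuthenticator"):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    auth = next((e for e in root.iter()
                 if local(e.tag) == "Authenticator" and e.get("name") == name), None)
    if auth is None:
        return [f"{name} entry not found"]
    findings = []
    if (auth.get("disabled") or "").strip().lower() != "false":
        findings.append(f"{name}: disabled is not set to false")
    prio = next((c.text for c in auth if local(c.tag) == "Priority"), None)
    if prio is None or not prio.strip().lstrip("-").isdigit():
        findings.append(f"{name}: Priority is missing or not an integer")
    # Assumption: ServiceProviderID should equal the Issuer registered above.
    sp_id = next((p.text for p in auth.iter() if local(p.tag) == "Parameter"
                  and p.get("name") == "ServiceProviderID"), None)
    if sp_id is not None and sp_id.strip() != issuer:
        findings.append(f"{name}: ServiceProviderID {sp_id!r} != Issuer {issuer!r}")
    return findings


if __name__ == "__main__":
    for label, doc in (("shipped", SHIPPED), ("edited", EDITED)):
        print(label, audit(doc) or "OK")
```

Run it against the real file by passing its contents to `audit()`; the expected Priority value is not checked because this page does not state it.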
Try it out
- Start WSO2 IS and navigate to the following URL: https://localhost:9443.
- You will now be prompted for extra steps of authentication depending on the authentication options and steps you added above.
You have successfully configured multi-factor authentication for the WSO2 Identity Server management console.