
DNS Based Advanced Web Security Filter blocking Malware, Ransom ware and Phishing attempts.

Table of Contents

List of Acronyms
1. Introduction
1.1 What is DNS Based Web Filtering?
1.2 Brief Explanation
1.3 DNS Based Filtering is Important for Cyber security
1.4 What is DNS Malware Protection?
2. Phishing is the number one delivery vehicle for ransomware
2.1 What are the main phishing types?
2.2 How can you protect your business from phishing and ransomware?
3. Software for protecting malware, ransomware, phishing attempts
4. Advantages of Ransomware Protection Tools:
4.1 Benefits of DNS Based Web Filtering
5. Limitations of Traditional DNS
7. References

ACNS Page i

List of Acronyms

DNS: Domain Name System

IoT: Internet of Things

IP: Internet Protocol

ISP: Internet Service Provider

ROI: Return on Investment

SMB: Small and Medium Businesses

TTL: Time to Live


1. Introduction

1.1 What is DNS Based Web Filtering?

DNS based web filtering is a method of securing the DNS against attack and ensuring a safe browsing
environment. DNS based filtering is used to block attempts by users to visit malicious websites, such as
those used for malware distribution or phishing. Instead of an organization using their own DNS
infrastructure to find websites, which can be vulnerable to attack, the DNS infrastructure is changed to a
third-party service provider. That service provider maintains a database of categorized websites and
webpages and the DNS lookup is conducted through the service provider. There is no impact on the
speed of lookups, so end users will not notice any change. The difference is that, for the most part, they
will only be allowed to access safe websites. If they attempt to visit a website and it is not malicious, they
will be connected to the appropriate IP address. If the website they are attempting to visit is determined
to be malicious or highly suspect, they will instead be directed to a local IP address that hosts a DNS
block page advising them they have been prevented from connecting. They could be prevented from
connecting to a website or webpage for three reasons:
• The website they are trying to reach does not exist
• The website was found to host malicious content
• The website violates their organization’s internet usage policy
The attempt to visit the website will be recorded through DNS logging so administrators of the DNS
based web filtering solution (your IT security team) will be able to check the access attempt and take
appropriate action.
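
The lookup flow described above, as an added example that is not code from any filtering product or from the original report. The category database, the zone data, the block page address and all names are constructed for illustration; matching is done on domain label boundaries so that a listed domain also covers its subdomains without catching look-alike names.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

BLOCK_PAGE_IP = "10.0.0.53"  # assumption: local host serving the DNS block page

# Constructed category database of the kind a filtering provider maintains.
CATEGORY_DB: Dict[str, str] = {
    "malware-downloads.example": "malware",
    "login-verify.example": "phishing",
    "socialsite.example": "social-media",
}

# Constructed records standing in for ordinary DNS resolution.
ZONE: Dict[str, str] = {
    "intranet.example": "192.0.2.10",
    "cdn.malware-downloads.example": "198.51.100.8",
    "login-verify.example": "198.51.100.9",
    "socialsite.example": "203.0.113.5",
    "notmalware-downloads.example": "203.0.113.6",
}

THREAT_CATEGORIES: Set[str] = {"malware", "phishing"}


@dataclass
class Verdict:
    client: str
    qname: str
    action: str             # "allow", "block-threat", "block-policy", "nxdomain"
    answer: Optional[str]   # IP handed back to the client, None for NXDOMAIN
    category: Optional[str]


def normalize(qname: str) -> str:
    """Lower-case the name and drop the trailing root dot."""
    return qname.strip().lower().rstrip(".")


def categorize(qname: str) -> Optional[str]:
    """Check the name and each parent domain, label by label."""
    labels = qname.split(".")
    for i in range(len(labels) - 1):          # never match on the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_DB:
            return CATEGORY_DB[candidate]
    return None


class FilteringResolver:
    def __init__(self, policy_blocked: Set[str]):
        self.policy_blocked = policy_blocked  # categories banned by usage policy
        self.log: List[Verdict] = []          # DNS log for the security team

    def resolve(self, client: str, raw_qname: str) -> Verdict:
        qname = normalize(raw_qname)
        category = categorize(qname)
        if category in THREAT_CATEGORIES:
            verdict = Verdict(client, qname, "block-threat", BLOCK_PAGE_IP, category)
        elif category in self.policy_blocked:
            verdict = Verdict(client, qname, "block-policy", BLOCK_PAGE_IP, category)
        elif qname not in ZONE:
            verdict = Verdict(client, qname, "nxdomain", None, category)
        else:
            verdict = Verdict(client, qname, "allow", ZONE[qname], category)
        self.log.append(verdict)
        return verdict

    def blocked_attempts(self) -> List[Verdict]:
        """Entries an administrator would review and act on."""
        return [v for v in self.log if v.action.startswith("block")]


if __name__ == "__main__":
    resolver = FilteringResolver(policy_blocked={"social-media"})
    for name in ("Intranet.Example.", "cdn.malware-downloads.example",
                 "notmalware-downloads.example", "socialsite.example",
                 "no-such-host.example"):
        v = resolver.resolve("10.1.1.5", name)
        print(f"{v.qname:32} {v.action:13} {v.answer}")
```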

1.2 Brief Explanation

DNS filtering is based on the Domain Name System (DNS) – a system of assigning IP addresses to
websites. When an Internet user clicks on a link or types a domain name into their browser, the browser
locates the IP address for the target website and connects the user. The system works very much like
how a telephone exchange connects phone users by phone number rather than by name.
However, not all websites are safe to visit. Therefore, an Internet filter with DNS filtering checks the IP
address against a database of IP addresses to make sure it has not been flagged as unsafe. Because IP
addresses are numeric, the process is much quicker than if a server had to check an alphanumeric
domain name against an alphanumeric database of blacklisted websites.


The primary benefits of DNS filtering are that the process is quick and it uses minimal bandwidth. DNS
filtering helps protect networks by only processing valid IP addresses and by blocking access to unsafe
websites. Please note the functions of a DNS-based filter should not be confused with those of a Domain
Name Server, which accelerates the speed at which devices can find websites, but does not offer any
form of protection against malicious websites.

DNS filtering provides protection from malicious online threats such as viruses, malware, ransomware,
phishing attacks and botnets. The Domain Name System (DNS) makes it so that we can use
the Internet by remembering names, and computers can translate these names into machine-readable
IP addresses to transfer information from websites, email servers, and file servers to your web
browser or email client. Passwords are hard enough to remember – imagine if we had to remember
IP addresses instead of domain names.

1.3 DNS Based Filtering is Important for Cyber security


An email security solution can be used to prevent the message from reaching the user’s inbox. The user
can be trained how to recognize a phishing email. The attempt to visit the malicious website can be
blocked using a web filter, and multi-factor authentication can be used to prevent the stolen credentials
from being used to remotely access the account. Having antivirus software on endpoints will also help in
the event of a malware download.
All of these measures are important as no single cyber security solution can block all attacks. By having
several overlapping layers of security, if any one solution fails, another one, two or three measures are in
place to continue to provide protection. DNS based filtering is an important part of cyber security
defenses and is utilized by web filtering solutions to prevent users from visiting malicious websites. It
is, however, a cyber security measure that is often not implemented.

1.4 What is DNS Malware Protection?

In order to best answer the question what is DNS malware protection, it is advisable to have an
understanding of how DNS filtering works. Fortunately, you do not have to be technically-aware to
grasp the basics, and a little knowledge of the subject can help businesses better protect their networks
against web-borne threats such as malware, ransomware, and phishing.

• Ransomware attacks – a growing epidemic

Ransomware is a type of malicious software cyber actors use to deny access to systems or data. The
malicious cyber actor holds systems or data hostage until the ransom is paid. After the initial infection,
the ransomware attempts to spread to shared storage drives and other accessible systems. If the demands
are not met, the system or encrypted data remains unavailable, or data may be deleted.[1]

Ransomware is a type of malicious software that restricts or limits users of a targeted organization from
accessing their IT systems (servers, workstations, mobile devices, etc.), until a ransom is paid.
Ransomware is a major and exponentially growing threat that organizations will certainly face if they
are not already concerned.

For several decades now, we have witnessed a global struggle to prevent malicious code from
undermining the technology upon which so much of modern life now depends. The parties to that
struggle include, on the one side, financially motivated criminals, agenda-driven activists, agents of
ethically challenged governments, and occasionally some hoodie-wearing code junkies who haven’t
properly thought things through. On the other side are companies and consumers and any organization
that has data which could be leveraged or destroyed by someone with criminal intent. Gaining[2]

• Future trends in ransomware

The profitability of ransomware is flourishing due to the simplicity of its business model and the ease
of use of its operating model. According to the latest cyber threat intelligence, ransomware attacks
shifted focus to the industries that have little option but to pay, such as healthcare, small and medium
businesses (SMB), governments, critical infrastructure, NGOs, and education. Spear phishing campaigns
were mainly used to ship the ransomware to those industries. Attackers know that those industries hold
valuable or sensitive data, are usually struggling to fund their IT capabilities, and are often subject to
regulations that can thwart their ability to make an efficient use of backups.

Based on the ENISA Threat Landscape Report 2016 (published in January 2017) and latest threat
intelligence reports, there have been significant improvements in ransomware variety and functionality
to increase damage and accelerate the need for response:


• More comprehensive and targeted damage, including back-up files, databases, and web pages
• Use of security vulnerabilities to increase infection rates
• Methods to increase ransom in case users delay payment
• Change of communication methods to victims to better negotiate ransom amount (e.g., through
chat rooms instead of fixed banners)
• Stealthier encryption of infected computers and improved techniques to evade detection
• Internet-of-Things (IoT) and smart devices are seen as new targets

2. Phishing is the number one delivery vehicle for ransomware

The motive behind this is that phishing emails are easy to send and lead to a faster return on investment
(ROI). Phishing, as part of social engineering schemes, lures victims into executing actions without
realizing the malicious drive. The less aware the targeted user is, the more fruitful the attack. Likewise,
in case of targeted attacks, phishing emails are created to look like they come from a trustworthy sender,
but link to or contain malicious content that executes as soon as users click it, encrypting their data and
asking for the ransom.

Sophisticated phishing attacks are harder to detect by nature and sometimes even careful users can still
fall into the trap.

2.1 What are the main phishing types?

• Spear phishing: Spear phishing emails are so personalized that traditional spam and reputation
filters repeatedly fail to detect the malicious content within.

• Business email compromise: Also known as CEO fraud or whaling, this is also part of the threat
landscape. In these attacks, the threat agents typically impersonate an email account belonging to a
high-profile executive and then use it to send an email to the organization’s employees with financial
authority, asking them to transfer money into bank accounts controlled by the attackers. CEOs,
directors, and executive-level, payroll, or human resources staff are part of the company’s big fish.


What are the most common phishing emails in use?

Cyber threat reports define highly effective phishing emails that end-users need to be vigilant about:
• Corporate emails: look like official corporate communication (e.g., benefit enrollment messages,
full mailbox notifications, etc.)
• Commercial emails: business-related emails that are not organization-specific (e.g., wire transfer
requests, insurance notifications, shipping confirmations, etc.)
• Consumer emails: emails the general public gets on a daily basis (e.g., social networking
notifications, gift cards, etc.)
• Technical emails: such as error reports and bounced email notifications
• Cloud emails: business-related emails including messages related to cloud services (e.g., asking
to download documents from a cloud service, redirection to an online file sharing

2.2 How can you protect your business from phishing and ransomware?

The ransomware threat should be handled with a comprehensive assessment of the organization’s
countermeasures to understand if they are really capable of responding to the latest threats.
This assessment includes, but is not limited to the following:
• User awareness
• Backup and recovery strategies
• Vulnerability and patch management processes
• Use of privileged accounts and access controls
• Content and Whitelist filtering
• Security configurations of endpoints
• Incident response processes
• Use of threat-intelligence solutions

Malware-blocking DNS Services

How can you protect your family from malware and phishing with just a little effort? Various
alternative DNS services with built-in threat blocking capabilities are now available to the
public. This article introduces these public DNS services and helps you pick the right one for
keeping your devices safe and secure.

Malware-blocking and anti-phishing DNS servers can be an excellent companion to other
anti-malware services, such as anti-malware products and browser plugins. It takes just a few clicks
to change the default DNS servers (provided by your ISP) to these third-party servers with the
additional protection built-in. Be careful, though! Your DNS requests go to a third party and this
may raise some privacy concerns.

3. Software for protecting malware, ransomware, phishing attempts

• Bitdefender Total Security
• McAfee Total Protection
• Norton 360 Deluxe
• Bitdefender Antivirus Plus
• Check Point ZoneAlarm Anti-Ransomware
• Webroot SecureAnywhere Antivirus
• Avast Antivirus
• Trend Micro Antivirus+ Security
• Avira Free Security Suite
• F-Secure SAFE
• SpyBot Search & Destroy
• LifeLock

4. Advantages of Ransomware Protection Tools:

Aside from the protection it gives, there are a lot of benefits that you can get by having ransomware
security software.

System Security: New strains of ransomware keep on innovating and upgrading. If you are using
traditional ransomware removal software, you most probably won't be able to detect new strains
of ransomware. This is because the traditional software uses signature-based detection while the
new strains of ransomware keep changing their behavior.

No Downtime: The aftermath of a ransomware attack is much more disastrous than the infection
itself. You need a lot of time and effort to restore things properly. You also need to make sure
that after you restore the system and the files, there are no remaining traces of the ransomware.

Easy Deployment: Being protected is very easy using ransomware removal software. This
software is convenient to download from the internet.

File Recovery: Ransomware security software is a big help in recovering all infected files
in your computer. Some ransomware protection has a built-in recovery tool that enables you to
recover any files deleted by the ransomware.


Alerts: If you have installed ransomware removal software, it can automatically alert you to any
possible activity by suspicious software in your system.

Built-in Backup Tool: Some ransomware protection software includes a ready-made backup
utility that you can use to plan and schedule your backups. This way, you are assured that your
backup is clean and the data is credible.

Cleaning Utility: Another great feature of ransomware removal software is the ability to clean any
infected files in your computer.

4.1 Benefits of DNS Based Web Filtering

DNS based web filtering has a huge benefit over other forms of internet control. Since it uses DNS,
it is exceptionally quick. There is no latency and internet speed is unaffected. A cloud based DNS
filtering service requires no appliance purchases or software downloads. You simply use the
service provider’s DNS infrastructure, which is as simple as using a DNS redirect to the service
provider’s DNS servers. DNS based web filtering facilitates scale. You are not confined by the
limited capacity of appliances. To all intents and purposes, you can scale up cloud-based DNS
filtering protection for any number of users.
Setting up a DNS based web filter is quick and easy and you get almost immediate results. In a few
minutes you can be blocking access to malicious websites and enforcing your internet usage
policies. DNS based filtering solutions integrate with Active Directory and LDAP, so it is easy to
set controls for the entire organization, different locations, user groups, by role, and for individuals.
You also get full visibility into the online activities of the entire workforce through a web-based
management console which you can use to run reports and set internet control policies with a high
degree of granularity. Modern web filters do not cause problems with over blocking of web content
as category-based and keyword-based filtering is now far more accurate. What you get is a safe,
clean internet service that is largely free of threats. You won’t block every web-based threat, but
you will be able to significantly improve your security posture.
In summary, using a DNS based web filtering service will allow you to:
• Block access to malicious and risky websites
• Block malware downloads
• Create a safe and secure browsing environment for network users, Wi-Fi users, and guests
• Enforce internet usage policies
• Prevent users from accessing inappropriate and NSFW content
• Improve productivity by blocking access to internet productivity sinks
• Limit the potential for HIPAA violations by blocking access to messenger services, personal
webmail, and social media networks

5. Limitations of Traditional DNS

i. Only Updates Once Every TTL Cycle

The basic limitation of traditional DNS failover is that it only takes effect when the Time to Live
(TTL) for the host’s DNS record expires. Until that point, the old record will be stored in local
cache along the DNS resolution path, and users will continue to be referred to the failed server.

ii. No Failure Detection

Traditional DNS servers are not capable of detecting failure. This makes it necessary to run external
monitoring of all servers participating in the failover, and “intervene” by changing DNS records
when a server goes down.

iii. Not Aware of Load, Geography or Service Capabilities

Traditional DNS failover is not aware of the current load on different servers. For example, if there
are two backup servers, and the main server goes down, there is no easy way to determine which of
the remaining two servers has less load, and redirect traffic to it.

Additionally, in many web applications, users need to be redirected to a data center or endpoint that
is closer to their geographical location, or that provides the services or capabilities they need.


7. References
1. Phishing and ransomware can be your worst nightmares, how can you prevent these
evolving threats? (n.d.). Retrieved from Deloitte:
https://www2.deloitte.com/lu/en/pages/risk/articles/phishing-ransomware-how-to-prevent-threats.html

2. What is DNS Based Web Filtering? (n.d.). Retrieved from HIPAA Journal:
https://www.hipaajournal.com/hipaa-journal/

3. What is DNS Malware Protection? (n.d.). Retrieved from WebTitan:
https://www.webtitan.com/dns-malware-protection/

4. CISA, Cybersecurity and Infrastructure Security Agency. 2016. “Ransomware | CISA.” 1.

5. Cobb, Stephen. 2018. “Ransomware: An Enterprise Perspective.” 20.

6. Ransomware Protection Software for 2022. (n.d.). Retrieved from Comodo:
https://enterprise.comodo.com/forensic-analysis/ransomware-protection-software.php

7. Introduction to Malware-blocking DNS Services. (2017, December 22). Retrieved from
gaborszathmari: https://blog.gaborszathmari.me/introduction-malware-blocking-dns/

Secure single sign-on, multi-factor authentication and directory integration with AD, LDAP.

Table of Contents

List of Acronyms
1. Introduction
1.1 What is Single Sign-On (SSO) and How Does It Work?
1.2 What is Multi-Factor Authentication (MFA)?
How Does MFA work?
2. Methodology
3. Multi-Factor Authentication Software
4. Applications
5. Advantage
6. Limitations
7. References


List of Acronyms
FIM: Federated Identity Management
IAM: Identity and Access Management
IDaaS: Identity as a Service
LDAP: Lightweight Directory Access Protocol
MFA: Multi-Factor Authentication
OTP: one-time passwords
SSO: Single Sign-On
2FA: Two-Factor Authentication
VPN: Virtual Private Network


1. Introduction

1.1 What is Single Sign-On (SSO) and How Does It Work?

Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of
login credentials -- for example, a name and password -- to access multiple applications. SSO can be
used by enterprises, smaller organizations and individuals to ease the management of various
usernames and passwords.

In a basic web SSO service, an agent module on the application server retrieves the
specific authentication credentials for an individual user from a dedicated SSO policy server, while
authenticating the user against a user repository, such as a Lightweight Directory Access Protocol
(LDAP) directory. The service authenticates the end user for all the applications the user has been
given rights to and eliminates future password prompts for individual applications during the same
session.

How single sign-on works

Single sign-on is a federated identity management (FIM) arrangement, and the use of such a system is
sometimes called identity federation. OAuth, which stands for Open Authorization and is pronounced
"oh-auth," is the framework that enables an end user's account information to be used by third-party
services, such as Facebook, without exposing the user's password.

1.2 What is Multi-Factor Authentication (MFA)?

Multi-factor Authentication (MFA) is an authentication method that requires the user to provide
two or more verification factors to gain access to a resource such as an application, online account,
or a VPN. MFA is a core component of a strong identity and access management (IAM) policy.
Rather than just asking for a username and password, MFA requires one or more additional
verification factors, which decreases the likelihood of a successful cyber-attack.


Why is MFA Important?

The main benefit of MFA is it will enhance your organization's security by requiring your users to
identify themselves by more than a username and password. While important, usernames and
passwords are vulnerable to brute force attacks and can be stolen by third parties.

Enforcing the use of an MFA factor like a thumbprint or physical hardware key means increased
confidence that your organization will stay safe from cyber criminals.

How Does MFA work?

MFA works by requiring additional verification information (factors). One of the most common
MFA factors that users encounter is the one-time password (OTP). OTPs are those 4-8 digit codes
that you often receive via email, SMS or some sort of mobile app. With OTPs a new code is
generated periodically or each time an authentication request is submitted. The code is generated
based upon a seed value that is assigned to the user when they first register and some other factor
which could simply be a counter that is incremented or a time value.
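
The seed-plus-counter and seed-plus-time generation described above, as an added example that is not part of the original report. It uses the standard HOTP (RFC 4226) and TOTP (RFC 6238) constructions; the seed in the demo is the published RFC test seed, and the `HotpVerifier` class and its look-ahead window are illustrative assumptions.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based OTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: the counter is the number of elapsed time steps."""
    return hotp(seed, int(unix_time) // step, digits)


def verify_totp(seed: bytes, submitted: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side for clock drift."""
    current = int(unix_time) // step
    for counter in range(max(0, current - window), current + window + 1):
        if hmac.compare_digest(hotp(seed, counter), submitted):
            return True
    return False


class HotpVerifier:
    """Server-side state for one user's counter-based token (hypothetical class)."""

    def __init__(self, seed: bytes, look_ahead: int = 3):
        self.seed = seed
        self.next_counter = 0          # first counter value not yet consumed
        self.look_ahead = look_ahead   # tolerate codes generated but never sent

    def verify(self, submitted: str) -> bool:
        last = self.next_counter + self.look_ahead
        for counter in range(self.next_counter, last + 1):
            if hmac.compare_digest(hotp(self.seed, counter), submitted):
                # Move past the matched counter so the same code cannot be replayed.
                self.next_counter = counter + 1
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"     # RFC 4226 test seed, not a real secret
    print("HOTP counter 0:", hotp(seed, 0))
    print("TOTP at t=59  :", totp(seed, 59))
    server = HotpVerifier(seed)
    print("first use     :", server.verify(hotp(seed, 1)))
    print("replay        :", server.verify(hotp(seed, 1)))
```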

2. Methodology
Three Main Types of MFA Authentication Methods
Most MFA authentication methodology is based on one of three types of additional information:
• Things you know (knowledge), such as a password or PIN
• Things you have (possession), such as a badge or smartphone
• Things you are (inherence), such as a biometric like fingerprints or voice recognition
MFA Examples

Examples of Multi-Factor Authentication include using a combination of these elements to
authenticate:

Knowledge

• Answers to personal security questions
• Password

• OTPs (Can be both Knowledge and Possession - You know the OTP and you have to have
something in your Possession to get it like your phone)
Possession

• OTPs generated by smartphone apps
• OTPs sent via text or email
• Access badges, USB devices, Smart Cards or fobs or security keys
• Software tokens and certificates
Inherence

• Fingerprints, facial recognition, voice, retina or iris scanning or other Biometrics
• Behavioral analysis
Other Types of Multi-Factor Authentication

As MFA integrates machine learning and artificial intelligence (AI), authentication methods
become more sophisticated, including:

Location-Based

Location-based MFA usually looks at a user’s IP address and, if possible, their geo location. This
information can be used to simply block a user’s access if their location information does not match
what is specified on a whitelist or it might be used as an additional form of authentication in
addition to other factors such as a password or OTP to confirm that user’s identity.

Adaptive Authentication or Risk-Based Authentication

Another subset of MFA is Adaptive Authentication, also referred to as Risk-based Authentication.
Adaptive Authentication analyzes additional factors by considering context and behavior when
authenticating and often uses these values to assign a level of risk associated with the login attempt.
For example:
• Where is the user when trying to access information?

• When is the user trying to access company information? During normal hours or during
"off hours"?
• What kind of device is used? Is it the same one used yesterday?
• Is the connection via private network or a public network?
The risk level is calculated based upon how these questions are answered and can be used to
determine whether or not a user will be prompted for an additional authentication factor or whether
or not they will even be allowed to log in. Thus another term used to describe this type of
authentication is risk-based authentication.

With Adaptive Authentication in place, a user logging in from a cafe late at night, an activity they
do not normally do, might be required to enter a code texted to the user’s phone in addition to
providing their username and password. Whereas, when they log in from the office every day at 9
am they are simply prompted to provide their username and password.
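
The risk calculation described above, as an added example that is not code from the report or from any product it names. The weights, thresholds, country codes and all class and field names are assumptions chosen for illustration; the optional whitelist models the location-based blocking mentioned earlier.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set, Tuple

# Assumed weights and thresholds; a deployment would tune these to its own data.
WEIGHTS = {"location": 40, "time": 15, "device": 25, "network": 20}
STEP_UP_AT = 30   # at or above: prompt for an additional factor such as an OTP
DENY_AT = 80      # at or above: refuse the login


@dataclass
class Baseline:
    """What is normal for one user (constructed profile)."""
    usual_countries: Set[str]
    work_hours: range
    known_devices: Set[str]


@dataclass
class Attempt:
    country: str
    when: datetime
    device_id: str
    network: str      # "private" or "public"


def assess(baseline: Baseline, attempt: Attempt,
           country_whitelist: Optional[Set[str]] = None) -> Tuple[str, int, List[str]]:
    """Return (decision, risk score, reasons) for one login attempt."""
    # Location-based rule: a whitelist miss blocks access outright.
    if country_whitelist is not None and attempt.country not in country_whitelist:
        return "deny", 100, ["location not on whitelist"]

    score, reasons = 0, []
    if attempt.country not in baseline.usual_countries:      # where?
        score += WEIGHTS["location"]
        reasons.append("unusual location")
    if attempt.when.hour not in baseline.work_hours:          # when?
        score += WEIGHTS["time"]
        reasons.append("off hours")
    if attempt.device_id not in baseline.known_devices:       # which device?
        score += WEIGHTS["device"]
        reasons.append("unrecognized device")
    if attempt.network == "public":                           # which network?
        score += WEIGHTS["network"]
        reasons.append("public network")

    if score >= DENY_AT:
        decision = "deny"
    elif score >= STEP_UP_AT:
        decision = "step-up"          # password plus an additional factor
    else:
        decision = "password-only"
    return decision, score, reasons


if __name__ == "__main__":
    user = Baseline({"LU"}, range(8, 19), {"laptop-01"})
    office = Attempt("LU", datetime(2024, 3, 4, 9, 0), "laptop-01", "private")
    cafe = Attempt("LU", datetime(2024, 3, 4, 23, 30), "laptop-01", "public")
    for label, attempt in (("office 9 am", office), ("cafe at night", cafe)):
        print(label, "->", assess(user, attempt))
```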

Cyber criminals spend their lives trying to steal your information and an effective and enforced
MFA strategy is your first line of defense against them. An effective data security plan will save
your organization time and money in the future.

What's the Difference between MFA and Two-Factor Authentication (2FA)?

MFA is often used interchangeably with two-factor authentication (2FA). 2FA is basically a subset
of MFA since 2FA restricts the number of factors that are required to only two factors, while MFA
can be two or more.

What is MFA in Cloud Computing

With the advent of Cloud Computing, MFA has become even more necessary. As companies move
their systems to the cloud they can no longer rely upon a user being physically on the same network
as a system as a security factor. Additional security needs to be put into place to ensure that those
accessing the systems are not bad actors. As users are accessing these systems anytime and from
anyplace MFA can help ensure that they are who they say they are by prompting for additional
authentication factors that are more difficult for hackers to imitate or use brute force methods to
crack.

MFA for Office 365

Many cloud based systems provide their own MFA offerings like AWS or Microsoft’s Office 365
product. Office 365 by default uses Azure Active Directory (AD) as its authentication system, and
there are a few limitations. For example, you only have four basic options when it comes to what
type of additional authentication factor users can use: Microsoft Authenticator, SMS, Voice and
OAuth Token. You also might have to spend more on licensing depending on the types of options
you want available and whether or not you want to control exactly which users will need to use
MFA.

Identity as a Service (IDaaS) solutions like OneLogin offer many more MFA methods when it
comes to authentication factors, and they integrate more easily with applications outside of the
Microsoft ecosystem.

The proposed system consists of four authentication stages, two of which appear randomly for the
user to pass during the login process. To the best of our knowledge, this is a novel idea that has not
been employed before. Users begin by choosing a username and entering their full name.[1]
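
One way to draw and enforce the two random stages described above, as an added example that is not code from the cited paper. The stage names and the three-failure limit are assumptions, since the page does not specify them; the draw is made once per attempt on the server, so failing a stage does not produce a different pair.

```python
import secrets

# Hypothetical stage names: the page says there are four stages but does not name them.
STAGES = ("password", "otp", "security_question", "image_pattern")
_rng = secrets.SystemRandom()  # CSPRNG, so the draw cannot be predicted


class LoginAttempt:
    """Server-side state for one login: which two stages were drawn, which passed."""

    MAX_FAILURES = 3  # assumed lockout threshold

    def __init__(self, username):
        self.username = username
        # Drawn once and kept server-side; a failed stage never triggers a re-draw.
        self.required = tuple(_rng.sample(STAGES, 2))
        self.passed = set()
        self.failures = 0

    def submit(self, stage, ok):
        """Record the verifier's result for one stage and return the attempt status."""
        if self.failures >= self.MAX_FAILURES:
            return "locked"
        if stage not in self.required:
            # The client answered a stage it was not asked for.
            self.failures += 1
            return "rejected"
        if not ok:
            self.failures += 1
            return "locked" if self.failures >= self.MAX_FAILURES else "retry"
        self.passed.add(stage)
        return "authenticated" if self.passed == set(self.required) else "continue"


if __name__ == "__main__":
    attempt = LoginAttempt("alice")
    print("stages drawn:", attempt.required)
    for stage in attempt.required:
        print(stage, "->", attempt.submit(stage, ok=True))
```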

3. Multi-Factor Authentication Software


LastPass

LastPass is a password management solution for consumers and businesses that allows users to store
their passwords in a digital vault. It uses single sign-on with password vaulting to protect users’
passwords. Users can save the websites into which they log in frequently. They can also import
websites from their email accounts or other password manager tools.

Okta

Okta Identity Suite is a cloud-based identity management solution that caters to businesses across
various industries such as information technology (IT), consumer services, energy and utilities,
telecommunications and more. Key features include access request management, account
management, compliance management, user provisioning and multi-factor authentication.

Okta’s lifecycle management functionality enables businesses to automate their workflows and
operations for external and internal users. Businesses are also provided with a universal directory that
helps them to manage multiple devices, users, applications and APIs.

Duo Security

Duo Security is a cloud-based identity management and data security platform. It helps protect the
data of organizations at scale. It also helps users reduce management overheads, enabling
organizations to handle agility, reduce risk and improve end-user productivity and experience. Duo
Security first confirms user identities and then improves visibility into access activities.

OneLogin

OneLogin is a cloud-based identity and access management solution that helps users control access to
facilities, web applications, data centers, cloud storage and more.

Auth0

Auth0 is a cloud-based identity management platform, which helps small to large businesses provide
secure data access to users and detect anomalies or password leaks during logins. Features include
single sign-on, multi-factor authentication, account linking, and log retention and streaming.

Ping Identity

Ping Identity is a cloud-based identity and access management solution that helps enterprises provide
secure access to APIs, networks, cloud/on-premise applications, and other corporate resources. The
artificial intelligence (AI)-enabled platform automatically tracks, detects and blocks unauthorized
activities to ensure compliance with regulatory guidelines.

Privileged Access Security Solution

CyberArk Privilege is designed to help businesses across the banking, federal, insurance and healthcare
industries control access for administrative and privileged accounts. The application enables
organizations to reduce information leaks, assess risks and generate custom reports via a unified
platform.

4. Applications

• Widely Deployed MFA Sensors/Sources

Today, identification and authentication for accessing sensitive data is one of the primary use cases
for MFA. We further list the factors already available for MFA use without acquiring
additional specialized equipment. [2]

• Password Protection

The conventional way to authenticate a user is to request a PIN code, password, etc. The secret
passphrase traditionally represents a knowledge factor. It requires only a simple input device (at least one
button) to authenticate the user. [2]

• Token Presence

The password could then be supplemented with a physical token, for example a card, which is
recommended as a second factor group: ownership. From the hardware perspective, a user may
present a smartcard, phone, wearable device, etc., which are more complicated to delegate. In this
case, the system should be equipped with a radio interface allowing for two-way communication with
the token. On the other hand, the most widely known software token is a one-time, software-generated
password. The main drawback of the above is the problem of uncontrollable duplication.

• Voice Biometrics

Most of the contemporary smart electronic devices are equipped with a microphone that allows
utilizing voice recognition as a factor for MFA. At the same time, the technology advancement of
tomorrow may allow special agencies not only to recognize the speakers but also to mimic their voices
including the intonation, timbre, etc., which is a serious drawback of utilizing voice as a primary
authentication method. [2]

• Facial Recognition

As the next step, facial recognition could be considered. At the beginning of its development, the
technology was based on landmark picture analysis, which was relatively simple to defeat by
supplying the system with a photo. The next phase enabled three-dimensional face
recognition, i.e., asking the user to move their head in a specific manner during the authentication
process. Finally, the advancement of this system reached the point of recognizing the actual
expressions of the user. To enable facial recognition, it is required to equip the system with at least one
output device and a camera.

• Ocular-Based Methodology

Iris recognition techniques have been on the market for more than 20 years. This approach does not
require the user to be close to the capture device while analyzing the color pattern of the human eye.
Retina analysis is another attractive technique. Here, a thin tissue composed of neural cells that are
located in the posterior portion of the eye is captured and analyzed. Because of the complex structure
of the capillaries that supply the retina with blood, each person’s retina is unique. The most prominent
challenges in those methods are the need for a high-quality capture device and a robust mathematical
technique to analyze the image.

• Hand Geometry

Some systems employ the analysis of the physical shape of a hand to authenticate the user. Initially,
pegs were utilized to validate the subject, but the usability of such methods was low. Further on, the
flatbed scanner was used to obtain the image without the need to fix the user’s hand in one specific
position. Today, some systems utilize conventional cameras not requiring close contact with the
capture surface. This approach is, however, not very robust to the environment. Some vendors apply
so-called photoplethysmography (PPG) to determine whether a wearable device (e.g., a smart watch)
is currently on its user’s wrist or not. The process is similar to the one followed when measuring heart
rate.

• Vein Recognition

The advances in fingerprint scanners offer an opportunity to collect the vein picture of the finger as
well. More complicated devices utilize palm print recognition to acquire and store the
shape/movement of the entire hand. At the current stage of development, vein biometrics is still
vulnerable to spoofing attacks. [2]

• Fingerprint Scanner

Using a fingerprint scanner as the primary authentication mechanism is currently being pushed by the
majority of smartphone/personal computer vendors. This solution is intuitive to use but remains
extremely simple to fabricate, mainly due to the fact that our fingerprints could be obtained from
almost anything we touch. The integration potential of this method is indeed high [108], even though it
is also not recommended to be used as a standalone authentication approach. Most of the smartphone
vendors install an additional camera to obtain the fingerprint instead of safer vein recognition. [2]

• Thermal Image Recognition

Similarly to vein recognition, a thermal sensor is utilized to reconstruct the unique thermal image of
one’s body blood flow in proximity. Many challenges with this authentication method may arise due
to the user's condition: sickness or emotion may significantly influence the perceived figures. [2]

5. Advantage

Why Are LDAP and Active Directory Important?

For managed services providers, it might be obvious why LDAP and Active Directory are so
important, but if you’re new to this space, here’s why you need to think carefully about how to use
them effectively.

Active Directory is part of the security layer for your IT systems, and LDAP is a core part of how AD
works. This means both pieces are critical for keeping your IT environment secure.

Active Directory is the part of your system designed to provide a directory service for user
management. It helps you manage and control all the devices on your network, including computers,
printers, services, and mobile devices, and the users who engage with the devices. You can assign
privileges to each user or group of users to allow them access to the objects (devices) or information
contained in Active Directory.

Active Directory authentication is important because access to information in the directory can make
or break system security, and directory services are essentially a phonebook for everything your
organization holds in terms of information and devices.

Directory server and LDAP integration is critical to these services functioning
appropriately and securely. With LDAP, users can access the information they need in AD to do their
jobs effectively. To configure LDAP correctly, you need to understand what authentication processes
you need, how users will be searching the systems, and where your security and information needs lie.

Due to the critical role of Active Directory in your IT environment, it can be a target for hackers and
malicious actors who want to breach your security systems. If a single high-level or high-access
account is accessed, you risk the exposure of sensitive data such as files and information, or passwords
for other accounts. LDAP is a key to protection in Active Directory because it provides the
authentication piece of the whole operation.

• Increases Security

By requiring users to provide multiple credentials prior to accessing accounts, hackers are
prevented from using stolen passwords, devices, or other individual pieces of information
to enter your network. A recent Ping Identity survey revealed that security and IT
professionals consider multi-factor authentication to be the most effective security
control to have in place for protecting on premises and public cloud data.

• Reduces Risk from Compromised Passwords


While passwords are the most common form of authentication, they are the least secure.
People may reuse or share passwords, which can also be stolen or guessed, leading to
exposure for account holders and system administrators. A 2021 Verizon Data Breach
Investigations Report found that 61 percent of breaches in 2020 were executed using
unauthorized credentials.

• Customizable Security Solution

Each authentication factor offers multiple options, providing enterprises with the ability
to customize the user experience to meet their needs. For example, users might have
access to fingerprint scanners on their smartphones, but not retinal or voice recognition
scanners. Two factors may be sufficient for some use cases, while others may require all
three authentication factors.

• Compatible with Single Sign-On (SSO)


MFA can be embedded into applications and integrated with single sign-on. Users no
longer have to create multiple unique passwords or make the risky choice of reusing the
same password for different applications when logging in. Together with SSO, MFA
reduces friction while verifying the user’s identity, which saves time and improves
productivity.

• Scalable for Changing User Bases

Multi-factor authentication easily adapts to your business needs. MFA can be set up for all
users, including employees, customers and partners. Single sign-on combined with MFA
eliminates the need for multiple passwords, streamlines the login process, improves the user
experience, and reduces the number of calls to IT departments for password assistance.

6. Limitations
i. Extra-strong passwords must be enforced. If an SSO account is cracked, others under the
same authentication can also be endangered.

ii. When SSO is down, access to all connected sites is stopped. This is a big reason to exercise
great care in choosing an SSO system. It must be exceptionally reliable and plans should be in
place for dealing with breakdowns.

iii. What’s more, when your identity provider goes down, your SSO does too. The provider’s
vulnerability to any kind of interruption becomes your vulnerability as well, and it is probably
beyond your control. Once again, the choice of vendors is critical.

iv. If a hacker breaches your identity provider user account, all your linked systems could be
open to attack. This can be a classic single point of failure and should be headed off in the
planning process. On the plus side, high-quality identity providers have top-notch security.

v. SSO can take longer than expected to set up. Each environment is different, so added steps
in implementation can crop up. One example is the task of linking the identity provider to the
service provider.

vi. SSO is risky for multi-user computers. What happens when one user is logged in and
another needs to use the machine?

vii. Reduced sign-on (RSO) may be needed to accommodate different levels of access. With
RSO, additional authentication servers may be required.

viii. SSO using social networking services can create conflict. This can be the case with
workplaces that block social media sites and government connections where censorship is
involved.

7. References
1. M. Aldwairi and S. Aldhanhani, “Multi-Factor Authentication System Multi-Factor
Authentication System,” Am. Sci. Publ., no. August, 2017.
2. A. Ometov, S. Bezzateev, N. Mäkitalo, S. Andreev, T. Mikkonen, and Y. Koucheryavy,
“Multi-factor authentication: A survey,” Cryptography, vol. 2, no. 1, pp. 1–31, 2018, doi:
10.3390/cryptography2010001.
3. M. Aldwairi and S. Aldhanhani, “Multi-Factor Authentication System Multi-Factor
Authentication System,” Am. Sci. Publ., 2017.
4. Zelleke, L. (2021, December 17). 7 Best Ransomware Protection Tools. Retrieved from
comparitech: https://www.comparitech.com/net-admin/ransomware-protection-tools/
5. Malik, Z. (2021, October 18). 8 Benefits of Multi-Factor Authentication (MFA). Retrieved
from pingidentity: https://www.pingidentity.com/en/company/blog/posts/2021/eight-benefits-mfa.html
6. Sobers, R. (2016, July 13). The Difference Between Active Directory and LDAP. Retrieved
from varonis: https://www.varonis.com/blog/the-difference-between-active-directory-and-ldap
