10 Considerations When Selecting a Workforce Authenticator App
There are many options available for employees to sign in to business applications and services using mobile device-based authenticator apps. We’ve prepared this list of the top 10 things to look for when evaluating which one to go with for your organization.
Use Cases Supported: Multi-factor authentication (MFA) and passwordless login are the two main uses for authenticator apps. In MFA the user still enters a password and the app supplies the second factor. Passwordless removes the password entirely: possession of the enrolled mobile device (something you have) is combined with a fingerprint, face scan or device PIN that unlocks it (something you are or know), so the user is still validated with two separate factors, which is what 2-factor authentication (2FA) means. We strongly recommend solutions that support passwordless, because it removes the credential that is most often phished, reused and stuffed; the benefit is greatest when the passwordless flow is phishing-resistant, i.e. the authenticator cryptographically binds the login to the genuine site or system rather than relying on the user to spot a fake.
Supported Systems, Services and Platforms: The authenticator app needs to support the operating systems, platforms, and services commonly used in enterprise environments including Windows, Macs, virtual desktops, VPNs, cloud services, and on-premises web applications.
Authentication Methods: The authenticator app should support a wide range of common authentication techniques for the user. At a minimum it should support push notifications to the mobile device (both alerted and silent), biometric authenticators like fingerprint and facial recognition, mobile-app-initiated login, QR codes, soft tokens (time-based one-time codes), and one-time challenge-response codes. For push, look for number matching or an equivalent control that prevents a user from approving a prompt they did not initiate; plain approve/deny push is the target of push-fatigue attacks, where an attacker who already has the password spams prompts until one is accepted.
Offline Mode: For situations where either the mobile or the target system is offline, such as on an airplane or when the mobile has no service, the authenticator must still operate and do so securely. Some solutions use a pre-generated set of one-time codes held by both devices, which is a shared secret: if either side is compromised the codes can be read, they run out if you log in offline too many times, and a separate set must be synchronized to every system that needs to be accessed. To get around this you need a solution built on public key cryptography with rolling keys. The target system stores only the user's public key and verifies a signature over a fresh random challenge, so there is no shared secret to steal from the target, no counter to exhaust, and the user can sign in to any system they are authorized for as many times as needed.
Windows and Mac Biometrics: An authenticator app is great, but what if the user doesn't have the mobile device with them, or it malfunctions? Modern Windows and Mac devices offer built-in biometrics such as fingerprint and facial recognition (Windows Hello, Touch ID) that can authenticate the user without the mobile app, with the key material held in the machine's TPM or Secure Enclave. This is becoming increasingly common, and any solution you choose should support it and offer users a choice of which device to authenticate with.
FIDO2 Support: In situations where the mobile device isn’t permitted or can’t be used, FIDO2 compliant solutions support the use of USB or Bluetooth hardware-based security keys such as Google Titan or YubiKey. If this is a need for your organization, you must ensure the solution supports FIDO2 to the workstation in both online and offline modes.
Risk-Based Authentication: The concepts of zero-trust and Gartner’s CARTA framework are being more broadly adopted by enterprise organizations. Using real-time risk detection, automated policies can be employed to increase or decrease friction based on the user and device trust level. Solutions lacking real-time trust management will quickly become outdated.
Flexibility with an SDK: An authenticator can be provided by the vendor as a standalone app you download from the iOS App Store or Google Play, or as an SDK you integrate into a corporate mobile application you already have. An SDK allows you to customize the authenticator experience to meet your specific requirements, but it also means the authenticator inherits the security posture of the host app, so check that the SDK still stores keys in the device's hardware-backed keystore and performs its own integrity and jailbreak/root checks rather than trusting the host app to do so.
Support for Centralized Authentication: A mobile app with biometrics is a great authentication method, but there are scenarios where it can't be used, such as when a remote user needs to enroll a replacement for a lost or stolen device. Features like centralized voice biometrics and OTP over SMS are needed for these special situations. Treat them strictly as recovery paths with additional identity verification and logging, not as everyday factors: SMS OTP in particular is exposed to SIM-swap and SS7 interception, and a weak recovery path becomes the attacker's preferred way around a strong primary one.
Key Security: Combined with the authenticator app, the mobile device becomes a highly sensitive security element that holds the user's private cryptographic keys. Those keys should be generated and kept inside the device's hardware-backed keystore (Secure Enclave on iOS, Android Keystore/StrongBox) so they cannot be exported even from a rooted device, and they should be rolled automatically on a periodic basis. Rotation does not prevent theft, but it bounds how long a stolen or cloned key remains usable and forces an attacker to keep up with the device. This is a mandatory requirement for most enterprise organizations.
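To make the "Offline Mode" and "Key Security" points concrete, here is an added example (written for this page, not code from any vendor's authenticator) of an offline challenge-response between a phone and a workstation using Ed25519 from Go's standard library. The workstation stores only the user's public key and a set of outstanding challenges; the phone signs a fresh challenge bound to the target's identity, and a signed rollover record lets the phone retire a key and enroll its successor without any shared secret. The key IDs, the `auth-v1`/`rollover-v1` message framing and the target names are assumptions made for the illustration; a real implementation would keep the private key in the device's hardware keystore rather than in process memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Response is what the phone hands back to the workstation, e.g. as a QR
// code or over Bluetooth when neither side has network access.
type Response struct {
	KeyID     string // which enrolled key produced the signature
	Challenge []byte
	Signature []byte
}

// RolloverRecord enrolls a new public key, vouched for by the key it replaces.
type RolloverRecord struct {
	OldKeyID  string
	NewKeyID  string
	NewPub    ed25519.PublicKey
	Signature []byte
}

// Authenticator is the phone side. The private key never leaves the device
// (assumed here to live in memory; in production, in Secure Enclave/StrongBox).
type Authenticator struct {
	keyID string
	priv  ed25519.PrivateKey
}

func NewAuthenticator(keyID string) (*Authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{keyID: keyID, priv: priv}, nil
}

func (a *Authenticator) PublicKey() ed25519.PublicKey {
	return a.priv.Public().(ed25519.PublicKey)
}

// message binds the challenge to the target so a response captured for one
// system cannot be replayed against another (assumed framing).
func message(target string, challenge []byte) []byte {
	return append([]byte("auth-v1|"+target+"|"), challenge...)
}

func rolloverMessage(r *RolloverRecord) []byte {
	return append([]byte("rollover-v1|"+r.OldKeyID+"|"+r.NewKeyID+"|"), r.NewPub...)
}

// Respond signs the challenge; no network or shared secret is involved.
func (a *Authenticator) Respond(target string, challenge []byte) Response {
	return Response{KeyID: a.keyID, Challenge: challenge,
		Signature: ed25519.Sign(a.priv, message(target, challenge))}
}

// Rotate generates a fresh key pair, signs its public half with the old key
// and then discards the old private key (the "rolling keys" requirement).
func (a *Authenticator) Rotate(newKeyID string) (*RolloverRecord, error) {
	newPub, newPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rec := &RolloverRecord{OldKeyID: a.keyID, NewKeyID: newKeyID, NewPub: newPub}
	rec.Signature = ed25519.Sign(a.priv, rolloverMessage(rec))
	a.keyID, a.priv = newKeyID, newPriv
	return rec, nil
}

// Verifier is the target system (workstation, VPN, ...). It holds only the
// user's public key, so compromising it yields nothing that impersonates the user.
type Verifier struct {
	target  string
	keyID   string
	pub     ed25519.PublicKey
	pending map[string]bool // challenges issued and not yet consumed
}

func NewVerifier(target, keyID string, pub ed25519.PublicKey) *Verifier {
	return &Verifier{target: target, keyID: keyID, pub: pub, pending: map[string]bool{}}
}

var (
	ErrUnknownChallenge = errors.New("challenge not issued or already used")
	ErrWrongKey         = errors.New("signed by a key that is not enrolled")
	ErrBadSignature     = errors.New("signature does not verify")
)

// Challenge issues a fresh 256-bit nonce; it only has to reach the phone.
func (v *Verifier) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	v.pending[string(c)] = true
	return c, nil
}

// Verify consumes the challenge first (single use, so no replay) and then
// checks that the enrolled key signed it for this target.
func (v *Verifier) Verify(r Response) error {
	if !v.pending[string(r.Challenge)] {
		return ErrUnknownChallenge
	}
	delete(v.pending, string(r.Challenge))
	if r.KeyID != v.keyID {
		return ErrWrongKey
	}
	if !ed25519.Verify(v.pub, message(v.target, r.Challenge), r.Signature) {
		return ErrBadSignature
	}
	return nil
}

// AcceptRollover installs a new key only if the currently trusted key vouches for it.
func (v *Verifier) AcceptRollover(rec *RolloverRecord) error {
	if rec.OldKeyID != v.keyID {
		return ErrWrongKey
	}
	if len(rec.NewPub) != ed25519.PublicKeySize ||
		!ed25519.Verify(v.pub, rolloverMessage(rec), rec.Signature) {
		return ErrBadSignature
	}
	v.keyID, v.pub = rec.NewKeyID, rec.NewPub
	return nil
}

func main() {
	phone, _ := NewAuthenticator("k1")
	laptop := NewVerifier("laptop-7", "k1", phone.PublicKey())
	c, _ := laptop.Challenge()
	fmt.Println("first use:", laptop.Verify(phone.Respond("laptop-7", c)))
	fmt.Println("replay:   ", laptop.Verify(phone.Respond("laptop-7", c)))
	rec, _ := phone.Rotate("k2")
	fmt.Println("rollover: ", laptop.AcceptRollover(rec))
}
```

Note what the verifier never holds: a secret that could be lifted from the workstation and used to impersonate the user, or a code list that can be exhausted. Each challenge is consumed on first use whether or not the signature checks out, and a rollover signed by anything other than the currently enrolled key is rejected, which is what stops an attacker from "rotating in" a key of their own.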