Tech topics

What is NetIQ Advanced Authentication?

Illustration of IT items with focus on a laptop

Overview

A standards-based integration framework that provides a multitude of authentication methods. The framework is available as a service or on-premise and is designed to serve as a central point of integration and administration for all authentication organization wide.  To gain central point of administration and security control, organizations commonly use this framework to consolidate their authentication silo. The framework adheres to Federal Information Processing Standard (FIPS) 140-2 encryption, as well as integrates with FIDO 2 methods, all FIDO U2F devices, and OATH tokens. In addition to the server-side authentication capabilities, Advanced Authentication can work from Windows, Mac OS X, and Linux.

NetIQ powers your business

Through identity management, NetIQ helps enable their business through identity-based security. It offers a comprehensive set of identity and access services allowing workers to securely access resources from anywhere, on any device, at any location, and at the right time. NetIQ also empowers organizations to interact with their consumers effectively and securely.

Read the flyer

NetIQ Advanced Authentication

How can advanced authentication help me with MFA?

In recent years, multi-factor authentication has become commonplace across most industries. While organizations that handle regulated information need 2-factor it for compliance, its wide adoption is largely driven by high breach rates and rising digital security risks. Larger organizations turn to NetIQ Advance Authentication for reasons such as: 

  • The attraction of investing in a framework that doesn’t lock it into proprietary implementation or devices. 
  • Offers a wide variety of authentication options. The bigger the list of authentication options provided to the users, the easier it is to find a method that works well for each user’s (employee, contractor, customer, patient, citizen, etc.) situation. 
  • The framework offers a centralized reporting system of how and when each user authenticated. It simplifies both compliance reports and security audits.​​​

Because of their flexibility, large and geographically distributed organizations like the simplified deployment and administration models offered by Advanced Authentication’s Docker form factor. These containers can be configured to scale to any mix of dispersed or centralized authentication hotspots. OpenText also offers Advanced Authentication as a managed SaaS offering.


What are some common approaches to passwordless authentication?

Specifically, multi-factor authentication is the use of different methods (what you know, what you have, what you are) for a particular session, but in reality, strong authentication deployments often involve a mix and match of authentication methods. Here are some common examples: 

For password less access, services like eBay and Yahoo can be configured to be approved with a simple touch of the checkbox on their mobile apps (what you have). With their platform services, Microsoft takes a little different approach to password-less when used with their Authenticator app: 

  • Verified device – Touch finger ID (what you are) to get into Authenticator app then approve access (what you have).
  • New device – Touch finger ID (what you are) to get into Authenticator app; choose the option with the correct number displayed on the Microsoft service (what you have – mobile device and in this case it’s also the browser instance (usually desktop) accessing service, then approve access (what you have – mobile device). 

While these options offer greater protection against phishing attacks, they vary in speed and simplicity (number of steps). Based on their assessed risk and their tolerance for it, each organization can decide how many points of identity verification they want to implement. All the above options have the advantage over passwords in that they don’t require the user to remember yet another set of credentials, were a commonly replicated over the difference services the user consumes, are much harder to compromise then traditional username and password. The phone is a physical device, the fingerprint is biometric, and the OTPs are time sensitive. NetIQ Advanced Authentication supports the use cases above and much more.


What role does advanced authentication play in optimizing the usability of digital assets?

The security aspect of simplifying digital access is the balance between protecting the business and delivering to its users (employee, consumers, etc.). Ideally, what security teams want to do is match the strength is the user’s identity verification to the risk posed by the access request. The lower the risk, the less intrusive the identify verification can be. Characteristics that affect measure risk a user’s request include: 

  • The inherent risk of the information or service itself. 
  • The level of access granted to the user – super users impose significant risk on organizations when their accounts are hacked. 
  • The risk associated with the situation – such as inside the office during business hours vs halfway around the world from a hacker hotbed during the middle of the night.  
  • Expected behavior – does this user typically access this information or is this the first time?  

So, an essential component of optimizing the digital access experience is to apply different authentication strategies to different sensitive levels of the information being accessed. Negligible risk personalized content often will not require any type of identity verification. Highly sensitive information may require multiple instances of identity verification. So far, this use case involves several technologies beyond just authentication: 

  • Identity governance to measure the inherent risk of the digital content being accessed and a way to effectively manage user entitlements of them. 
  • Risk service to measure the risk associated with the context of the current access request of them. For a complete risk calculation, this service will need to incorporate resource risk information from identity governance. 
  • An authentication implementation that the risk service invokes.  

Beyond the three components listed above, the greater the number of authentication options, the easier it is to match one to the situations. Security teams can evaluate and rank each authentication type available for each risk level range. They may determine that some passive authentication types (Windows Hello, voice, type) may need to be layered for higher risk situations. Advanced Authentication is an integrated part of NetIQ’s identity and access management portfolio.


How can advanced authentication be used to build an adaptive access management environment?

You may consider the scenario described in the previous as an adaptive environment, but some organizations need an even higher security level. To reach zero trust level of security at the application and resource layers, organizations look to create a security posture where the default security behavior assumes a hostile environment. At this level, adaptive access requires the ability to measure risk throughout the user’s web session and invoke an authentication request and/or authorization change when predefined risk thresholds are reached. In addition to the criteria listed in the previous scenario, these additional metrics need to be gathered: 

  • Ability to reassess risk at each additional access request as needed (i.e., higher risk resources that merit such protection).
  • The risk engine needs to be able to gather updated context and behavioral risk information through the session.

Beyond gathering risk information throughout the session is the ability to act on it. Adaptive access management is the ability to invoke an action such as:

  • Invoke a multi-factor authentication method such as a one-time password (OTP), biometric, or even a passive method such as type matching, face or voice ID.
  • Clamp down on authorization, limiting what can be accessed or saved during that session.
  • For high-risk situations, break the session altogether.

In short, access management is the ability to recognize a threat and respond to it. The least intrusive option is to reverify or strengthen identity verification. A likely reaction to failed authentication invoked by a risk score would be to terminate the session. 


What methods and integrations does NetIQ Advanced Authentication support?

NetIQ Advanced Authentication integrates with third-party products via RADIUS, SAML, OIDC/OAuth2, ADFS, Kerberos, REST, MobileAPIs, comAPIs and native Microsoft plug-ins.

The NetIQ Advanced Authentication framework supports many methods out-of-the-box, as well as additional specialized integrations. Partners and customers also have the option to leverage AA’s SDK to configure their own integration.

Footnotes