In this video, we're going to be taking a look at a new feature in Cloud Access Manager 8.1, which is basically doing multi-factor authentication but through Defender as a service. This is a new offering. And I think it's a pretty good one for people that don't want to have an on-base or an on-premise multi-factor solution.
With this, you use Cloud Access Manager, and it makes its multi-factor authentication calls out to the cloud. So let's see it in action first.
The easiest way to do that is to hit an application that's already been configured for multi-factor authentication in Cloud Access Manager. I've already got this set up. So let's log in and take a look.
Now, the first thing you're going to notice when we get in here is that the UI for a multi-factor challenge is basically changed. I have an opportunity to enter a code from my mobile phone application, or I have push options available to me, like send an SMS, make a phone call, et cetera. And I think what we're going to do for this demo is actually send an SMS and take a look at my phone and what it looks like when we do that.
So I'm going to hit the button. We'll minimize this. Go over to my phone. And there's the message up at the top. So I'll click on that. And take a look at the code, two zero four five seven four zero.
And sure enough, it allows us in right away. Let's take another look at doing this, but this time through the voice, which is, again, kind of hard to show in a recorded video. But I think it still might be fun to listen to.
So let's click on this again. We're going to log in with a fresh session. This way we can be sure that I'll be prompted for multi-factor tokens again.
We're going to hit the basic auth. And this time I'm going to say, give me a phone call. So let's go ahead and minimize, bring this up. There's my phone ringing. See if I can put it on speaker.
Hi, this is JC subscription. If you are expecting this call, please press 1. Your token is 1 4 4 2 6 0 2. Again--
All right, that should be enough to do it. Let's see. And again, that works just fine.
So the notion here is that we don't always want to carry key fobs in our hands. We don't always want to have a message sent through SMS. This way you could even have a phone call made to your desk phone. It's a neat feature that's now available to us.
So how do you set it up? Well, to begin, we're going to go to the Defender dashboard in the cloud.
So here we are in the Defender dashboard. And we can see that I see some information about the users that have connected recently, the calls that have been made, SMS messages made. And this is basically for October.
As you can see, I haven't been too busy in my lab environment in October. Oh, it just changed. There was another authentication that came through. So we've seen the screen update in real time. That's pretty cool.
So how is this actually configured? Basically, once you get your subscription, you simply go and grab your subscription key out of this box. Now, right there is where your subscription is going to be.
Of course, in this video, I blurred it to protect certain private information from my account. Take that key, copy it, and go back in the Cloud Access Manager, where you can configure Defender as a service. Let's take a look at that.
So here, we're going to log in as the administrator. Let's go full screen. We're going to go into Authenticators and pick this one right here. This is where I have it configured.
Go to Two Factor Authentication. And here's where you see your choice. Again, we've kind of blurred out the API key.
But basically, I've made a choice right here. It says, use two factor authentication for specific applications. Again, that's a standard feature in Cloud Access Manager. We have choices here-- Don't use two factor, use it for specific applications, use it for all applications or external users only.
And again, we're not showing this in the context of the security analytics engine. All of this still works with the security analytics engine. It's just a different paradigm. And if you want to see how that works, how we do multi-factor or step-up authentication within the context of a risk engine, go check out that video.
Finally, after we make our choice, we simply choose, do we want to use a RADIUS server, like Defender, Smart Card or X509 certificates, or do we want to use Defender as a service? Then, simply put in your API key and tell me which field in your directory should I be looking for the person's phone number.
Now, this is an important feature. You don't actually prompt the user which phone do you want me to send a challenge to, because an attacker will basically say, well, send it to my cellphone. So we're assuming that in your directory you have a value that we can look at. And we can basically say, this is the number I'm going to choose. And that's the number we send out to our cloud service to do a prompt basically.
Once you've configured the stuff, you just say Finish. And you're good to go.
Remember though, that multi-factor configurations are done per authenticator. Each authenticator in Cloud Access Manager could have a different multi-factor solution.
So for instance, the one I have here doesn't have anything configured. If we go to two factor, there's nothing there. So again, to turn this on just simply choose multi-factors enabled. Tell it you're going to