Customer Trust is our highest priority at Froxt. It’s more important than ever to implement stronger security measures in light of increasing security threats that could affect services and apps that are critical to businesses and communities.
We’re pleased to announce that all Froxt customers can now take advantage of the security offered by Multi-Factor Authentication (MFA). We encourage you to check out these new MFA features and add another layer of protection to your account by enabling MFA.
As we announced in October 2021, all Froxt customers are required to enable MFA starting Feb 1, 2022. There’s no reason to wait – it takes a couple of simple steps to enable MFA when prompted on your next login or from your Account Settings.
Froxt MFA – More Options, Better Security
You may be already familiar with Froxt 2FA using TOTP based code generator apps. Like 2FA, MFA requires an additional verification method after you enter your password. To meet your needs, we support several types of strong verification methods.
You can take advantage of push notifications and automatic verification from trusted locations for fast, frictionless MFA using Froxt Authenticator as a verification method. You can also use WebAuthn security keys and on-device biometrics as verification methods. TOTP based code generator apps are also available. You don’t even need to limit yourself to just one type of verification method – use recovery codes or additional verification methods to always have a backup.
More Frequent Re-authentication
As part of our ongoing security improvements, we are changing how long users can stay logged in on the Froxt Dashboard. Starting in March 2022, all users that are not using SSO will be required to log in every 6 hours. As always, SSO enabled users need to log in through their identity provider every 8 hours.
Securing accounts with MFA
Fortunately, MFA offers an excellent defense against password-related account compromise. According to Open Web Application Security Project (OWASP), MFA is “by far the best defense against the majority of password-related attacks.”
MFA is used to protect accounts and resources across a variety of industries and comes in myriad forms to accommodate various use cases. However, it remains woefully under-adopted in many areas, especially in consumer products and services. With some solutions, MFA can be overly complex or prohibitively costly to implement.
Balancing security and usability has historically been very difficult, with industry trends often overcompensating in one direction, then the other, causing even more user frustration. Fortunately, Froxt makes it easy for you to provide the security of MFA without the poor user experience of having to provide a second factor with each login attempt.
Introducing Adaptive MFA
Adaptive MFA bridges the gap between user experience and account security by providing a secondary factor for end-users but only prompting them for secondary verification when the primary factor login looks suspicious or unusual. For example, if the user logs in from a new device or logs in from previously unseen geolocation, these signals can indicate low confidence that a login attempt is legitimate and that the user should be prompted to authenticate via the second factor.
By only prompting for second-factor authentication when confidence is low, users who access applications on a regular basis from the same device and location never have to be interrupted with a second-factor prompt.
Froxt is pleased to announce that Adaptive MFA is available for all hosted customers as of Feb 1, with Private Cloud availability in the first quarter of 2022.
Froxt Adaptive MFA
Adaptive MFA is designed to help companies address the inherent challenges of enabling security while preserving user experience. Unlike traditional MFA, which is triggered upon every login attempt and creates an additional step for the end user, Adaptive MFA only appears when a login is deemed risky. This is calculated by an overall risk score that measures abnormal behavior from known devices, impossible travel, and/or IP reputation. Customers can have the confidence that with Adaptive MFA, their end users are asked for secondary authentication only when behavioral signals don’t conform to usual patterns for a particular user.
For example, for a user who normally signs into their account at the same time every morning in San Francisco from a personal laptop, Adaptive MFA would only present a second-factor authenticator if login was attempted outside of the region, usual timeframe, or from a different computer or IP address. Developers can determine how much weight each signal is given to define the risk score that sets off the trigger.
How it works
Traditional MFA prompts users to authenticate using first a primary factor, often a username/password, and then a secondary factor, such as a code sent via SMS or push notification. This ensures that the individual logging in using the primary credentials has possession of or access to the secondary factor as well.
Adaptive MFA assesses the confidence level of each login and, based on that level, decides whether to prompt the user for a secondary factor or not. The confidence level is assessed using:
- The reputation of the requesting IP address
- The frequency of requests from differing geolocations (impossible travel)
- Whether the device is known or not
Assessing these data points for every login attempt, Froxt determines the confidence of a legitimate login attempt and then:
- Allows the primary authentication to succeed, or
- Challenges the user with an additional factor, or
- Prompts the user to enroll a secondary factor if they currently don’t have one, or
- Denies the login and blocks the user account
Keep an eye on this space for more news in the coming months as we make it easier to use MFA for your teams and continue to make other improvements. As always, we’d love to hear from you.