Case Study

Multi-factor Authentication (MFA): The Key to Advanced Cybersecurity

Scenario

Multi-factor authentication (MFA) is a security system that requires users to verify their identity using two or more distinct factors. These factors are divided into: something you know (like a password), something you have (such as a smartphone or hardware token), and something you are (such as a fingerprint or facial recognition).

Without MFA an account is only as strong as its password, which leaves it exposed to phishing, brute-force and password-spraying attacks, and credential theft. A single factor such as a password is easily defeated when it is weak, reused or leaked, and the consequences can be data breaches, theft of sensitive information, financial losses and reputational damage for businesses and users alike. MFA also underpins other controls: access logging, privilege separation and network segmentation all assume that the account being used really belongs to the person using it, so without MFA their effectiveness drops considerably and large gaps remain in the protection perimeter.


Credential Compromise: A Widespread Issue

According to recent studies, 76% of organizations experienced more than one credential-compromise incident in the previous 12 months, confirming that breaches frequently begin with lost or stolen credentials. In most of these cases the attackers did not need sophisticated intrusion techniques: they simply logged in with weak or compromised credentials and used the legitimate access they obtained to reach company resources.

Barriers to MFA adoption: challenges and critical issues

Despite being recognized as one of the most effective controls for protecting digital identities, multi-factor authentication (MFA) is still not widely adopted: currently only 62% of organizations make MFA mandatory for their entire workforce. The reasons for this gap vary:

  • Budget limitations for smaller companies.

  • Lack of technical expertise in configuring and managing a secure authentication system.

  • Concerns about productivity and usability for end users.

Context

Article 21(2)(j) of the NIS2 Directive lists the use of multi-factor authentication or continuous authentication solutions among the minimum cybersecurity risk-management measures that essential and important entities must adopt to mitigate the risk of unauthorized access and ensure a high level of cybersecurity. For these entities MFA is therefore not merely an opportunity but an obligation imposed by the regulation, which underlines the importance of adopting advanced security measures against growing cybersecurity threats.

In a rapidly evolving digital world, increasingly exposed to sophisticated threats, implementing MFA is a strategic choice to protect sensitive data and strengthen the trust of customers and stakeholders.

The proactive adoption of this solution significantly reduces the risk of unauthorized access, while ensuring operational continuity and compliance with the highest security standards.

In addition to being a technical measure, MFA provides a competitive advantage for organizations that integrate it in a structured way within their operational practices. This approach allows for the protection of business systems without compromising the user experience, playing a crucial role in the path toward secure digitalization and compliance with current regulations.

Use Cases

For a leading client in the energy sector, which as such is an essential entity under NIS2, with a complex network infrastructure of thousands of devices, an advanced multi-factor authentication (MFA) solution was identified and demonstrated. The main objective was to secure and centralize access management for the network devices. The solution integrates with the client's existing AAA server, which verifies the credentials and assigns privileges (the first factor), and then requires a second factor before granting access to the devices over the CLI (SSH) or the GUI (HTTP/HTTPS).

A crucial aspect of the solution is its session management: once the second factor has been verified it is not requested again for a configurable period, even when the operator logs in to other devices. This keeps the protection in place while preserving operational efficiency, especially for operational teams that need simultaneous access to many devices. In troubleshooting, where timely fault resolution is critical, the ability to open several parallel sessions without re-entering the second factor speeds up intervention, minimizes downtime and preserves the operational continuity of the critical infrastructure. The length of the window is a deliberate security trade-off, because while it is open a valid password alone grants access to any device; it should therefore be sized to the client's risk tolerance and it should be possible to close it early for a given user.

Moreover, the solution is designed so that the second factor can still be verified when the user's device has no IP or telephone connectivity, so authentication keeps working in isolated environments and over unstable links.

Solution

The architecture of the proposed solution, shown in Figure 1, is hybrid, combining on-premise and cloud components to provide the flexibility and scalability the client needs. The main on-premise component, the RADIUS gateway, runs in a virtualized environment inside the client's infrastructure and sits between the AAA server and the MFA platform. It first delegates verification of the first factor to the AAA server, which authenticates the user either against credentials stored in its local database or by forwarding the request to an external directory, such as an LDAP server or another identity management system already in use at the client. Only once the first factor has been accepted does the RADIUS gateway forward the request for the second factor (2FA) to the MFA platform, so the second factor is requested only for a password that has already been verified.

The core of the MFA solution includes an advanced orchestration platform that allows for the creation and management of authentication and authorization flows in a simple and customized way.

The platform lets administrators build, manage and customize the processes that govern how users access applications, prove their identity and interact with business systems, without complex coding: flows are assembled in a visual dashboard by connecting graphical "blocks". Within the dedicated two-factor authentication flow the orchestrator sends a push notification to the user's mobile device and, on approval, an adaptive policy activates a session cache (for example 4 hours) so that the user is not asked for the second factor again for that period, even when accessing different network devices. When the orchestrator receives an authentication request for a user whose cache entry is still valid, it immediately returns an Access-Accept to the RADIUS gateway, and the operator reaches the device with the password alone. Two points follow: the cache is keyed on the authenticated user, not on anything the device-side session could carry, and while it is valid the password alone is sufficient, so the window length and the ability to revoke an entry are security settings rather than conveniences.

The main challenge

The main challenge was to identify a market-leading vendor capable of fully meeting the client's security and operational requirements, in particular the persistence of the second factor across RADIUS/TACACS+ authentications for SSH access. This point is critical because each Access-Request (RADIUS) or authentication exchange (TACACS+) is, by design, handled independently: the network device presents no token or cookie on which a cache or session mechanism could rely, so any caching has to be implemented on the authentication side without weakening security.

Many solutions currently available do not properly handle session storage in these cases, forcing users to repeatedly enter the second authentication factor too frequently, thereby compromising the user experience. In fact, most products on the market implement authentication state storage mechanisms for HTTPS access using cookies, session tokens, and Single Sign-On (SSO) methodologies based on protocols such as SAML or OAuth2.

In enterprise environments, Single Sign-On (SSO) based on protocols like SAML or OAuth2 is used to simplify access to corporate resources without requiring repeated credential input.

For example, an employee logging into the corporate VPN with their business account can automatically gain access to instant messaging, webmail and SharePoint without authenticating again. This works because the central authentication system issues a token valid for multiple federated applications, which improves security and operational efficiency while reducing the number of authentication prompts. These approaches do not transfer to SSH access authenticated via RADIUS or TACACS+, however: the network device has no browser session in which to store a cookie or token, and every request it sends to the AAA infrastructure is independent and stateless. For this reason our research focused on technologies that, in addition to ensuring security and compliance in data protection, handle second-factor persistence for access methods other than HTTPS.
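As an added example, not code from the original page, the vendor or Net Reply, the following Python model runs through the flow described in the Solution section and makes the point of this section concrete: a RADIUS gateway checks the first factor against a constructed, in-memory AAA server, asks an injectable push callback for the second factor, caches the approval per user for a configurable window, and answers Access-Accept without a push while the window is open, so the network device never has to present a token. The packet dicts, the `noc-operator` account, the fake clock and the push callback are constructed for the example; the Service-Type and Cisco-AVPair attributes in the reply are illustrative of what an Access-Accept for device access typically carries, not a statement about the client's configuration.

```python
"""Model of the RADIUS-gateway flow with a per-user second-factor cache.

Constructed illustration, not the vendor's or Net Reply's code. RADIUS packets are
plain dicts, the AAA server is an in-memory credential store, and the orchestrator's
push notification is an injectable callable, so everything runs offline.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

ACCESS_ACCEPT = "Access-Accept"   # RADIUS code 2
ACCESS_REJECT = "Access-Reject"   # RADIUS code 3


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AAAServer:
    """Stand-in for the client's AAA server: verifies the first factor and returns
    the privilege level it would hand back to the network device."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes, int]] = {}

    def add_user(self, username: str, password: str, priv_level: int) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _pbkdf2(password, salt), priv_level)

    def check(self, username: str, password: str) -> Optional[int]:
        rec = self._users.get(username)
        if rec is None:
            _pbkdf2(password, b"\x00" * 16)   # same cost for unknown users (no username oracle)
            return None
        salt, digest, priv = rec
        return priv if hmac.compare_digest(digest, _pbkdf2(password, salt)) else None


@dataclass
class RadiusGateway:
    """On-premise intermediary: first factor via the AAA server, second factor via the
    orchestrator, with the orchestrator's per-user cache modelled in-process."""
    aaa: AAAServer
    push_approve: Callable[[str], bool]        # orchestrator push notification (simulated)
    cache_ttl: float = 4 * 3600                # second-factor cache window in seconds
    clock: Callable[[], float] = time.time     # injectable so expiry can be exercised
    _cache: Dict[str, float] = field(default_factory=dict)   # username -> expiry time

    def handle_access_request(self, packet: dict) -> dict:
        user = packet["User-Name"]
        priv = self.aaa.check(user, packet["User-Password"])
        if priv is None:
            # The second factor is never triggered for a failed password.
            return {"Code": ACCESS_REJECT, "Reply-Message": "first factor failed"}
        now = self.clock()
        if user in self._cache and now < self._cache[user]:
            return self._accept(priv)          # cache hit: Access-Accept without a push
        self._cache.pop(user, None)            # drop an expired entry
        if not self.push_approve(user):
            return {"Code": ACCESS_REJECT, "Reply-Message": "second factor denied"}
        self._cache[user] = now + self.cache_ttl
        return self._accept(priv)

    def revoke(self, user: str) -> None:
        """Close the window early, e.g. when the operator reports a lost phone."""
        self._cache.pop(user, None)

    @staticmethod
    def _accept(priv: int) -> dict:
        # Illustrative attributes: Cisco-AVPair shell:priv-lvl carries the privilege level.
        return {"Code": ACCESS_ACCEPT, "Service-Type": "NAS-Prompt-User",
                "Cisco-AVPair": f"shell:priv-lvl={priv}"}


def demo() -> Tuple[List[str], int]:
    """Two devices inside the window, a wrong password, then a login after expiry.
    Returns the RADIUS reply codes and how many pushes the operator had to approve."""
    aaa = AAAServer()
    aaa.add_user("noc-operator", "correct horse battery staple", 15)   # constructed account
    pushes: List[str] = []

    def approve(user: str) -> bool:            # the operator taps "approve" on every push
        pushes.append(user)
        return True

    now = [1_700_000_000.0]                    # fake clock, advanced by hand
    gw = RadiusGateway(aaa, approve, cache_ttl=4 * 3600, clock=lambda: now[0])

    def req(password: str, nas: str) -> dict:
        return {"User-Name": "noc-operator", "User-Password": password, "NAS-IP-Address": nas}

    codes = [gw.handle_access_request(req("correct horse battery staple", "10.0.0.1"))["Code"],
             gw.handle_access_request(req("correct horse battery staple", "10.0.0.2"))["Code"],
             gw.handle_access_request(req("wrong password", "10.0.0.2"))["Code"]]
    now[0] += 4 * 3600 + 1                     # the window has elapsed
    codes.append(gw.handle_access_request(req("correct horse battery staple", "10.0.0.1"))["Code"])
    return codes, len(pushes)


if __name__ == "__main__":
    print(demo())   # (['Access-Accept', 'Access-Accept', 'Access-Reject', 'Access-Accept'], 2)
```

What the model makes visible: the second device is reached with the password alone because the cache is keyed on the user, which is exactly what a stateless RADIUS exchange cannot carry on its own; a wrong password is rejected before any push is sent, so it neither consumes nor extends the window; and once the TTL elapses the operator is pushed again. It follows that the TTL and the revoke() path are security controls, since for the duration of the window a stolen password is sufficient.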

After a thorough scouting process, we identified the ideal vendor, whose solution stands out for its robustness, security, scalability, and full integration with the client’s infrastructure. It allows for a reduction in repeated authentication requests within a defined time window without compromising access security.

Benefits for Clients

The adoption of multi-factor authentication (MFA) offers numerous benefits for clients, improving the security and reliability of their systems. The key advantages:

  • Additional layers of verification. Even if an attacker obtains a password, without the second factor (for example an approval on the user's registered phone) they cannot access the account; the one exception is an open second-factor cache window such as the one described above, which is why that window must be kept short and revocable.

  • Protection against phishing. If a user is tricked into revealing a password, the second factor still blocks the attacker. Not all second factors resist phishing equally, though: one-time codes sent by SMS or e-mail can be captured and relayed by real-time phishing kits, whereas push approval with number matching and, above all, FIDO2/WebAuthn authenticators, which bind the credential to the legitimate origin, cannot be relayed in this way.

  • Regulatory compliance. MFA helps organizations meet regulatory requirements and industry standards, including the NIS2 measures discussed above, and demonstrates their commitment to data protection.

  • Customer trust. When customers know that an organization uses strong security measures such as MFA, their trust in the security of their personal and financial data increases.

  • Cost avoidance. MFA helps organizations avoid the substantial costs associated with incident response, legal fees, regulatory fines and reputational damage.

Our Strength

In its own laboratory, Net Reply reproduced the client's critical infrastructure and verified the effectiveness and robustness of the identified solution there. This made it possible to validate the solution without a proof-of-concept (POC) inside the client's network, saving both time and resources.

During this phase, we tested the compatibility between different components, authentication flows, and the solution's behavior in complex scenarios, including edge cases such as connectivity loss. The adopted strategy enabled us to identify and resolve any issues, ensuring that the system fully met the required security, usability, and efficiency standards.

The tests confirmed the system's ability to integrate seamlessly with the existing infrastructure, guaranteeing a reliable and smooth authentication process for end-users. Finally, the results were presented to the client, highlighting the solution's potential.

The Role of Net Reply

Net Reply played a key role as an agnostic System Integrator, providing specialized consulting and technical support throughout every phase of the project. As an expert advisor in Network Security, it conducted an in-depth analysis of the customer's security posture, identifying strengths and areas for improvement to ensure compliance with the NIS2 directive.

Based on this assessment, Net Reply designed and implemented a tailored MFA solution, integrating technologies from multiple vendors to create a hybrid, flexible architecture aligned with the highest security standards. The entire configuration was tested and validated in Net Reply’s laboratories, minimizing operational risks and optimizing integration with existing systems.

This successful use case demonstrates Net Reply’s effective approach to delivering advanced security solutions. As an agnostic consulting firm, it goes beyond offering standard solutions by thoroughly analyzing each client’s existing infrastructure to develop a customized architecture. The goal is to ensure seamless integration with current technologies while precisely addressing operational and security needs.
