
How to Implement MFA for Legacy Applications


There was a time when usernames and passwords were enough to protect software applications from unauthorized users. Then single sign-on (SSO) came along to improve security. It worked just fine when everything was behind a firewall, but in today’s distributed, hybrid and multi-cloud world, SSO on its own can’t keep bad actors out.

Applications now commonly ask for your username and password to log in and then require a second confirmation of your identity — usually by sending a code to your phone or email address. This is your standard multi-factor authentication (MFA) process (which is actually becoming substandard). 

Hackers have figured out how to mount man-in-the-middle attacks in which they intercept the one-time code that gets sent to a cell phone. Because hackers’ technologies are continually advancing, MFA technologies must constantly work to stay one step ahead.

That’s one of the reasons why Biden’s executive order on cybersecurity is such a big deal — especially if you have a legacy app that can’t use MFA.

Biden’s executive order applies to your company

President Biden’s executive order in May 2021 put federal agencies’ feet to the fire to modernize their cybersecurity defenses. Among the requirements is a mandate for true MFA technologies to be in place. Software applications can no longer get away with merely using a username and password.

But it isn’t just government organizations that need to comply with the executive order. If your company is part of the federal government supply chain — even if you’re a vendor to a company in the supply chain — you must also comply with the executive order. In fact, you could be a part of the government supply chain and not know it.

The deadline to comply with Biden’s executive order has come and gone. If you aren’t already in compliance, your company may be subject to heavy penalties and fines.

But what do you do if your legacy application isn’t designed to implement MFA technology?

MFA challenges for legacy applications

The problem for many companies is that their applications aren’t equipped to handle advanced MFA. They were developed before passwordless technologies existed, so they can’t take those kinds of demands. As a result, very few of those applications can adopt the latest MFA technologies like YubiKey or HYPR.

So, you need to make your legacy application more secure, but there’s no way to get there easily. You’re faced with some dreaded options — usually rewriting the application, or moving it over to a platform like Microsoft or Okta and using the options they provide.

If you rewrite your application to understand an MFA solution, you’re looking at hundreds of hours and thousands of dollars in labor costs. And because MFA technologies are constantly evolving, this isn’t a one-time investment. Development will most likely be a continuous cycle. It’s just not realistic.

That’s the bad news. But there’s good news, too: you have another option that’s both low on development and low on cost.

Apply MFA without touching your apps

You can pair an identity orchestration platform with your legacy application to equip it with the latest MFA technologies. You don’t need to change the application itself, you don’t have to rewrite it, and you don’t have to move it over to Microsoft or Okta.

An identity orchestration platform sits between your application and the user. It makes a policy decision at runtime: before you can reach the next thing you want to access, it redirects you to an MFA technology first. The orchestration layer determines which pages or assets are sensitive and makes policy decisions without touching the application itself.

This solution can be implemented quickly — in just hours, instead of months of development work. You always have the latest MFA solutions available to you, and you avoid being out of compliance with Biden’s executive order for a lengthy period.

Other MFA benefits through Identity Orchestration

Identity orchestration resolves additional challenges that often plague applications with built-in MFA technologies.

One common business challenge is that there isn’t a single authenticator or MFA provider that everyone likes. For example, RSA is ubiquitous in some places, while no one uses it in other regions. Your application needs various MFA technologies, based on the user. That’s too difficult to handle even with solutions like Azure and Okta.

An identity orchestration platform can do those kinds of contextual checks and support many-to-many relationships very easily.

There’s also the problem of losing your phone or another physical token. Many MFA solutions rely on devices that can be lost or stolen. Replacements take time, and that means you could be locked out of doing your work for a full day, a week, or longer. MFA can become so strong on protection that you actually lock out valid users.

But an identity orchestration platform can give you the flexibility to rely on multiple MFA options, with several recovery scenarios that allow you to keep working without interruption.
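
The runtime decision described under "Apply MFA without touching your apps" and the per-user provider choice and lost-device fallback described in this section, sketched as an added example (it is not Strata's or Maverics' code or configuration). The paths, regions, provider labels and the 15-minute freshness window are hypothetical, and the sketch assumes the proxy decodes and normalizes paths the same way the legacy application does.

```python
import posixpath
import time
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote

# All values below are hypothetical illustrations, not taken from any product.
SENSITIVE_PREFIXES = ("/payroll", "/admin")   # assets that require step-up MFA
MFA_MAX_AGE = 15 * 60                         # seconds an MFA proof stays fresh
PROVIDERS_BY_REGION = {"emea": ["hardware_key", "totp"], "amer": ["push", "totp"]}
DEFAULT_PROVIDERS = ["totp"]

@dataclass
class Session:
    user: Optional[str] = None       # set once the primary login has succeeded
    region: str = ""
    mfa_at: Optional[float] = None   # time of the last successful MFA challenge
    unavailable: set = field(default_factory=set)  # authenticators reported lost

def is_sensitive(raw_path: str) -> bool:
    # Decode and normalize before matching, so "/public/%2e%2e/Admin" or
    # "//admin" cannot slip past a naive string-prefix check.
    path = "/" + posixpath.normpath(unquote(raw_path)).lstrip("/")
    path = path.casefold()
    # Match whole path segments: "/administrator" is not under "/admin".
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_PREFIXES)

def decide(raw_path: str, session: Session, now: Optional[float] = None):
    """Return (action, target) for one request reaching the proxy."""
    now = time.time() if now is None else now
    if not is_sensitive(raw_path):
        return ("allow", None)                 # pass through to the legacy app
    if session.user is None:
        return ("redirect", "login")           # primary authentication first
    if session.mfa_at is not None and 0 <= now - session.mfa_at <= MFA_MAX_AGE:
        return ("allow", None)                 # recent MFA proof still valid
    # Contextual choice: the providers offered depend on the user's region,
    # skipping any authenticator the user has reported lost or stolen.
    offered = PROVIDERS_BY_REGION.get(session.region, DEFAULT_PROVIDERS)
    usable = [p for p in offered if p not in session.unavailable]
    if not usable:
        return ("deny", "recovery_required")   # fail closed, start recovery
    return ("redirect", usable[0])
```

The legacy application never sees these checks; it only receives the requests for which `decide` returns `allow`.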

MFA is possible for your legacy applications

There’s good news for companies with legacy applications that can’t use MFA technologies. You can add MFA capabilities to your application without investing lengthy development time or labor costs. Strata’s Maverics platform can be implemented in a matter of hours, and will always give you access to the latest MFA technologies.

Stay compliant with Biden’s executive order. Provide your customers with peace of mind that their information is secure. Protect your company’s sensitive data from cyberattacks. Most of all, avoid the downward spiral of continually rewriting and updating your application to stay current with evolving technologies.

Future-proof your legacy application without trouble. Learn more about how to use Maverics Identity Orchestration Platform to make MFA work for legacy apps. 
