Adopting OIDC Standard For MFA
This blog is part of an ongoing blog series for Duo’s Universal Prompt Project. The project is a major re-architecture and redesign of the Duo multi-factor authentication experience. In this post, we’d like to discuss a “behind the scenes” change we’ve made that helps achieve the overall project goals — improving security and delivering a better user experience. The change involves adopting the OpenID Connect (OIDC) standard to integrate with supported applications to deliver the prompt for MFA. But before jumping into the details, it might help to understand the open standards in discussion.
Understanding OAuth 2.0 Framework and OIDC Protocol
Problem to solve: Apps and services need a way to share data with each other
Years ago (back in the early 2010s!), applications shared sensitive information by asking users to enter their credentials from one application into another. Many applications offered services which would tie together functionality from other sites. For example, mobile applications such as Yelp requested your Gmail address book to encourage more signups by emailing your contact list on your behalf. Similarly, budgeting applications like Mint.com needed access to your banking credentials to help track your spending, and website developers wanted ways to post users’ tweets on their own websites.
These were all great services that provided benefits to everyday users, but users needed to share their username and passwords with these services to realize those benefits. Sharing credentials or passwords with multiple applications not only increases the risk of a compromise (yes, that same password you also use for online banking), but also gives third-party applications full access to your account.
This is a big no-no! Once credentials are compromised, hackers can take over user accounts; even change the passwords and lock users out. Even today, according to Verizon’s 2020 Data Breach Report, 37% of credential theft breaches use stolen or weak credentials.
The main problem to solve here was authorization — in particular, how can we verify that an application or service is authorized to access information about the user?
This problem was solved with the creation of the OAuth framework.
The OAuth 2.0 framework essentially allows a third-party application to access information on behalf of the user. Think about how you might provide a friend an extra set of keys when they’re visiting so they can come and go as they please. However, there’s a key difference: You already know your friend, so you don’t need to authenticate them. Instead you just need a way to authorize them to access your home.
Once applications were able to successfully share data with each other, developers realized that this framework could also be used to implement some form of authentication. The OAuth 2.0 framework gained popularity and significant adoption to become an industry standard. However, it was not explicitly designed to support/enable authentication. And that’s why the OIDC authentication protocol was developed as an identity layer on top of the OAuth 2.0 framework, to explicitly provide support for authentication. Specifically, OIDC protocol allows you to log into multiple websites using a single set of credentials. Depending on the use case, the protocol provides several workflows.
This entire workflow is like checking into a hotel. To make this flow more understandable imagine that a traveler, let’s call him Bob, is checking into Hotel Duo.
Authentication workflow: Bob arrives at Hotel Duo and walks up to reception. Here the receptionist checks that Bob is who he says he is, actually has a reservation, and provides him with a key card (access token) for access to his room.
- The hotel receptionist here is the OIDC provider, who is responsible for verifying Bob is who he says he is and that he meets the right criteria to get a key card.
Authorization workflow: Next, Bob enters his room with his key card. Once Bob settles down in his room, he has time to get in a quick workout, maybe at the gym or at the swimming pool. Bob’s room key card also authorizes him to access other amenities like the gym or the swimming pool, but not facilities like the conference room unless Bob explicitly requests it.
Benefits of Adopting OIDC for Duo MFA: Reliability and Security
One thing to note is that today, Duo does not support OIDC for identity federation. Rather, Duo leverages the protocol to integrate with applications for MFA.
Now, let’s take a look at what the new Duo authentication experience looks like when using the OIDC-based integration:
- Bob is authenticating with an application
- Bob succeeds his first factor
- Bob is redirected to the Duo prompt
- Bob succeeds his second factor with Duo
- Bob is redirected back to the application
The new Duo MFA experience for Bob is very similar to the current experience, but the prompt is now on a Duo-hosted web page. While only the savviest of users might notice the change, this approach enables Duo to deliver strong authentication that is more reliable and secure.
Ultimately, by utilizing the OIDC Auth API or WebSDK 4 to integrate with an application, Duo provides developers a familiar and simple way to build MFA into their products and applications. Also, because this integration mechanism redirects to a Duo-hosted page for MFA, developers and customers need to build an integration only once and continue to get improvements for security and user experience.
We've received a lot of positive feedback from customers who have participated in the private preview. And we can't wait for all our customers to try Duo’s next-generation authentication experience. Until then, you can get started by learning more with:
- New guide for Duo administrators: Universal Prompt Playbook
- How to update to Duo Universal Prompt: Duo Universal Prompt Update Guide
- Duo Knowledge Base: What is the Duo Universal Prompt?
Try Duo for Free
Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.