General solution for Multi-factor Authentication (MFA)



2Element - Multi-factor authentication (MFA)

  • General solution for organizations and companies
  • It complements problematic passwords with other factors
  • MFA is mainly used for:
    • Privileged accounts (various administrator rights) – for all access types
      • VPN, server login, password administrator, …
    • User accounts – especially for Internet access to the organization (or to the cloud)
      • VPN, remote desktops (RDP), …
  • Czech and English language support (other languages can be added)
  • Flexible solution for authentication – of employees, partners, customers
  • On-premise installation option (entirely at the customer's site only, no cloud)

Example of the VPN Client login (typical for Home Office)

Factors for authentication in general

  • Authentication factors are categorized into three groups:
    • Something you know (such as a password or PIN).
    • Something you have (such as a phone or a HW token).
    • Something you are (such as a fingerprint, facial scan or other biometric data).
  • MFA requires the user to authenticate using two or more authentication factors from different categories (e.g. "something you know" in combination with "something you have").
  • The modern method of Push notifications for smartphones with biometric authentication combines all three of these categories. Logging in with your name and password (something you know) is complemented by Push notifications on your mobile phone (something you have), which must be confirmed after biometric verification (something you are).

Supported factors of authentication

  • PUSH authentication
    • from mobile application (2Element Mobile for iOS or Android)
  • TOTP authentication
    • from mobile application (2Element Mobile for iOS or Android)
    • from SMS message
  • Hardware tokens
    • YubiKey for Windows, macOS and Linux


Compliant with recommendations

2Element includes security technologies and processes that help fulfill the recommendations of the authorities NÚKIB and CISA.

Security

Detailed logging (audit log) of all processes in the whole solution.
Registration and authorization of mobile applications is ensured by asymmetric cryptography.
The private key in modern mobile phones is stored in dedicated secure storage and is protected biometrically.
The administrator defines the required security policies for the user.
Data transmissions are encrypted by default using SSL / TLS.
Export of logs using Syslog for external processing (SIEM support).
Login (SSO) integration with SAML or ADFS providers.
The application is tested by penetration tests according to the OWASP methodology.
Possibility to provide source code for audit.

Features

Link to AD or ADFS

  • Link to Active Directory, including setting which trees or user groups to synchronize and how.
  • Concurrent support for both local groups and users, as well as those transferred from AD.
  • Possible operation even without link to AD. Local users can be created directly in the MFA server. Suitable for installations without AD or users who are not in AD.
  • Support of other LDAP compatible directories is also possible.
  • Integration into ADFS logins – this makes it easy to extend the entire ecosystem with MFA, supporting ADFS logins and also SAML as a chain-type response.

MFA integration options

  • Open API for integration into third party applications
  • Connection to ADFS and SAML (e.g. customer cloud services)
  • RADIUS support (e.g. for VPN)
  • SMS gateways
  • Password administrator – we can deliver turnkey solutions

Typical services and applications for MFA

VPN accesses (Fortinet, Cisco, CheckPoint, …)
Administrator RDP accesses to MS servers
Remote desktops (RDP) for users, incl. Terminal Server access
Local user logins for the computer
ADFS (Active Directory Federation Services) integration
Cloud services (O365, …)
Customer's own application (Helpdesk, Intranet,…) using API, SAML
Gateways and solutions for partners and customers
Other integration protocols with Radius or LDAP


Services

Installation of MFA servers at the customer

  • Installation on dedicated servers (Linux CentOS)
    • Installation into virtualisation is recommended - VMware, Hyper-V, KVM
  • Web interface for administrators available
  • Optimally divided into two sections:
    • In DMZ – MFA WEB server - it communicates to the Internet (Push notifications, etc.), provides API
    • In VLAN - MFA Authentication PROXY server - Auth proxy, it mediates communication with AD and RADIUS
  • A scalable solution for large installations that meets the required SLAs.
  • MFA servers can be installed in a cloud environment

Consultation and on-line presentation

  • Professional consultation for customers and partners
  • An explanation of all concepts such as FIDO2, WebAuthn, U2F, TOTP, ...
  • Demonstration of MFA solutions using Teams or other conference platforms
  • During the conference, we help analyse the application of MFA for the customer

Trial version and PoC installation

  • TRIAL licences for internal testing and PoC (Proof of Concept) installation
  • The MFA server can be installed in our hosting environment.
  • Installation into the customer’s infrastructure.
  • Within PoC, professional consultation for further integrations.

Customer solution

  • For larger implementations, we offer a solution that is popular today, for example in banks, under names such as KB key, RB key, …
  • This means delivering a customized mobile application to the customer that can be used for all MFA accesses.
  • Appropriate consolidation of all applications that should use MFA authentication.
  • “White label” customization
    • for server (own name and design)
    • for mobile applications (own name, design and fixed connection with the customer's server)

Supported platforms

  • VPN by RADIUS: Fortinet, Cisco, Checkpoint
  • Hardware tokens: Yubico

Contact and request for Price offer / Trial version

SONPO, a.s.

Klapkova 546
182 00 Prague 8
Czech Republic

