Regarding MFA (Multi-Factor Authentication), the well-known administrator mantra “Never change a running system” is no longer accurate, given today’s speed of IT technology development. In fact, regular changes have become a necessity to keep up with competitive markets. This is particularly true when the new technology is itself under steady development, which avoids unnecessary issues in the foreseeable future.
LinOTP brings substantial benefits for MFA-backed environments. It has no token vendor lock-in, it is open source and it is developed API-first. It is easy to set up and to integrate in the first place – it takes only about half a day in a standard environment. And we make sure that transitions from existing MFA solutions to LinOTP are stable, fast and painless for architects as well as for the administrators carrying them out and for the users.
How to set up LinOTP – a guide in 4 steps
The Smart Virtual Appliance is a convenient way to set up LinOTP.
- Make a plan of the existing and future authentication infrastructure
  - What is currently secured by MFA? Are there additional systems to outfit with MFA-protected authentication?
  - What (hardware) tokens are already in use?
  - Which new kinds of tokens sound interesting (like the KeyIdentity Push Token)?
- Install the KeyIdentity LinOTP Smart Virtual Appliance
  - The installation and the initial setup are really quick – they usually take no longer than 20 minutes.
  - A web-based installation wizard (only seven steps!) guides you through the procedure, gives hints and avoids configuration errors.
- Connect LinOTP to the existing user storage(s)
  Tokens are assigned to already existing users. LinOTP only needs read access to the user storages – in line with its “minimal impact” attitude, no write permissions or changes are required. Configure LinOTP to access the Active Directory via the token management web GUI.
- Get accustomed to the LinOTP GUI for token management
  Now it is time to explore the easy-to-use management web GUI!
How to handle existing tokens?
Migration usually means that tokens are already purchased and in place with the users. Two questions arise from that:
- Can the old tokens be used?
- How is it possible to assign the tokens to the same users as before in the new MFA solution?
LinOTP supports a wide variety of hardware tokens, which can be mixed according to the customer’s needs. So – besides many others – SafeNet’s OATH-based OTP tokens are fully supported by LinOTP. The seed files can be imported conveniently via the management GUI. On top of that, LinOTP provides highly customizable options for users and administrators to associate the tokens with their original users:
Assignment via API
If it is known which token serial number belongs to which username, the assignment can be performed via the LinOTP API. SafeNet stores this information in the Active Directory. We just need to export this data and start the fully automated assignment process via a script provided by LinOTP.
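The following is an added example of what such an export-driven assignment script looks like; it is not LinOTP’s own script and not code from this post. It assumes a CSV export with the columns `sAMAccountName` and `tokenSerial` (constructed names), a LinOTP `/admin/assign` endpoint taking `serial`, `user` and `realm` form fields, and a JSON reply with `result.status` and `result.value`; check these against the API documentation of your LinOTP version. The part worth copying is the parsing: a serial that the export attributes to two different users is excluded rather than bound to whichever row comes last.

```python
import csv
import io
import json
import urllib.parse
import urllib.request

# Constructed sample of the Active Directory export (hypothetical column names):
# one row per user, with the serial number of the SafeNet token stored on the user object.
EXPORT_CSV = """sAMAccountName,tokenSerial
alice,1000123456
bob,1000123457
carol,
dave,1000123456
erin,1000123458
"""


def parse_export(text: str):
    """Turn the export into {serial: username}, refusing anything ambiguous.
    Rows without a serial are skipped, and a serial claimed by two different users is
    excluded entirely: binding a token to the wrong person is worse than leaving it for
    manual or auto assignment later."""
    claims = {}
    problems = []
    for row in csv.DictReader(io.StringIO(text)):
        user = (row.get("sAMAccountName") or "").strip()
        serial = (row.get("tokenSerial") or "").strip()
        if not user:
            continue
        if not serial:
            problems.append(f"{user}: no token serial in export, leave for manual or auto assignment")
            continue
        claims.setdefault(serial, set()).add(user)
    mapping = {}
    for serial, users in claims.items():
        if len(users) == 1:
            mapping[serial] = next(iter(users))
        else:
            problems.append(f"{serial}: claimed by {', '.join(sorted(users))}, not assigned")
    return mapping, problems


def _http_post(url: str, fields: dict) -> dict:
    """Default transport. Assumption: LinOTP answers admin calls with JSON. A real run
    additionally needs admin credentials and LinOTP's session (CSRF) parameter per request."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def assign_all(mapping: dict, base_url: str, realm: str, post=_http_post) -> dict:
    """Call the (assumed) /admin/assign endpoint once per serial; report success per serial.
    `post` is injectable so the logic can be exercised without a live LinOTP."""
    outcome = {}
    for serial, user in sorted(mapping.items()):
        reply = post(base_url.rstrip("/") + "/admin/assign",
                     {"serial": serial, "user": user, "realm": realm})
        result = reply.get("result", {})
        outcome[serial] = bool(result.get("status")) and bool(result.get("value"))
    return outcome


if __name__ == "__main__":
    mapping, problems = parse_export(EXPORT_CSV)
    for line in problems:
        print("skipped:", line)
    # Replace URL and realm with your own; the transport here is a dry run that answers "ok".
    print(assign_all(mapping, "https://linotp.example.invalid", "ad",
                     post=lambda url, fields: {"result": {"status": True, "value": True}}))
```

Run it once with the dry-run transport to review the `skipped:` lines before pointing it at a real server; the problem list is exactly the set of users who will fall back to auto assignment or the self-service portal.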
Auto assignment
LinOTP features a powerful technique called auto assignment. If a user authenticates against LinOTP and has no token assigned yet, LinOTP figures out the correct token and performs the assignment automatically. So over time all tokens are allocated to the correct users without administrator involvement.
Manual Assignment via the selfservice portal
As a third option, the users can perform the assignment themselves in the LinOTP User Selfservice Portal, which provides additional useful features (like the option to disable tokens) to take pressure off the help desk team.
Automatic resync of event based tokens
LinOTP addresses a potential issue with previously used event-based tokens, whose counters may be out of step with the server, by automatically resyncing them if required.
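The two mechanisms above, auto assignment and event-based resync, share one building block: checking an OTP against an HOTP counter inside a look-ahead window. The following added example (not LinOTP’s implementation, and not code from this post) models both on top of a plain RFC 4226 HOTP routine. Its auto-assignment step assumes the approach of testing the presented OTP against every still-unassigned token and binding only when exactly one matches; its resync follows the RFC 4226 section 7.4 scheme of two consecutive OTPs. Token serials and the second seed are constructed; the first seed is the RFC 4226 test vector.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Token:
    """Minimal event-based token record: serial, shared seed, next expected counter, owner."""

    def __init__(self, serial: str, secret: bytes, counter: int = 0):
        self.serial = serial
        self.secret = secret
        self.counter = counter
        self.user = None


def check_otp(token: Token, otp: str, window: int = 10):
    """Return the counter inside the look-ahead window that produces `otp`, or None.
    Does not advance the token; the caller decides what a match means."""
    for c in range(token.counter, token.counter + window):
        if hmac.compare_digest(hotp(token.secret, c), otp):
            return c
    return None


def auto_assign(unassigned: list, username: str, otp: str, window: int = 10):
    """Model of auto assignment: a user without a token presents an OTP, and the one
    unassigned token that produces it is bound to that user. Refuses when zero or more
    than one token matches, so an ambiguous OTP never binds the wrong token."""
    matches = []
    for token in unassigned:
        c = check_otp(token, otp, window)
        if c is not None:
            matches.append((token, c))
    if len(matches) != 1:
        return None
    token, c = matches[0]
    token.user = username
    token.counter = c + 1          # consume the OTP so it cannot be replayed
    unassigned.remove(token)
    return token


def resync(token: Token, otp1: str, otp2: str, window: int = 1000) -> bool:
    """RFC 4226 section 7.4 resynchronisation: two consecutive OTPs inside a large window
    prove the token's position, and the server counter jumps past both of them."""
    c1 = check_otp(token, otp1, window)
    if c1 is None or not hmac.compare_digest(hotp(token.secret, c1 + 1), otp2):
        return False
    token.counter = c1 + 2
    return True


if __name__ == "__main__":
    # Constructed demo pool: the RFC 4226 test seed and an unrelated constructed seed.
    pool = [Token("SAFE-0001", b"12345678901234567890"),
            Token("SAFE-0002", b"constructed-seed-two")]
    got = auto_assign(pool, "alice", "287082")
    print("assigned", got.serial if got else None, "to alice;", len(pool), "token(s) left")
```

Two details matter operationally. The normal authentication window stays small (ten here) so that a guessed OTP has little chance of matching any of the unassigned tokens, while the resync window is large because the user proves possession with two consecutive values. And a match in `auto_assign` that hits more than one token is refused rather than resolved by order, since two tokens with identical seeds are an import error that should surface, not be papered over.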
MFA migration scenarios to fit your needs
The migration from the old MFA solution can be carried out in different ways.
All at once
This requires preparing the involved authentication clients (e.g. Citrix NetScaler) to authenticate against LinOTP. The switch from the old solution to LinOTP is performed for all involved systems simultaneously. The tokens are either already assigned to the users via the API, are assigned on first use (auto assignment), or get allocated another way. LinOTP supports the transition by optionally authenticating users without tokens until the migration is finished, while users with tokens have to provide a valid OTP.
Some systems still authenticate against the old solution while others are already communicating with LinOTP.
It is even possible to use LinOTP as a relay to the old MFA solution via the RADIUS protocol, so that the clients’ authentication requests are forwarded by LinOTP. Thanks to the extensive policy framework this forwarding can be made conditional. This means that users of an AD group or requests from certain clients are forwarded, while others are authenticated by LinOTP itself.
Start migrating today
Replacing an existing MFA solution with LinOTP is neither time-consuming nor complicated. Should help be required, however, competent consultants from KeyIdentity GmbH are ready to offer counsel for individual migration procedures.
Author: Mirko Ahnert