Multifactor authentication in the cloud: Assessing provider services

Expert Dave Shackleford discusses authentication in the cloud, including details on the multifactor authentication services of major cloud providers.

In recent years, many cloud-based service companies, including Zappos, Evernote and LinkedIn, have been breached,...

with a countless number of users' passwords exposed as a result. While much has been written about secure password management and storage in reaction to such incidents, reality dictates that access to cloud services needs to transcend simple username and password authentication.

Fortunately, an ever-growing number of cloud providers are offering stronger authentication measures, as well as more robust authorization and role-based access control. How do the authentication offerings from each provider stack up, however?

In this tip, we'll explore the multifactor authentication options from some major cloud providers, and detail the challenges and benefits involved with using more capable authentication and authorization technologies in the public cloud.

Multifactor authentication in the cloud

When public cloud providers are being discussed, two big names tend to stand out -- Amazon Web Services (AWS) and Microsoft Windows Azure -- so we'll focus on the authentication capabilities of those two providers.

Reality dictates that access to cloud services needs to transcend simple username and password authentication.

Microsoft recently released its Windows Azure Multi-Factor Authentication Server, which is the Redmond, Wash.-based vendor's update to the PhoneFactor software it acquired in 2012. In a nutshell, it provides some simple authentication features. In addition to an Azure user's password, developers can now require that users be notified via email, phone call, text and other means when an authentication event takes place, with an additional PIN or authentication token required to fully complete the authentication action.

Microsoft has made this form of authentication attractive by integrating natively with both on-premises and Azure-based Active Directory user repositories, allowing on-premises deployment and integration with Active Directory and applications. In addition, multifactor authentication can now be combined with RADIUS, Lightweight Directory Access Protocol (LDAP) and Internet Information Server (IIS) Web applications, and can also be readily extended to and integrated with the Azure cloud. The ability to integrate multifactor authentication capabilities both on-premises and in the Azure cloud provides a strong benefit to customers, allowing for more protection to hybrid cloud deployments, as well as to internal cloud and public cloud scenarios.

How does AWS stack up to Microsoft's latest cloud authentication products? First, Amazon offers multifactor authentication for both administrative AWS accounts and users within created AWS Identity and Access Management (IAM) roles. Amazon Web Services also allows for soft-token integration with computers, tablets and smartphones that run applications based on the Time-based One-Time Password standard, prominently including Google Authenticator, AWS Virtual MFA for Android and Authenticator for Windows Phone devices. Alternately, users can purchase a Gemalto hardware token and use that instead.

Numerous other cloud providers offer multifactor authentication options that are similar to Microsoft's and Amazon's, with most focusing on mobile devices and leveraging a combination of texts, phone calls or locally generated codes of some sort. Google, for example, offers second authentication factor (in addition to a username and password) by generating a verification code via a local application on a mobile device, or having a text or voice call sent to the mobile device with the code. The code has to be entered after the username and password have been accepted to complete access to any Google application.

Cloud authentication hurdles

We've established the authentication features available through some of the premier cloud providers, but what are the major challenges enterprises face when deploying and managing multifactor authentication in the public cloud? First, as mentioned, most options focus on mobile devices, so if these are lost or stolen, user accounts are potentially at risk for at least a short time. However, this is a risk inherent to most "soft" token authentication tools, and one that enterprises will need to accept when traversing this path. Another issue is that of helping users who forget a PIN code or lose a hardware token, especially if the cloud provider handles support. Be sure to investigate different support service-level agreements and options when you work with a cloud provider's authentication tools and supported products.

Finally, compatibility with existing applications and enterprise IAM infrastructure can be a challenge, especially when an organization already uses a multifactor option that differs from the cloud provider's. As a result, some enterprises are turning to Identity-as-a-Service providers that can handle strong authentication, authorization and federation rather than implementing such capabilities internally or solely at the provider level. For this reason, Microsoft's recent authentication additions may offer more flexibility than most other cloud providers' products for hybrid cloud deployments and integration with internal applications and systems.


Much like traditional enterprise IT environments, authentication remains a thorny issue in cloud environments. The multifactor authentication services currently in place at cloud providers like Microsoft and AWS are a promising start in addressing these issues, but enterprises must still be vigilant about the problems that can surface if weak or incompatible authentication measures are selected. By taking the time up front to ensure a cloud provider offers effective and compatible authentication services, much effort and many headaches can be avoided later.

About the author:
Dave Shackleford is the owner and principal consultant of Voodoo Security LLC; lead faculty at IANS; and a SANS analyst, senior instructor and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO at Configuresoft, as CTO at the Center for Internet Security, and as a security architect, analyst and manager for several Fortune 500 companies. Dave is the author of the Sybex book Virtualization Security: Protecting Virtualized Environments, as well as the co-author of Hands-On Information Security from Course Technology. Recently, he co-authored the first published course on virtualization security for the SANS Institute. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.

Dig Deeper on Public Cloud Computing Security