Akamai has acquired Guardicore to extend its Zero Trust solutions and help stop ransomware. Read more

Blog

Akamai MFA in Action: Single Sign-On is Phish-Proof and Simple to Use

Written by

Keith Tomlinson

October 13, 2021

Breaking news: we just completed an 850-user pilot with Akamai MFA. In this blog, the first in a series, I’ll explain why we switched to Akamai MFA, how we ran our pilot, and employee feedback so far. Check back for my next blog, when we’re midway through our global deployment.

A burglar checks for open windows. Neglecting to lock just one is like leaving the door wide open. In the same way, cyber attackers look for the easiest user accounts to take over — whether that’s network access credentials, email, on-premise applications, or cloud/SaaS applications. If they’re lucky, they can also use the stolen credentials to breach other systems, an action known as lateral movement.

Two make-or-break requirements for MFA

At Akamai, for years we’ve used multi-factor authentication (MFA) to make our “windows” harder to break through. MFA plays an important role in our Zero Trust security model, whereby every user and device must be authenticated before being allowed on the network, is constantly validated, and with the least privilege to get their job done.

We have two guiding principles for MFA. One is to block lateral movement by using different authentication methods for different systems, such as email, SSO for internal web applications, and laptops. That way, if somehow someone gets ahold of a user’s credentials for one system they can’t use those credentials to also get into other systems.

The other principle is to avoid passwords. They’re just too easy to phish. It only takes one fake website that looks real to lure an unknowing employee to sign in and disclose their login credentials.

When Akamai acquired Krypton technology, we quickly partnered with the team at Krypt.co to see about incorporating the technology to strengthen and simplify our authentication. Advanced encryption makes it phish-proof, and an iOS or Android phone takes the place of the hardware token. Our IT team worked with the product engineers to promote features that would be useful both for Akamai and other companies, such as sudo MFA for Linux/Unix, segregation of duties for admin roles, and account lockout customizations, to name a few. The result is Akamai MFA.

Our users like the simple experience

We’ve just completed an 850-person pilot using Akamai MFA to protect our SSO system for internal web applications. Enrollment is simple. Employees receive an email that walks them through the steps to enroll, including downloading a mobile app. The whole process takes just a couple of minutes.

Clicking on a secure link in the email, the employee is guided through the process where a QR code is presented. Scanning the code registers their phone with Akamai MFA and turns it into a highly secure authenticator. The next time the employee visits an internal webpage, Akamai MFA prompts the user to tap a button in the mobile app — the second factor. That’s it!

The back-end work was also simple — mainly just integrating Akamai MFA with our SSO system.

We rolled out in phases—to give “white-glove” service

We started with a small pilot broken out into four waves, each with 50 to 400 new users. We rolled out Akamai MFA to one department at a time so we could provide white-glove service and have a single point of contact — the department head. We held a meeting with each department to educate employees about lateral movement and explain how Akamai MFA keeps our applications and data more secure. During the training session we also shared tips about good security practices — for example, avoiding passwords when possible and using a password manager if not.

As I write this, more than 850 employees are using Akamai MFA, and we just began production deployment. Next up will be six large departments, each with up to 4,000 employees, at a pace of one department every two weeks. It won’t be long before all 8,971 Akamai employees are enrolled in Akamai MFA and using it every day.

Here’s what users say

Summing up, Akamai MFA makes lateral movement much more challenging for attackers to achieve, is easy to integrate with our SSO solution, and adds no extra steps for our users. We’re measuring success based on user satisfaction. Most employees use SSO every day, and they’re glad that they don’t have to change their habits.

Here’s what an early user told me: “I can’t believe how easy it is. I typically shudder at adopting new technologies, but Akamai MFA is so easy it didn’t take any adjustment. And knowing it’s phish-proof gives me extra peace of mind.”

Someone in accounting said, “Using our phones in place of a hardware token is brilliant. I always carry my phone with me anyway, so it’s one less thing to worry about forgetting. Akamai MFA just basically makes it easier for me to sign in securely so I can get right to work.”

Ready to get started?

Take Akamai MFA for a free 60-day test run. Sign-up here to see what the world’s largest edge platform can do for you. 



Written by

Keith Tomlinson

October 13, 2021