PingID Security Hardening: Your Guide to Achieving Five-Star MFA Security

January 11, 2018

Co-authored by Oren Sternheim, Product Security Engineer & Richard Cardona, Manager of Product Security


"Identity will make or break trust in digital ecosystems"

-- Forrester 2018 prediction


As a general guideline, here at Ping we recommend you use multi-factor authentication (MFA) for access to any moderate- to high-risk resource. Making certain that users are who they say they are is the security cornerstone in a digital world increasingly under attack from cyber-criminals.


To provide appropriate security while maintaining end user productivity, the type of MFA utilized and the user experience impact (UX burden) should be selected to match each distinct use case.


Ping is pleased to announce a new guide for security administrators to help achieve optimal security. The PingID Security Hardening Guide was designed to offer technical guidance in increasing the security of your PingID deployment configuration, while enabling you to optimize the end user experience.


Multi-factor Authentication Options

The PingID Security Hardening Guide is a single point of reference for:


  • configuration options that enhance security
  • best practices regarding the security configuration of the PingID MFA system


When it comes to choosing the best configuration options for your digital enterprise, clearly you have to consider many factors for each use case, such as type of end user (customer, employee, partner), security level required and more. While PingID offers several methods of authentication, some methods are considered more secure than others. One of my favorite parts of this guide is the table showing the relative strengths of different MFA options:



The document delves into recommendations and limitations for specific MFA authentication methods, including recommendations when disabling an authentication method.


PingID Configuration

PingID is configured as part of the PingOne Web Portal and provides a substantial number of options and considerations. Here are some of the highlights, along with our recommendations:


  • Email Notification. It is recommended that you turn this option on so that every time a new device is registered with PingID for a specific user, that user receives an email notification.
  • OTP Fallback. Although disabling OTP fallback may be more secure, it will prevent offline authentication, such as when a user is on an airplane.
  • Fingerprint Authentication. It is recommended that this option be set to Required, forcing users to authenticate with their fingerprint if their device supports it.
  • Authentication While Device is Locked. Available only for Android; it is recommended that you disable this feature.
  • Device and Pairing. Some critical features improve security, including turning on Device Lock Required and turning on No Jailbroken Devices.


PingID also supports an integration with PingFederate, and there are considerations for the LDAP PCV, the PingID Adapter and the RADIUS PCV when configuring PingID. The guide takes you through these in some detail.


In addition, you'll find information on Windows Login/SSH integration, the importance of keeping your PingID clients updated, and recommendations regarding the use of PingID as the primary method of web single sign-on (SSO) authentication.


To get a copy of the PingID Security Hardening Guide, Ping customers can access it here: https://ping.force.com/Support/PingIdentityArticle?id=kA31W000000XZiWSAW. And if you need help, please contact us at our Community/Support site.


Oren Sternheim, Product Security Engineer