Multi-factor authentication (MFA) is an authentication system that requires more than one distinct authentication factor for successful authentication. It is one of the easiest, most effective ways to enhance login security and help safeguard your business and data against threats like phishing attacks and account takeovers. It is critical to have an all-encompassing MFA strategy for integrations. In this article, I’ll walk through the steps you need to take to achieve full MFA adoption with Anypoint Platform
Login security is key for your integrations
The ongoing transition to remote work makes MFA more important than ever. The global cyber threat landscape is evolving and the types of attacks that can cripple businesses and exploit consumers are on the rise. When it comes to integration, trust is amongst the most important aspects. The confidentiality, integrity, and availability of your and your business partner’s data are vital.
MuleSoft takes your security and the protection of your and your stakeholder’s data very seriously. There is a full suite of built-in and configurable security features, aids, and settings you need for secure integration. Login security is one of them and natively supported in Anypoint Platform. Below you’ll find the options available to help you build your MFA strategy.
Achieving full multi-factor authentication adoption using Anypoint Platform
There are two components to consider regarding MFA adoption. The first is the native MFA functionality in Anypoint Platform. The second is the need to ensure MFA is set up at the login process so anyone that logs into Anypoint Platform is fully authenticated from the start. With these two components in mind, there are three different MFA options available to explore:
- Leveraging your organization’s MFA-based SSO
Organizations that do not allow any user to access Anypoint Platform without first going through the organizational or corporate Single Sign-on (SSO) procedure do not need to use the native Anypoint Platform MFA feature in case this SSO is MFA-based. In this situation, you are good on MFA for your Anypoint Platform access. Note: If your users access Anypoint Platform through an SSO without MFA then additional steps are still needed. These are described in scenario #3 below.
- A mix of MFA-based SSO and Anypoint Platform MFA
If your organization has a mix of MFA-based SSO and non-SSO users, you can use a combination of these options. For example, you can use your organization’s MFA-based SSO for most of the users and enable MFA directly in Anypoint Platform for users who do not access through the SSO. A common scenario here is contractors who do not all go through your organizational onboarding. - Full Anypoint Platform MFA
In case your users can reach Anypoint Platform without an MFA-based SSO service, then you should enable the native Anypoint Platform MFA functionality for all users. This applies both to organizations that allow Anypoint Platform access after passing a SSO without MFA, as well as to organizations that allow direct Anypoint Platform access without any SSO enforcement.
MuleSoft’s MFA features and supported standards
If and when you implement MuleSoft’s MFA features, you can count on a complete set of management tools. In a nutshell, MuleSoft offers the following key features:
- Enforcement: Ability to require all versus specific local Anypoint Platform users to log in with MFA.
- Exclusion: Features to easily exclude specific users from accessing specific integrations (i.e. “service user” use cases).
- Revocation: Ability to remove MFA from a user (i.e. when they lose a device).
- Reporting: Insight and visibility to see who is required, enabled, or exempt from the MFA requirement.
- Ease of management: End-users can manage MFA verification methods from the user profile page.
MuleSoft also supports the following list of standards and categories:
- Open verification standards
- Salesforce Authenticator
- Third-party TOTP authenticator apps (i.e., Google Authenticator)
- WebAuthN-compliant security keys
- Built-In authenticators (i.e. Touch ID)
Key considerations
Once you have gone through the above options, it is important to verify if your described organizational state reflects reality. Some customers have shared that they have the policy to leverage the organization’s SSO, but in reality, there are still some “unmigrated” users. You will need to consider if there is a backlog on sign-on approaches, and provision MFA accordingly.
In the described scenario, option #2 – a mix of SSO and Anypoint MFA – is used for a fixed set of time. After that time period, the organization should have completed the migration and fully uses option #1, leveraging the organization’s MFA-based SSO.
Something else to consider is the level of checks in place to prevent, detect, and correct any risk of deviation to the SSO and MFA policy when it comes to accessing MuleSoft Anypoint Platform.
Suggested next steps
There are 4 steps to complete your review and plan for a fully compliant MFA environment for Anypoint Platform:
- Choose: Determine the sign-on approach for Anypoint Platform.
- Validate: Validate the compliance and onboarding procedure to support your chosen approach.
- Complete: Complete the required steps, if any, to comply with your chosen approach, including possible interim scenarios.
- Consolidate: Ensure the user management (including onboarding and periodic reviews) is solidly embedded in your organization’s procedures to guarantee a sustained MFA solution and assurance.
Your MuleSoft team is here to help
Integration security is an integral part of our commitment to you, your organization, and your partners. And with Anypoint Platform, APIs have security controls at every layer of the API-led connectivity approach. Now is the time to implement the available MuleSoft MFA capabilities available to set your team and company up with the tools it needs to combat potential cyber threats.
For any help leveraging the MuleSoft MFA capabilities, reach out to your MuleSoft Customer Success Manager or Account contact.
