Since I have SAML on the brain right now, it’s an opportune time to blog a bit about multi-factor authentication and Tableau Server. This was a scenario we hadn’t gotten to in earlier versions of the product, but is available in 8.1.
What is multi-factor authentication?
From Wikipedia (you should donate a few bucks to these guys, too):
Multi-factor authentication (also MFA, two-factor authentication, TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two or more of the three authentication factors: a knowledge factor (“something only the user knows”), a possession factor (“something only the user has”), and an inherence factor (“something only the user is”). After presentation, each factor must be validated by the other party for authentication to occur.
Two-step verification (also known as two-factor authentication) is a process involving two stages to verify the identity of an entity trying to access services in a computer or in a network. This is a special case of a multi-factor authentication which involves the presentation of two or more of the three authentication factors: a knowledge factor, a possession factor, and an inherence factor.
To provide an everyday example: an automated teller machine (ATM) typically requires two-step verification. To prove that users are who they claim to be, the system requires two items: the ATM card (application of the possession factor) and the personal identification number (PIN) (application of the knowledge factor). In the case of a lost ATM card, the user’s accounts are still safe; anyone who finds the card cannot withdraw money as they do not know the PIN. The same is true if the attacker has only knowledge of the PIN and does not have the card. This is what makes two-step verification more secure: there are two layers of security.
How does Tableau Server implement multi-factor authentication?
Via SAML, of course. Many SAML Identity Providers (IdPs) include authentication modules which support validating possession or inherence factors. Take for example the much beloved RSA SecurID dongle: OpenAM supports it, among others:
https://wikis.forgerock.org/confluence/display/openam/OpenAM+out+of+the+box+authentication+modules
To carry out multi-factor authentication in Tableau Server, you simply need to:
- Run Tableau Server in SAML mode
- Integrate with an IdP that supports authenticating possession and/or inherence factors.
As a Tableau Server administrator, you get to avoid the hard stuff – that is, configuring the IdP to deal with an RSA token or some other possession factor. All you need to do is get Tableau working with SAML, then lean on the functionality most IdPs provide in this regard.
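One thing worth understanding about the division of labour above: the service provider (Tableau Server, here) never sees the token or PIN. All it receives is the IdP's signed SAML assertion, and the assertion records which authentication method the IdP used in an AuthnContextClassRef element. That is the place a defender can confirm that a possession factor was actually checked rather than just trusting that the IdP was configured correctly. The following is an added example, not code from Tableau, OpenAM, SSOCircle or this post: it parses a constructed SAML 2.0 response, checks the validity window and audience, and accepts the login only if the authentication context is on an allow-list of multi-factor classes. It assumes the XML signature has already been verified by the SAML library in use; the sample assertion, the audience URL and the particular allow-list are illustrative choices.

```python
"""Added example (not Tableau's, OpenAM's or SSOCircle's code): inspect a
SAML 2.0 assertion and decide whether it attests a multi-factor login.

Assumptions, labelled here and in the lead-in:
  * the XML signature on the Response/Assertion has ALREADY been verified by
    the SAML library in use; this code only inspects the signed content;
  * which AuthnContextClassRef URIs count as "MFA" is a local SP policy
    choice; the ones below are standard SAML 2.0 / REFEDS identifiers.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Authentication context classes that imply a possession factor (hardware
# token, smart card, registered mobile device) was checked by the IdP.
MFA_CONTEXT_CLASSES = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
    "https://refeds.org/profile/mfa",
}

# The SP entity ID this assertion must be addressed to (constructed value).
EXPECTED_AUDIENCE = "https://tableau.example.test/wg/saml/"

# Constructed sample response: NOT a real IdP message. The Signature element
# is omitted because signature checking is assumed to happen before this step.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-12-01T10:00:00Z">
    <saml:Issuer>https://idp.example.test/idp</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2013-12-01T09:59:00Z" NotOnOrAfter="2013-12-01T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://tableau.example.test/wg/saml/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2013-12-01T10:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """Parse an xsd:dateTime in UTC ("Z" suffix) as SAML uses it."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, expected_audience, now, mfa_classes=MFA_CONTEXT_CLASSES):
    """Return (ok, reason). ok is True only if the assertion is inside its
    validity window, addressed to this SP, and carries an MFA-class context."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion element"

    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before):
        return False, "assertion not yet valid"
    # Per SAML, the assertion is invalid at or after NotOnOrAfter.
    if not_on_or_after and now >= parse_saml_time(not_on_or_after):
        return False, "assertion expired"

    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if expected_audience not in audiences:
        return False, "audience mismatch"

    refs = {r.text for r in assertion.findall(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)}
    if not refs:
        return False, "no AuthnContextClassRef"
    if not refs & mfa_classes:
        return False, "authentication context is not multi-factor: " + ", ".join(sorted(refs))
    return True, "ok"


if __name__ == "__main__":
    at_login = parse_saml_time("2013-12-01T10:01:00Z")
    print(check_assertion(SAMPLE_RESPONSE, EXPECTED_AUDIENCE, at_login))
    # A password-only context from the same IdP should be rejected.
    password_only = SAMPLE_RESPONSE.replace("TimeSyncToken", "PasswordProtectedTransport")
    print(check_assertion(password_only, EXPECTED_AUDIENCE, at_login))
```

The point of the allow-list is that "SAML mode plus an MFA-capable IdP" only delivers two factors if the IdP was actually told to demand the second one for this SP; an IdP that falls back to password-only login still returns a perfectly valid assertion, and without a check like this the SP cannot tell the difference. Whether Tableau Server itself inspects the authentication context is not something this post covers, so treat the check as something to confirm in the IdP's logs and policy as well.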
How can I experiment, and keep it cheap?
SSOCircle is your friend. In my previous post, I blogged about setting up Tableau Server to use it as a SAML IdP.
All we need to do is take things one step further and turn on an additional authentication feature in your SSOCircle profile, which will enable possession validation.
I don’t run an RSA SecureServer (duh), so I’ll use a different hardware-based token. It’s called a Swekey, and it costs twenty bucks when ordered online.
Rather than reading an LCD screen on the dongle to get a passkey, you actually plug the token into your machine’s USB port. It works under Windows, Mac, and Linux.
As you can see, I’ve plugged this dongle into my laptop, told SSOCircle to detect it, and set a PIN for good measure. Moving forward, I can choose a login type which:
- Requires the key to be plugged into the machine I’m logging in from (possession factor)
- Requires a PIN to be specified (knowledge factor)
There you go! Instant two-factor authentication.