Thick Clients Don’t Have to Mean Thick Heads When It Comes to MFA

Thick client applications don’t work with your traditional multifactor or single sign-on (SSO) solutions. Why? It’s because most legacy, thick client applications don’t expose the capability to bolt on multifactor authentication.

Passwords, Passwords, Passwords

We all know password-based authentication is insanely insecure yet it’s still rampant in many enterprises, especially in important legacy applications that have thick client interfaces. These applications are usually business critical to the enterprise because they’re deeply integrated into revenue generating processes and aren’t going away anytime soon.

After all, why would you keep an old mainframe around unless it was running your core business like a champ? It’s no surprise that no one wants to mess with bolting SSO and multifactor onto legacy applications to add more security.

Even if it was a relatively easy task, it would still be a tough sell to cost-conscious executives. Try telling your CEO that you may need to take several days of downtime to make these applications more secure.

Why Modern Approaches Fall Flat

The modern approach to securing applications relies on web-based infrastructure and federation standards. When you’re deploying single sign on with multifactor authentication, any of the following methods can be used:

  • Proxy-based where SSO tokens are checked in the browser
  • Federation mechanisms like SAML 2.0 and WS-FED
  • Auto-fill feature for web forms with a previously recorded username and password

The main reason these approaches don’t work with legacy applications is in many cases, federation standards are not available and/or there is no web interface to secure. After all, it’s only a thick client. A few examples:

deploying multi-factor authentication on thick clients   deploying multi-factor authentication on thick clients

What Can You Do?

One method to securing legacy applications is to modernize all platforms with a web-based solution so that multifactor and single sign on can be deployed. Good luck getting the funding for that.

Alternatively, you can strengthen security by using a combination of process and technology. Diligently auto-rotate passwords for your users and protect the front door by securing the logon to Microsoft Windows and thick clients using multifactor authentication.

Luckily for companies in this predicament, Crossmatch’s DigitalPersona platform offers 100% coverage and secures access for all network, legacy and web-based applications. DigitalPersona’s Password Manager enables users to manage all passwords and secures logon at the front door (using biometrics or OTP). The benefit of this approach is that customers can address security concerns in their critical legacy applications without having to modernize them on day one.

We all know the legacy applications will still be around for some time, let’s make the effort to have them be as secure as our other applications.

Manny is a Director of Solutions Engineering at Crossmatch. He is responsible for designing and deploying DigitalPersona security solutions. He draws from over 20 years of experience in trends and standards for information security including identity and access management, FPKI audit/compliance, NIST guidelines, public key infrastructure, access control, mobility, biometrics, and data security. Manny has held positions in top tier cybersecurity and technologies companies including Centrify, Oracle, Entrust, and L1 Identity Solutions.

Biometric Technology Gaining Traction in User Authentication
A Bridge Too DFARS: Authentication and the DoD Deadline for Cyber Compliance
Why You Should Consider FIDO Universal 2-Factor Authentication
There are currently no comments.