MFA for PAM (Privileged Access Management)

Why you need MFA for Privileged Access Management


Privileged Access Management (PAM) is a key component of modern IT systems. PAM protects administrative accounts against privilege elevation. If there’s only one component in your entire IT that you want to protect against account take-over, this is definitely PAM. For this, organizations have long thought that enforcing complex password policies was enough. However, it is now widely accepted that users are better left out of the security equation. MFA is therefore the only efficient way to secure authentication and in turn, to protect privileged accounts.

How to add MFA to your Privileged Access Management

There are 2 main ways depending on your PAM vendor and how you have integrated it.

Some PAM vendors support a delegation of authentication using protocols such as Radius or SAML 2.0. This way, you can configure your PAM to delegate authentication to an Identity Provider enforcing MFA.

Alternatively, if you can configure your PAM to authenticate users using LDAP, you can add an LDAP proxy enforcing step-up authentication on top of the current authentication. This method is usually preferred by organizations since it adds a layer of security with a very minimal impact.

inWebo MFA for Privileged Access Management

inWebo supports all these methods, i.e., a Radius connector, a SAML 2.0 connector, and an LDAP proxy enforcing step-up authentication. They allow different types of controls on the authentication process. If you’re unsure about which one best fits your needs, just ask us. On the user side, the connectors are compatible both with inWebo App-based and browser-based authenticators, while the LDAP proxy enforces App-based step-up authentication.

Over the years, our partners and our customers have implemented inWebo 2-factor solutions with PAM vendors including CyberArk, Wallix, Balabit, and probably many more since our connectors and LDAP proxy work out-of-the-box.

To implement inWebo MFA for PAM, you’ll simply need to create an inWebo account for your organization and to configure both this account and your PAM using one of the aforementioned methods. A step-by-step implementation documentation is available here. Our pre-sales and support engineers are here to help if you face any difficulty.

Why choose inWebo MFA?

Here are some reasons to prefer inWebo:

  • Vendor lock: inWebo MFA is not tied to any application vendor, it is universal and supports a lot of applications. Not only SaaS applications (including Office 365 and G Suite), but also VPN, remote access, SSO, CMS, Windows Logon. Moreover, with inWebo, users only need one authenticator.
  • Convenience: inWebo MFA supports smartphones as authenticators, but also computers, tablets, and browsers, thus making the whole process frictionless including for users who don’t have a smartphone or don’t want to install IT applications on their personal phone.