Introduction
GuardianKey Auth Bastion Enterprise is an innovative and robust solution for advanced protection of access to web systems, designed especially for corporate environments, government institutions, and critical infrastructures, where authentication security is essential.
Its main purpose is to provide an additional security layer based on multi-factor authentication (MFA), without requiring changes to the source code of the protected system. This is made possible through an authentication bastion, which acts as an intelligent reverse proxy between the user and the target system.
The Problem with Traditional Authentication
Authentication based solely on static identifiers (such as email, CPF, or username) and passwords has proven to be highly vulnerable to modern cyber threats. The main risks include:
- Phishing: social engineering attacks that trick users into revealing their credentials.
- Credential leaks: data obtained by attackers in previous incidents is reused to compromise new systems.
- Brute force and dictionary attacks: automated login attempts with different password combinations.
- Man-in-the-Middle (MitM): interception of communications between client and server.
- Authentication denial-of-service attacks: mass login attempts overload servers, causing downtime.
- Legacy systems: often rely on plaintext authentication, weak password hashing, or outdated standards, making them easy targets.
According to the Verizon 2023 Data Breach Investigations Report (DBIR), 36% of successful attacks involved phishing techniques. This highlights the fragility of traditional authentication models in the face of increasingly sophisticated attacks.
Challenges in Adopting MFA in Legacy Systems
Multi-factor authentication (MFA) has been strongly recommended by entities such as:
- CIS Controls (TCU)
- PCI DSS
However, its implementation faces several obstacles, especially in legacy or critical systems, such as:
- Unavailable source code for modification.
- Old architectures and incompatibilities with modern libraries.
- High adaptation costs, both technical and financial.
- Regulatory requirements that prevent changes to the original system.
- User experience (UX) issues, leading to resistance.
- Complex MFA key management and insecure storage in databases of already vulnerable systems.
These challenges create significant barriers to adopting secure authentication mechanisms, especially in mission-critical environments.
What GuardianKey Auth Bastion Enterprise Solves
GuardianKey Auth Bastion Enterprise was developed to overcome the limitations mentioned above. Its reverse proxy-based architecture allows it to act as a "security bastion", performing second-factor validation before the original system is accessed. This way, the protected system remains unchanged.
Problems the solution solves:
- ✅ MFA implementation without the need to change code in legacy systems.
- ✅ Second-factor validation before the original authentication, protecting even against attacks targeting the login form.
- ✅ Compatibility with legacy and modern systems.
- ✅ Isolation and external management of second-factor credentials, preventing the original application from accessing or storing this data.
- ✅ Flexibility in second-factor methods, including:
  - TOTP (Time-based One-Time Password)
  - Email tokens
  - SMS tokens
  - Integration with external notification services
- ✅ Reduction of phishing and brute force attack risks.
- ✅ Easy integration with protected system APIs to obtain emails or identifiers.
- ✅ Intelligent observation mechanism that analyzes the authentication response from the original system, allowing dynamic second-factor enrollment.
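To make the gating described above concrete, the following is an added illustration, not GuardianKey's own code: a minimal RFC 6238 TOTP verifier plus the decision logic a reverse-proxy bastion would run on each inbound request, keeping second-factor secrets outside the protected application and verifying the second factor before the login is forwarded. The request dictionary shape, the `BastionGate` class, the heuristic that a redirect away from the login page signals a successful first-factor login (used for dynamic enrollment), and the sample secret are all assumptions made here.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # TOTP time step (RFC 6238 default)
DIGITS = 6          # code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step)


def verify_totp(secret: bytes, submitted: str, at_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps (clock drift).
    Every candidate is compared in constant time; no early exit on a match."""
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == DIGITS):
        return False  # reject malformed input before any comparison
    base = at_time // STEP_SECONDS
    matches = [hmac.compare_digest(hotp(secret, base + d), submitted)
               for d in range(-window, window + 1)]
    return any(matches)


class BastionGate:
    """Per-request decision logic of the bastion (assumed design, not the product's).
    Second-factor secrets live here, never in the protected application, and the
    bastion keeps its own session state, independent of the upstream app's cookies."""

    def __init__(self, secrets_by_user: dict, login_path: str = "/login"):
        self._secrets = dict(secrets_by_user)   # assumption: external secret store
        self._login_path = login_path
        self._verified_sessions = set()
        self.pending_enrollment = set()

    def decide(self, request: dict, now: int) -> str:
        """Return one of: 'forward'   - pass the request to the protected system
                           'challenge' - unauthenticated; show the bastion login page
                           'deny'      - second factor failed; do not forward
                           'observe'   - user has no second factor yet; forward the
                                         first-factor login and inspect the reply
        `request` keys (constructed shape): path, session, user, otp."""
        session = request.get("session")
        if session in self._verified_sessions:
            return "forward"
        if request.get("path") != self._login_path:
            return "challenge"
        secret = self._secrets.get(request.get("user"))
        if secret is None:
            return "observe"
        # Second factor is checked BEFORE the original login form ever sees the request.
        if verify_totp(secret, request.get("otp", ""), now):
            self._verified_sessions.add(session)
            return "forward"
        return "deny"

    def observe_upstream(self, session: str, user: str, status: int, location) -> str:
        """Observation step for unenrolled users. Assumption: the legacy system answers a
        successful login with a redirect away from its login page; on success the session
        is flagged for dynamic second-factor enrollment instead of being trusted outright."""
        success = status in (301, 302, 303) and bool(location) \
            and not str(location).startswith(self._login_path)
        if success and user not in self._secrets:
            self.pending_enrollment.add(session)
            return "enroll"
        return "rejected"

    def enroll(self, user: str, secret: bytes) -> None:
        """Store a freshly provisioned TOTP secret for `user` (bastion-side only)."""
        self._secrets[user] = secret


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 reference secret and a fixed clock value.
    SECRET = b"12345678901234567890"
    gate = BastionGate({"alice": SECRET})
    print(gate.decide({"path": "/app", "session": "s1"}, 59))                       # challenge
    print(gate.decide({"path": "/login", "session": "s1", "user": "alice",
                       "otp": totp(SECRET, 59)}, 59))                               # forward
    print(gate.decide({"path": "/login", "session": "s2", "user": "bob"}, 59))      # observe
    print(gate.observe_upstream("s2", "bob", 302, "/dashboard"))                    # enroll
```

The `verify_totp` window of one step on each side is the usual compromise between clock drift and replay exposure; a production bastion would additionally remember the last accepted counter per user so a code cannot be reused within its window, and would apply rate limiting to `deny` results.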
Solution Benefits
- 🔐 High security with multi-factor authentication before the original system.
- 🛠️ No need to modify the protected system's source code.
- ⚙️ Easy deployment, ideal for critical environments.
- 🧩 Compatibility with heterogeneous systems and varied architectures.
- 📉 Significant reduction in operational costs for MFA adoption.
- 👤 Improved end-user experience, with a clear interface and support for multiple authentication channels.
- 🌐 Corporate scalability, with the possibility of using a single bastion instance for multiple systems.
Conclusion
Given the increasing complexity and volume of cyberattacks, combined with the difficulty of adapting old systems to modern security standards, GuardianKey Auth Bastion Enterprise positions itself as a strategic, secure, efficient, and cost-effective solution to ensure the integrity of the authentication process in any environment.
The proposal of an external authentication bastion, fully decoupled from the protected application, represents a significant advancement in applying second-factor authentication to legacy systems, enabling its adoption without reengineering and with maximum protection.