Using MFA to Protect Remote Workers Across the VPN

Don Shin | November 29, 2023

When the workforce went home back in 2020, IT’s first challenge was scaling virtual private networks (VPNs) to support most if not all the company’s employees—a feat they accomplished virtually overnight. Extending existing VPNs allowed masses of remote workers to connect to onsite computers, applications, and databases via private, encrypted channels to keep businesses going.

Next came Challenge Number 2—bolstering VPN security to meet the unprecedented scale and plug new gaps. A large percentage of authentication still takes place remotely, often from personal devices connecting to VPNs via Wi-Fi networks shared by entire households.

Now, for many businesses, their digital crown jewels are only separated from attackers by VPN logins that traverse the internet. Businesses need 100% assurance that remote access requests are coming from authorized users and IT-managed workstations–i.e., strong authentication is a must (watch this video on high assurance authentication).

With users, devices, and multiple networks all representing prime targets for attackers, multi-factor authentication (MFA) became “table stakes” for strong authentication. BUT: MFA that uses passwords proves inadequate with users still getting phished and impersonated too easily, and far too often.

This blog will look at how you can implement MFA to give IT powerful centralized controls and protect VPN users from risk on multiple fronts.

Why VPNs became prime targets for cyberattacks

Back when only a few employees routinely connected in from the road, people logged into VPNs using standard username/password combinations. So long as it was just a few users, the fact that compromised credentials lead to a vast majority of breaches presented IT with a manageable risk.

Now, the fact that passwords routinely get lost, leaked, forgotten, and stolen poses a huge problem. Not to mention the explosion of “services” selling credentials on the dark web.

How big is the risk?

Suffice to say hackers might as well set up shop inside the building. A set of active VPN credentials equates to a shiny new set of keys that usher them past the firewall and other perimeter security undetected. Once inside the castle walls, they can usually deposit and later explode malware, or gain higher privileges and start moving laterally toward highly privileged systems before triggering attention. 

Companies know they can’t afford to let VPNs remain a major weak link in the security chain for long.

MFA up-levels remote workforce security

The simple step of making it harder to log onto the VPN goes a long way in frustrating hackers. So, most companies rolled out some form of two-factor authentication (2FA) during the pandemic, if they hadn’t done so already, and 2FA evolved into what we now call MFA to create even stronger authentication. 

2FA/MFA helps to prevent compromised credentials from being used by unauthorized parties to gain initial access. Initially, IT accomplished this by sending texts or emails with one-time passcodes (OTPs) to the authorized user that they could enter when prompted to verify their identity. The thinking being: if the attacker doesn’t have access to the right phone or email account, they won’t be able to finish the authentication process.  

Many solutions add different pillars of identity verification on top of the traditional “something users know,” namely their passwords. OTPs and push notifications to approve authentication requests added “something users have,” namely the right phone or email account. Some solutions use stronger forms of something users have like X.509 smartcards, hardware-based security tokens, USB-type devices. 

Today’s MFA continues to evolve to keep pace with digitalization—and more importantly—sophisticated cyberattacks. Many methods now include biometrics – fingerprint, voice, and iris scanning – added the third and significantly more secure dimension of “what or who users are.” 

MFA lessens the risk of compromised credentials leading to a breach considerably, so standards like PCI and HIPAA began requiring organizations to implement MFA to safeguard the process of logging in via VPNs. MFA strengthens authentication and provides unified use case coverage for logging into the VPN as well as to SaaS- and cloud-based services used for collaboration and file sharing. 

But . . .

VPNs pose unique challenges for MFA

For one thing, with so many users working remotely for good, VPN access needs to be fast and easy. In general, MFA as we know it falls into the “annoying” category. With too many steps or multiple devices to juggle, users might waste up to 5% of their workday just logging into things.

Too long.

VPNs can’t have gaps in use case coverage

Traditional MFA works best with web-based applications. Once you get past the sign-in screens, VPNs specifically are not inherently web apps. 

Remote users need secure access to lots of different things—desktops, IDP portals, legacy or custom apps, cloud/SaaS services—either from or in addition to the VPN. Web-based MFA doesn’t work with many critical business services and systems that run legacy or specialized networking protocols such as RADIUS. 

These “exceptions” are quite common and may leave dangerous gaps in VPN security if access cannot be secured well by MFA.

MFA should adapt to users—not the other way around

Every user’s situation is different, especially in remote work scenarios. Faced with urgent pressure to tighten controls, IT needs solutions that balance security and compliance requirements with user experience (UX). 

Whatever mode of MFA you choose should accommodate individual VPN users’ risk levels and preferences for being contacted. An “adaptive” MFA solution lets IT apply and automate policies for secondary authentication tailored to a broad range of user and application needs, including VPNs. 

Adaptive MFA uses contextual data to decide which factors should be used to verify identity in any given situation. Often combined with single sign-on (SSO), adaptive MFA automates sequential steps for authentication based on rules set by IT around a range of logical factors:

  • Geo-location
  • Thresholds for failed login attempts
  • Device type  
  • Time/date
  • User authorization and requested actions 
  • IP address

IT wins, too

The flexibility of adaptive MFA suits both users and IT. Users get the same or similar login experience at work, from home, and from the road. IT gets to step up or relax controls accordingly. 

The right adaptive MFA solution creates a win-win, but industry influencers like the Cybersecurity & Infrastructures Security Agency (CISA) in the U.S. have come to realize that, adaptive or not, traditional MFA is not enough.

Most MFA can’t stop phishing

Why isn’t MFA as we know it enough? Because it won’t always stop phishing.

Why can’t it stop phishing 100% of the time? More often than not, it’s because the authentication process still starts with users entering credentials. 

Governments and regulators increasingly view MFA as a critical milestone on the road to a Zero Trust security posture. But, the Cybersecurity and Infrastructure Security Agency (CISA) writes:

Not all forms of MFA are equally secure. Some forms are vulnerable to phishing, “push bombing” attacks, exploitation of Signaling System 7 (SS7) protocol vulnerabilities, and/or SIM Swap attacks. These attacks, if successful, may allow a threat actor to gain access to MFA authentication credentials or bypass MFA and access the MFA-protected systems.

Phishing-resistant MFA is the gold standard for MFA. See the Phishing-Resistant MFA Implementations section for more information. CISA strongly urges system administrators and other high-value targets to implement or plan their migration to phishing-resistant MFA. 

While authorities are yet to stipulate that phishing-resistant MFA must be passwordless, industry leaders like Google, Microsoft, and Apple are heading there on their own, particularly in remote access situations.

 Removing passwords reduces risk and Double Octopus created a suite of phishing-resistant features that enhance protection against modern attacks on remote user login.

Benefits of passwordless MFA to VPN users

Passwordless MFA: 

  • Secures VPNs against phishing (and everything that comes after) by effectively taking away the bait, i.e., user credentials that can be impersonated or shared.  The addition of biometrics as a primary factor ensures that only the authentic user has remote access. 
  • Eliminates password-driven help desk calls that account for about 40% of all calls
  • Pays for itself within one year through streamlining authentication, buying down risk, and lessening the burden on IT

How it works

Most of the time when users authenticate into the VPN from a PC, the passwordless MFA solution sends push notifications to the users’ registered mobile device. The user presents their biometrics and taps “OK” and they’re in. Once they’re on the VPN, they can log into SSO SaaS portals and other services using this same simple process – hit enter, tap OK. 

While the push notifications function similarly to SMS-based OTPs, tapping yes or no takes less time than juggling devices and applications to open and copy or type in 6-digit PINs. Saving even a few seconds a time adds up when vast numbers of users authenticate into countless apps and services all day long.

How you get there matters

In terms of how you should implement phishing-resistant MFA, CISA specifies two approaches:

  • FIDO/ WebAuthn authentication which predominately works only for web-based services
  • Public key infrastructure (PKI)-based solutions which CISA acknowledges are not widely available

Secret Double Octopus supports both FIDO and PKI but offers a third option that strikes the balance between urgency, use case coverage, and user experience. This win-win-win gets created by doing all four critical things:

  • De-coupling back-end directory infrastructures from user authentication – Passwordless MFA doesn’t use passwords but custom or legacy applications and password-centric directories still can in the backend
  • Using push notifications (users love these) to streamline and secure authentication
  • Choosing adaptive MFA to suit individual styles and situational security challenges
  • Cryptographic key-pair pinning user devices directly to applications so devices can become trusted without users ever having to set, enter, or rotate passwords 

With these capabilities, the Octopus platform lets MFA resist both classic phishing and more sophisticated man-in-the-middle (MITM) attacks that put users at risk.

Learn more, start now

For more information about passwordless MFA, watch this short video to learn how you can get started in about an hour. Or, run an ROI calculation to see how much you can save within the first year.