Critical Infrastructure Can Skip Traditional MFA for Passwordless MFA

Don Shin | September 7, 2022

Critical infrastructure industries face fast-approaching deadlines to prove they meet MFA mandates organization-wide with 72-hour incident disclosure timelines. Although the Biden executive order calling out MFA by name caught the headlines, it’s happening globally with the UK, Australia, and other governments stepping up regulatory mandates similar to the EU’s Network and Information Security Directive (NIS2).

MFA coverage is the highest priority highlighted in the implementation guides for these regulations. The "MFA everywhere" requirement challenges the agencies and businesses under critical infrastructure mandates because their operations are filled with custom and legacy applications that are difficult to modify or replace. And in many of these entities, the mission-critical infrastructure runs on air-gapped islands with no external connectivity or only limited remote access.

Unfortunately, traditional MFA doesn't work in air-gapped environments, because it requires communication over the internet. Alternatively, legacy smart card approaches have proven too expensive and inflexible to keep pace with the workforce velocity needed in today's competitive markets and against aggressive cyber extortionists.

Today, it isn’t enough to check the MFA box with partial coverage. Post-incident investigators, cyber insurance auditors, and attackers will inevitably discover gaps, including access to and within the air-gapped islands.

What is required is a modern MFA approach that protects the operational crown jewels housed in air gaps and that also extends to the MFA needs of the corporate workforce.

Why Passwordless MFA

First, passwordless MFA is MFA. It uses the more reliable "what you have" and "what you are" elements of identity proofing to form strong authentication. By eliminating user-typed passwords from authentication, passwordless MFA breaks the dysfunction of making users the password administrators. After all, the user creates the password and is the protector of that password. Unfortunately, identity and security administrators play only a supporting role in this security train wreck of a workflow that we have trekked for decades.

Instead, passwordless MFA relieves the user from creating, typing, or exposing passwords, because, done right, the user never knows the password. Unfortunately, many claims of "passwordless" are really "less often typed" passwords, as the user still has to create and remember an infrequently used password (e.g., Windows Hello for Business, SSO). When users are truly removed from password management, secrets are in the hands of the administrators, where they belong.

This simple act of removing the user from password management dramatically impacts organizations. First, users are happier and more productive with a streamlined login that doesn't require remembering and typing passwords. For the identity and security administration team, the gains are even more significant, including:

  • Security risk is dramatically reduced.
  • Time-draining password reset help desk support tasks are eliminated.
  • Month-long password rotation projects become a simple click of the mouse in the backend directory services.
  • Secret management stays with identity administration.

Passwordless MFA in Air Gap Islands

Many critical infrastructure organizations struggle to extend MFA into the IT infrastructure that supports their OT environments. Unfortunately, MFA mandates don't grant exemptions for hard-to-implement parts of the infrastructure. Furthermore, because downtime is so costly, these OT environments have heavily restricted and, in some cases, no connectivity to the internet or corporate networks. This makes traditional MFA difficult to implement in these air-gapped environments.

Note how traditional MFA works: it first requires the user to type a user name and password. Then a one-time code is sent over the internet by email or mobile text message. Once received, the user types in the six-digit code as the second factor. Nearly 70% of MFA is accomplished this way.

Interestingly, the air gap islands are ideal places for passwordless login. In many of these environments it is hard for people to free up two hands to type complex 12-digit passwords with an upper case letter, a number, and a special character. Relief from these dexterous tasks would be welcome for mission-critical specialists working on time-critical, error-intolerant, and potentially life-threatening tasks.

Passwordless MFA supporting air gap islands should include two types of access:

Passwordless MFA in the air gap: The modern approach uses FIDO2 keys from companies like Feitian and Yubico together with passwordless MFA authentication applications deployed on-premises alongside the local directory inside the air gap. These systems are self-contained and require no external communications.

Passwordless MFA to the air gap: For many organizations, remote desktop services (RDS) are a required compromise between security and productivity. Absolute isolation, for example, may not be practical, especially for IT administrators who may be thousands of miles away from a physically locked-down factory. Adding strong authentication to Remote Desktop Protocol (RDP) and Virtual Desktop Infrastructure (VDI) access to the air gap enhances productivity with acceptable security.

SDO Passwordless MFA for Critical Infrastructure

Secret Double Octopus (SDO) passwordless MFA is an industry-proven solution for both air gap and corporate environments. The on-premises deployment of the Double Octopus platform works in closed air gap systems for local and remote workers. For corporate environments, customers can self-manage on-premises or leverage the speed and scaling of the Double Octopus Cloud.

Our critical infrastructure customers chose Double Octopus authenticators because they get passwordless MFA that works with their existing network, directories, and authentication methods for their business applications (e.g., LDAP, RADIUS).

Unlike other passwordless MFA vendor systems, with SDO you focus on adding passwordless MFA to your organization, not on rearchitecting your infrastructure, punching holes in firewalls, or rewriting critical applications to meet MFA mandates.

These capabilities translate to the following:

  • Delight users with a passwordless MFA workflow.
  • Close MFA compliance gaps without passwords.
  • Provide evidence of strong authentication organization-wide to regulators, auditors, and cyber insurance adjusters.
  • Realize passwordless MFA security and productivity gains quickly and without friction, using your existing identity infrastructure.

Learn more about how to bring passwordless MFA to your critical infrastructure: