Trust starts with the desktop: Stay in compliance with high-assurance MFA

Or Finkelstein | February 26, 2024

Businesses issue employees laptops pre-installed with applications and security controls needed to access the company’s applications and data used to carry out their jobs. The workers log into these machines with a directory-joined username and password, establishing a baseline of trust between the machine and the company.  

Know the password, have the computer, and you’re in. Sounds good, except for the fact that passwords offer the weakest possible method of identity-proofing, so weak in fact that a second factor is required almost everywhere except the mission-critical desktop. The very machines that hold your vital business data have access to highly sensitive databases and make the most compelling targets for cyber opponents.

It is a hard pill to swallow, but the only thing separating an attacker from your crown jewels is an eight- or twelve-character secret that has proven to be easily exploited.

Why anchor trust from the start?

People start their workday by logging into their company-issued computers whether they’re in the office, at home, or on the road. This first login starts the cycle of trust. How much faith the business has in that trust is tied to the effectiveness of their identity-proofing. 

Having assurance that this first login is initiated by the person assigned to that computer is, or at least should be, absolutely essential. So:

Desktop MFA is a critical security control

Which means MFA has a problem. Passwords don’t meet the bar for high assurance, and they haven’t for a long time. Neither do MFA methods that send a one-time password (a 4- to 8-digit OTP code) over SMS or web-based email. These MFA methods are “weak plus weak,” leaving security teams searching for a quantum improvement that attackers can’t phish around.

Why passwordless MFA for desktops?

Passwordless MFA is an MFA that’s rooted in cryptography–not secrets. The vulnerable secret password – “what you know” – gets removed in favor of stronger criteria, “what you have” and “what you are,” to create higher-assurance MFA.

The single step of removing passwords benefits users, admins, and the business itself by slashing the attack surface, unburdening the workforce, and paying compelling business dividends. Users and admins both become more productive while the company buys down considerable cyber risk.

And, where other security controls add operational friction, doing away with user passwords improves security while also reducing friction. We know this is true because smartphone users experience the benefits of passwordless every day. No one wants to go back to the bad old days before the iPhone 5S, of having to enter six-digit passwords every time the phone times out. “What you are” and “what you have” is faster and more secure.

“Is it really you?”

Passwordless MFA eliminates most phishing and impersonation threats, but another element is required in desktop MFA to maintain an uncontested audit trail of who did what.

Verifying proximity to the desktop in question adds that extra level. The highest-assurance desktop MFA validates that the user, authenticator, and managed computer are physically together in one place. 

Verifying proximity stops insider collusion and prevents anyone else with physical access to a computer from logging into the machine. Hardware tokens, like device-bound passkeys with biometrics, also meet this criterion. The authenticator is physically plugged into the laptop, and the user provides a fingerprint to prove the computer, authenticator, and user are in one place. But, many businesses are reluctant to distribute hardware tokens as they add cost.  

The Octopus passwordless MFA accomplishes the same feat with mobile push. Proximity assurance is achieved through a cryptographically bound challenge/response over BLE between the desktop agent and mobile app. Combining that with the biometric test ensures the worker physically possesses the approved authenticator and the computer itself.
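The proximity check described above, written out as an added Go sketch (not Octopus code; the message layout, machine identifier and P-256 key type are assumptions): the desktop agent issues a nonce bound to its own identity, the phone signs it with a device-bound key, and the desktop rejects responses meant for another machine, replayed responses, and signatures from keys it never enrolled. The BLE transport itself is out of scope; challenge and signature are passed as Go values.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Challenge is what the desktop agent sends to the phone over BLE: a fresh nonce bound to this machine.
type Challenge struct {
	Nonce     [32]byte // fixed length, so Nonce||MachineID parses unambiguously
	MachineID string
}
func (c Challenge) digest() []byte { // the exact message the phone signs and the desktop verifies
	sum := sha256.Sum256(append(c.Nonce[:], c.MachineID...))
	return sum[:]
}
type Desktop struct { // agent state: after enrolment it stores only the phone's public key
	MachineID string
	PhonePub  *ecdsa.PublicKey
	seen      map[[32]byte]bool // nonces already accepted (replay guard)
}
// EnrollPhone stands in for enrolment: the phone generates a device-bound P-256 key (assumed curve).
func EnrollPhone() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
func NewDesktop(id string, pub *ecdsa.PublicKey) *Desktop {
	return &Desktop{MachineID: id, PhonePub: pub, seen: map[[32]byte]bool{}}
}
func (d *Desktop) NewChallenge() Challenge {
	c := Challenge{MachineID: d.MachineID}
	rand.Read(c.Nonce[:])
	return c
}
// PhoneRespond runs on the phone; the OS biometric prompt gates use of the key, which never leaves the device.
func PhoneRespond(priv *ecdsa.PrivateKey, c Challenge) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, c.digest())
}
// Verify accepts a response only if it targets this machine, is not a replay, and is signed by the enrolled key.
func (d *Desktop) Verify(c Challenge, sig []byte) error {
	switch {
	case c.MachineID != d.MachineID:
		return errors.New("challenge bound to another machine")
	case d.seen[c.Nonce]:
		return errors.New("replayed response")
	case !ecdsa.VerifyASN1(d.PhonePub, c.digest(), sig):
		return errors.New("signature invalid")
	}
	d.seen[c.Nonce] = true
	return nil
}
```

Because the signed message includes the machine identifier, a response captured for one laptop cannot be relayed to unlock another, and the nonce ledger blocks replay of a captured response against the same laptop.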

The option to use either high-assurance push or hardware tokens (or both) gives enterprises flexible choices for applying strong authentication based on what makes sense for each worker’s needs. For example, some physical work areas don’t allow smartphones, and some workers are unwilling to use their personal devices. No problem. Let these workers expense a low-cost self-service device-bound passkey token from Amazon. That said, research shows most people (73%) prefer mobile push over other authentication methods.

See a demo of desktop MFA with FIDO2 passkey here or Octopus mobile push here.

What about compliance requirements?

Government mandates, cyber insurance criteria, and security frameworks use their own tailored language, but most follow a similar pattern outlined below.

For example, NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems, applies to any business that gets money from the government (e.g., FAFSA HigherED, FDIC banking safety net), or that operates in regulated industries (e.g., critical infrastructure). NIST 800-171 states desktop MFA requirements succinctly in requirement 3.5.3:

“Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.”

That means privileged users must MFA into everything, including local access to desktops and servers, while regular users only have to MFA into remote and networked resources.

The CIS Critical Security Controls add more clarity in Control 6, Access Control Management:

  • 6.3 Require MFA for Externally-Exposed Applications Users 
  • 6.4 Require MFA for Remote Network Access Users 
  • 6.5 Require MFA for Administrative Access Users 

Both, in essence, say the same thing:

Companies meet the minimum requirements as long as IT Admins are required to use Desktop MFA.

An alternative view, based on risk, is outlined in NIST 800-63 (Digital Identity Guidelines). This guide grades the need for varying MFA assurance levels based on the potential harm a failed authentication might cause an organization and its stakeholders.

Rather than deriving requirements from business function, it applies the risk of authentication failure to the importance of the data accessed and the nature of the work being accomplished.

If we take this risk view and push it into the NIST 800-171 and CIS perspective, the concept of a privileged business user arises. If an imposter accessing your worker’s desktop can do moderate or severe harm, then a higher assurance MFA is required.

Securing shared accounts

Shared accounts fail every security, compliance, and cyber insurance test, yet they remain a common practice, even in most critical infrastructure industries. Why? Because shared accounts make some collaborative work more efficient. 

But now, instead of fighting the age-old battle between being secure and productive, IT leaders can leverage passwordless desktop MFA to close security gaps while keeping shift workers, IT admins, and other collaborative workflows moving at the speed of business.

See the demo of a secured shared account here.

Octopus passwordless MFA lets IT or the front-line manager orchestrate individual users’ access to shared accounts. Workers identify themselves through strong passwordless MFA methods, and the Octopus proxies the authentication to the shared account without users ever knowing the shared account password.

What about WHfB and Mac Touch ID?

Mac users love Touch ID, and so do I. But, just like Windows Hello for Business (WHfB) in a hybrid AD environment, these technologies are about user convenience: the password is used less often, but the setup is not passwordless. The user still creates, remembers, and periodically (if less frequently) types in their directory-synced password when the machine demands it or when accessing incompatible apps and services.

User experience improves when passwords are entered less often. But for security, rarely used passwords are the most dangerous: to be recalled when the machine demands them, they must either be simple to remember or be written down somewhere accessible.

Learn more about flexible, highest-assurance MFA

Desktop MFA is a critical security control on the path to zero-trust. Absolute assurance that the legitimate user is in control of managed assets should not be left to easily exploitable passwords or even weak MFA methods.  

Passwordless MFA is a technology that is here today and here to stay. The Octopus MFA platform works seamlessly with modern SSO apps, with password apps, and with existing identity infrastructure.

Schedule a demo or read the blog on “High-Assurance MFA for Enterprise” to get a better understanding of how Octopus lets you go beyond checking the MFA box to:

1. Improve compliance

  • NIST AAL3 desktop MFA: cryptographic and proximity assurance that binds the user, desktop, and authenticator, via mobile push or passkey token
  • Phishing-resistant MFA with Octopus mobile push or passkey token for web apps, remote access, and on-premise specialized and legacy apps.

2. Begin onboarding users in an hour and execute rollouts in days versus months for other solutions

3. Achieve enterprise-wide coverage with a fraction of the effort in a fraction of the time

One authentication workflow to access all work.

Learn more, start now

For more information about passwordless MFA, watch this short video to learn how you can get started in about an hour. Or, run an ROI calculation to see how much you can save within the first year.