MFA vendors, when, where and who to use
I've been selected to be part of a small team for an MFA project. The main reason for MFA is to secure Office 365. There could also be another use for it, which is VPN logins.
After a little site browsing, Duo Security and PingIdentity seem like good solutions. We have not spoken with either. One of the project team members is pushing very hard for the Microsoft Azure MFA solution. A few of his reasons are: it's easy to set up, it's Microsoft and we want it for Office 365, and you can put in a trusted IP range, so when users are in the office they don't have to use the second factor.
The last point really has me wondering. I understand it can be annoying for a user to enter a second factor every day, but with that setup, the guy sitting next to me can be an internal attacker, steal my password and use it as long as he's in the office. Maybe I'm overreacting, but this doesn't seem very secure to me.
Also, when does it make sense to use MFA for Windows logins? FWIW, we are not a government, health or financial company.
Any thoughts or suggestions/recommendations on this?
Comments
-
paul78 (Member, Posts: 3,016):
The use of MFA is a favorite topic of mine.
If you are thinking about Ping, I would recommend that you also check out Okta.
But that said - if you are mostly a Microsoft shop and you don't need federated authentication into other SaaS applications - I personally would recommend that you just use the Microsoft solution.
Your concern about setting up a trusted network and disabling MFA is unfounded; you don't have to disable MFA. We don't. It's a feature that is offered by O365 and GSuite to restrict access, as an additional feature.
As for using MFA for Windows logins - that depends largely on your risk tolerance. I assume that you realize that implementing MFA on endpoints makes sense only after you already enforce hard-disk encryption on your endpoints. Personally, I use a Yubikey for MFA onto my Windows laptop.
Also - if you intend to integrate LDAP auth into your VPN as you implied, I think that using a Microsoft solution could be simpler - but someone else would need to comment. -
mnashe (Member, Posts: 136):
Thank you for responding. What's the benefit of Okta over Ping?

> Your concern about setting up a trusted network and disabling MFA is unfounded, you don't have to disable MFA. We don't. It's a feature that is offered by O365 and GSuite to restrict access as an additional feature.
> As for using MFA for Windows logins - that depends largely on your risk tolerance. I assume that you realize that implementing MFA on endpoints makes sense only after you already enforce hard-disk encryption on your endpoints. Personally, I use a Yubikey for MFA onto my Windows laptop.
Not sure I follow. I'm not saying to disable it. My team member is recommending the Microsoft solution because there is an option to add a trusted IP, and then when users are in the office, they won't get prompted for MFA. I guess I was asking what everyone thinks of this? I understand the convenience, but to me, it takes away from the security, as an internal attacker can easily log in as me if they get my password. Is it common to set it up this way?
Also, the one thing I don't like about Microsoft MFA is that there is no way to disable SMS as a backup method. While SMS MFA is better than nothing, from what I've read it's not recommended to use. I'm no security pro, so I can be wrong.
I see what you're saying about full disk encryption, but I'm not sure that's the only reason it makes sense. At my company, nobody is allowed to save files locally. However, we have VPN software set to log in before Windows. If a laptop is stolen and the password is found, without MFA, the person would have access to our network. In my environment, I don't think MFA for endpoints is truly needed, but I was curious what others do -
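To make the trusted-IP question concrete, here is an added example that is not part of the thread and is not Microsoft's code: a small policy simulator that models three ways of treating the office range and runs a handful of constructed sign-in events through each. The office CIDR, the user names and the events are all made up for the example; the policy functions are a simplification of conditional-access style rules, not the real Azure MFA implementation.

```python
"""Simulate what a stolen password buys an attacker under three MFA policies.

Constructed example (not the thread's or Microsoft's code). The IP ranges,
sign-in events and the "policy" functions are simplified models chosen to
illustrate the trusted-IP trade-off discussed in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Assumed office range for the example; documentation-only address space.
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class SignIn:
    label: str
    source_ip: str
    password_ok: bool        # does the actor know the account password?
    second_factor_ok: bool   # could the actor satisfy an MFA prompt?
    device_compliant: bool   # is the device managed and compliant (e.g. encrypted)?


def in_trusted_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES)


def policy_trusted_ip_skip(s: SignIn) -> str:
    """The proposal in the thread: MFA everywhere except the whitelisted
    office range, where the password alone is enough."""
    if not s.password_ok:
        return "deny"
    if in_trusted_range(s.source_ip):
        return "allow"                      # no second factor requested
    return "allow" if s.second_factor_ok else "deny"


def policy_mfa_always(s: SignIn) -> str:
    """Require the second factor from every location."""
    if not s.password_ok:
        return "deny"
    return "allow" if s.second_factor_ok else "deny"


def policy_trusted_ip_plus_device(s: SignIn) -> str:
    """Middle ground: skip the prompt on the office range only when the
    sign-in also comes from a compliant managed device."""
    if not s.password_ok:
        return "deny"
    if in_trusted_range(s.source_ip) and s.device_compliant:
        return "allow"
    return "allow" if s.second_factor_ok else "deny"


POLICIES = {
    "trusted_ip_skip": policy_trusted_ip_skip,
    "mfa_always": policy_mfa_always,
    "trusted_ip_plus_device": policy_trusted_ip_plus_device,
}

# Constructed sign-in events. The "insider" cases model the colleague at the
# next desk who has learned the user's password but holds no second factor.
EVENTS = [
    SignIn("user_in_office", "203.0.113.45", True, True, True),
    SignIn("user_from_home", "198.51.100.7", True, True, True),
    SignIn("insider_office_own_laptop", "203.0.113.90", True, False, False),
    SignIn("insider_office_users_pc", "203.0.113.45", True, False, True),
    SignIn("outsider_internet", "198.51.100.23", True, False, False),
    SignIn("outsider_wrong_password", "203.0.113.90", False, False, False),
]


def evaluate(policy_name: str) -> Dict[str, str]:
    """Decision for every event under the named policy."""
    policy = POLICIES[policy_name]
    return {e.label: policy(e) for e in EVENTS}


def password_only_compromises(policy_name: str) -> List[str]:
    """Events where an actor holding only the password is allowed in."""
    policy = POLICIES[policy_name]
    return [e.label for e in EVENTS
            if e.password_ok and not e.second_factor_ok and policy(e) == "allow"]


if __name__ == "__main__":
    for name in POLICIES:
        print(f"{name:24s} password alone succeeds for: "
              f"{password_only_compromises(name)}")
```

Running it shows the point both sides of the thread are making: with the trusted-IP exclusion, both insider events get in on the password alone; requiring MFA everywhere stops both; adding a device-compliance condition to the exclusion stops the insider on their own laptop but not the one who signs in from the victim's own managed PC, which is the caveat to keep in mind if the team settles on a location-based exclusion.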
paul78 (Member, Posts: 3,016):
> What's the benefit of Okta over Ping?
> Not sure I follow. I'm not saying disable? My team member is recommending the Microsoft solution because there is an option to add a trusted IP, and then when users are in the office, they won't get prompted for MFA. I guess I was asking what everyone thinks of this? I understand the convenience, but to me, it takes away from the security, as internal attacker can easily login as me if they get my password. Is it common to set it up this way?
> Also, the one thing I don't like about Microsoft MFA is that there is no way to disable SMS as a backup method. While SMS MFA is better than nothing, from what I've read it's not recommended to use. I'm no security pro, so I can be wrong.
> At my company, nobody is allowed to save files locally. However, we use have VPN software set to login before windows. If a laptop is stolen and the password is found, without MFA, the person would have access to our network. In my environment, I don't think MFA for endpoints is truly needed, but I was curious what others do
-
mnashe (Member, Posts: 136):
Thanks for the additional reply, now I follow you. I'll check out Okta too. I agree, there should be multiple vendors involved.
This is the Microsoft MFA feature that I was referring to. This does pretty much disable MFA for users behind these whitelisted IPs. I don't think it's the way to go, but there's a big push for it.
https://cloudblogs.microsoft.com/enterprisemobility/2014/04/25/enhancing-azure-mfa-with-contextual-ip-address-whitelisting/
Not my area, but from what I was told, for the technical control we just redirect profile folders to a network share and change permissions on the root of the C: drive. We've always redirected profile folders, but recently have tried the permission changes on the root with new deployments. It's still in test mode.