MFA vendors, when, where and who to use

I've been selected to be part of a small team for a MFA project. The main reason for MFA is to secure Office 365. There could be another possibility for it, which is for VPN logins.

After a little site browsing, Duo Security and PingIdentity seem like good solutions. We have not spoken with either. One of the project team members is pushing very hard for Microsoft Azure MFA solution. A few of his reasons are its easy to setup, its microsoft and we want it for office 365, and you can put in a trusted IP range, so when users are in the office, they don't have to use the second factor.

The last point really has me wondering. I understand it can be annoying for a user to enter a 2nd factor every day, but with that setup, the guy sitting next to me can be an internal attacker, steal my password and use it as long as he's in the office. Maybe I'm overreacting but this doesn't seem very secure to me.

Also, when does it make sense to use MFA for windows logins? FWIW, we are not a government, health or financial company.

Any thoughts or suggestions/recommendations on this?

Find more posts tagged with

Comments

paul78

The use of MFA is a favorite topic of mine.

If you are thinking about Ping, I would recommend that you also check out Okta.

But that said - if you are mostly a Microsoft shop and you don't need federated authentication into other SaaS applications - I personally would recommend that you just use the Microsoft solution.

Your concern about setting up a trusted network and disabling MFA is unfounded, you don't have to disable MFA. We don't. It's a feature that is offered by O365 and GSuite to restrict access as an additional feature.

As for using MFA for Windows logins - that depends largely on your risk tolerance. I assume that you realize that implementing MFA on endpoints makes sense only after you already enforce hard-disk encryption on your endpoints. Personally, I use a Yubikey for MFA onto my Windows laptop.

Also - if you intend to integrate LDAP auth into your VPN as you implied, I think that using a Microsoft solution could be simpler - but someone else would need to comment.

mnashe

Thank you for responding. What's the benefit of Okta over Ping?

paul78 wrote: »

Your concern about setting up a trusted network and disabling MFA is unfounded, you don't have to disable MFA. We don't. It's a feature that is offered by O365 and GSuite to restrict access as an additional feature.

As for using MFA for Windows logins - that depends largely on your risk tolerance. I assume that you realize that implementing MFA on endpoints makes sense only after you already enforce hard-disk encryption on your endpoints. Personally, I use a Yubikey for MFA onto my Windows laptop.

Not sure I follow. I'm not saying disable? My team member is recommending the Microsoft solution because there is an option to add a trusted IP, and then when users are in the office, they won't get prompted for MFA. I guess I was asking what everyone thinks of this? I understand the convenience, but to me, it takes away from the security, as internal attacker can easily login as me if they get my password. Is it common to set it up this way?

Also, the one thing I don't like about Microsoft MFA is that there is no way to disable SMS as a backup method. While SMS MFA is better than nothing, from what I've read it's not recommended to use. I'm no security pro, so I can be wrong.

I see what you're saying about full disk encryption, but not sure that's the only reason it makes sense. At my company, nobody is allowed to save files locally. However, we use have VPN software set to login before windows. If a laptop is stolen and the password is found, without MFA, the person would have access to our network. In my environment, I don't think MFA for endpoints is truly needed, but I was curious what others do

paul78

mnashe wrote: »

What's the benefit of Okta over Ping?

No particular reason other than it's a good competitive product with Ping. And I always feel that you ought to POC at least 2 solutions to see what's better for your use-case. I do tend to run into Okta more often though and it seems to be simpler to implement for smaller enterprises - although I know a few CISO's that use it in their large enterprises.

mnashe wrote: »

Not sure I follow. I'm not saying disable? My team member is recommending the Microsoft solution because there is an option to add a trusted IP, and then when users are in the office, they won't get prompted for MFA. I guess I was asking what everyone thinks of this? I understand the convenience, but to me, it takes away from the security, as internal attacker can easily login as me if they get my password. Is it common to set it up this way?

Ahh, I misunderstood your original comment. I have seen setups where MFA is disabled if there is a trusted network. But I'm not a big fan of that practice, especially if access to the network isn't secured with NAC controls. The convenience benefit isn't really a good argument unless there is some sort of culture clash and this can be a good way to introduce MFA into an organization that traditionally has weaker security culture.

mnashe wrote: »

Also, the one thing I don't like about Microsoft MFA is that there is no way to disable SMS as a backup method. While SMS MFA is better than nothing, from what I've read it's not recommended to use. I'm no security pro, so I can be wrong.

I believe that you can disable self-service password reset. I have to check but I think we looked at it recently. https://support.office.com/en-us/article/let-users-reset-their-own-passwords-in-office-365-5bc3f460-13cc-48c0-abd6-b80bae72d04a

mnashe wrote: »

At my company, nobody is allowed to save files locally. However, we use have VPN software set to login before windows. If a laptop is stolen and the password is found, without MFA, the person would have access to our network. In my environment, I don't think MFA for endpoints is truly needed, but I was curious what others do

Do you actually have a technical control that prevents someone from saving files locally? I'm curious how you accomplish that. Given your use-case, I would agree that MFA for endpoints may be unnecessary. We use it because we are very small and it's not difficult to implement because of our size.

mnashe

Thanks for the additional reply, now I follow you. I'll check out Okta too. I agree, there should be multiple vendors involved.

This is the Microsoft MFA that I was referring to. This does pretty much disable MFA for users behind these whitelisted IPs. I don't think it's the way to go, but there's a big push for it
https://cloudblogs.microsoft.com/enterprisemobility/2014/04/25/enhancing-azure-mfa-with-contextual-ip-address-whitelisting/

Not my area, but from what I was told, for the technical control, we just redirect profile folders to a network share and change permissions on root of C: drive. We've always redirected profile folders, but recently have tried the permissions changes on the root with new deployments. It's still in test mode.