Why Passwordless Desktop MFA Is Critical for Organizational Security

Pen Michael Rothschild, VP of Product Marketing, HYPR

Clock 6 Min. Read | June 7, 2022

Most authentication and authorization systems are geared toward controlling access to enterprise systems and services. While this is understandable, it overlooks one glaring vulnerability: the endpoints to those networks. Single sign-on (SSO) solutions, for example, focus on authenticating users to access corporate applications and websites. Access to the endpoint itself (laptop, desktop or workstation being used to access those company assets) is protected with only a passcode — in other words, virtually defenseless. Devices with a biometric login setup, such as TouchID or Windows Hello, are just as vulnerable since a password or PIN is the backup and biometrics simply serve a convenience function.

Even organizations that implement strict multi-factor authentication (MFA) protocols often neglect MFA into the desktop, leaving the front door to their IT resources unlocked. Security teams can significantly harden defenses overall by enabling MFA on desktops and other endpoints.

What Is Desktop MFA?

Desktop multi-factor authentication protects access to the endpoints themselves. Sometimes referred to as device-based MFA, it requires that users prove their identity through two or more authentication factors during workstation, server, VPN and VDI logins. These factors can include something they are (face or retina scan) or something they have (an authentication key or out-of-band device). This significantly reduces the risk of unauthorized entry to the endpoint and all the corporate assets that device is able to access.

Note that in traditional desktop MFA, a password — and all its vulnerabilities – remains part of the authentication process. This approach generally requires two separate steps: entering the passcode and then authenticating separately through a one-time password (OTP) SMS or push notification. Passwordless desktop MFA, on the other hand, completely removes the password and shared secrets from the process and authenticates to the desktop using multiple factors in a single flow.

Why Desktop MFA Is Important

The assets that can be potentially compromised if an attacker gains access to an endpoint make desktop MFA essential. These include:

  • System and other apps that don’t require authentication as they presume the legitimate endpoint owner is the current user. This is especially the case where strong MFA has not been enforced company-wide and also affects web access where passwords are stored in the browser cache or password manager.
  • Critical data that may be stored locally on a user’s desktop, laptop or workstation, either for convenience or in cases where cloud access is not guaranteed. This data may be very valuable, including client lists, sales leads, sensitive financial data, IP or other trade secrets.
  • Password lists in a spreadsheet or Word doc. Unfortunately, this glaring security mistake is still surprisingly common
  • Communication apps on a device, such as WhatsApp, Slack or Discord, can be used to elevate attacks and normally won’t press for further authentication once the device is accessed.

These resources and directly connected apps and services need to be protected. Not just from outside threats but from malicious insiders looking to steal valuable intellectual property or data, or gain privileged access to corporate systems and data beyond their permission levels.

Remote Working Has Accelerated Need for Desktop MFA

The sudden shift to working from home during the pandemic, which hasn’t fully reverted to the previous status quo and may never do so, exposed major security gaps around endpoint access. Suddenly, the majority of an organization’s workforce were accessing corporate assets from wholly unsecured environments outside the standard perimeter of enterprise cybersecurity defenses. 

Not only are employees now working from coffee shops, public Wi-Fi or home networks shared with many others, but their remote work habits often display a critical lack of security awareness. A survey of 3,000 remote office workers and IT professionals found that people continuously re-use passwords across accounts, allow household members to use corporate devices or access company networks on personal devices. To secure a remote or hybrid workforce, it’s essential to secure all corporate network endpoints through strong MFA on the boot screen and lock screen, and provide the same rigid security for offline access when online connectivity isn’t available.

Shared Workstation Environments

Strong authentication at the desktop is also critical when more than one employee uses the same device, such as shared computers or kiosks in banks, retail outlets, restaurants, medical facilities and many other industries. Shared workstation environments see high rates of risky user behavior, including leaving the console logged in between different users, password sharing and posting sticky-notes for passwords. Desktop MFA ensures that the user logging into the device is legitimate and can only access the applications, services and data they should.

Regulatory Compliance

Enterprise cybersecurity is not just a matter of putting the company at risk of fraud, ransomware or other attack; it is also a matter of legal obligation. Legislation such as GDPR, the NYDFS Part 500 and the CCPA outline steep penalties for companies shown to be negligent in terms of data protection. 

Stronger authentication protocols, including deploying desktop MFA, have been specifically mandated at a federal level through the Executive Order on Improving the Nation’s Cybersecurity and, subsequently, the Office of Budget and Management (OMB). These mandates apply to all federal agencies and their contractors and specifically recommend FIDO compliant MFA as the gold standard. Having strong desktop MFA and authentication protocols is also essential for qualifying for and getting lower premiums on cyber insurance.

Accelerating the Deployment of Desktop MFA

Desktop MFA is absolutely critical to protect corporate assets and for the overall security posture of an organization. Yet, surprisingly, many organizations don’t insist on the deployment of desktop MFA. One of the biggest reasons for this is how desktop MFA can affect user experience and productivity. Multiple login steps on a device, especially if the user has to separately log in to their SSO, can create considerable frustration and disruption.

Organizations can remove this obstacle by adopting a passwordless desktop MFA solution that integrates tightly with the SSO provider, creating a seamless flow from desktop authentication to the cloud. Downstream web applications inherit the same level of security, assurance, and login experience as the desktop.

HYPR Passwordless MFA for the Desktop and Beyond

HYPR’s MFA solution provides True Passwordless™ authentication that starts at the desktop and integrates with all popular Identity Providers (IdPs). HYPR’s passwordless desktop MFA eliminates additional authentication steps such as logging out and back into single sign-on or identity providers, or applications such as Microsoft 365. HYPR is also the only solution providing passwordless desktop SSO for both macOS and Windows, protecting users across the vast majority of desktops, laptops and other endpoint devices.

With HYPR, organizations are able to provide uncompromising authentication security with phishing-resistant MFA that is FIDO Compliant across all components. HYPR protects your resources, eliminates credential reuse, and stops phishing attacks, and, at the same time, accelerates employee productivity. HYPR reduces your attack surface and delivers a seamless, frictionless authentication flow and user experience from desktop to cloud, including remote access endpoints. Moreover, it’s tied to the user, not the device, meaning different users can share workstations yet login with their own credentials and permission levels.

To learn more about passwordless desktop authentication, download this whitepaper by analyst firm KuppingerCole or contact HYPR for a demo.

New call-to-action

Michael Rothschild

VP of Product Marketing, HYPR

Related Content

Six Best Practices to Secure Authentication for Energy and Utilities

The clear and present cyberthreat to energy and utility companies has taken center stage with the...

Takeaways From the 2022 DBIR: It All Comes Back to Passwords

Like clockwork for the last 15 years, the Verizon Data Breach Investigations Report (more...

Passwordless MFA Goes Mainstream

Apple made the announcement that it’s “killing the password” when it comes to authentication. This...