Why MFA for Desktop Is Critical for Organizational Security
Michael Rothschild, VP of Product Marketing, HYPR
6 Min. Read | June 7, 2022
Most authentication and authorization systems are geared toward controlling access to enterprise systems and services. While this is understandable, it overlooks one glaring vulnerability: the endpoints to those networks. Single sign-on (SSO) solutions, for example, focus on authenticating users to access corporate applications and websites. Access to the endpoint itself (laptop, desktop or workstation being used to access those company assets) is protected with only a passcode — in other words, virtually defenseless. Devices with a biometric login setup, such as TouchID or Windows Hello, are just as vulnerable since a password or PIN is the backup and biometrics simply serve a convenience function.
Even organizations that implement strict multi-factor authentication (MFA) protocols often neglect MFA into the desktop, leaving the front door to their IT resources unlocked. Security teams can significantly harden defenses overall by enabling MFA on desktops and other endpoints.
What Is Desktop MFA?
Desktop multi-factor authentication protects access to the endpoints themselves. Sometimes referred to as device-based MFA, it requires that users prove their identity through two or more authentication factors during workstation, server, VPN and VDI logins. These factors can include something they are (face or retina scan) or something they have (an authentication key or out-of-band device). This significantly reduces the risk of unauthorized entry to the endpoint and all the corporate assets that device is able to access.
Note that in traditional desktop MFA, a password — and all its vulnerabilities – remains part of the authentication process. This approach generally requires two separate steps: entering the passcode and then authenticating separately through a one-time password (OTP) SMS or push notification. Passwordless desktop MFA, on the other hand, completely removes the password and shared secrets from the process and authenticates to the desktop using multiple factors in a single flow.
Why Desktop MFA Is Important
The assets that can be potentially compromised if an attacker gains access to an endpoint make desktop MFA essential. These include:
- System and other apps that don’t require authentication as they presume the legitimate endpoint owner is the current user. This is especially the case where strong MFA has not been enforced company-wide and also affects web access where passwords are stored in the browser cache or password manager.
- Critical data that may be stored locally on a user’s desktop, laptop or workstation, either for convenience or in cases where cloud access is not guaranteed. This data may be very valuable, including client lists, sales leads, sensitive financial data, IP or other trade secrets.
- Password lists in a spreadsheet or Word doc. Unfortunately, this glaring security mistake is still surprisingly common.
- Communication apps on a device, such as WhatsApp, Slack or Discord, can be used to elevate attacks and normally won’t press for further authentication once the device is accessed.
These resources and directly connected apps and services need to be protected. Not just from outside threats but from malicious insiders looking to steal valuable intellectual property or data, or gain privileged access to corporate systems and data beyond their permission levels.
Remote Working Has Accelerated Need for Desktop MFA
The sudden shift to working from home during the pandemic, which hasn’t fully reverted to the previous status quo and may never do so, exposed major security gaps around endpoint access. Suddenly, the majority of an organization’s workforce were accessing corporate assets from wholly unsecured environments outside the standard perimeter of enterprise cybersecurity defenses.
Not only are employees now working from coffee shops, public Wi-Fi or home networks shared with many others, but their remote work habits often display a critical lack of security awareness. A survey of 3,000 remote office workers and IT professionals found that people continuously re-use passwords across accounts, allow household members to use corporate devices or access company networks on personal devices. To secure a remote or hybrid workforce, it’s essential to secure all corporate network endpoints through strong MFA on the boot screen and lock screen, and provide the same rigid security for offline access when online connectivity isn’t available.
Shared Workstation Environments
Strong authentication at the desktop is also critical when more than one employee uses the same device, such as shared computers or kiosks in banks, retail outlets, restaurants, medical facilities and many other industries. Shared workstation environments see high rates of risky user behavior, including leaving the console logged in between different users, password sharing and posting sticky-notes for passwords. Desktop MFA ensures that the user logging into the device is legitimate and can only access the applications, services and data they should.
Enterprise cybersecurity is not just a matter of putting the company at risk of fraud, ransomware or other attack; it is also a matter of legal obligation. Legislation such as GDPR, the NYDFS Part 500 and the CCPA outline steep penalties for companies shown to be negligent in terms of data protection.
Stronger authentication protocols, including deploying desktop MFA, have been specifically mandated at a federal level through the Executive Order on Improving the Nation’s Cybersecurity and, subsequently, the Office of Budget and Management (OMB). These mandates apply to all federal agencies and their contractors and specifically recommend FIDO compliant MFA as the gold standard. Having strong desktop MFA and authentication protocols is also essential for qualifying for and getting lower premiums on cyber insurance.
Accelerating the Deployment of Desktop MFA
Desktop MFA is absolutely critical to protect corporate assets and for the overall security posture of an organization. Yet, surprisingly, many organizations don’t insist on the deployment of desktop MFA. One of the biggest reasons for this is how desktop MFA can affect user experience and productivity. Multiple login steps on a device, especially if the user has to separately log in to their SSO, can create considerable frustration and disruption.
Organizations can remove this obstacle by adopting a passwordless desktop MFA solution that integrates tightly with the SSO provider, creating a seamless flow from desktop authentication to the cloud. Downstream web applications inherit the same level of security, assurance, and login experience as the desktop.
HYPR Passwordless MFA for the Desktop and Beyond
HYPR’s MFA solution provides True Passwordless™ authentication that starts at the desktop and integrates with all popular Identity Providers (IdPs). HYPR’s passwordless desktop MFA eliminates additional authentication steps such as logging out and back into single sign-on or identity providers, or applications such as Microsoft 365. HYPR is also the only solution providing passwordless desktop SSO for both macOS and Windows, protecting users across the vast majority of desktops, laptops and other endpoint devices.
With HYPR, organizations are able to provide uncompromising authentication security with phishing-resistant MFA that is FIDO Compliant across all components. HYPR protects your resources, eliminates credential reuse, and stops phishing attacks, and, at the same time, accelerates employee productivity. HYPR reduces your attack surface and delivers a seamless, frictionless authentication flow and user experience from desktop to cloud, including remote access endpoints. Moreover, it’s tied to the user, not the device, meaning different users can share workstations yet login with their own credentials and permission levels.