Why User Security Starts With the Desktop

MFA is a critical tool within the enterprise security arsenal.  Many organisations have deployed MFA in a siloed and disjointed way, often resulting in reduced user take up, poor usability and reduced security effectiveness.  The MFA component was often physical in nature – part of the something you have authentication category – and typically interrupted the user journey – resulting in reduced user productivity and happiness – which often resulted in the initial desktop login event, being reduced to a basic username and password.

Start Security at First Login

Even in today’s distributed working environment, the end user's security journey will start with authentication to their desktop or laptop environment.  It is no longer common practice to leverage just a username and password as part of this initial security validation process and MFA must become a stable part of this security step.  The commonality of locally cached passwords and the ability for credential theft and multi-user credential sharing is just not in sync with modern security practice.  Both vendors and organisations need to handle both the usability and security considerations of applying an MFA component to the main user directory authentication step.  

The underlying corporate directory that the desktop is likely integrated with, will be relied upon by multiple different systems and applications for their authentication validation processes.  Malicious access to an account within this directory will have cascading effects.  Security needs amplification with respect to authentication here, and the initial desktop login step is the ideal entry point to start the MFA process.

Remove Barriers to Adoption

But how to remove barriers to adoption and increase user uptake?  One is to potentially leverage existing tools, technologies and processes.  Many staff will have either corporate issued mobile phones or their own devices integrated into the business landscape.  The ability to reuse the mobile as a security key – by using standards such as FIDO end-to-end – could go a long way in improving usability with familiarity and increase productivity by removing the need for new hardware or tools.

Become Phishing Resistant

An interesting concept associated with the likes of FIDO based authentication, is to remove the threat associated with phishing based attacks – an attack where an end user is induced to release their username and password to malicious third-party sites that claim to be legitimate.  Phishing attacks are on the rise, are becoming more sophisticated and are difficult to combat.  The use of a phishing resistant MFA is essential to maintain system security and protect data privacy.  Any reliance on a shared secret or stealable credential is unlikely to provide a level of protection to these types of attacks.

A Need for Broad Coverage

Another consideration however, is how to apply the MFA process to a range of different desktop login scenarios?  Organisational personas will be varied and different system types, use cases and levels of access broad. Any successful MFA component needs to be able to seamlessly integrate with the likes of the Windows and iOS desktop and remote desktop protocol sessions as well as virtual desktop infrastructure and virtual private network connections.  A consistent look and feel, with similar registration and reset flows are essential as is the need for a simple-to-roll-out client for initiating the desktop authentication process.  Applying MFA to only one login journey is no longer an option for a consolidated security model.

SSO Integration

Broad coverage typically leverages the use of a single sign on and session management infrastructure to provide authentication assertion services to on-premises, cloud and third party applications and services.  This identity provider (IDP) infrastructure will leverage standards such as SAML2 and OpenID Connect as well as legacy agents and more flexible gateway and reverse proxy technologies to extend the coverage into as many applications as possible.  The use of strong MFA and passwordless authentication technologies at the IDP layer has often led to technology lock-in, a lack of agility with respect to changing threats and requirements as well as increased complexity with respect to integration.

A more decoupled approach to strong MFA and passwordless authentication provides flexibility with respect to technology evolution with a more composable and specialised set of capabilities.

Left Shifting SSO to Initial Login

SSO services however, have traditionally been associated with on-premises web applications.  Since then IDP integration has extended to include cloud SaaS based resources as well as third party relationships and the existing on-premises data centre and private cloud applications.  The entry point however, has always been a web trigger.  Today, the desktop (or laptop…) is the main pinch point to authentication to enterprise resources, and it seems sensible to start the downstream SSO process at this point.  Not only does this improve usability, it also helps reduce the number of moving parts, complexity and risk associated with user authentication.  Starting the SSO process from the initial control-alt-delete action of the Windows desktop or Mac Touch ID login provides a seamless join into the downstream protected systems.

Consolidate and Migrate

A broad coverage approach in turn allows for a more strategic consolidation model, where existing MFA components can be collapsed into a more centralised and decoupled model.  This helps reduce the operational overhead and cost, but also helps reduce risk that arises from having to support a complex and distributed set of MFA tools.  Migration into a single model for MFA that covers a range of desktop integrated services not only improves security, but is likely to provide the business with increased technological agility that can allow for the speedier rollout of new services, improved response to competitive pressures and the associated monetary gains that could provide.

In Summary

The corporate directory and the user accounts used everyday by employees and contractors are a large and profitable target for adversarial activity.  The desktop login is the main entry point for those credentials and the application of MFA to this initial authentication event is critical.  For a successful rollout, usability and security need to be handled as dual-priorities with the ability to deliver improved MFA capabilities to a range of systems and scenarios that the desktop login will be used for.

The benefits associated with improved security - such as improved employee confidence and compliance adherence - as well as improved business agility and employee productivity should guarantee modern desktop MFA is a top priority for the CISO and associated security and identity practitioners.