During the Covid pandemic, workers relocated to home offices in huge numbers. Remote working meant that work could continue safely. But it came with serious security implications.
Remote work expanded the threat surface available to attackers. Hackers quickly responded via phishing and interception attacks. For companies, the risk of a security breach instantly multiplied.
Businesses urgently required ways to verify the identity of remote workers. Multi-factor authentication (MFA) stepped in to meet that demand.
This article will explain how MFA secures remote work. We will look at the different types of MFA and their benefits. But first, it’s important to know what MFA is, and how it works.
What is Multi-Factor Authentication (MFA)?
Multi-factor authentication is a family of technologies that requires more than one proof of identity before allowing access to network resources.
MFA operates at network endpoints and supplements standard password defenses. Additional layers of verification provide an extra insurance policy against credential theft. With more factors involved, hackers require ingenuity and persistence. The risk of malicious intrusions is far lower.
The credentials used in MFA must be independent of existing password databases. This can include one-time codes created for each login. Credentials can be stored on independent devices. Or they could derive from biometric data such as fingerprints.
MFA does not usually function alone. Combined with encryption, network segmentation, and access control systems such as IAM, it forms part of robust network security architecture.
Why is MFA important for remote workers?
MFA was much less common before remote working became routine. On-premises networks relied upon strong passwords and in-person security. Security teams could maintain close control over workers or customers. This changed completely when workers shifted to homes or other remote locations.
Remote access reduces the amount of control enjoyed by central security managers for a variety of reasons:
Admins in an organization have no power over who is present in the employees’ homes.
Managers cannot easily force workers to use secure remote connections.
Security teams rarely have direct control over remote access hardware like modems and routers.
Separating business assets from personal assets on home networks is virtually impossible.
Remote work creates novel security vulnerabilities for any organization. The network edge becomes much larger and harder to police. Traditional concepts like moat and castle defense are less relevant. Attackers can now gain access via endpoints that are hard to secure.
Security models like Zero Trust Network Access (ZTNA) are one popular response. This approach requires managers to apply the principle of least privilege. No user is trusted by default, and each user can only access the resources they need.
ZTNA requires strict authentication at the network edge. MFA is the best way to provide this. Implemented correctly, MFA is a user-friendly, familiar security tool. In a world where data breaches can bring down companies, it is a vital part of any remote access security strategy.
Types of MFA
There are many types of multi-factor authentication. Companies must find a solution that suits their workforce and existing network infrastructure.
There are three broad types of multi-factor authentication:
Information known by users. This includes PINs and passwords.
Information that users possess, including token generators.
Contextual information about users. This includes biometric data and information about the user’s previous activity.
2FA (two-factor authentication) includes two authentication factors for remote access. Generally, 2FA systems require a password and an extra data point.
Main types of 2FA:
Time-based one-time passwords (TOTP) – TOTP apps like Google Authenticator or Auth0 Guardian create a unique code for every login attempt. Each code is derived from a secret key shared between the app and the server, combined with the current time step (a keyed hash of the time counter rather than encryption). The code accompanies the user’s main password and is invalid as soon as it has been used or its time step has passed.
RSA tokens – RSA tokens are small devices that hold the user’s authentication information. They generate one-time codes for each login. Codes expire within a short time period to maximize security.
Software-based tokens – Token authentication can also be software-based. In this case, authentication details are stored on a mobile device. An on-device app creates a one-time code to log into network resources.
SMS messages – User authentication information is stored securely on a database separate from core employee passwords. A one-time code is sent via SMS to their phone at the login stage.
Email – Two-factor authentication tools can also send one-time codes via email. Authentication tools send a code when prompted. The user checks their email account and finds the code. They then enter this into the login portal.
Push notifications – When users log into the company network, security tools automatically send a push notification to the user’s phone. The user approves the request and is granted network access. No code needs to be typed.
Two-factor authentication is simple, and often the first authentication method companies try.
However, 2FA is not completely secure. Many forms of 2FA use weak secondary credentials. Hackers can compromise mobile devices or use social engineering to bypass authentication processes. MFA methods using extra factors are often preferable.
Biometrics are data points derived from the human body. This form of multi-factor authentication uses data about the user, instead of codes or passwords.
Biometric verification benefits
Biometrics are unique to each user. They provide reliable proof of identity for each login attempt.
As unique pieces of information, biometrics cannot be shared between employees or written down and lost.
Biometric credentials are difficult to replicate. Hackers cannot easily copy the fingerprint or retinal scan of an individual.
Using biometrics is quick and simple. Employees apply their fingerprints in an instant. There is no need to waste time on passwords and code requests.
Users are familiar with biometric scanning due to the popularity of smartphones.
There are many types of biometric authentication, including fingerprint and retinal scanning. Advanced systems may also scan users' faces or even assess typing styles to identify users.
Biometrics are extremely secure. It is possible to spoof biometric identity factors, but the work and cost involved deter most attackers. Despite this, relatively few companies have adopted biometric MFA systems. There are some good reasons for this.
Downsides of biometric authentication:
Cost. Dependable biometric technology is expensive to source as companies need additional software and equipment for every employee.
The uniqueness of biometric data can be a problem. Retinal scans cannot be replaced if hackers steal biometric data.
Employees may have privacy concerns, and biometrics are also associated with information-gathering in authoritarian countries.
MFA can also work with tools that scan user devices or activity for contextual information. Authentication software assesses each login attempt based on this information, before deciding what level of access to provide the user concerned.
For example, authentication systems combine with device security posture checks to provide a more detailed picture of who is accessing the network. Security tools may check the device’s location via IP address information. It is also possible to use behavioral data to determine whether users are who they claim to be.
This type of adaptive authentication works alongside other factors. It is generally not used on its own with password logins, but it can supplement 2FA or biometrics to add another protective barrier.
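The two paragraphs above describe adaptive authentication as a risk assessment of each login that sits on top of 2FA. As an added illustration, not code from the article or from NordLayer, the following evaluates a login against the kinds of signals mentioned (device posture, IP-derived location, and a simple behavioral baseline) and decides whether the standard second factor is enough, whether to demand a step-up factor, or whether to refuse. The signal weights, thresholds, field names and sample user profile are all constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class LoginContext:
    """Signals gathered at login time. Constructed field names for this example."""
    user: str
    device_id: str
    device_compliant: bool      # result of an endpoint posture check
    ip_country: str             # derived from the source IP address
    hour_utc: int               # hour of the attempt, 0-23
    failed_attempts_24h: int    # recent failures recorded for this account


@dataclass
class UserProfile:
    """Behavioral baseline kept per user. Constructed for this example."""
    known_devices: set[str] = field(default_factory=set)
    usual_countries: set[str] = field(default_factory=set)
    work_hours_utc: range = field(default_factory=lambda: range(7, 20))


# Assumed weights: larger means the signal is more suspicious.
WEIGHTS = {
    "unknown_device": 2,
    "noncompliant_device": 3,
    "unusual_country": 2,
    "off_hours": 1,
    "repeated_failures": 3,
}
STEP_UP_THRESHOLD = 2   # at or above: require an extra factor (biometric, push approval)
DENY_THRESHOLD = 6      # at or above: refuse and alert


def assess_login(ctx: LoginContext, profile: UserProfile) -> tuple[str, list[str]]:
    """Return ("allow" | "step_up" | "deny", reasons).

    "allow" means the normal password + second factor is sufficient; adaptive
    checks never remove that requirement, they only add to it.
    """
    reasons = []
    if ctx.device_id not in profile.known_devices:
        reasons.append("unknown_device")
    if not ctx.device_compliant:
        reasons.append("noncompliant_device")
    if ctx.ip_country not in profile.usual_countries:
        reasons.append("unusual_country")
    if ctx.hour_utc not in profile.work_hours_utc:
        reasons.append("off_hours")
    if ctx.failed_attempts_24h >= 5:
        reasons.append("repeated_failures")

    score = sum(WEIGHTS[r] for r in reasons)
    if score >= DENY_THRESHOLD:
        return "deny", reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", reasons
    return "allow", reasons


if __name__ == "__main__":
    # Constructed sample profile and attempts.
    alice = UserProfile(known_devices={"laptop-01"}, usual_countries={"DE"})
    routine = LoginContext("alice", "laptop-01", True, "DE", 9, 0)
    travelling = LoginContext("alice", "laptop-01", True, "FR", 9, 0)
    suspicious = LoginContext("alice", "phone-99", False, "BR", 3, 7)
    for attempt in (routine, travelling, suspicious):
        print(attempt.device_id, attempt.ip_country, "->", assess_login(attempt, alice))
```

The decision and the reasons list are what a security team would log with each authentication event; the reasons are what make a later investigation or a tuning of the weights possible.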
SSO & user provisioning
Two further tools, Single Sign On and user provisioning, can also streamline authentication.
Single Sign On (SSO) is an access management tool that provides a single login portal for multiple business assets. It offers a simple and secure way to access diverse cloud resources.
Single Sign On is not a form of multi-factor authentication, but it may well include MFA as a component. Companies can implement MFA to verify users at the sign-on stage. This protects cloud resources against malicious actors.
Single Sign On is a good way to simplify MFA. Companies may need to secure complex network architecture while maintaining a good user experience. SSO meets both goals.
User provisioning is an Identity and Access Management (IAM) process. It involves assigning unique privileges to each network user. Privileges are based on job roles, departments, workgroups, and projects. They define the resources available to the user after accessing the network.
User provisioning applies from the onboarding of users to their departure. Privileges change over time and control access at a granular level. Security teams can dictate exactly who has access to CRM systems, communication tools, or OS admin privileges.
Provisioning works with MFA, extending authentication to individual apps and workloads. Companies can use biometrics or one-time passwords at the network edge to secure Single Sign On portals. User provisioning systems apply inside the perimeter, creating a zone of trust around each user.
Benefits & use-cases of MFA for remote access
MFA has a range of benefits for companies reliant on remote connections. Implementing some form of MFA is critical to robust remote working security measures. Major benefits include:
1. Maximum security for remote access
MFA ensures that every remote user is who they claim to be. 2FA systems based on one-time passwords provide some reassurance. But 2FA combined with additional authentication factors like biometrics delivers almost complete accuracy for remote workforce authentication.
2. Secure third-party access
MFA is also valuable when connecting third parties to company resources. For instance, eCommerce companies may need a secure link between customers and payment portals. MFA assures customers that payment processes are secure. Robust authentication minimizes the risk of financial or personal data loss.
3. Strong compliance
MFA is always included in data security and remote work best practices. It is also a core component of compliance frameworks for industry regulations. Whether companies meet GDPR, HIPAA, or PCI-DSS regulations, multi-factor authentication helps secure sensitive data.
4. Compatibility with SSO
Companies can combine SSO, user provisioning, and MFA in their security architecture. Most SSO systems are designed to work with multiple authentication methods. This balances secure remote working and user convenience.
5. User familiarity
MFA is familiar to most remote workers. The rise of smartphones has made fingerprint scanning an everyday task. Two or more login credentials can slot into remote work routines without disrupting workflows.
6. MFA bolts onto security infrastructure
Implementing MFA generally does not require adding invasive security tools across the entire network. Authentication software operates at the network edge. It does not adversely affect systems within the perimeter.
How NordLayer can help implement MFA
Multi-factor authentication is an essential part of remote access security. Companies must authenticate all remote connections. MFA tools allow security managers to identify users accurately by requesting two or more authentication factors.
NordLayer makes it easy to include MFA in your security posture. NordLayer accounts can combine with TOTP services like Google Authenticator or SSO services like Microsoft Azure AD. Add biometrics to authentication processes if desired, and extend these requirements across your entire enterprise to enforce tight access security.
Authentication is the first step in securing modern business networks. Find an MFA solution that suits your workers and delivers flexible, robust protection.