Adding MFA to Windows Systems

Written by Zach DeMeyer on January 6, 2020


Although the password is a ubiquitous security measure, recent security breaches show us that the password by itself isn’t nearly strong enough to protect the entirety of an organization. In fact, compromised credentials represent the number one attack vector hackers use to exploit businesses. That’s why adding multi-factor authentication (MFA) to Windows® system logon is one of the most important measures an IT admin can take. 

What is MFA?

Multi-factor authentication (MFA), of which two-factor authentication (2FA) is the most common form, requires a user to present at least one additional factor beyond the usual username/password combination before authentication succeeds. Common second factors include a time-based one-time password (TOTP) generated by an authenticator app or hardware token, a physical security key, or a biometric identifier.

In other words, MFA requires end users to provide something they know (a password) along with something they have (the device or token that generates the TOTP, or a security key) or something they are (a biometric) in order to authenticate to a resource. That way, even if an attacker compromises a user's password, the attacker still has to obtain the second factor before the stolen credentials are of any use.

Why Windows MFA?

So why are passwords the main target of attack? Security news outlet WeLiveSecurity found that '12345' and 'password' were among the most-used passwords of 2019. Add to that the fact that 61% of people reuse passwords like these across multiple services, and it's no surprise that attackers treat passwords as a go-to for exploiting organizations. Additionally, studies show that end-user systems are the second most common target of cyberattacks.

In the current system landscape, Windows remains the most popular enterprise OS, the rise of Mac® and Linux® in the enterprise notwithstanding. Given that passwords and end-user systems are the two top targets for attackers, Windows system passwords are an obvious point of attack.

So, if an attacker compromises a Windows system in any way (e.g. physical theft), a password cannot be the system's sole protection. Requiring MFA at logon ensures that a stolen password alone does not turn the machine into a point of ingress to the organization. Note that logon MFA protects the logon, not the data at rest: an attacker who pulls the disk out of a stolen laptop never sees the logon screen. Combine MFA with full disk encryption, and the stolen system will only be useful for parts or as a paperweight.

Why MFA?

But why MFA? The cybersecurity community touts MFA as one of the most effective ways to prevent an attack. Symantec reported that 80% of recent security breaches could have been prevented by MFA. Despite this, only 26.5% of businesses use MFA, meaning that the majority of the world's enterprises remain exposed to attack via compromised credentials.

When in place, MFA puts great distance between an attacker holding a compromised set of credentials and their ultimate goal of breaching a network. After all, while it's becoming increasingly easy for bad actors to get their hands on username/password combinations, obtaining an end user's second factor (e.g. the phone running their TOTP app, a hardware token, a fingerprint) is significantly harder.

Regarding the effectiveness of MFA, Google's Security Blog published data comparing how well different second factors block account hijacking. In that data, device-based MFA (aka "something you have") is incredibly effective at safeguarding a specific set of credentials from attack. Knowledge-based (aka "something you know") challenges also help, but not nearly to the same effect as device-based MFA in most cases. So, for organizations looking to protect their Windows systems, MFA (especially device-based MFA) is an ideal method to secure them. Of course, the question then becomes: How do you add MFA to Windows systems?

How to Add MFA to Windows Systems

Organizations looking to safeguard their Windows systems have several options. Unfortunately, layering MFA onto Active Directory for Windows logon is not so simple: AD's only native second factor for interactive logon is certificate-based smart card logon (and, on newer versions, Windows Hello for Business), so any other factor requires a third-party credential provider installed and maintained on every endpoint. When considering MFA for Windows, IT admins also need to keep in mind what other resources must be protected beyond a single set of credentials.

After all, macOS and Linux systems are becoming standard in the enterprise, so they too should be secured with MFA. Beyond systems, security-minded IT admins should also protect application access and network connections such as VPNs with MFA. Additionally, admins should enforce other key security policies, such as full disk encryption and screen lock, preferably from a centralized cloud console so they can be managed remotely.

Thankfully, a cloud-delivered solution, JumpCloud® Directory-as-a-Service®, offers MFA across Windows, Mac, and Linux, as well as for applications and networks. On top of that, it provides cloud-based identity and access management with security policy management built in.

If you need to enforce MFA and other security policies at scale across all three major operating systems, applications, networks, and more, contact us; we'd be happy to help you.

Zach DeMeyer

Zach is a Product Marketing Specialist at JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, music, and soccer.
