The Benefits of Direct LDAP/MFA Integration

Written by Kate Lake on December 3, 2021


Your multi-factor authentication (MFA) tool needs to communicate directly with your central directory to facilitate seamless logins and easy management. For organizations with LDAP-based directories, this can be achieved either through direct integration between the MFA tool and the LDAP directory server, or through an LDAP proxy or middleware that relays information between the MFA tool and the directory. Whether you need such a connector is typically based on whether the MFA solution you choose requires one to communicate with your directory. 

The employee experience, security, and functionality are usually key considerations when evaluating MFA solutions. The method of communication between the MFA tool and directory server is rarely assigned the same level of importance, but adding more moving parts can have significant ramifications on the tool’s security and usability for both the IT admin and the user. 

Proxies and middleware, in particular, often add unnecessary complexity and risk to an organization’s IT stack. By comparison, direct MFA-LDAP integration keeps the experience streamlined for the user and the admin and secure for the organization. 

As business environments become more distributed and IT admins and employees alike need to work quickly and efficiently under new, dynamic conditions, any simplicity and security wins can improve the employee experience and lighten IT’s load. When evaluating MFA tools, consider the following benefits of choosing one that forgoes a connector to directly integrate with your LDAP directory. 

Reduced Complexity 

Direct authentication avoids the potential for error that proxies bring to the table. MFA-LDAP connectors are an additional element to integrate into your infrastructure. In turn, they add the possibility of configuration errors or breakdown when making changes to the directory or MFA tool, an additional component to update and secure, and a potential point of failure. Troubleshooting MFA issues can also be more difficult with the added connector element to examine. 

The ability to authenticate directly to the LDAP server bypasses these risks, leaving admins with an easy-to-manage tool and users with functionality they can rely on.

Less Management

MFA/LDAP connectors shouldn’t require frequent management; in fact, providers that use them generally boast that the connector works quietly in the background, requiring few touchpoints and little management. However, tools that rarely need management often generate friction when they do need attention, because IT is unfamiliar with them. This is often the case with MFA/LDAP proxies when they need work: because IT teams don’t work with them frequently, they haven’t developed the muscle memory to troubleshoot and manage them efficiently. 

For example, while updating the proxy may be a cut-and-dried task on paper, in reality it might take hours for an admin to re-familiarize themselves with the proxy and how to update it, implement the update, and then test it. That’s about an hour and a half for an ostensibly quick update. Time spent on tasks like these eats into IT’s availability, which can create bottlenecks that affect everything from operations to customer service. 

Any problems with the proxy often require a similar re-familiarization and typically take more time than routine work for admins. For companies that contract with a managed service provider (MSP) and don’t have network technicians on-site, any work on the connector would require a call to their MSP, which could take even more time.

In short, enabling MFA to authenticate directly to the LDAP server eliminates an element in your infrastructure that needs to be managed. Hard-pressed IT teams can save time and energy on seemingly small elements like these, and those savings can add up to significantly improve their productivity and performance. 

Lower Risk 

Just about every IT infrastructure component incurs some level of risk. This goes for MFA tools as well as any connectors they may use. While you can vet an MFA tool for security and compliance, it’s often harder to vet its proxy or middleware as thoroughly; however, it shouldn’t go unexamined during the tool evaluation process.

First, while proxies and middleware might come with the purchase of a tool, they may not be solely manufactured and managed by the same provider; the provider could have contracted with a third party to provide the connector. This adds the element of an unknown and unvetted vendor into your IT stack, which can create security, compliance, supply chain, and functionality risk, even if you’ve vetted the MFA tool vendor. 

Second, aside from vendor risks, proxies and middleware can be difficult to vet for security separately from the tool itself; security flaws in connectors may be hard to spot.

Because every additional step presents more potential for compromise and risk, authenticating directly eliminates a component that could otherwise become a critical weak spot for an attacker to exploit.

Centralize and Unify Resources

As distributed environments become not just a possibility but a business norm, centralizing and unifying resources is critical to empowering employees and IT admins alike. In a work-from-anywhere world, employees need seamless experiences to achieve office-level productivity from anywhere. IT admins need simple, intuitive tools to power these experiences efficiently and securely. 

Choosing an MFA tool that can authenticate directly to your directory is just one example of centralizing and unifying your organization’s resources. In a distributed environment, all work resources need to be accessible and integrated — preferably all answering to one source of truth. Cloud directories are becoming an increasingly popular means to accomplish this.

Cloud directories connect users to their resources without the traditional tether to legacy environments. Robust, multi-protocol ones like JumpCloud® are compatible with virtually all the resources users need to Make (Remote) Work Happen™. JumpCloud unifies all resources around a single, cloud-based source of truth, making them seamlessly and securely accessible to users wherever they are. One of the (many) ways JumpCloud delivers this security is with its own MFA tool that comes with the directory.

JumpCloud’s MFA tool is free to try when you sign up for a free directory trial. It even includes JumpCloud Protect™, which facilitates MFA via push notification. The platform is free to try for your first 10 users and 10 devices, so you can try out the platform and tooling obligation-free. Get started with JumpCloud Free today. 

Kate Lake

Kate Lake is a Senior Content Writer at JumpCloud, where she writes about JumpCloud’s cloud directory platform and trends in IT, technology, and security. She holds a Bachelors in Linguistics from the University of Virginia and is driven by a lifelong passion for writing and learning. When she isn't writing for JumpCloud, Kate can be found traveling, exploring the outdoors, or quoting a sci-fi movie (often all at once).
