By Jon Griffin Posted June 18, 2017
In the IT world, there are two interesting approaches to multi-factor authentication (often referred to as 2FA or MFA).
The first of the two approaches is device-level multi-factor authentication. This approach protects your systems by requiring a generated code or token in addition to the password when a user logs into the device itself. The second is application-level multi-factor authentication. This approach protects individual applications by requiring a generated code or token at the point of login to the application, regardless of which device the user is on.
Both of these approaches are valued and serve important purposes. However, they are different, and when examined can offer some insights about what the organization values. For many organizations, the question becomes “Should we use device-level MFA or application-level MFA?”
Security Multiplies With Multi-Factor Authentication
The purpose behind multi-factor authentication has been to dramatically increase security. It is common to see logins that are just a username and password. This is classified as something that the user knows. If it is compromised, whether by phishing, reuse of a leaked password, or guessing, an attacker has access to the account; there is no other barrier. The innovation with MFA was adding a second factor to the login. This is classified as something that the user has, such as a hardware token or a phone that generates a short-lived code. Combined, the user needs something they know and something they have in order to log into an IT resource. This makes it far more difficult for an attacker to break into an account: stolen credentials alone are no longer enough, and because the code changes on every interval, a code captured once cannot be replayed later. The second factor only holds up, of course, if the device's secret seed stays secret and the server refuses to accept a code twice.
Device (System) Multi-Factor Authentication
Initially, the multi-factor approach was predominantly used with device logins. RSA Security was a pioneer in the space and produced key fobs that displayed an access code that changed on a fixed interval. These codes were then entered alongside the password when logging into a Windows or Linux device. This substantially raised the bar for an attacker who had only a stolen password. The RSA codes were especially valuable for mobile devices such as laptops, which leave the office and are the machines most likely to be lost or stolen.
Device-level MFA became extremely popular because it guards the one device that end users rely on to reach all of their IT resources. With the Windows, Mac, or Linux device acting as the primary conduit to on-prem and cloud applications, the network, and file storage, a compromise of the device compromises everything behind it, so it needed to be highly protected. Additionally, many laptops and desktops hold significant data locally, since not every workload can be processed exclusively in the cloud. Organizations that recognized how valuable their users' devices were, and how much they held, were the first to adopt device-level MFA and to see how critical it was.
Application Multi-Factor Authentication
After seeing the popularity of multi-factor authentication for systems, the concept was extended to individual applications. Early application-based MFA implementations were centered on consumer banking, but since then application-level MFA has expanded greatly. This level of MFA can be built into an application by its developers, or applied by IT administrators through a single sign-on solution, where users first authenticate at a central login portal and then reach each application from there. Because that portal is a single point of control, requiring an MFA token at the portal protects every application behind it at once. This approach is particularly valuable to organizations whose users reach cloud applications from a variety of systems, such as shared machines in the office or different machines at work and at home, where a device-level check on one machine says nothing about the others.
Device MFA versus App MFA
Both device-level multi-factor authentication and application-level multi-factor authentication are valuable tools for IT organizations. Which to use first depends on what is most critical for your organization: the endpoints and the data on them, or the applications reached from many endpoints. If you would like to learn more about whether device MFA or app MFA is right for you, drop us a note. Alternatively, take a look at JumpCloud's device-level MFA for Mac and Linux, and our application-level MFA for the JumpCloud portal. Both could offer great value to your security.