Choosing the Best MFA Approach: Device-Based vs Application-Level Multi-Factor Authentication

Written by Rajat Bhargava on August 6, 2021

Share This Article

The threat landscape evolves constantly. Organizations that do not strive to stay one step ahead of it expose themselves to risk, hence the reliance on strict IT security policies and a myriad of security tools. 

However, all of that does little to address the weakest link: user irresponsibility. An average user has dozens of personal and business accounts they need to manage, so they tend to reuse passwords. What could happen then is the same password they use for admin access on their organization’s cloud could be leaked from the dubious social app they’ve been using. 

Using only a single password to authenticate users leaves an insecure vector for attack. Identity attacks are rarely thwarted solely by the length or complexity of a password – in fact most password compromises are because of phishing so the hacker has the complete password or because they compromised another site where a password was reused. So what should organizations, particularly those with a large number of users, do to ensure a higher level of security?

The solution to this dilemma is actually rather simple. By using Multi-Factor Authentication, IT organizations can address the weakest link in their security paradigm. In fact, you can think of a single password with MFA enabled as having an infinite number of unique passwords because of the MFA addition. While passwords should still be unique, the addition of MFA is transformative to security. Here’s how.

What is Multi-Factor Authentication?

2D illlustration of a lock and phone for MFA page

Multi-Factor Authentication (MFA) is also referred to as two-factor authentication (2FA). It adds an additional layer of security to the sign-in process. The user is required to provide an additional form of identification to gain access.

MFA requires two or more of the following methods for successful authentication:

  • Something you know – Password or passcode
  • Something you have – A device in your possession, like a phone or hardware key
  • Something you are – Biometrics like a face or fingerprint scan

What usually happens is the MFA requirement surfaces once a user logs in with their password. The system may send a code to their registered cell phone, require a code generated by an app like Google Authenticator, or from a Universal 2nd Factor key. It may also require the user to scan their fingerprint or face should the device compatibility exist.

By simply adding this extra layer, organizations can make it extremely difficult for a remote attacker to gain access. Now not only would the attacker need to crack the password but they’d also need access to a physical device (or fingerprint / face in the case of a biometric) that’s in possession of the actual user.

What organizations need to realize is that MFA isn’t a one-size-fits-all solution. Whether device-based or application-level multi-factor authentication would suit an organization better depends largely on its unique circumstances.

What is Device-based MFA?

Device-based MFA requires the user to clear the secondary authentication requirement when logging into their device, either when it boots up or when the login occurs. In order to access the device, the user will need their login credentials in addition to the MFA code.

This significantly reduces the risk of unauthorized access to the device, while adding a secondary, downstream impact on preventing unauthorized use to the IT resources an employee’s device can access. Coupled with full disk encryption, this process can dramatically step-up security on a device.

Device-based MFA is extremely important because the device is often a conduit to a large part of the organization’s IT resources, such as NAS or cloud and on-prem applications. In the event of a breach, the data stored locally on the device would be at risk as well. Through modern, cloud-based solutions, device-based MFA is becoming much more straightforward; IT admins can implement MFA against Windows and Mac devices, while some can even support MFA for Linux-based devices as well.

What is Application-level MFA?

application level mfa image

Application-level MFA is a more granular approach whereby the user is required to clear secondary authentication when seeking access to individual apps. While the underlying principle is the same as device-based MFA, it’s a more frequent occurrence as users may have to go through the process every single time they login.

This MFA method is great for a platform or device-agnostic environment, or ones that support BYOD policies that allow employees to access IT resources via their personal devices. It’s also a core method for conditional access capabilities. For example, users may choose to access an app like Google Drive through a desktop web browser or a mobile app, but if they have MFA enabled they’ll need to clear the secondary authentication before access is granted.

What factors are the best for each MFA method?

Time-based One-Time Passwords (TOTPs) sent on the registered email or cell phone number work well as a secondary authentication factor for application-level or device-level MFA. When a login is detected, the system sends a TOTP to the registered method and only grants access once the correct TOTP is entered by the user.

Push notifications operate similarly to TOTPs but are easier on the user. When a login is attempted, the user receives a push notification on their registered device. Access is only granted once the authentication request is accepted. Users tend to prefer push notifications over TOTPs because they do not have to deal with the hassle of inputting a numerical code. Additionally, if push notifications are implemented via a mobile app like JumpCloud Protect, another layer of security exists naturally thanks to the biometrics inherent in today’s mobile phones (e.g. facial recognition login or fingerprint authentication).

Biometrics are a highly secure authentication factor as well. Fingerprint and face scanning is now supported by most high-end phones. Many enterprise-grade laptops also feature fingerprint sensors and some also do facial recognition for login. Access to the device won’t be granted unless the user physically authenticates their identity. 

Physical security keys provide another great secondary authentication factor for device-based MFA. These keys are sometimes USB dongles that have rotating access codes on them. They’re highly secure since there’s no risk of the user entering the code into a fraudulent website or someone reading the code off of the screen. There are also U2F keys that can just be plugged into your computer as well. Apps can be compromised remotely, the physical key can’t.

Things to keep in mind when deploying MFA for Devices and Applications

1. Use MFA methods that work across Devices and Applications

It’s important to be mindful of the end user’s capabilities when deploying MFA for both Devices and Applications. A complex solution involving physical keys might be easily adaptable for the IT administrators in your organization but not for those in a customer support role, for example. The MFA solution must be all things to all people.

There are MFA methods that are suitable for both device-based and application-level MFA. If hardware compatibility exists, fingerprint, facial or even retinal scanning can be utilized for access control. Push notifications can also be used across devices and applications, and provide a frictionless experience for all users, regardless of job title.

2. Convenience for the end user is very important

It is very important to consider ease and convenience for the end user when deploying MFA. The biometric factor is a good choice as it’s not only incredibly secure, but can be very easy to use. 

The end user simply has to place their finger on the scanner or use the device’s camera to scan their face. Not only is the biometric hardware in devices more secure and faster than ever before, but this factor does not rely on any kind of digital communication (such as an email or SMS verification code). This means the possibility of it being compromised is even further reduced. 

Push notifications are increasingly becoming the MFA method of choice for applications as they have a number of inherent benefits to both security and ease of use. They’re incredibly easy for the end user who only has to tap once on a notification from their smartphone (which they are rarely far from) to authenticate. Not only that, but often the user also has to enter their PIN or authenticate via fingerprint or facial recognition to complete the action (or they used that method to gain access to the smartphone), adding in an additional factor seamlessly to increase security. Because this method requires the user to be in possession of the device on which the notification is sent, it is virtually impossible for remote attackers to gain access.

3. Take a more structured approach to your MFA deployment

Organizations that realize the benefits of MFA often rush to deploy it in one fell swoop. That can end up being counterproductive. The initial step before implementation must include user education to avoid pushback, confusion, or a painful rollback. 

The Fine Art of Making MFA Palatable

In this webinar recording, learn tips & tricks for maximizing IT security while minimizing user pushback with DoorDash's System Administrator

Focus on deploying MFA on devices first as they’re the single most important access point to all of the organization’s IT resources, and users can become used to using a second factor with minimal disruption to their workflows. Overall security can be significantly improved by simply enabling MFA on devices. 

Applications that have the most sensitive data come next. Ensure enhanced protection by deploying MFA methods that are both highly secure and convenient for end users, such as push notifications Thereafter, any other app that may require an additional layer of security can be brought into the fold as well.

A Comprehensive MFA Platform with JumpCloud

While IT admins generally recognize the fundamental benefits of multi-factor authentication, it can still be challenging to roll it out across the organization. The JumpCloud Directory Platform reduces the friction typically associated with MFA rollouts and continued use, and enables admins to distribute access to all IT resources through a single, secure identity and layer MFA across devices, applications and more. Learn more about how JumpCloud makes multi-factor authentication a reality.

Continue Learning with our Newsletter