System-based MFA vs Application-level MFA

By Rajat Bhargava Posted November 10, 2016

Multi-factor authentication is rightfully taking a very important place in the security arsenal of IT organizations. With identity theft and corporate security breaches at all-time highs, IT organizations are looking for effective tools in their fight to keep their IT infrastructures secure.

A key part of that fight is multi-factor authentication (MFA), sometimes also called two-factor authentication (2FA). IT organizations need to consider two major types of MFA.

This blog post will detail the differences between system-based MFA and application-level MFA.

Overview of MFA and Password Management

Before we dive into the differences between the two types of two-factor authentication, let’s review exactly what MFA does. Multi-factor authentication adds a second, independent method of authenticating and/or authorizing a user for access to a particular IT resource.

Username and password combinations have been the de facto standard for authenticating to IT resources (e.g. systems, applications, or networks). The challenge with relying on passwords alone is that they are subject to compromise. Short passwords can easily be guessed or cracked by automated tools. Even long passwords can be compromised when the same password is reused at a site that has been breached. Once compromised, those passwords can be used against your critical IT systems.

By adding another factor – something that the person has – an attacker must now compromise your account at two independent levels. That is far more difficult.

The MFA piece of the authentication process is usually a PIN or one-time code generated by a smartphone app or key fob. That code can only be produced by the device the person holds, which is synced with the IT resource that verifies it. As a result, the code is unique to that person and that moment. An attacker would therefore need to possess the smartphone or fob to complete the login, so with MFA enabled the user’s account is far less likely to be compromised.
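To make the "synced code" idea concrete, here is an added example (not code from the original post or from JumpCloud) of how a verifying service checks such a code. It assumes the fob or app implements time-based one-time passwords (TOTP, RFC 6238, HMAC-SHA1 over a 30-second time step) with a secret shared at enrollment; the accompanying replay check, which refuses any time step at or before the last accepted one, is the extra safeguard a verifier needs so that an intercepted code cannot be reused within its validity window.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time.
    This is what the user's phone or fob computes; the server computes
    the same value because it holds the same secret and a synced clock."""
    return hotp(secret, timestamp // step, digits)


class TotpVerifier:
    """Server-side verifier for one enrolled device.

    `window` is how many time steps of clock skew are tolerated on either
    side of "now". `_last_step` records the most recent step that produced
    an accepted code so the same code cannot be replayed, even though it
    is still "valid" for the rest of the window.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self._last_step = None

    def verify(self, code: str, timestamp: int) -> bool:
        current = timestamp // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            # Replay protection: never accept a step at or before the last accepted one.
            if self._last_step is not None and candidate <= self._last_step:
                continue
            expected = hotp(self.secret, candidate, self.digits)
            # Constant-time compare; bytes avoid TypeError on non-ASCII input.
            if hmac.compare_digest(expected.encode(), code.encode()):
                self._last_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret: the ASCII seed used by the RFC 6238 test vectors.
    demo_secret = b"12345678901234567890"
    verifier = TotpVerifier(demo_secret, digits=8)
    code = totp(demo_secret, 59, digits=8)
    print("code at t=59:", code)
    print("first use accepted:", verifier.verify(code, 59))
    print("replay accepted:", verifier.verify(code, 59))
```

The demo secret is the ASCII seed from the RFC 6238 test vectors, so the 8-digit code at t=59 can be checked against the published value 94287082. In production the secret is generated per device at enrollment, stored encrypted, and never reused across users; the clock-skew window stays small (one step is typical) because every extra step widens the interval in which a stolen code remains usable.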

Different Types of Multi-factor Authentication: System-based MFA and Application-level MFA

MFA can be applied at two levels: the device (system) level and the application level. Each has positives and negatives, but both are incredibly valuable.

System-Based MFA

Device-level MFA is valuable because it ensures that a user cannot log into their laptop, desktop, or server without knowing the username, password, and MFA code.

Despite many assertions that systems would no longer matter because of the cloud, they have never been more important. More system platforms are available to end users than ever, including Windows, OS X, and Linux, and these systems hold a great deal of confidential data.

Perhaps more important, though, is that they are the conduit to a variety of other IT resources. Users rely on those systems to access other systems, including AWS, cloud and on-prem applications, and their WiFi network, and many of those credentials are cached on the system. Without system-level MFA, a compromised user account grants access to the device and, from there, to a whole range of IT resources.

System-level MFA can stand in the way of that compromise.

Application-Level MFA

Application-level MFA is attached to the access of an application. Instead of thinking of it at the system layer, this approach ties MFA to each application login.

The theory behind this approach is that people may access applications from a variety of systems. It also assumes that some applications are more critical than others, so having MFA turned on for those applications is essential.

Application-level MFA can be implemented at the login for each individual app or at an aggregated level. For instance, a user portal that provides access to a user’s applications can serve as a central point for enforcing MFA. This approach treats the application, rather than the device, as the asset to protect.

MFA in Your Unified Cloud Directory

Both approaches to MFA are valuable, but they protect different things. Which one to use depends on what matters more in your environment. There is no denying that systems are still critical, but there are also important applications that deserve an additional layer of security.

That’s why many organizations are leveraging both methods. This is possible, for instance, through a unified cloud directory that gives you control over both systems and the user identities used to access applications.

If you would like to learn more about how the Directory-as-a-Service® platform from JumpCloud® can enable system-based MFA and application-level MFA, drop us a note. Please try JumpCloud’s unified cloud directory with multi-factor authentication capabilities. Your first 10 users are free forever.

Rajat Bhargava

Rajat Bhargava is co-founder and CEO of JumpCloud, the first Directory-as-a-Service (DaaS). JumpCloud securely connects and manages employees, their devices and IT applications. An MIT graduate with two decades of experience in industries including cloud, security, networking and IT, Rajat is an eight-time entrepreneur with five exits including two IPOs, three trade sales and three companies still private.
