Why Every Mac Needs MFA / 2FA

Written by Cassa Niedringhaus on June 23, 2020


Apple’s macOS has expanded its desktop market share, which means that IT administrators need to strategize about how to protect these systems and organizational data from threats.

Microsoft’s dominance in the workplace has faced challenges from Linux and other operating systems, but macOS adoption is the most striking of them, and more users now expect the option of using a macOS system at work.

One key way admins can ensure greater security of their macOS machines is by enabling multi-factor authentication (MFA) at login. In this post, we’ll examine why MFA is necessary, what other key measures can protect macOS systems, and methods to implement them easily from the cloud.

Macs Need to be Protected: Why MFA/2FA?

Macs historically attracted far less malware than Windows machines, but that is changing as they become more prevalent. They’re also frequent targets of theft, especially portable Apple hardware such as MacBook laptops.

Enabling 2FA at login — whether through a TOTP token, a security key, a push notification, or another method — means a stolen or phished password is no longer enough on its own, which is why it has proven so effective at keeping attackers out of IT resources. This matters most once you consider the weaknesses of traditional passwords.

The Password Problem

A Digital Guardian survey found that the average person has 90 or more accounts that require passwords — and the number in the workplace might be even higher. Password manager LastPass, for example, found that the average business user tracks 191 passwords. It falls to admins to ensure organizational passwords remain safe, which they can do via a variety of methods including using a central source of identity, requiring strong passwords, and educating end users about proper password hygiene.

However, reuse of passwords across devices and platforms is still a rampant issue, and even educated users can fall victim to phishing attempts. It’s particularly important to consider how to protect user systems because those systems serve as the access point to virtually all their IT resources and organizational data, including single sign-on (SSO) portals and applications, networks, and servers. A hacker with login credentials could essentially have “the keys to the kingdom.” MFA/2FA closes most of that gap: the password alone, however it was obtained, no longer opens the door.

Better Mac Security through MFA/2FA

Weigh the strengths and weaknesses of the available MFA methods before choosing which one to implement in your organization. SMS codes are among the least secure: they can be intercepted or redirected through SIM-swap attacks, and they are as easy to phish as a password. Biometrics can be defeated by presentation attacks (spoofed faces or fingerprints) and cannot be rotated once compromised. TOTP tokens, like Google Authenticator, are stronger because the shared secret never leaves the device and each code is valid only for a short window, typically 30 seconds; note, though, that a code can still be relayed by a real-time phishing proxy inside that window. Security keys using FIDO2/WebAuthn bind the response to the legitimate site and are the one option here that resists phishing outright.

Regardless of which method you choose, you can pair it with additional measures to further safeguard your macOS fleet. We recommend the following security measures in addition to MFA/2FA:

  • Enforce full-disk encryption (FDE): In the event that a macOS machine is lost or stolen, FileVault keeps the drive’s contents unreadable without the user’s password or recovery key. Escrow recovery keys centrally so a forgotten password doesn’t mean lost data.
  • Set a lock screen: A lock screen ensures the machine doesn’t remain unlocked after a defined period of inactivity, such as 120 seconds, and that the password is required again on wake.
  • Employ an MDM: An MDM allows you to lock and wipe remote machines, among other actions, and to enforce the settings above as profiles rather than relying on users to keep them.
  • Use secure password-change workflows: If users change their passwords directly on their machines (and those changes are written back to your core identity provider), they never need to follow a link to a reset page, so a phishing email or spoofed web form has no legitimate workflow to imitate.
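The first two items above are settings you can audit before you enforce them. The following is an added example of such a check, written for this post and not part of JumpCloud’s Policies or agent: it reads FileVault and screen-saver state with stock macOS commands and reports findings against the 120-second idle limit the list uses. The commands (`fdesetup status`, `defaults read com.apple.screensaver …`) are real, but their exact output strings, the `askForPassword` keys (which newer macOS releases have moved), and the thresholds are assumptions based on 2020-era behaviour; the sample outputs are constructed so the logic runs anywhere.

```python
import shlex
import subprocess
from typing import Dict, List, Optional

# Hypothetical policy thresholds, matching the 120-second example in the post.
MAX_IDLE_SECONDS = 120
MAX_PASSWORD_DELAY = 5   # seconds of grace before the lock demands a password

# Real macOS commands; output formats and the screensaver keys are assumptions
# about 10.15-era behaviour and may differ on newer releases.
COMMANDS = {
    "filevault": "fdesetup status",
    "idle_time": "defaults -currentHost read com.apple.screensaver idleTime",
    "ask_for_password": "defaults read com.apple.screensaver askForPassword",
    "ask_delay": "defaults read com.apple.screensaver askForPasswordDelay",
}


def parse_filevault(output: str) -> bool:
    """`fdesetup status` prints 'FileVault is On.' or 'FileVault is Off.'"""
    return "FileVault is On" in output


def parse_int(output: Optional[str]) -> Optional[int]:
    """`defaults read` prints a bare integer; None when the key is unset."""
    try:
        return int(output.strip())
    except (AttributeError, ValueError):
        return None


def evaluate(outputs: Dict[str, Optional[str]]) -> List[str]:
    """Return human-readable findings; an empty list means compliant."""
    findings: List[str] = []
    if not parse_filevault(outputs.get("filevault") or ""):
        findings.append("FileVault (full-disk encryption) is not enabled")
    idle = parse_int(outputs.get("idle_time"))
    # idleTime 0 means the screen saver never starts, so it is also a failure
    if idle is None or idle == 0 or idle > MAX_IDLE_SECONDS:
        findings.append(f"screen saver idle time is {idle!r}; "
                        f"must be 1..{MAX_IDLE_SECONDS} seconds")
    if parse_int(outputs.get("ask_for_password")) != 1:
        findings.append("screen saver does not require a password to unlock")
    delay = parse_int(outputs.get("ask_delay"))
    if delay is None or delay > MAX_PASSWORD_DELAY:
        findings.append(f"password grace period is {delay!r}; "
                        f"must be <= {MAX_PASSWORD_DELAY} seconds")
    return findings


def collect() -> Dict[str, Optional[str]]:
    """Run the commands on the local Mac; a failed command yields None."""
    results: Dict[str, Optional[str]] = {}
    for name, cmd in COMMANDS.items():
        proc = subprocess.run(shlex.split(cmd), capture_output=True, text=True)
        results[name] = proc.stdout if proc.returncode == 0 else None
    return results


# Constructed sample outputs for a non-compliant and a compliant machine.
SAMPLE_NONCOMPLIANT = {
    "filevault": "FileVault is Off.\n",
    "idle_time": "600\n",
    "ask_for_password": "0\n",
    "ask_delay": None,            # key never set
}
SAMPLE_COMPLIANT = {
    "filevault": "FileVault is On.\n",
    "idle_time": "120\n",
    "ask_for_password": "1\n",
    "ask_delay": "0\n",
}

if __name__ == "__main__":
    for finding in evaluate(collect()):
        print("FINDING:", finding)
```

A script like this tells you where a machine stands; it does not keep it there. A user with admin rights can change these defaults back, which is why the list pairs the settings with an MDM or policy engine that reapplies them as managed profiles.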

How to Get MFA on Macs

One option to implement MFA across your fleet is JumpCloud® Directory-as-a-Service®. JumpCloud is a full-suite cloud directory service with deep system management capabilities not only for macOS but also Windows® and Linux systems. From JumpCloud’s web-based Admin Portal, you can require users to set up MFA to use at login to their systems. You can require MFA for user access to other JumpCloud-managed resources, including SSO portals and VPNs, too.

You can then apply pre-configured Policies to managed machines to enforce FDE and set lock screen times. JumpCloud now offers MDM functionality to lock, restart, shut down, and wipe remote macOS systems as well.

You can also test drive JumpCloud’s full functionality, including macOS management, by setting up a free account. Your first 10 users and systems are free forever — along with 10 days of 24×7 in-app chat support from our customer engineering staff.

Cassa Niedringhaus

Cassa is a product marketing specialist at JumpCloud with a degree in Magazine Writing from the University of Missouri. When she’s not at work, she likes to hike, ski and read.
