What Role Does Multi-Factor Authentication Play in a Zero Trust Security Model?

Written by Kate Lake on October 6, 2021

Share This Article

The cybersecurity landscape is rapidly becoming more challenging as the pace of attacks increases and new threat vectors emerge. The increasing reliance on remote work necessitated by the COVID-19 pandemic has only added to these challenges. 

In this new normal, there’s a greater need for a security model that’s well-suited to a cloud-first, remote organization. Traditional security methods are falling to the wayside as newer approaches, like Zero Trust Security, emerge to address these security challenges.

Because Zero Trust is built on the premise of never trusting without first verifying, technologies that can engage end users to verify their identity throughout the access transaction are critical to this model.

This article will outline the problems with traditional security, how Zero Trust solves these problems, and the criticality of multi-factor authentication (MFA) in this model. We’ll also cover how organizations can best leverage MFA to optimize their Zero Trust strategy.

Defense-in-Depth No Longer Cuts It

Traditionally, organizations approached security with layers in a “defense-in-depth” architecture. This approach places valuable data and information at the center and layers a series of defensive mechanisms on top. 

The idea is to increase the system’s overall security with intentional redundancies to protect against different attack vectors. If one layer of security fails, there’s one right behind it to prevent the attack.

An attacker would thus have to breach all of these different layers to access the critical digital assets. On the other hand, authorized users would simply bypass all layers of security if they logged in with a trusted machine from inside the network perimeter.

This model can work for on-prem networks (though major flaws do exist). However, with organizations increasingly shifting to the cloud, and employees working from anywhere but the on-prem network, layered security architecture just doesn’t cut it.

How Zero Trust Solves Modern Cybersecurity Challenges

Modern cybersecurity challenges stem from the increasing number of endpoints that organizations now have within their network, whether through cloud-based machines and apps, SaaS tools, or allowing employees to use personal devices for work. 

The Zero Trust model addresses this challenge by never trusting without first verifying. It operates under the assumption that valid credentials are not enough to prove that the “right” person is accessing an IT resource, as potential attackers exist both within the network and outside it, so every request to access the system requires multiple checks to be completed  before authorization is granted.

Thus, the traditional network perimeter is eliminated, and a perimeter (of sorts) is instead wrapped around each individual, minimizing threat vectors that could emerge through compromised identities, devices, and networks.

What Are the Components of a Zero Trust Architecture?

Identity Trust

In a Zero Trust model, identity verification is one of the prerequisites for access. The user must be identified based on the attributes, role and group that they’ve been assigned. However, identity trust alone is not enough to grant access. This is due to the weakness of the traditional password: shared, reused, and easily guessable passwords help make stolen credentials the cause of the majority of cybersecurity breaches. 

Device Trust

Even if the right credentials are used, the Zero Trust model wouldn’t allow access unless the request originates from a device that’s known to the organization and deemed to be secure through device-installed agents and certificates linked to specific users. Device trust is key to maintaining the full understanding of its posture.

For example, organizations can implement device trust by not allowing all or certain employees to access the network through their personal devices. In addition, specific users could be allowed access to “non-critical” or “low-risk” resources (no matter where they reside) from personal devices but only with MFA enabled. 

Network Trust

With the right tools, organizations can maintain granular control over which IP addresses to allow and deny. This ensures that access requests originating from whitelisted IPs are processed while others are denied. Employees can thus only access resources from networks that are known to the company and verified to be secure.

For some organizations, however, whitelisting may be too burdensome or time consuming. Blacklisting certain IP addresses or ranges can also help ensure network trust. Many attacks around the world originate from specific set countries, which when blocked can reduce the attack surface and minimize the impact of automated, “low hanging fruit” attacks.

To enforce network trust, organizations can prevent employees from accessing sensitive data from their home IP addresses and require them to pass multi-factor authentication and use a company VPN instead

Method for Establishing Trust

Identifying the components of trust is only half the battle: we’ll also need to specify how to establish this trust. This is where MFA comes in.

Passwords can no longer be trusted on their own to demonstrate that a user is who they say they are. Similarly, because devices aren’t hooked up to physical networks and employees work remotely from various networks rather than one central one, it can be hard to distinguish valid remote access attempts from malicious ones.

And since more and more resources are hosted externally through SaaS models, IT admins may be completely blind to malicious access attempts against critical resources.

MFA is the critical ingredient to combat this by challenging the user with more than one simultaneous proof point, making it incredibly difficult to fake (or use maliciously) a trusted identity, device, or network. Here’s how and why it works.

Why MFA Is Critical Component to Zero Trust

MFA adds an extra layer of security through which the identity of a user first has to be proven before access can be granted. It requires a combination of something the user knows, which would be the password, and something that they have or are.

This could either be an app-based passcode generator, a registered device for push-notification authentication, or a hardware key. MFA can also rely on biometrics such as fingerprint or facial recognition.

The MFA challenge is presented once the user attempts to log in with the correct credentials. Before they’re provided access, they need to pass the MFA challenge either by providing a code, approving the login through a push notification or by using a biometric sensor on their device. 

It’s a critical part of the Zero Trust model because even if an attacker is able to compromise a particular component, the MFA challenge would still prevent them from gaining access. Persistence and lateral movement attacks can also be mitigated through MFA as a successful verification is generally not valid for longer than a single session.

In short, MFA makes it much more difficult (and thus more costly) for an attacker to gain access to an organization’s resources through legitimate credentials, which has been the primary method of malicious access for many years. If an organization makes it too difficult to compromise their resources, attackers will move on to a target that is easier to attack.

Leveraging MFA for Zero Trust 

Small to medium-sized enterprises stand to benefit immensely from the implementation of MFA in a Zero Trust model, largely due to its reliable security and, when done right, its user-friendly nature. With relative ease, they’re able to ensure a high level of security for their devices, networks, resources, and users. 

However, the success of MFA hinges on the ability for organizations to balance tight controls with a seamless user experience: too much friction, and users will start developing workarounds that create new security risks. 

Methods exist for creating intelligent and adaptive MFA policies that improve the user experience without sacrificing security. JumpCloud, for example, provides organizations with a single platform to implement Zero Trust security with granular controls over when to require multi-factor authentication.

These controls include conditional access policies, which can step up or waive MFA challenges based on given criteria. For example, an MFA challenge may not be presented when employees are accessing the network from their workstations at the office but must absolutely be passed if they attempt access from a personal device at home. 

Combining MFA and Directory Solutions

MFA verifies identity before authorizing users to access their solutions; what if it were to combine with the source of truth for those identities?

That’s the idea behind JumpCloud, a cloud-based directory service that offers Cloud MFA and develops the integrated authenticator app JumpCloud Protect™ which supports both TOTP and push notifications as a second factor.

Combining a directory and MFA helps streamline information flow, maintain data hygiene, prevent security gaps that arise unintentionally through third party applications and integrations, and cut down on costs by offering multiple solutions in one.

It can also help with compliance with HIPAA, SOC, GDPR, and other regulations. Further, with JumpCloud, everything is managed from a single web-based console without the need for on-prem infrastructure or additional tooling.

JumpCloud’s most recent initiative in streamlining the user experience while maintaining high security was in its rollout of JumpCloud Protect for mobile MFA push notifications. The app is free and comes with the JumpCloud console, allowing companies to keep their information consistent and their users happy. Learn more about JumpCloud Protect free push MFA notifications in our blog. 

Kate Lake

Kate Lake is a Senior Content Writer at JumpCloud, where she writes about JumpCloud’s cloud directory platform and trends in IT, technology, and security. She holds a Bachelors in Linguistics from the University of Virginia and is driven by a lifelong passion for writing and learning. When she isn't writing for JumpCloud, Kate can be found traveling, exploring the outdoors, or quoting a sci-fi movie (often all at once).

Continue Learning with our Newsletter