MFA For VPN

By Vince Lujan Posted June 4, 2019

With a surge in VPN (virtual private network) usage in the past decade, many IT admins are curious if multi-factor authentication or MFA for VPN is possible. After all, VPNs are used to connect remote users to an organization’s critical data and applications. So, it makes sense that IT admins would be interested in beefing up VPN security with MFA.

Interestingly, however, there are not many platforms that can provide MFA for VPN without the help of additional third-party tools. Fortunately, a new solution called Directory-as-a-Service® enables IT admins to enforce MFA for VPN from the cloud. It does so through the use of the RADIUS and TOTP protocols, but without requiring any infrastructure on-prem. Let’s take a closer look below.

Why Use a VPN?

A virtual private network traditionally refers to a mechanism that creates an encrypted pathway for users (generally remote) to connect to a network where IT resources are hosted. VPNs have historically been used to create what is essentially an extension of an on-prem network.

As such, the concept of a VPN has been especially relevant in Microsoft® Active Directory® (AD) environments. AD is a traditional directory services platform that was originally designed for use with on-prem networks of Windows®-based IT resources.

When AD came to market in 1999, most IT organizations were on-prem and Windows-based. IT admins could leverage AD to manage user access to critical data and applications throughout their on-prem, Windows domain.

As WiFi and a highly mobile workforce became the new norm in the mid-2000s, remote users needed a way to securely connect back to the on-prem network. VPNs were essentially created to allow remote users to phone home to the core IdP in a secure manner in order to ultimately access their IT resources that were hosted on-prem.

Interestingly, however, the concept of a VPN continues to evolve with the shift to the cloud. A modern use case for VPNs is enabling developers and ops personnel (DevOps) to access cloud infrastructure components such as staging/production environments at AWS or GCP, which ensures the use of VPNs for another generation.

Where Does MFA Fit In?

Historically, MFA, which is also known as two-factor authentication (2FA), has required a separate solution entirely in traditional environments. IT admins would layer an MFA solution on top of their existing IAM infrastructure, with AD usually playing the role of the core IdP.

MFA works by adding an additional factor to the user authentication workflow. In most cases, the second factor is either a hardware token (e.g., YubiKey) or a six-digit numerical code generated by an authenticator app such as Google Authenticator.

As a user attempts to access an MFA-enabled IT resource, they are challenged to provide their core user credentials in addition to their secure MFA token. As a result, the authentication workflow is more secure because you end up with multiple layers of security rather than just one.

What’s MFA for VPN All About?

As you can see, both MFA and VPNs are all about securely enabling user access to critical data and applications. So, it makes sense that they would complement each other.

The challenge is actually implementing what has traditionally been a complicated, on-prem setup that effectively requires AD and multiple add-on solutions to achieve the desired result. Fortunately, a new solution has emerged that can provide MFA for VPN from the cloud without the need for AD on-prem or a traditional domain.

The solution is called Directory-as-a-Service, from JumpCloud®, which is effectively Active Directory and LDAP reimagined for the modern era. MFA for VPN is a unique feature of the DaaS platform, which lets IT admins enable MFA for VPN via RADIUS-as-a-Service.

As a result, IT admins can leverage the advantages of MFA for VPN from the cloud. In fact, the JumpCloud Directory-as-a-Service platform enables admins to securely manage and connect their users to virtually any IT resource with nothing more than their core user identity, unless, of course, you choose to add MFA for VPN, WiFi, systems, or applications.

MFA for VPN with JumpCloud

Sign up for a free account and check out our MFA for VPN functionality today. We offer the full functionality of the Directory-as-a-Service platform free, for up to ten users. You can also contact the JumpCloud team to schedule a demo and answer any questions, and don’t forget to check out our webinar with OpenVPN®.

Vince Lujan

Vince is a writer and videographer at JumpCloud. Originally from a small village just outside of Albuquerque, he now calls Boulder home. When Vince is not developing content for JumpCloud, he can usually be found doing creek stuff.
