How to Choose your MFA Approach

By Rajat Bhargava Posted November 29, 2016

Multi-factor authentication is one of the most critical security measures that you can take. It is a step function increase in your security.

Instead of your users logging in with just their username and password, they will also need to enter a code or PIN generated by their smartphone or a hardware fob. This forces users to not only know their password but also have something with them in order to log in. It becomes extremely unlikely that an attacker will have both of these ‘factors’. As a result, there is a massive increase in security.
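The code that the smartphone or fob generates is, in most deployments, a TOTP value (RFC 6238, built on HOTP from RFC 4226). The following is an added example, not code from the original post or from JumpCloud; it shows how such a code is derived from a shared secret and the current time, and how a verifier should check it with a small clock-skew window while refusing to accept the same time step twice. The secret used is the RFC 4226/6238 test-vector key (ASCII "12345678901234567890"), not a real enrolment secret.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6   # length of the code shown on the phone or fob

# RFC 4226 / RFC 6238 test-vector secret, base32-encoded as an authenticator
# app would enrol it. Constructed for the example; not a production secret.
RFC_TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(base64.b32decode(secret_b32, casefold=True), at // step)


def verify_totp(secret_b32: str, submitted: str, now: int, last_used_step: int, skew: int = 1):
    """Check a submitted code against the current time step and `skew` steps either side.

    Returns (accepted, time_step_used). A step that is not newer than the last
    step already consumed is rejected, so a captured code cannot be replayed.
    """
    secret = base64.b32decode(secret_b32, casefold=True)
    current = now // STEP
    for candidate in range(current - skew, current + skew + 1):
        if candidate <= last_used_step:
            continue  # already consumed (or older): reject replay
        expected = hotp(secret, candidate)
        if hmac.compare_digest(expected, submitted):  # constant-time comparison
            return True, candidate
    return False, last_used_step


if __name__ == "__main__":
    # At Unix time 59 the RFC 6238 SHA-1 vector is 94287082; the 6-digit form is 287082.
    print(totp(RFC_TEST_SECRET_B32, 59))
    print(verify_totp(RFC_TEST_SECRET_B32, "287082", now=59, last_used_step=0))
    print(verify_totp(RFC_TEST_SECRET_B32, "287082", now=59, last_used_step=1))  # replay
```

The verifier must persist `last_used_step` per user, otherwise a code observed over the shoulder or phished stays valid for the rest of its 30-second step plus the skew window.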

Two Approaches to Multi-Factor Authentication

There are two approaches to multi-factor authentication that you can leverage. One is at the system or device level and the other is at the application level. Both approaches have real value for any organization. In fact, ideally, an organization would use both system-level and application-level MFA.

Generally, both are reasonably easy to implement. That said, they do have different end-user impacts. The system-level MFA is a little bit of a lighter touch with the end user, whereas the application-level MFA can be a bit tedious if used for just about every application.

MFA at the System Level

System-level MFA (sometimes called two-factor authentication) is when the multi-factor authentication code is required at the point of login to the device. After the system boots up or when a login occurs, the user is prompted for their username, password, and MFA code. This ensures that the device cannot be accessed by somebody without both factors. Generally, this approach is used when the IT organization believes that user desktops and laptops have value: there is likely data stored on the device, and the device is viewed as a conduit to an organization’s network and/or applications.

Many IT admins believe that laptops and desktops are largely ‘throw away’ and don’t need protection. The key item to think about is that even when servers live in the cloud, users still store confidential data on their device, along with credentials to access a variety of sites and networks. Unless your users are truly using their device as a dumb terminal, system-level MFA is a critical feature to implement.

MFA at the Application Level

Application-level MFA puts the two-factor authentication code at the application access point. When a user is logging into an application, the code or PIN must be entered. The process is largely similar to system-level MFA, but it can occur more frequently because it happens when you log in to each application. This level of multi-factor authentication is critical for platforms such as Office 365 and Google Apps. Since those systems host your users’ email, they are particularly susceptible to being attacked. If a user’s email has been compromised, all of their other services likely have been as well: password resets sent to your email are the norm when you’ve forgotten your credentials, and hackers use that mechanism to their advantage to take over all of your accounts.

There are a number of other applications where you will want to use MFA as well. Perhaps the easiest way to implement MFA at the application level is to leverage a True Single Sign-On solution. The user portal for an SSO solution is the entry point to applications. By placing MFA upon login to the user portal, end users still must have the second factor to enter an application. However, it is done once for all applications, thereby reducing friction.

Choose Your Multi-Factor Authentication Approach

Both the system-level and application-level multi-factor authentication approach are useful and powerful. If you would like to learn more about how you can implement both, drop us a note. JumpCloud’s Directory-as-a-Service® platform can implement system-level MFA on your Mac and Linux devices as well as application-level MFA when your users access our end-user portal for SSO.

Rajat Bhargava

Rajat Bhargava is co-founder and CEO of JumpCloud, the first Directory-as-a-Service (DaaS). JumpCloud securely connects and manages employees, their devices and IT applications. An MIT graduate with two decades of experience in industries including cloud, security, networking and IT, Rajat is an eight-time entrepreneur with five exits including two IPOs, three trade sales and three companies still private.
