Why MFA is a Part of Cloud Directory Services

By Greg Keller Posted August 4, 2016

Identity Management is central to an organization’s efficiency and security. It’s a field that’s changing very quickly, with some disruptive innovations arriving in just the last couple of years.

Historically, the Identity and Access Management (IAM) market has been segmented into a number of smaller sub-markets. At the foundation of identity management sits directory services. Legacy solutions such as Microsoft Active Directory and OpenLDAP used to be the only two real solutions in that category.

Quick Overview of the Identity Management Market

Because of that concentration and monopoly power that Microsoft had with AD, everybody else built on top of the core identity provider. See below:

[Image: Multi-Factor Authentication]

Privileged account management was one of the first adjunct markets, where logins to Unix systems, network infrastructure, and other more technical applications were controlled. Single Sign-On came into the fold and then exploded with the shift to cloud applications.

Multi-Factor Authentication was also a separate category, with RSA paving the way for many years. Since it used to be a separate category, you may be wondering, “Why is Multi-Factor Authentication (MFA or 2FA) a part of cloud directory services now?”

To answer that question, let’s first understand the factors that have been driving rapid evolution and innovation in IAM.

The Cloud has Changed Everything

Mass migration to the cloud has completely transformed enterprise IT.


Work gets done on the cloud, with the core productivity solutions Google Apps and Microsoft Office 365 leading the charge. Infrastructure is now cloud-based too. Just look at the huge impact of cloud infrastructure innovators AWS and Google Compute Engine.

But cloud adoption isn’t the only big factor driving change. The popularity of Mac and Linux machines has contributed to more and more heterogeneous operating system environments. Throw in WiFi connectivity and the traditional directory service solutions (such as AD and LDAP) are no longer adequate.

IT organizations are searching for solutions that can centralize user management, enable users with a True Single Sign-On, bridge hybrid cloud situations, and dramatically increase security.

But until recently many cloud-based IAM solutions have only seemed like band-aids. They help fix individual issues, but they don’t address the core of the problem. In order to truly address the challenges that IT faces in Identity Management once and for all, you need to fix the foundation of your IAM: the directory service.

JumpCloud’s Directory-as-a-Service® (DaaS) platform aims to do just that.

Moving Directory Services to The Cloud

DaaS connects employee identities to the IT resources those individuals need, whether they are systems, applications, or networks. JumpCloud believes that a solution that is cross-platform, location agnostic, and multi-protocol is what is required in today’s complex IT environment.


A core part of that vision is to integrate Multi-Factor Authentication (MFA) into devices – or, said another way, at the point of login to the operating system.

Identity compromises are the most significant IT risk that organizations face today. Multi-Factor Authentication is the antidote to the poison of a breach.

Should Multi-Factor Authentication be Part of Your Directory Services?

There is little controversy in the IT community as to the benefits of Multi-Factor Authentication.


It is widely believed to be the single most significant security increase that organizations can make. A hacker can compromise a username and password, but will still not have access to the account because of the second factor – a token generally produced on a smartphone in the person’s possession.

The debate has centered on whether this is best delivered within the core directory service or as a separate application. Historically, AD has left this up to the customer and a thriving third-party market emerged to fill the gap.

Today, modern organizations are demanding that MFA be included with their directory services. An identity’s authentication process now commonly includes MFA, so the question for IT organizations has become, “Why isn’t this capability included?”

The answer with JumpCloud’s cloud-based directory service is that it is indeed included.

MFA Tightly Integrated into Directory Services…Finally

JumpCloud recently added the ability to provide MFA with Mac OS X devices.

Adding Multi-Factor Authentication at the device level prevents a stolen or lost laptop from potentially being compromised. The hacker is unable to log in to the device without the associated MFA token.

As we have articulated many times before, Multi-Factor Authentication is the single greatest security step that IT organizations can take to secure identities. We’ve advocated it on Google Apps (or Microsoft Office 365 for that matter) and with AWS. Those are critical pieces of infrastructure for any organization. So are your Mac laptops and desktops.

MFA should be a part of your core identity provider’s solution. If it isn’t, you are missing a great opportunity to easily and cost-effectively increase your security posture. If you would like to learn more about how JumpCloud’s Identity-as-a-Service platform can step up your security game with our new Mac OS X multi-factor authentication, drop us a note.

Or, feel free to give the capability a try for yourself.

Greg Keller

Greg is JumpCloud's Chief Product Officer, overseeing the product management team, product vision and go-to-market execution for the company's Directory-as-a-Service offering. The SaaS-based platform re-imagines Active Directory and LDAP for the cloud era, securely connecting and managing employees, their devices and IT applications.
