MFA for MSPs: Benefits & Implementation of Multi-Tenant MFA

Written by Kate Lake on July 29, 2024



Multi-factor authentication (MFA) provides clear value to organizations pursuing cybersecurity initiatives. It provides effective identity security and dramatically reduces the risk associated with credential-based attacks and malicious insiders.

However, implementing MFA consistently across the enterprise tech stack is not always easy. It’s an even bigger challenge for managed service providers (MSPs) who need to adopt different policies across a portfolio of client organizations under management.

How MFA Enhances Security for MSPs

MFA adds a layer of security that helps complex organizations meet strict security standards. For MSPs responsible for extending their infrastructure to client organizations, the ability to secure each tenant according to that organization’s unique needs is vital.

MFA as Part of a Comprehensive Access Control Strategy

MFA plays an important role in access control. Before users sign into corporate accounts or interact with IT assets, their identities must be authenticated. Password-only authentication isn’t strong enough to secure network access because it doesn’t provide identity-level information.

A truly robust authentication process should rely on more than one factor. Some of the factors that MFA technologies often use include:

  • Knowledge. Users can prove their identity by divulging information only an authenticated user should know. This is how passwords work.
  • Possession. Users can authenticate by showing possession of a security token entrusted only to the authentic user. Access badges and mobile authenticator apps are good examples.
  • Inherence. Some types of data can authenticate a user’s identity because they are inherent to that user. Fingerprints are a common example, but other forms of biometric data exist.
  • Behavior. Some authentication processes look for behavioral indicators of a user’s identity. Behavioral monitoring may uncover compromised accounts due to unusual activities.

The Role of MFA in Protecting Service Accounts

Service accounts carry elevated insider risk. If threat actors compromise these accounts, they may be able to escalate their privileges and move laterally throughout the multi-tenant environment. This is a classic setup for a devastating supply chain attack.

MFA plays an important role in reducing the risk of credential-based threats on service accounts. It is part of a robust, multi-layered security strategy that ensures the legitimacy of service account users.

NIST MFA Recommendations

The National Institute of Standards and Technology (NIST) establishes technical requirements for federal government agencies and contractors. NIST SP 800-63 describes processes for implementing authentication and identity management controls using MFA.

NIST makes an important distinction between standard MFA controls and phishing-resistant MFA. Phishing-resistant MFA secures user accounts with stronger challenge-response protocols. These protocols use asymmetric key cryptography in ways that are very difficult to bypass.
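
The origin-bound challenge-response idea behind phishing-resistant MFA, shown as an added example that is not from the original article or from JumpCloud. It is a simplified model rather than a WebAuthn implementation; the function names, the `.test` origins and the choice of Ed25519 keys are assumptions made for illustration.

```javascript
// Added example: constructed model of origin-bound challenge-response (assumed names).
const nodeCrypto = require("crypto");

// Authenticator: keeps one private key per origin it was registered with.
// The origin passed to sign() is supplied by the browser, never by page content.
function makeAuthenticator() {
  const keys = new Map();
  return {
    register(origin) {
      const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
      keys.set(origin, privateKey);
      return publicKey; // only the public key ever leaves the device
    },
    sign(origin, challenge) {
      const key = keys.get(origin);
      if (!key) return null; // no credential exists for this origin
      const clientData = Buffer.from(JSON.stringify({ origin, challenge }));
      return { clientData, signature: nodeCrypto.sign(null, clientData, key) };
    },
  };
}

// Relying party: issues single-use challenges and verifies signed responses.
function makeRelyingParty(origin, publicKey) {
  const pending = new Set();
  return {
    newChallenge() {
      const challenge = nodeCrypto.randomBytes(32).toString("hex");
      pending.add(challenge);
      return challenge;
    },
    verify(assertion) {
      if (!assertion) return "rejected: no assertion";
      if (!nodeCrypto.verify(null, assertion.clientData, publicKey, assertion.signature)) return "rejected: bad signature";
      const signed = JSON.parse(assertion.clientData.toString());
      if (signed.origin !== origin) return "rejected: wrong origin";
      if (!pending.delete(signed.challenge)) return "rejected: stale challenge";
      return "accepted";
    },
  };
}

// Constructed scenario: a normal login, a replayed response, and a look-alike origin.
function runScenarios() {
  const REAL = "https://login.example.test", LOOKALIKE = "https://login.examp1e.test";
  const device = makeAuthenticator();
  const rp = makeRelyingParty(REAL, device.register(REAL));
  const good = device.sign(REAL, rp.newChallenge());
  const lookalike = device.sign(LOOKALIKE, rp.newChallenge()); // null: no key for that origin
  return { legitimate: rp.verify(good), replayed: rp.verify(good), lookalike: rp.verify(lookalike) };
}
```

Unlike a one-time code, the signed response is useless when replayed and cannot be produced at all for an origin the key was never registered with.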

Implementing MFA in MSP Environments

In an MSP environment, each tenant represents a client organization that may have its own data governance and compliance requirements. This adds considerable complexity to the MFA implementation process.

Assessing Client Needs and Requirements for MFA

No two organizations are exactly alike. Crafting robust authentication policies requires in-depth knowledge of the organization’s security posture and risk profile. Before implementing MFA, you must understand how the technology is supposed to help the organization protect the confidentiality, integrity, and availability of its IT assets.

This demands deep visibility into the organization’s existing policies and IT infrastructure. A traditional on-premises enterprise in a highly regulated industry will need an entirely different approach than a small business with remote workers distributed across the globe. 

Selecting the Right MFA Solutions for MSPs

MSPs must deliver consistent security outcomes to many different types of organizations, often using the same technologies and platforms. This is not feasible with a single-tenant MFA solution, because each organization may need entirely different results from its MFA policies.

At the same time, IT leaders at client organizations want to avoid implementing security solutions that impact productivity. Employees spend upwards of 36 minutes a month entering their username and password into different account login pages. That adds up to a large productivity drag when multiplied across an entire enterprise.

This puts pressure on MSPs to deliver streamlined authentication processes that integrate mobile device management features like Single Sign-On (SSO) and Cloud LDAP. Minimizing user experience friction while maximizing identity and access management security against social engineering attacks makes the multi-tenant attack surface much more manageable.

MFA Best Practices for MSPs

Not all MFA solutions provide MSPs with the features and capabilities they need to secure multi-tenant IT environments. Even purpose-built multi-tenant MFA solutions may introduce additional challenges and complexities that IT leaders will have to address.

Common Challenges and How to Overcome Them

Some of the most common issues IT leaders at MSPs face include:

  • User experience friction. If users encounter friction interacting with IT assets, they may bypass security policies by sending sensitive data through unsanctioned shadow IT apps.
  • Unexpected costs. Different MFA providers have different pricing structures, especially in complex multi-tenant environments.
  • Inconsistent adoption. Not all MFA platforms support every operating system. Discrepancies can lead to inconsistent adoption throughout the MSP’s client portfolio.

Training and Educating Clients on MFA Usage

Employee education is crucial to cybersecurity success. MSPs should ensure their clients understand the role MFA plays in protecting the organization against data breaches and insider risk. These initiatives should also allow users to provide feedback on MFA implementation so that potential production bottlenecks can be addressed.

Monitoring and Maintaining MFA Systems

Authentication metrics are an important source of data for each organization’s overall security posture. MSPs should proactively monitor MFA performance, send log data to a centralized security information and event management (SIEM) platform, and generate compliance-ready reports for IT leaders at client organizations.

Multi-Tenant MFA Solution from JumpCloud

JumpCloud is the first cloud directory service, connecting users to their systems, applications, networks, and more through a single, authoritative identity. As part of this offering, JumpCloud provides MFA on all three major operating systems (Mac, Windows, Linux), applications, infrastructure, and networks. 

JumpCloud also features the Multi-Tenant Portal (MTP), a capability designed specifically for MSPs. Using the MTP allows you to manage identities and access control, including MFA, across multiple client organizations from a single pane of glass. Since JumpCloud is platform-agnostic and protocol-independent, MSPs can leverage the product across practically any client organization.

For MSPs that want to implement a secure, streamlined login experience with passwordless multi-factor authentication, JumpCloud Go™ offers phishing-resistant hardware protection for endpoint devices. It integrates with on-device biometric authentication like Apple Touch and Windows Hello, satisfying cybersecurity compliance requirements while ensuring a best-in-class user experience.

JumpCloud Partner Program

The JumpCloud Partner Program offers MSPs and other IT service providers/resellers the opportunity to partner with JumpCloud’s world-class team, with competitive margins, lead generation as appropriate, specialized support, and co-marketing materials.

You can apply to the Partner Program today absolutely free. If you would like to learn more about our solutions, then check out our resources.

Kate Lake

Kate Lake is a Senior Content Writer at JumpCloud, where she writes about JumpCloud’s cloud directory platform and trends in IT, technology, and security. She holds a Bachelor’s in Linguistics from the University of Virginia and is driven by a lifelong passion for writing and learning. When she isn't writing for JumpCloud, Kate can be found traveling, exploring the outdoors, or quoting a sci-fi movie (often all at once).
