Securing VPNs with MFA

Written by Zach DeMeyer on June 17, 2019


We live in an age of the remote worker. After all, 68% of global employees surveyed work from home at least once a month (Owl Labs). Of course, while there are benefits to employee satisfaction, remote work also presents a security risk. Because they are not physically on the network, remote workers can fall prey to attackers if they lack the proper protection. One powerful defense mechanism in use is the VPN, but a VPN is only as strong as the login that protects it. That’s why many IT admins are looking into securing VPNs with MFA.

Why MFA?

Traditionally, a VPN, or virtual private network, acts as a sort of tunnel between remote workers and the on-prem network. In essence, using a VPN creates a facsimile of the physical on-prem network experience and its associated protections that employees can use to work remotely without worry.

Unfortunately, in this day and age of identity security breaches, even VPNs can be compromised. For instance, if a bad actor has somehow made off with a user’s credentials through phishing or other means, they can then use those credentials to prey on the core network through the VPN.

What is MFA?

By implementing multi-factor authentication (MFA), IT admins have found that they can reduce attack vectors on their network dramatically. MFA adds an additional layer to the traditional login process (username and password), most often using a time-sensitive token generated by a phone app, a USB token, or even biometrics.

Adding this secondary factor gives hackers a large hurdle to leap. After all, they would need either an employee’s phone, USB, or other secure token in addition to their core username and password in order to authenticate and log in. Symantec found that adding an additional time-sensitive layer to authentication reduces the chances of a breach by 80%.

Securing VPNs with MFA

So, MFA is obviously a great way to step up identity security. How then can an organization start implementing MFA to help secure their VPN access?

The first step is to make a core directory service the VPN’s identity source. Users will be prompted for their credentials, and a setting in the directory service can enable the requirement for another factor at login. This second factor is attached to the user’s core identity, so the 2FA process can be used on the VPN at login. Further, this second factor could potentially be used elsewhere, for example with systems and web applications.

In this cloud era, IT admins need solutions that are agile and cloud-forward, and perhaps more importantly, don’t break the bank. What options do IT organizations have then?

MFA for VPN and More, From the Cloud

There is a solution available to IT organizations that secures VPN access, among other things, with MFA. The solution is a cloud directory service, which also features SSO with SAML, LDAP app management, system management, and more, in a single solution.

One way admins can use this cloud directory service, JumpCloud® Directory-as-a-Service®, is to manage their users’ VPN access using RADIUS or LDAP. Admins can then use JumpCloud’s MFA for RADIUS to lock down VPN access even further.

Directory-as-a-Service doesn’t stop there, however. IT organizations can leverage JumpCloud to control their users and their access to systems, networks, applications, infrastructure, and more from a single admin console. This creates a True Single Sign-On™ experience, allowing end users to leverage one set of credentials for all of their IT resources.

Try JumpCloud Free

You can leverage all that JumpCloud has to offer for free, just by signing up for Directory-as-a-Service. A JumpCloud account includes ten users that your organization can use for free forever, and requires no credit card information. We also offer free live demos if you would like to see the product in the hands of an expert. Questions or comments? Feel free to reach out to us; we’d be happy to help you.
