Using MFA for VPN Security

By Zach DeMeyer Posted July 29, 2019

Virtual private networks (VPNs) are still widely used in today’s organizations. A VPN securely connects remote users to core infrastructure components, whether that is a headquarters office or cloud infrastructure hosted by providers such as AWS® or GCP™. These VPN endpoints need to be secured, and multi-factor authentication (MFA) could be the best step forward. Using MFA for VPN security is the best bet for IT organizations, but let’s see why.

VPNs, Then and Now

VPNs have always been useful tools, but in today’s IT networks, they are critical. Traditionally, VPNs catered to remote workers, like travelling members of the sales team. These employees would require VPNs to safely access the main network in order to open applications, leverage files, and communicate with their colleagues.

Now, although there has been an increase in the general remote worker population, VPNs are needed in an entirely different way. VPNs are often used by developers and operations teams (or DevOps) to connect to their cloud infrastructure. While both applications of VPN are important and require tight security, arguably, securing DevOps VPN implementations is more critical than ever.

VPN Security Through MFA

As IT admins and DevOps engineers know, multi-factor authentication (often called 2FA) is a game-changing security feature. A user presents their normal credentials to access a resource, such as a VPN, but is also required to present an additional code generated by a smartphone or fob device to gain entry.

While it does add an extra step to a user’s login process, the level of security that it can provide is powerful. In fact, Symantec found that 80% of recent security breaches could have been prevented using MFA.

The Problem with MFA

The challenge with MFA more often lies in implementation on the administrative side. The level of effort to manage user access to a VPN and then enable MFA capabilities on top of that can be daunting. Done manually, the process can quickly get out of hand, with extensive management overhead to provision, deprovision, and modify user access to the VPN.

To ease the burden of user access to the VPN, many IT admins and DevOps engineers will leverage a RADIUS server to bridge authentication to the core identity provider (IdP), most often a directory service. While this centralizes user access challenges, it also introduces the additional overhead of managing RADIUS infrastructure and the subsequent integrations required between the RADIUS server, the VPN, and the underlying directory service.

A Solution from the Cloud

The good news is that there is a new way to accomplish this without the overhead of building and managing network infrastructure while still using a central identity provider to manage access. The solution is called RADIUS-as-a-Service, a cloud-hosted RADIUS server that can be secured with MFA and is a part of JumpCloud® Directory-as-a-Service®.

IT admins can use RADIUS-as-a-Service to connect with their preferred VPN solution, such as OpenVPN, with ease, and then add MFA to further increase their VPN security. Since RADIUS-as-a-Service is already a part of Directory-as-a-Service, it is seamlessly integrated with the core identity provider, making less hassle for IT admins and DevOps personnel.

Besides RADIUS and VPNs, Directory-as-a-Service can be used to manage entire user bases and their access to systems, applications, infrastructure, and more. With JumpCloud, IT admins can enable their users to access virtually all of their IT resources with a single set of credentials.

Try RADIUS-as-a-Service Free

Are you interested in using MFA for VPN security, but want to avoid the hassle of implementing and maintaining them both? Why not use RADIUS-as-a-Service today? You can try RADIUS-as-a-Service and the rest of the Directory-as-a-Service suite right now, absolutely free. All you have to do is sign up for a JumpCloud account to get started with your ten complimentary users in the platform.

If you want to dip a toe in Directory-as-a-Service before diving in completely, you can also schedule a demo to see how the product works before you try. You can also contact us to learn more about using MFA for VPN security or Directory-as-a-Service in general.

Zach DeMeyer

Zach is a writer and researcher for JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, making music, and soccer.
