Going beyond multi-factor authentication (MFA) means adding controls and checks to secure the other harbinger of malware and risks to your network - devices, also referred to as endpoints.
But in the quest to gain visibility and enforce policies around users, devices and applications, you have to start somewhere. And that somewhere is by using effective, strong authentication to verify user identities, before granting them access to your applications.
MFA is effective when it’s easy to use and applied across every user and application in your organization. When you use the latest authentication methods like Universal 2nd Factor (U2F) tokens, users get easy, one-tap access with a tamper-proof device that provides strong, public-key cryptography. Learn more about how it works on the FIDO Alliance website.
In addition to strong MFA options, you need the flexibility to adapt your access security policies to match the level of risk presented by your users and their devices. That risk may be based on:
- Location - certain network address ranges, or actual geographic locations
- Device type - corporate-owned and managed, or employee-owned and unmanaged
- Device security - enabled encryption, passcode lock screen, jailbroken or rooted status
- Device health - running the latest operating systems, browsers, plugins and more; patched with the latest security patches
Wendy Nather’s Managing Risk With Adaptive Authentication explains adaptive authentication in more detail.
To go beyond just MFA, you need visibility into both authenticated users and their verified devices.
You might want require additional types of factors of authentication, based on the level of risk determined at login - for example, pairing something you have (security token) with something you are (your fingerprint/TouchID).
Device Visibility and Trust
You can't secure what you can't see.
Conduct a device inventory to discover every device that accesses your systems and applications, including not only corporate-owned and managed devices, but also personal devices owned and used by your employees. Those devices often aren’t updated as frequently and might carry greater risk once introduced to your network.
An easy and automated way to do this is through an access security/authentication provider that already tracks each device used to log in to your corporate applications. By issuing certificates to your managed endpoints, you can also track and monitor trusted devices, while setting up policies to deny access to devices without certificates.
And as stated above, you can use risk-based authentication policies and controls to check that a user’s device meets your minimum security requirements (running the latest operating system, has certain security features enabled, etc.) before either granting or denying access.
Secure Remote Access Without VPNs
It’s not just a convenience thing, but a security thing.
Virtual private networks (VPNs) often provide unfettered access to all of your company resources, making the access point particularly sensitive, should an unauthorized user obtain VPN credentials.
Your many different, traveling users want to be able to access company applications across all of their devices, including phones that may not work well with VPN clients. A web-based option that securely grants certain users access to specific applications can give users the flexibility they need while maintaining access privilege control.
How do you do that? With secure single sign-on (SSO), you can protect applications no matter where they’re hosted while giving your users a single portal to simplify the login process. And they only need their web browser to complete authentication, no VPN client required.
All of the policy and security decisions are made behind the scenes, and your users get a better login experience.
Check out Beyond Passwords: A Better Way to Verify Users to learn more about taking the first steps toward a passwordless future.