Skip to main content
search
All BlogsIdentity-Based Security

MFA for Remote Access: Benefits & Challenges

By April 24, 2024 No Comments

Author: Chase Snyder, Sr. PMM, Xage Security

Remote access to enterprise networks is one of the biggest sources of risk, and of opportunity, for businesses in every industry. Enabling remote access allows businesses to tap into bigger global talent pools by hiring remote working employees, and to be more responsive to emerging events. 

The risk is that remote access tools are also constantly exploited by cyberattackers both for initial access and for lateral movement. There is inherent tension between access and security, and opening up remote access expands the attack surface for motivated adversaries to use against you.

One of the most crucial security measures to prevent data breaches as a result of compromised user accounts is multifactor authentication (MFA). But enabling MFA for remote access is not always a simple procedure. Many organizations encounter challenges along the way that cause them to slow down or halt their deployment, or settle for less secure methods than they’d ideally achieve. Cyber adversaries capitalize on these gaps.

Some of the biggest cyberattacks of the past several years (Colonial Pipeline, Change Healthcare) started with the attackers logging into the target systems using stolen legitimate credentials, in situations where no MFA was required. Other major attacks began with valid credentials and MFA bypass techniques like SIM Swapping (MITRE T1451) and MFA fatigue (MITRE T1621), as in the attacks on MGM casinos and the L.A. County Department of Mental Health.

MFA for Remote Access

MFA with the right methods and factors deployed in the right places can prevent or reduce the impact of almost any cyberattack. But you have to get the deployment right. Some of the biggest challenges enterprises face in reaping the full value of MFA for remote access are:

  • Environment Coverage: Difficulty achieving total MFA coverage across complex enterprise environments with IT, OT, and multi cloud or hybrid cloud environments all in the mix. 
  • User and Asset Coverage: Difficulty rolling out MFA to all users, identities, and assets, particularly in cases where remote working and BYOD are involved. Not deploying MFA broadly enough, or against the right set of critical assets, with rigorous enough authentication methods required. Getting people to use hardware keys (Yubikey, etc) and authenticator apps adds a whole layer of training and reinforcement that can cause some organizations to default to lesser methods.
  • Staying Secure Even If One Layer of MFA Gets Bypassed – There are MFA bypass attack techniques out there. Many organizations that have some level of MFA rolled out would be totally unprotected if the first layer was bypassed. 

Executing an effective MFA deployment can be tough, but the effort is worth it for the extra layer of security it provides, especially to protect one of the most targeted ingress methods into the environment: remote access. Here’s how.

Challenge 1: Integrating MFA with Secure Remote Access

Your options for MFA for remote access are influenced by which remote access methods and technologies you’re using. If you’re using a remote desktop solution or virtual desktop infrastructure, your options are different than if you’re using VPNs and jump hosts. SaaS applications, private apps, client-server apps, and cloud environments all have slightly different implications for how MFA can be deployed.

Optimally, remote access solutions would have MFA capabilities baked right in. Some do and some don’t, but it is worth investigating the available options for a remote access solution with some amount of native MFA capability.

If you don’t have native MFA, you’ll have to integrate with your existing remote access tools. Depending on the technology your users are using to access assets, and the assets they are trying to access, this can be a nontrivial task. Given the onslaught of cyberattacks using insecure remote access technologies as an ingress path, it is worth re-examining your remote access strategy as a whole and considering a tool consolidation that prioritizes the availability of MFA against all assets, but especially your most critical users, machines, workloads, and data.

Challenge 2: Rolling out The Right Level of MFA To All Users and Assets

Even in the best cases, MFA can introduce friction into some users’ day. They have to remember their hardware key, or set up their authenticator app, or remember security question answers and enter one-time codes when accessing stuff they need for work. The friction both in onboarding users and assuring they have the software and hardware they need to use MFA correctly can slow down deployments.

Reducing the amount of user effort to actually set up and ensure the usage of MFA is a great way to both reduce the burden on the user and reduce the ability of a user to avoid setting up and using MFA.

Levels of Multi Factor Authentication and Security Posture

The basic tenet of MFA is that it requires users to have more than just a username and password in order to gain access to the resource (app, data, machine, etc) that they’re trying to access. The password counts as one “factor” and the additional factor(s) can be anything from answering a security question to receiving a code via SMS or email to inputting biometric data or using a unique hardware key. These are often categorized as “something you know (password), something you are (fingerprint), and something you have (hardware key, phone with authenticator app, etc). 

Any MFA is better than none, but some MFA methods are more robust than others. While a security question like “what middle school did you go to?” may provide a roadblock, the answer is likely easy to find online for a motivated attacker. It is much harder for an attacker to steal an individual’s fingerprint. 

To minimize the friction that sometimes accompanies deploying stronger factors such as hardware keys, it is a good idea to select highly targeted critical assets and employees (executives) to enroll in MFA first. 

Challenge 3: How Cyberattackers Bypass MFA, and How To Protect Yourself Anyway

There are many attack methods used by attackers to bypass MFA methods. MFA must be deployed as one component of an overall zero trust security strategy that can minimize an attack’s blast radius even if the attacker successfully logs in. Two of the most common ways for attackers to evade MFA include:

  • MFA Bombing/MFA Fatigue Attacks: Attempting to log in with legitimate credentials repeatedly, so that the legitimate owner of the credentials is spammed with MFA verification requests and eventually gets worn down and clicks “ok” just to stop the onslaught of notifications. Learn more about MFA fatigue attacks.
  • SIM Swapping: Attackers may socially engineer, (persuade or coerce) counter staff at a telecom provider’s storefront (think a Verizon store) to port an attack target’s phone number to a new phone in the possession of the attacker. Then the attacker controls the alternate authentication factor. This is likely what happened at the beginning of the attack on the MGM casino group that eventually cost them half a billion dollars.

Beyond training users to spot and avoid MFA fatigue attacks, there are a few technical ways you can reduce your risk from these attack techniques.

  1. Deploy MFA at multiple layers. If you only have MFA at the perimeter, then it only takes one successful bypass for an attacker to achieve unauthorized access to a wide range of assets in your network. If each subsequent network layer requires another MFA challenge, the attacker has a lot more work to get in and move laterally.
  2. Disable SMS as a factor for MFA, especially for executives or highly critical assets. SMS has been proven too vulnerable to SIM swapping attacks, and should no longer be used as a factor.

MFA Compliance: Regulations Are A Growing Motivator

The intersection of MFA and regulatory compliance deserves its own whole article, which it will get. Here, it is worth noting that the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. recommends MFA as a best practice. 

As more cyberattacks bypass MFA on their way to causing a data breach, regulators are starting to require, not just recommend, that MFA be deployed. In the financial industry, PCI-DSS regulations are ahead of the curve in requiring MFA for remote access into Cardholder Data Environments. The Department of Defense Zero Trust Strategy Roadmap includes numerous mandates for MFA adoption.

Try Xage Multilayer MFA for Remote Access

Xage offers a zero trust access tool that can enforce multi-factor authentication both for local and remote users, and can require additional MFA challenges not only at every subsequent layer of an environment, but for individual devices, applications, and workloads across IT, OT, and cloud. 

And, due to the Xage Fabric’s distributed mesh architecture, it can continue to provide access and enforce MFA requirements at sites with intermittent, high latency, or even no network connectivity at all. 

Learn more about Xage Zero Trust Access with Multi-layer, Multi-factor authentication.