Do you use 2FA to protect your mobile VPN users?

Hi All,

We are debating this change within our IT team: should we force our users to use 2FA when they connect to the Mobile User VPN? We do it with Office 365, but not the user VPN. We have this set up and can switch over at any time (we use RADIUS and the Microsoft Authenticator app), but all our users would then need the MS app installed on their smartphone, assuming they have a compatible smartphone ;-)

Do you enforce 2FA on your mobile user vpn? If so, why, or why not? Any opinions much appreciated :-)

TIA
Stuart

Comments

  • Absolutely positively 100% YES. No question, no debate, PERIOD.

    That is of course, just my humble opinion!

    I use both AuthPoint and Duo Security MFA apps for my network, and just Duo Security at two other clients due to the pricing model of AuthPoint.

    Gregg Hill

  • Thanks Greggmh123 for your humble opinion ;-) It is one I share, and something I hope to propose to the firm shortly. We use the MS Authenticator and I can only seem to get it to work with Push notifications, so I will raise a case with support to help me out as I know many of our staff will refuse the app on their personal phones :-(

  • edited August 2021

    We use AuthPoint on ours. MFA all the things.

  • Two-factor authentication (2FA) prevents hackers from accessing your network using compromised credentials. 2FA requires users to validate their identity by presenting a second security factor in addition to their password. When connecting to a corporate network, users must first enter their Active Directory credentials, followed by a time-based one-time password (OTP) or HMAC. This OTP (a digital code) is displayed on something that a user “owns”, such as a specialized smartphone application called an authenticator or a programmable hardware token such as Token2 or YubiKey.

  • It’s definitely recommended. There have been some bugs lately with the Microsoft RADIUS authenticator and WG, since there are some RADIUS parameter bugs on the Microsoft side. Not sure if those were ever fixed?

    If you have a firewall that can support 12.7.1, you can get a direct integration with AuthPoint. Without that, you usually have to do push notifications, since OpenVPN is usually only smart enough to do push or OTP. With the WG integration, this allows the option of both push and OTP at the same time if needed.

    That said, if your firmware only goes to 12.7.1, you still have some options with AuthPoint, but you’d have to make a list of users who can do push vs. those that can do OTP, as it would not allow a user to use push/OTP at the same time without the direct integration.

    ~T