What is Desktop-level MFA?

In today's hyper-connected world, conventional security perimeters have become obsolete. Gone are the days when employees could only access firewall-protected corporate applications when connected to the office network.

The rise of remote work and the increasing adoption of cloud-based applications have made it necessary for employees to have ubiquitous access to critical resources. This shift to a perimeter-less world has created several challenges for security teams.

Traditional security controls, such as firewalls and VPNs, are no longer enough to secure a distributed infrastructure or support a remote workforce. Additionally, security teams must balance security and convenience, as hampering productivity with overly cumbersome security measures is not an option.

To solve these challenges, security teams need a robust new strategy that can adapt to the evolving threat landscape, while delivering a seamless user experience. Enter Desktop MFA, aka device-level MFA, a strong authentication approach that protects user devices. Once a user has logged in to their desktop, the Desktop MFA solution may offer passwordless single sign-on access to corporate applications and resources.

Desktop MFA adds a cryptographically secure second factor to the endpoint and user authentication process. This ensures that users can only access applications they are authorized to access, from endpoints that are registered on the access management system.

Desktop MFA is typically implemented as a two-factor authentication mechanism. Typically, the first factor is their password, and the second factor is a One-Time Password (OTP) or hardware token.

The steps involved in Desktop MFA are:

1. The user logs in to their device using a password
2. The user is then prompted to provide their secondary authentication factor
3. Once the user is logged in to the desktop, they can often log in to some sort of portal without the need of a password based upon a certificate or a private key that is used to verify the user’s device
4. Once both the above factors are authenticated, the user is granted access to the portal which acts as a gateway to all corporate applications

Desktop MFA helps strike a balance between security and experience, especially when authenticating remote employees. By configuring desktop MFA on endpoints, organizations can often provide remote employees with a passwordless-yet-secure way to access apps wherever they are.

Employees only have to log in to their device once, and the Desktop MFA tool handles the rest. This reduces the need to maintain multiple passwords and decreases the overall attack surface of the organization. Moreover, in case of a stolen or compromised device, an administrator can seamlessly revoke access by invalidating the certificate or key.

Enabling MFA for remote desktop connections is a great way to increase your overall security posture. There are different ways you can go about it:

1. Leverage built-in support provided by the remote desktop solution. For example, Microsoft’s Remote Desktop Services (RDS) offers native support for enabling MFA for remote connections.
2. Install an MFA plugin for your remote desktop tool. For example, Microsoft’s NPS extension for MFA allows you to leverage the Azure MFA service for remote desktop connections.
3. Use a Desktop MFA tool that supports remote desktop connections. Such a tool will allow you to create encrypted sessions with a remote machine, using your registered certificate or key as the secondary factor.

Desktop MFA offers numerous advantages for businesses:

• It enables organizations to maintain centralized control over user access. Administrators can manage and enforce security controls from a central dashboard, which increases efficiency and decreases chances of misconfigurations.
• Desktop MFA improves productivity by making it easier for remote workers to access the resources and applications they need.
• Configuring device-level MFA helps cater to compliance requirements of different regulatory frameworks and standards, including PCI DSS and HIPAA.
• Desktop MFA products are typically designed to be scalable, meaning they can easily integrate with new cloud apps and onboard many more users without any major changes to the underlying infrastructure.
• Simplified onboarding and offboarding of endpoints reduces operational costs.