MFA for VPN and Remote Access
Why you need MFA for VPN
A VPN is a simple way for employees to remotely access the resources and applications provided by your organization, and thus to work exactly as if they were at the office. A laptop, a VPN client or just a browser, and an Internet connection: that’s all that’s needed.
In terms of security, a VPN sets up an encrypted tunnel between your network and the connected user, making sure the traffic is confidential. However, anyone who obtains (i.e. by guessing, hacking, eavesdropping, phishing…) a valid user password now also has access to these resources and will quickly figure out how to harm your organization.
Preventing these attacks requires a secure authentication mechanism. Organizations have long thought that enforcing complex password policies was enough. However, it is now widely accepted that users are better left out of the security equation. MFA is therefore the only efficient way to secure authentication and, in turn, to protect remote access to your organization.
How to add MFA to your VPN
Most VPN and remote access solutions support PKI-based authentication as well as delegated MFA.
For PKI-based authentication, your organization must issue, deploy, and manage certificates for the devices that need to connect to the VPN. Historically, organizations have had a hard time doing that because their PKI was not flexible enough to handle the new, rapidly evolving operating systems powering the wide variety of user devices. More recently, MDM (mobile device management) has helped fill that gap. Also, although setting up a PKI server can sometimes be done in a matter of clicks, defining a secure configuration requires a level of expertise not frequently available in end-user organizations. Finally, tying authentication to the device used to access the VPN limits which devices can be used, which most organizations find too restrictive.
Alternatively, with delegated MFA, you can add a layer of security while keeping flexibility – since that layer doesn’t have to be tied to the device connecting to the VPN – and avoiding the complexity and OS-compatibility concerns of a PKI. The most common way is to configure your VPN gateway to use SAML 2.0, RADIUS or LDAP to delegate all or part of the authentication process to an identity provider that enforces MFA. This method is preferred by most organizations because of its very minimal impact.
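The delegation described above, with RADIUS as the transport, as an added example (not inWebo's code, nor any gateway vendor's): a VPN gateway sends an Access-Request carrying the password; the MFA server answers Access-Challenge with a State token and a prompt; the gateway asks the user for the one-time code and sends a second Access-Request carrying that code plus the State; the server replies Access-Accept or Access-Reject. The packet codec follows RFC 2865 (header, attributes, User-Password hiding, Response Authenticator). The shared secret, the user, the password and the one-time code are constructed for the example, and the in-process server.handle call stands in for the UDP round trip to the MFA connector.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE, ATTR_STATE = 1, 2, 18, 24

def encode_attrs(attrs):
    # Attribute = Type(1) Length(1) Value, where Length includes the 2-byte header
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        n = data[i + 1] if i + 1 < len(data) else 0
        if n < 2 or i + n > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + n]))
        i += n
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def response_authenticator(code, ident, request_auth, attrs, secret):
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret): only a holder of the secret can produce it
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()

def password_xor(data, secret, request_auth, hiding):
    # RFC 2865 s5.2: each 16-byte block is XORed with MD5(secret + previous hidden block); data must be padded to 16
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + mixed, (mixed if hiding else block)
    return out

class MfaRadiusServer:
    """Constructed stand-in for an MFA provider's RADIUS connector: password first, then a one-shot State challenge."""
    def __init__(self, secret, users):
        self.secret, self.users, self.pending = secret, users, {}  # users: name -> (password, one-time code)

    def handle(self, pkt):
        code, ident, req_auth, attrs = parse_packet(pkt)
        a = dict(attrs)
        def reply(c, extra=()):  # every reply is signed with the Response Authenticator
            return build_packet(c, ident, response_authenticator(c, ident, req_auth, extra, self.secret), extra)
        if code != ACCESS_REQUEST or ATTR_USER_NAME not in a or ATTR_USER_PASSWORD not in a:
            return reply(ACCESS_REJECT)
        user = a[ATTR_USER_NAME].decode()
        if user not in self.users:
            return reply(ACCESS_REJECT)
        password, otp = self.users[user]
        supplied = password_xor(a[ATTR_USER_PASSWORD], self.secret, req_auth, False).rstrip(b"\x00")
        if ATTR_STATE in a:  # second leg: State must be one we issued and not yet consumed; value is the one-time code
            ok = self.pending.pop(a[ATTR_STATE], None) == user and hmac.compare_digest(supplied, otp)
            return reply(ACCESS_ACCEPT if ok else ACCESS_REJECT)
        if not hmac.compare_digest(supplied, password):  # first leg: password only
            return reply(ACCESS_REJECT)
        state = os.urandom(16)
        self.pending[state] = user
        return reply(ACCESS_CHALLENGE, [(ATTR_STATE, state), (ATTR_REPLY_MESSAGE, b"Enter your one-time code")])

def vpn_gateway_login(server, secret, username, password, ask_user):
    """Constructed VPN gateway side: up to two round trips; a reply is trusted only after its ID and authenticator check out."""
    ident, state, value = 0, None, password.encode()
    while True:
        ident += 1
        req_auth = os.urandom(16)  # fresh Request Authenticator per request
        hidden = password_xor(value + b"\x00" * (-len(value) % 16), secret, req_auth, True)
        attrs = [(ATTR_USER_NAME, username.encode()), (ATTR_USER_PASSWORD, hidden)]
        if state is not None:
            attrs.append((ATTR_STATE, state))
        code, rid, rauth, rattrs = parse_packet(server.handle(build_packet(ACCESS_REQUEST, ident, req_auth, attrs)))
        if rid != ident or not hmac.compare_digest(rauth, response_authenticator(code, rid, req_auth, rattrs, secret)):
            return "reject"  # forged or tampered reply
        if code != ACCESS_CHALLENGE or state is not None:
            return "accept" if code == ACCESS_ACCEPT else "reject"
        ra = dict(rattrs)
        state = ra[ATTR_STATE]
        value = ask_user(ra.get(ATTR_REPLY_MESSAGE, b"").decode()).encode()  # user types the one-time code

# Constructed sample data: shared secret and one user with password plus the code the MFA server expects
SECRET = b"constructed-shared-secret"
USERS = {"alice": (b"correct horse battery", b"482913")}

def demo(password="correct horse battery", otp="482913"):
    return vpn_gateway_login(MfaRadiusServer(SECRET, USERS), SECRET, "alice", password, lambda prompt: otp)
```

Two checks in the block are the ones a defender should look for in a real gateway configuration: the gateway accepts a reply only after recomputing the Response Authenticator with the shared secret, and the server consumes each State token once, so a second-leg request captured on the wire cannot be replayed. The User-Password hiding is the RFC 2865 MD5/XOR scheme, which protects the password only as well as the shared secret and is no substitute for keeping RADIUS traffic on a protected network segment or inside an IPsec/TLS tunnel.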
inWebo MFA for VPN and Remote Access
inWebo supports all three of these methods, i.e., a RADIUS connector, a SAML 2.0 connector, and an LDAP proxy enforcing step-up authentication. They allow different types of controls on the authentication process. If you’re unsure about which one best fits your needs, just ask us. On the user side, the connectors are compatible with both inWebo App-based and browser-based authenticators, while the LDAP proxy enforces App-based step-up authentication.
Over the years, our partners and our customers have implemented inWebo MFA with most VPNs (as well as reverse proxies, firewalls, and access gateways), both IPsec and SSL, including Cisco ASA and AnyConnect, Juniper (now Pulse Secure), Meraki (now Cisco), Palo Alto Networks, F5 BIG-IP, OpenVPN, Check Point, Barracuda Networks, SonicWall, Fortinet, and probably others we’re not even aware of, since our connectors and proxy work out of the box. Connection modes and authentication options vary since they depend on the VPN gateway capabilities, but there’s never been a configuration that we didn’t support at all.
To implement inWebo MFA for your VPN or remote access, you’ll simply need to create an inWebo account for your organization and to configure both this account and your VPN gateway using one of the aforementioned methods. A generic step-by-step implementation documentation is available here. Our pre-sales and support engineers are here to help if you face any difficulty.
Why choose inWebo MFA?
Here are some reasons to prefer inWebo:
- No vendor lock-in: inWebo MFA is not tied to any application vendor; it is universal and supports many applications, not only SaaS applications (including Office 365 and G Suite) but also privileged access management (PAM), SSO, CMS, and Windows Logon. Moreover, with inWebo, users only need one authenticator.
- Convenience: inWebo MFA supports smartphones as authenticators, but also computers, tablets, and browsers, thus making the whole process frictionless, including for users who don’t have a smartphone or don’t want to install IT applications on their personal phone.