Struggling to choose an MFA solution? It’s not always easy to see past all the product marketing jargon. And if you have an on-premise or hybrid Active Directory (AD), you need to quickly make sure that the MFA solution builds on your existing infrastructure.
These 15 questions will help you rapidly evaluate MFA solutions based on whether they:
- Deploy alongside Active Directory
- Protect specific connection types
- Work without connection to the internet or network
- Minimize disruption to users
- And more…
Content Summary
Does the MFA Deploy Alongside Active Directory?
Can You Apply the MFA to Remote Desktop Connections?
Is the MFA Customizable on RD Gateway Connections?
Can You Apply MFA on VPN and IIS Connections?
Will Remote Workers Without Domain Access Be Prompted for MFA?
Can You Extend MFA to Cloud Resources?
Can You Choose Between Different MFA Authentication Methods?
Can You Customize How You Ask for MFA?
Can You Require MFA for All Users, Including the Most Privileged Accounts?
Can You Rely on Secure, Always Available, On-Premise Hosting?
Can You Help End-Users With One-Click Response?
Can You Minimize MFA Disruption With Contextual Restrictions?
Is the MFA Non-Disruptive Enough to Allow a Balance Between Security and Productivity?
Can You Require MFA, Even Without Internet Access?
Is the MFA Cost Effective?
Multi-factor authentication (MFA) provides any on-premise or hybrid Active Directory (AD) environment with secure employee access to corporate networks and cloud applications, no matter where they work. And when it’s the right solution, it gives you the best of both worlds: a secure network and productive employees.
Here are 15 questions to ask when evaluating MFA solutions.
Does the MFA Deploy Alongside Active Directory?
If it’s going to be simple to implement and manage, your MFA solution should build on your existing investment in your Microsoft on-premise Active Directory infrastructure, without any modifications to your AD accounts, structure, or schema.
Can You Apply the MFA to Remote Desktop Connections?
You’ll want the ability to enforce MFA on remote connections, so that end-users connecting to another machine within the network (a remote computer or a virtual machine) are still challenged for a second factor.
And if your MFA solution is granular enough, you should be able to choose between applying MFA only to RDP logons that originate from outside the corporate network, or to every RDP logon, both internal and external.
Is the MFA Customizable on RD Gateway Connections?
Remote Desktop Gateway (RDG or RD Gateway) enables network access for remote users via the internet. By tunneling Remote Desktop Protocol traffic over HTTPS, it creates a secure, encrypted connection.
RDP connections that pass through a gateway are by default seen as coming from “inside” the network, because the session reaches the target host from the gateway’s internal address rather than from the user’s real client. Your MFA solution should therefore be able to identify the real source IP address of an RD Gateway connection and treat these connections as “outside” the network.
You can then choose to enable MFA only for RDP logons that originate outside the network, and be sure that every RD Gateway connection is included in that policy.
Can You Apply MFA on VPN and IIS Connections?
VPNs and IIS sessions are exposed to specific security threats, like phishing and spear phishing attacks that harvest credentials. For optimal security, it’s best to apply MFA to those connections as well. Because MFA blocks logons that rely on compromised credentials alone, this adds an extra layer of security against unauthorized VPN and IIS access.
Will Remote Workers Without Domain Access Be Prompted for MFA?
Can you secure remote logons even when your remote employees have neither a VPN nor a connection to the network? This common loophole is often a blind spot when applying MFA. Make sure your MFA solution secures remote connections that aren’t connected to the domain, allowing administrators to continue to apply MFA, monitor user activity, and enforce security policies.
Can You Extend MFA to Cloud Resources?
Combine MFA with single sign-on (SSO) to ensure seamless, secure access to multiple cloud resources. Ideally, employees log in just once, with optional MFA, using their existing on-premises AD credentials to instantly access resources like Microsoft 365 and cloud applications, from wherever they work.
And if you can combine SSO with granular MFA, your administrators gain even more control over how often to ask for MFA, balancing security with employee productivity.
Can You Choose Between Different MFA Authentication Methods?
It’s often helpful to have the choice between two different MFA authentication methods, like authenticator applications or programmable hardware tokens.
Many organizations choose an authentication app to balance security, ease of use, and cost.
Programmable security tokens or security keys are also a secure, simple way to implement MFA, especially for end-users who don’t have access to a corporate smartphone.
Authenticator apps and programmable tokens typically implement one of two one-time password (OTP) standards: TOTP (time-based) or HOTP (HMAC-based, counter-driven). In both, the token (the OTP generator) produces a short numeric code. The OTP’s security rests on the fact that the codes are constantly changing and each one is valid only once (hence the name). HOTP works just like TOTP, except that an authentication counter is used as the moving factor instead of a timestamp.
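As an added example (not code from the original article or any vendor), here is a minimal Python implementation of both schemes showing that TOTP is just HOTP with the time-step index as the counter, plus a server-side verifier that illustrates the single-use property by refusing a replayed code. The shared secret is the RFC 4226 test-vector key, and the `TotpVerifier` class and its one-step drift window are assumptions for illustration.

```python
# Added example: HOTP (RFC 4226) and TOTP (RFC 6238) generators with a
# replay-resistant verifier. Not part of the original article.
import hmac
import hashlib
import struct

# Shared secret taken from the RFC 4226 test vectors (constructed for this
# example; real deployments give every token its own random secret).
SECRET = b"12345678901234567890"
DIGITS = 6
TIME_STEP = 30  # seconds per TOTP window


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based OTP: the moving factor is an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation, RFC 4226 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """Time-based OTP: identical to HOTP, but the counter is the time-step index."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check (assumed design): accept codes within a small drift
    window and never accept a time step twice, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window          # time steps tolerated on each side of "now"
        self.last_step_used = -1      # highest step whose code was already accepted

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // TIME_STEP
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step_used:
                continue              # already consumed: a replayed code fails
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step_used = step
                return True
        return False


if __name__ == "__main__":
    print(hotp(SECRET, 0))                        # RFC 4226 vector: 755224
    print(totp(SECRET, 59))                       # RFC 6238 vector, 6 digits: 287082
    v = TotpVerifier(SECRET)
    print(v.verify(totp(SECRET, 59), 60))         # True: step 1 is inside the window
    print(v.verify(totp(SECRET, 59), 60))         # False: the same code replayed
```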
Can You Customize How You Ask for MFA?
The more customizable your MFA is, the better the balance you’ll be able to achieve for your organization. For any user, user group, or OU, you’ll want to be able to specify when to prompt for MFA. For example: by connection type, by workstation or server connection, and by frequency (every connection, every X days, at the first logon of the day, on every new machine).
Can You Require MFA for All Users, Including the Most Privileged Accounts?
Securing access from all users aligns with most organizations’ desire to protect any Active Directory account with access to critical data and resources.
It also improves IT admins’ ability to restrict and respond to the most privileged of accounts: Windows local administrator accounts, domain administrator accounts, and Active Directory service accounts.
Can You Rely on Secure, Always Available, On-Premise Hosting?
For maximum security, your MFA solution should install directly alongside your organization’s on-premise AD environment. Ideally, you’ll be able to manage it remotely from any workstation, so your whole IT team can get insights, alerts, and reports on all MFA activity across your organization.
Can You Help End-Users With One-Click Response?
Administrators will appreciate being able to easily interact with and respond to any session, as well as reset or bypass authentication settings for any specific user.
Can You Minimize MFA Disruption With Contextual Restrictions?
With contextual restrictions in place, administrators can confidently customize MFA controls to avoid prompting the user for a second authentication each time they log in.
Transparent to the end-user, these restrictions create a significant barrier to any attacker without impeding employee productivity. They also help administrators distinguish legitimate requests to bypass or reset MFA from suspicious ones.
Is the MFA Non-Disruptive Enough to Allow a Balance Between Security and Productivity?
Like any security measure, MFA will be a greater success if it’s non-disruptive for both users and IT teams.
- For users: Verify that enrollment is intuitive and simple for users to do on their own. IT admins may also be able to choose to give users a set of recovery codes, so users can easily regain access in case they don’t have access to their usual authentication method (like a cell phone or security key). Alerts can also warn end-users when their credentials are used (successfully or not), empowering users to take responsibility for their own trusted access.
- For IT teams: Help requests that alert administrators in real time let them respond immediately with one-click actions, so users can get on with their jobs.
Can You Require MFA, Even Without Internet Access?
This is a fairly common loophole. To ensure comprehensive security, make sure your MFA solution works even without internet access. This means that secure authentication for your employees is possible from just about everywhere.
Is the MFA Cost Effective?
MFA doesn’t have to come at a high cost, but it does have to be effective. By choosing an MFA solution that builds on your existing investment in Active Directory, it’s possible to have both effective security and a cost-effective solution.