Securing the Digital World

Multi-Factor Authentication for Your VPN: 3 Keys to Getting It Right

Jul 03, 2018 | by Tim Norris |

Chances are you've got so many people who need access to your virtual private network (VPN) today, you're probably wondering why they're even called "private" networks anymore. While the user population will always include the traditional full-time employee using a company-issued device at the office, that population now includes a growing remote workforce (expected to make up 72 percent of all U.S. workers by 2020), as well as users who are external to the company, such as key trusted contractors. They may be using the VPN to access applications and other resources that live both in the cloud and on-premises, and they may be using a variety of devices—including their own personal mobile devices—to do it.

That's fine as far as giving people the tools they need to work for or with your organization, but it also increases identity risk. How can you be sure the person who's trying to access resources through a personal mobile device is really the employee who owns the device? Or that the contractor you've entrusted with access isn't sharing that access inappropriately with others in their organization? A simple username/password combination doesn't provide a high level of assurance that someone who wants to connect to the VPN is who they say they are and is entitled to the access they seek.

Tackling these challenges requires a fundamental transformation of secure access beyond passwords. Multi-factor authentication addresses today's VPN access challenges, but it must be the right solution to provide the identity assurance you need and the simple, convenient access users want—no matter where they are, or what devices they're using. It helps to keep in mind these three key criteria when selecting a multi-factor authentication solution.

  1. Risk Analytics to Power Accurate Access Decisions
    Look for a multi-factor authentication solution that can discern when access risk is high and when it's not, and respond accordingly. That requires a solution with capabilities for user-behavior analytics and machine learning, along with the ability to understand the context for access requests and to take into account relevant threat intelligence. Having this type of information makes it possible to step up authentication only when access risk is high enough to warrant it, rather than inconveniencing low-risk users with requests for additional authentication.
  2. Multiple Authentication Options for a Variety of Users
    All those employees, remote workers, contractors and others who are working at the office, at home, in coffee shops and on airplanes need to have an easy way to securely access resources through the VPN. However, having them all do it the same way isn't the answer. Depending on who they are, where they are and what they're doing, users will find some authentication options preferable to others. Look for a multi-factor authentication solution that offers a variety of secure choices: mobile push-to-approve, one-time passcodes, biometrics, and hardware and software tokens. Having a variety of options is one of the keys to enabling convenient access to the VPN without compromising security.
  3. One Multi-Factor Authentication Solution for Different Types of Access
    Spare yourself the grief of having different multi-factor authentication solutions for VPN access and other types of access—access to third-party applications in the cloud, for example. If you're adopting multi-factor authentication for the first time, look for a solution that can be extended beyond VPN access to other access scenarios, so that users can enjoy a single, seamless access experience and you only have a single solution to manage. If you're already using multi-factor authentication for secure VPN access, find out if the solution you have can be used for other types of access. If not, consider a change to one that can.

A password-based solution to secure access to the VPN simply can't give you the identity assurance you need to be confident that users are who they say they are. For that, you need an approach that transforms secure access—by going beyond passwords to encompass multi-factor authentication, and by making multi-factor authentication both secure and convenient.

This is the fifth in a series of posts about transforming secure access to address today's changing access landscape. To learn more about transforming secure access for the VPN and in other key areas, sign up for the RSA webinar series Access Transformation in Action.