Multi-factor authentication for VPN: what is it and why is it needed
One of the main uses of a VPN is to let users connect securely to company resources while away from the office, which is what makes remote work possible. However, the same entry point also exposes the company's network to new cyber threats.
When a VPN is integrated with a company's Active Directory (AD), users typically authenticate with only their domain username and password. This method is no longer considered safe: according to Verizon, 81% of data breaches involve compromised passwords, and leaked VPN credentials put the entire internal network at risk of data leakage. Adding a further layer of security with multi-factor authentication (MFA) is an effective way to limit the consequences of a credential compromise.
Principles of operation of MFA for VPN
To protect your VPN using multi-factor authentication (MFA), you can use Windows Network Policy Server (NPS) to configure RADIUS authentication and install the NPS extension from ADSelfService Plus. This extension acts as an intermediary between NPS and ADSelfService Plus, ensuring that MFA is enabled when connecting to a VPN. After completing these settings, the VPN login process looks like this:
- The user tries to connect to the VPN by entering their username and password.
- The VPN server sends the authentication request to NPS, where the NPS ADSelfService Plus extension is installed.
- If the username and password are correct, the NPS extension contacts the ADSelfService Plus server and requests a second factor of authentication.
- The user is authenticated using the method chosen by the administrator. The authentication result is passed back to the NPS extension.
- If authentication is successful, NPS reports this to the VPN server.
After this, the user gains access to the VPN, and an encrypted tunnel is created to the internal network.
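The five steps above describe a chain of three parties: the VPN server, NPS with the extension, and the MFA server. The following Python simulation is an added example written for this article; it is not code from ADSelfService Plus or from Microsoft NPS. It models the directory and the MFA server as small in-memory classes (constructed sample data, not real accounts), uses a standard RFC 6238 TOTP as the second factor, and returns RADIUS-style Access-Accept/Access-Reject verdicts while keeping an audit log of every attempt, in the spirit of the login reports mentioned later. Note that, exactly as the page describes, the second factor is only requested once the password has been verified.

```python
"""Simulation of the VPN -> NPS -> MFA-server login chain (added example, not vendor code)."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

TOTP_STEP = 30          # seconds per TOTP time step (RFC 6238 default)
TOTP_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // TOTP_STEP)


@dataclass
class DirectoryService:
    """Stand-in for Active Directory (first factor). Stores salted PBKDF2 hashes, never plaintext."""
    users: dict  # username -> (salt, derived_key)

    @staticmethod
    def make_record(password: str) -> tuple:
        salt = os.urandom(16)
        return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        if record is None:
            return False  # unknown user: fail closed
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, stored)


@dataclass
class MfaService:
    """Stand-in for the MFA server (second factor). Holds each user's enrolled TOTP secret."""
    secrets: dict  # username -> raw shared secret bytes

    def verify_second_factor(self, username: str, code: str, now: int, window: int = 1) -> bool:
        secret = self.secrets.get(username)
        if secret is None:
            return False  # user not enrolled for MFA: fail closed rather than skip the factor
        counter = now // TOTP_STEP
        # Accept codes from the adjacent steps to tolerate small clock drift, constant-time compare.
        return any(
            hmac.compare_digest(hotp(secret, counter + drift), code)
            for drift in range(-window, window + 1)
        )


def nps_authenticate(username: str, password: str, otp: str,
                     directory: DirectoryService, mfa: MfaService,
                     now: int, audit: list) -> str:
    """What the NPS extension does with one Access-Request from the VPN server."""
    # Steps 2-3: first factor against the directory; a bad password never reaches the MFA server.
    if not directory.check_password(username, password):
        audit.append((now, username, "Access-Reject", "bad-password"))
        return "Access-Reject"
    # Step 4: the extension asks the MFA server to validate the second factor.
    if not mfa.verify_second_factor(username, otp, now):
        audit.append((now, username, "Access-Reject", "bad-second-factor"))
        return "Access-Reject"
    # Step 5: both factors passed; NPS tells the VPN server to build the tunnel.
    audit.append((now, username, "Access-Accept", "ok"))
    return "Access-Accept"


def failed_attempts(audit: list) -> list:
    """Rows an administrator would look at in a login-failure report."""
    return [row for row in audit if row[2] == "Access-Reject"]


if __name__ == "__main__":
    # Constructed demo data: one enrolled user, RFC 6238 sample secret.
    directory = DirectoryService({"alice": DirectoryService.make_record("Correct-Horse-42")})
    mfa = MfaService({"alice": b"12345678901234567890"})
    log = []
    print(nps_authenticate("alice", "wrong", totp(mfa.secrets["alice"], 59), directory, mfa, 59, log))
    print(nps_authenticate("alice", "Correct-Horse-42", totp(mfa.secrets["alice"], 59), directory, mfa, 59, log))
    print(failed_attempts(log))
```

The TOTP routine reproduces the RFC 6238 reference vectors (secret `12345678901234567890`, T=59 gives `287082` at six digits), which is a convenient way to confirm that a home-grown verifier agrees with the authenticator app a user has enrolled.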
Supported authentication methods for VPN:
- Push notifications
- Google Authenticator
- Biometric authentication
- TOTP authentication
- Microsoft Authenticator
- YubiKey Authenticator
IT administrators can configure any of these methods for VPN MFA to suit their organization's needs. ADSelfService Plus makes it easy to set up and manage this feature thanks to:
- Granular configuration. Enable specific authentication methods for users belonging to specific domains, organizational units (OUs), and groups.
- Real-time reports. View detailed reports on VPN login attempts, indicating login times and authentication failures.
Advantages of using MFA for VPN using the example of ADSelfService Plus
The benefits of using MFA for VPN with ADSelfService Plus are:
- End device protection. Use MFA to protect not only VPN access, but also local and remote logins to Windows, macOS and Linux devices for complete endpoint security.
- Customizable configuration. Apply different authentication methods to different user groups depending on their privileges.
- Compliance with regulatory requirements. Meets NIST SP 800-63B, GDPR, HIPAA, NYCRR, FFIEC and PCI DSS standards.
- Prevention of credential-based attacks. Prohibit the use of weak passwords, which leave the network vulnerable to cyber attacks.
Protecting access to the VPN is a critical task in securing a corporate network, especially as the number of remote employees keeps growing.
Private VPN server: active MFA user
Using MFA on private VPN servers is an effective way to increase security and protect personal data, and it is being adopted in personal services more and more often. Although it may require some additional setup effort, the protection that multi-factor authentication provides far outweighs the cost in time and resources.
You can find detailed information, and buy a private VPN server, on Private VPN server. On that site, the FAQ section answers frequently asked questions about private VPN servers, and the VPN articles offer a wealth of information about products in this category on the modern Russian digital market.