In today’s digital landscape, Multi-Factor Authentication (MFA) is becoming a standard security measure across various platforms, from Microsoft 365 to online applications and server access. But should we extend MFA to laptop and workstation logins? The answer isn’t straightforward, as it depends on a thorough risk analysis. Let’s break down the key considerations.
1. Identifying the Assets
Laptops and workstations are undoubtedly valuable assets, but the loss of hardware alone is often not the primary concern. The real risk lies in the potential exposure of sensitive data stored on these devices – confidential business information, Personally Identifiable Information (PII), medical records, or proprietary code. Each organization must assess what data might be stored on their devices. Additionally, a stolen laptop can serve as a gateway for attackers to access the company’s network, making the operating system itself a critical asset.
2. Identifying the Risks
The primary risk is unauthorized access to sensitive data. This can lead to severe consequences, including the misuse of confidential information, loss of intellectual property, unauthorized network access, and legal or regulatory penalties if the data is subject to privacy laws like GDPR or HIPAA.
3. Analyzing the Risk
- Likelihood: Suppose full-disk encryption backed by a TPM (with or without a pre-boot PIN) and remote wiping are in place, but login still relies solely on a username and password. If the laptop is lost or stolen, these controls might suffice. However, if someone is determined to access the data, could they easily obtain the user’s password through social engineering, CCTV, or shoulder surfing? Can we fully rely on our awareness training? Generally, the more valuable the data, the higher the likelihood of such an attack.
- Impact: The impact ranges from minimal, if users don’t store significant data locally, to catastrophic, if highly classified information is involved. For example, in 2022, 281 laptops owned by the UK Ministry of Defence were stolen. The MoD claims that lost devices are remotely deactivated and wiped, but this only works when the laptop is online.
Using a risk matrix, we can assess the overall risk. If a laptop is lost or stolen and the attacker somehow obtains the password, prevents remote locking/wiping, and accesses sensitive data, the likelihood is Possible. The impact, especially with highly classified data, could be Severe.
Given these factors, the overall risk could be High or Medium-High, which may exceed the organization’s risk appetite. Implementing MFA can reduce the likelihood to Unlikely or even Rare, lowering the risk to Medium or Medium-High, making MFA a valuable control.
Implementing MFA for Computers: Key Considerations
In my experience, I’ve implemented 2FA on computers using two solutions:
Duo Security: a popular cloud-based solution with several authentication methods:
- Duo Push (Duo Mobile)
- Duo Mobile Passcodes
- SMS Passcodes
- Hardware Token OTP (including Yubikey OTP)
- Phone Call
- Bypass Codes
While Duo generally works well, the offline login setup can be confusing, as it creates separate passcodes for online and offline use.
Deepnet DualShield: my preferred solution. This on-premises system requires a server installation but offers extensive features and support. It provides numerous authentication methods, including:
- On-Demand Password (via SMS, email, or call)
- One-Time Password (hardware token & software app)
- Out-of-Band Authentication (mobile push)
- Security Questions
- FIDO USB Key
- Grid Card, Access Card, Smart Card
- Keystroke Dynamics
- Biometrics (Fingerprint, Face, Voice Recognition)
Unlike Duo, DualShield’s sign-in process is straightforward, with no difference between online and offline logins.
Best Practices for MFA Implementation
- Safe Mode Vulnerability: Safe Mode can render MFA ineffective. A malicious actor holding a standard user’s credentials might bypass system protections, including MFA, by booting into Safe Mode. To mitigate this, restrict Safe Mode logon to administrators only using the following registry entry:
  Registry entry:
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  Value: SafeModeBlockNonAdmins
  Type: REG_DWORD
  Data: 0x00000001 (1)
- Fail Close Configuration: Ensure that the MFA software is configured to fail closed. For example, older versions of Duo defaulted to fail open, skipping MFA entirely if the Duo cloud was unreachable. Make sure this option is set correctly so that an outage (or a deliberately blocked network) does not turn MFA off.
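To check a fleet for the Safe Mode hardening above, here is an added PowerShell example (my own code, not from the article or from Duo/Deepnet) that audits the SafeModeBlockNonAdmins value and remediates drift; the function names are my own, and the script assumes an elevated session.

```powershell
# Added example: audit and optionally set the Safe Mode restriction the article
# recommends. Only the registry key/value below is from the article.
# Run from an elevated PowerShell session.

$SafeModePolicy = @{
    Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Name  = 'SafeModeBlockNonAdmins'
    Value = 1    # REG_DWORD 1 = only administrators may log on in Safe Mode
}

function Get-SafeModePolicyState {
    param([hashtable]$Policy = $SafeModePolicy)
    $current = Get-ItemProperty -Path $Policy.Path -Name $Policy.Name -ErrorAction SilentlyContinue
    if ($null -eq $current) {
        # Value absent means the Windows default applies: any user may use Safe Mode.
        $actual = $null
        $state  = 'Missing'
    } else {
        $actual = [int]$current.($Policy.Name)
        $state  = if ($actual -eq $Policy.Value) { 'Compliant' } else { 'NonCompliant' }
    }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Setting      = $Policy.Name
        Expected     = $Policy.Value
        Actual       = $actual
        State        = $state
    }
}

function Set-SafeModePolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param([hashtable]$Policy = $SafeModePolicy)
    if (-not (Test-Path $Policy.Path)) {
        New-Item -Path $Policy.Path -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$($Policy.Path)\$($Policy.Name)", "Set REG_DWORD to $($Policy.Value)")) {
        New-ItemProperty -Path $Policy.Path -Name $Policy.Name -PropertyType DWord `
            -Value $Policy.Value -Force | Out-Null
    }
    Get-SafeModePolicyState -Policy $Policy   # re-read so the caller sees the result
}

# Usage: report first, then fix only where drift is found (add -WhatIf to preview).
$before = Get-SafeModePolicyState
$before | Format-Table -AutoSize
if ($before.State -ne 'Compliant') {
    Set-SafeModePolicy -Verbose | Format-Table -AutoSize
}
```

The same pattern, wrapped in Invoke-Command or pushed through your endpoint management tool, gives a quick compliance view across all MFA-protected workstations.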
Choosing the Right Authenticator
I’ve experimented with various authentication methods, and here are my thoughts on each:
- Mobile Push / App One-Time Password:
I consider these the best options. Since they are linked to a mobile device, which users are likely to keep with them at all times, they offer both reliability and security. The push notifications and one-time passwords generated by apps are effective and secure.
- Email, SMS Passcode, Call:
These methods are generally less secure due to several weaknesses, such as SIM swapping, social engineering, SS7 attacks, and a lack of encryption. While convenient, they may not be the best choice for high-security environments.
- Hardware Tokens (OTP, Yubikey, FIDO USB, Smart Card, Access Card):
These tokens are secure but come with a significant drawback: it’s easy to develop a habit of leaving them in the laptop bag. If the laptop is stolen, the attacker might also gain the token, defeating the second factor.
- Biometrics (Fingerprint, Face Recognition, Voice Recognition):
Personally, I’m not a fan of biometric authentication due to its reliability issues. Fingers get dirty, faces might not be recognized correctly, and the effectiveness of these methods depends heavily on the settings for False Accept Rate (FAR) and False Reject Rate (FRR). Striking a balance between recognizing the correct user and avoiding false rejections can be challenging, which is why I’ve been hesitant to rely on these methods.
- Keystroke Dynamics:
This method is quite interesting. According to Deepnet, Keystroke Dynamics technology captures distinctive characteristics in how a person types – such as the duration keys are held and the time between successive keystrokes – creating a statistically unique signature. Scientific research has shown that Keystroke Dynamics is both reliable and accurate, with a National Bureau of Standards (NBS) study finding it to have at least 98% accuracy. Personally, I found this method quite effective and appreciated it as an authentication factor.
- Security Questions, Grid Card:
These methods are best suited for specific scenarios. However, I haven’t found a need to use them in my implementations.
Conclusion
MFA is a highly effective control that protects laptops not only when they are lost or stolen but also against other risks such as unauthorized RDP access or password sharing. Implemented correctly, it can significantly reduce risk.
I’d love to hear your thoughts on this article or other MFA-related topics. Feel free to share your experiences!