2FA login for laptop and also for VPN/Remote sensible or overkill?

Happy Friday to all,

As per the title, I’m considering rolling out 2FA to log in to company laptops when outside of the office network and then again if the user wishes to VPN / Remote Desktop into the network.

I want to go with this but sometimes wonder if I’m being over the top?

Any thoughts?

*** Thank you all for your replies and guidance. Weight of opinion seems to suggest that it’s not too OTT, so I’m going to prepare a plan to put forward to management. Cheers all. ***

Regardless, we’re seeing every cyber insurance carrier mandate it. So it’s coming either way.

Personally, I’m not sold on endpoint 2FA logins as accomplishing much. That’s where disk encryption is probably more important if you’re worried about physical access. VPN definitely needs 2FA. Any remote access over the Internet should have 2FA at this point IMO.

Perfectly sensible; the number of times I’ve seen a remote worker laptop with VPN or RDP credentials in a text document sitting on the desktop is insane.

Take the extra security steps, especially when it comes to a remote device.

I’ll give my experience. I work in IT for a company that cares about security a lot. We use BitLocker for encryption and the user has to enter a PIN. Then they sign in with a password to log in under their profile. To use VPN, yes, we use an additional 2FA method. To use Remote Desktop, you have to be on VPN whether you’re onsite or offsite.

This is, or should be, a ground rule IMO.

I think it’s overkill myself.

VPN ideally should be Always-On, and the MFA covers you getting into the system.

An MFA enabled RD Gateway helped us practically eliminate software VPN from our network.

TBH I’ve never worked anywhere that used 2FA for laptops. BitLocker to encrypt the drive is usually enough.

Access to anything else like email, Teams, OneDrive, VPN and so on should all have MFA on them though.

MFA for laptops sounds like an absolute nightmare. How do you unlock it when the device is offline?

BitLocker the machine, have sane screen lock policies. MFA is not required and is going to drive your users insane.
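The baseline that the two posters above describe (BitLocker on the OS drive with a TPM+PIN protector, a recovery password you can escrow, and an idle-lock policy) is easy to assert rather than assume. The following PowerShell audit is an added example and not code from anyone in this thread; it uses only the built-in `Get-BitLockerVolume`, `Get-Tpm` and registry cmdlets, and the 15-minute idle limit is an assumed policy value you would set to your own standard. Run it elevated on a Windows 10/11 Pro or Enterprise laptop.

```powershell
# Added example (not from the thread): audit one Windows laptop against the
# "BitLocker + PIN + sane screen lock" baseline described by earlier replies.
# Assumed policy value: lock the machine after at most 15 minutes idle.
#Requires -RunAsAdministrator

function Test-LaptopBaseline {
    param(
        [int]$MaxLockSeconds = 900   # assumed policy: 15 minutes idle, then lock
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. TPM must be present and ready, otherwise a TPM+PIN protector cannot exist.
    $tpm = Get-Tpm
    if (-not $tpm.TpmReady) {
        $findings.Add("TPM not ready (present=$($tpm.TpmPresent), enabled=$($tpm.TpmEnabled))")
    }

    # 2. OS volume: protection on, fully encrypted, XTS-AES cipher.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($os.ProtectionStatus -ne 'On') {
        $findings.Add("BitLocker protection is '$($os.ProtectionStatus)' on $($os.MountPoint)")
    }
    if ($os.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("OS volume status is '$($os.VolumeStatus)', expected FullyEncrypted")
    }
    if ($os.EncryptionMethod -notmatch '^XtsAes') {
        $findings.Add("Encryption method is '$($os.EncryptionMethod)', expected XtsAes128/256")
    }

    # 3. Protectors: a pre-boot PIN (TpmPin or TpmPinStartupKey) plus a recovery
    #    password that can be escrowed to AD/Entra ID. A bare 'Tpm' protector means
    #    the disk unlocks silently at boot and the only gate is the Windows logon.
    $types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    if ($types -notcontains 'TpmPin' -and $types -notcontains 'TpmPinStartupKey') {
        $findings.Add("No TPM+PIN protector; protectors present: $($types -join ', ')")
    }
    if ($types -notcontains 'RecoveryPassword') {
        $findings.Add("No RecoveryPassword protector, so nothing can be escrowed")
    }

    # 4. Idle lock: 'Interactive logon: Machine inactivity limit'. Missing or 0 = disabled.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $idle = (Get-ItemProperty -Path $policyKey -Name InactivityTimeoutSecs `
                -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    if (-not $idle -or $idle -gt $MaxLockSeconds) {
        $findings.Add("Machine inactivity limit is '$idle' seconds; expected 1..$MaxLockSeconds")
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Usage: print the verdict for this machine; non-zero exit makes it usable from RMM/Intune.
$result = Test-LaptopBaseline
$result | Format-List
if (-not $result.Compliant) { exit 1 }
```

The protector check is the one that matters for the "physical access" argument in the thread: `Get-BitLockerVolume` will happily report `ProtectionStatus: On` for a TPM-only configuration, which protects the disk at rest but still boots straight to the logon screen, so asserting on `TpmPin` rather than on `ProtectionStatus` alone is what distinguishes "encrypted" from "needs something the user knows before Windows starts".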

I’m not in IT but as someone who cares about security this sounds perfectly acceptable to me.

Duo is excellent for this.

And yes, MFA for all logins (laptop & RDP) is reasonable. Consider SASE vs. a traditional VPN, as it authenticates the device and the user. It can also validate the endpoint (AV status, patch status, etc.).

What are you using for MFA?

There is no drawback. Tell them it’s required security policy, deal with complaints for about a month and then move on. Once it’s part of the end user’s daily ritual, it’s not a big deal. 5 more seconds.

What does Eset use to send the code to the user? Meaning text message, email, or phone app with an approval button, etc.?

For sure I would set it up for VPN/Remote Desktop. You are extending your internal network at this point.

Why the laptop? If the above is an email, how do they get it?

They use their phone, you say. Why don’t you MFA their phone? You probably have Email, Teams, Files, O365 or similar on there. Not trying to be a jerk, just going through some steps. And maybe you have some MDM functions for that.

This may also depend on how savvy your users are and how much support you can give them.

Sure, it’s more secure, but what happens when Martha drops her phone in the toilet :wink: What secondary options are there?

From a security standpoint, yes.
From a usability standpoint, maybe not the laptop.
Teaching/instructing users general security is always a plus too. Don’t click that spam message! You’re not in accounting, why did you open that invoice!

From my experience in IT, we have to be able to view the whole scope, not just our facet of it. Security is important but needs balance.

Your problem is one of SSO, not one of “when should authentication require MFA?”.

For VPN that should be a requirement IMO. For the laptop, whether I would consider it a definite requirement depends on the nature of the business or employee, but 2FA is always a good idea.

I’ve deployed AAD with WHfB and a Yubikey for a client. Takes care of 2FA and makes it easier for them to login.

MFA for VPN is a must. We only MFA workstation logins for sensitive computers (Servers, IT workstations and Finance) as drives are BitLockered.

We require this with Hello for Business and MFA over VPN.

We require Duo at laptop login (and lock) and certificate for VPN in addition to credentials