I think that it’s gross overkill but alas the company I work at is already in the process of implementing Cyber Essentials. I hate it from the bottom of my heart TBH and I think that all such policies are written by moronic dim-wits who have probably never seen a computer in their entire miserable life.
Take a look at Beyond Identity. I would highly recommend them since they do not require a mobile phone for MFA and the endpoint itself becomes an authenticator.
For Remote Desktop it would need to be RemoteApp enabled so that the auth could happen to the website itself.
Interesting - is this in the UK or are you elsewhere?
Yeah of course any remote access requires 2FA and policies checking users and equipment. I would never accept any form of remote access to the internal file system or remote desktop onto the RDS server via PC or laptop without it.
My concern right now is that without any form of 2FA to login to the laptops, in theory someone could get their password, login and get access to their emails (another battle I’m having is to get people to delete emails, some store every single email they send/receive in a folder in their inbox) which could hold confidential and personal information.
That’s what I want to mitigate
I was so surprised when I started off as a helpdesk analyst…seeing the amount of sticky notes with passwords, documents on desktops with lists of passwords. Nothing surprises me anymore with end users lol.
I head up our phishing simulations and I always get a kick out of the users who fall for the phishing emails. I mean, who DOESN’T want free pizza!?
We can’t have an always-on VPN for mobile users. We do have RD gateways with policies already, but it’s the data on the laptop which is the concern, not the access to the network, as I feel I have that sufficiently covered.
Windows Hello is MFA and a way to log in to a laptop with MFA, as it puts an MFA grant on your login token if you log in with it. So if you access something that requires Azure MFA after logging in with it, you won’t be prompted for MFA, as you already satisfied that with the Windows Hello login. However, if you lock and unlock with a username/password, the MFA grant is removed and anything you access will prompt for MFA again.
Agree with this, MFA to log into a laptop is insane.
Especially considering if you have the laptop physically in your possession you probably have the MFA token/phone too.
If security is too heavy it creates a huge divide between users and IT.
These are domain-joined Dell laptops which automatically trigger BitLocker encryption when joining the domain but don’t ask for any sort of PIN on start-up.
I tested this exact scenario today and it works fine - I disabled wireless on the laptop then restarted, checked there was no wireless connection and logged in.
It popped up asking for an OTP on the laptop which I then got from the app on my phone.
I’m assuming that there is some sort of cache or similar of potential OTPs embedded with the app on the laptop.
Certainly worked but yes it did worry me initially too.
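As an added example, not posted by anyone in this thread: a PowerShell audit for the situation described above (BitLocker turned on by domain join, but no PIN at start-up). It assumes the built-in BitLocker module on a Windows 10/11 laptop, an elevated session, and the documented FVE policy registry values; it only reports and changes nothing.

```powershell
# Added example, not from this thread. Reports whether the OS volume is protected
# by the TPM alone (no pre-boot PIN) and what Group Policy says about PINs.
#Requires -RunAsAdministrator
#Requires -Modules BitLocker

function Get-OsVolumePinStatus {
    $osDrive = $env:SystemDrive          # normally "C:"
    $vol = Get-BitLockerVolume -MountPoint $osDrive

    # KeyProtectorType values such as Tpm, TpmPin, TpmStartupKey, RecoveryPassword
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Protector types that demand a user secret before Windows boots.
    $preBoot = @($types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey', 'Password' })

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus        # FullyEncrypted, EncryptionInProgress, ...
        ProtectionStatus = $vol.ProtectionStatus    # On / Off
        KeyProtectors    = ($types -join ', ')
        HasRecoveryKey   = ($types -contains 'RecoveryPassword')
        PreBootAuth      = ($preBoot.Count -gt 0)
        TpmOnly          = ($types -contains 'Tpm') -and ($preBoot.Count -eq 0)
    }
}

# Policy "Require additional authentication at startup" is stored under FVE;
# UseTPMPIN is the "Configure TPM startup PIN" setting (assumed values in comments).
function Get-BitLockerPinPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { return 'No BitLocker policy configured; TPM-only is the default.' }
    $p = Get-ItemProperty -Path $key
    switch ($p.UseTPMPIN) {   # 0 = do not allow, 1 = require, 2 = allow
        0       { 'PIN not allowed by policy' }
        1       { 'PIN required by policy' }
        2       { 'PIN allowed but optional' }
        default { 'UseTPMPIN not set; TPM-only unless another value overrides it' }
    }
}

$status = Get-OsVolumePinStatus
$status | Format-List
if ($status.TpmOnly) {
    Write-Warning "$($status.MountPoint) is unlocked by the TPM alone: the laptop boots to the sign-in screen with no PIN."
}
"Policy: $(Get-BitLockerPinPolicy)"
```

A TpmOnly result with PIN not allowed by policy means the policy has to change before a TPM+PIN protector can be added to the volume.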
Eset Secure Authentication
I’ve been thinking about this overnight and you’re right. Once it’s routine, it’s no issue.
I have to feel confident that I’ve done my best to secure devices and data as you can guarantee that I’d get it in the neck if any confidential data got compromised.
Eset is a phone app that requires approval or provides an OTP.
Currently all laptops just require username and password to login.
For remote access we use RDP via an RDP gateway with connection and resource policies so that only verified equipment and users can get past the gateway.
After entering a password successfully, 2FA is also prompted at the gateway.
If Martha drops the phone in the toilet, then no working from home until work sorts out a new one :).
I do get what you are saying - there has to be a balance between usability and security. Still leaning towards adding it at login though… I mean it really isn’t that difficult, just a bit of a pain.
What does SSO have to do with MFA?
Thanks - I think this is what I’m going to do (using Eset).
US here.
The insurance industry is throwing together hot topics into questionnaires and calling it an assessment.
But if you can do it, they want you to.
I mean, if they got their password and the laptop, they could well have gotten the phone as I would guess they were mugged or something. Like, how do you imagine this happening outside of men in black taking you off the street for a discussion with a pipe.
Sensible or not, humans gonna human.
This. All those idiots in IT security keep getting surprised over and over again when their unrealistic, fascist policies are sidestepped by the good ol’ “sticky paper method”…
BitLocker, OneDrive, don’t let them store locally (outside of OneDrive).
Why do you need a VPN for mobile users? Or do you mean people working off of hotspot?