2FA login for laptop and also for VPN/Remote sensible or overkill?

BitLocker encryption when joining the domain, but it doesn’t ask for any sort of PIN on start-up.

This is the worst possible combination ever. Not only can the decryption key be dumped from memory by freezing the RAM with some canned air, but once the TPM goes bad one can usually say goodbye to all the data on the laptop too. That’s how they did it in the corporation I used to work at, and I hate BitLocker from the bottom of my heart ever since.
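
The TPM-only configuration the two posts above describe can be audited and changed from PowerShell. The following is an added example for this thread, not code from any poster: it lists each BitLocker volume's key protectors, flags operating-system volumes that unlock with the TPM alone (no user secret at boot), and switches a volume to TPM+PIN after first making sure a recovery password exists and has been escrowed to Active Directory. It assumes an elevated session on a domain-joined Windows 10/11 client with the built-in BitLocker module, and that the Group Policy setting "Require additional authentication at startup" with the TPM startup PIN set to Allowed or Required has already been applied (without it, Windows refuses to add a TPM+PIN protector). The function names are my own.

```powershell
# Added example, not from the thread. Run elevated on a domain-joined Windows 10/11
# client. Assumes the "Require additional authentication at startup" policy already
# permits a TPM startup PIN; otherwise Add-BitLockerKeyProtector -TpmAndPinProtector fails.

function Get-BitLockerStartupPosture {
    # One row per volume: which protectors exist, whether the OS volume is TPM-only
    # (the weak setting), and whether a recovery password exists.
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | Select-Object -ExpandProperty KeyProtectorType)
        $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            TpmOnly          = ($vol.VolumeType -eq 'OperatingSystem') -and
                               ($types -contains 'Tpm') -and -not $hasPin
            HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
        }
    }
}

function Set-BitLockerTpmPin {
    # Hypothetical helper name. Moves an OS volume from TPM-only to TPM+PIN.
    param(
        [Parameter(Mandatory)] [string]       $MountPoint,
        [Parameter(Mandatory)] [securestring] $Pin
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # 1. Ensure a recovery password exists and escrow it to AD *before* touching the
    #    TPM protector, so a failed TPM (the second complaint above) stays recoverable.
    $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
                Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
    foreach ($p in $rp) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }

    # 2. Add TPM+PIN. BitLocker keeps a single TPM-based protector per volume; if the
    #    plain TPM protector is still listed afterwards, remove it explicitly.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    $leftover = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
                Where-Object KeyProtectorType -eq 'Tpm'
    foreach ($p in $leftover) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }

    # 3. Return the new posture for the caller to check (TpmOnly should now be False).
    Get-BitLockerStartupPosture | Where-Object MountPoint -eq $MountPoint
}

# Usage (audit first; the change is commented out so the script is safe to paste):
Get-BitLockerStartupPosture | Format-Table -AutoSize
# $pin = Read-Host -AsSecureString 'New startup PIN'
# Set-BitLockerTpmPin -MountPoint 'C:' -Pin $pin
```

The reason the PIN matters for the cold-boot scenario: with a TPM-only protector the TPM releases the volume key automatically during boot, so the key is in RAM before anyone has authenticated; with TPM+PIN nothing is unsealed until the PIN is entered. The recovery-password escrow step is what keeps a dead TPM from becoming a dead laptop. If your policy enforces a minimum PIN length, the `-TpmAndPinProtector` call fails with a descriptive error rather than weakening the policy.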

Thanks. Personally, I’d enable it both for VPN and for the endpoints.

Precisely. Recently rolled out Duo to 100 people; only a little bit of pushback in the first 2 weeks. After that, not a peep.

I log in/RDP to a server that needs MFA, RSA, and uses a rotating password. I put in the password/passcode 3 times to log in. Then the screen locks after 5 minutes of no activity and I have to repeat. I try not to use it, so don’t be so secure that users find other ways to do things.

Security has to push security for the business; who else will?
My suggestion is to do a trial of some non-IT users and see how it goes.

It doesn’t; this is a case of knowing what OP needs vs. what OP wants. Let’s go back to the text:

I’m considering rolling out 2FA to login to company laptops when outside of the office network and then again if the user wishes to VPN / Remote Desktop into the network.

What I read here is that there’s a question behind it: “is it acceptable for my users to authenticate multiple times?” In general that problem is addressed by SSO: authenticate once (say, during login with MFA), and become authorized everywhere (domain, email, instant messaging, VPN, etc.).

UK here. Same also re: cyber insurance. MFA required on or off LAN.

So, to quickly confirm, most, if not all, cyber insurance in the US mandates that users need 2FA to log in to their laptops?

If it’s happening there, it’ll happen here.

You’d be surprised.

Go to an airport and watch how many people leave their laptops sitting on a seat or a table and then go to the bathroom or the bar for a drink.

Even if they lock the screen, consider how easy it is to shoulder surf someone in that environment.

Haha yeah I know what you’re saying.

However, say one is left at an office where there are some negotiations on “business” taking place.

The user leaves their password on a sticky note attached to the screen (I’ve seen it, truly). It’s not a huge stretch for someone there to log in and look at emails or OneDrive files/folders. Or even if someone just wanted to be malicious.

Or someone at home leaves the password around and the kids think it might be fun to log in and have a look.

I feel I need to mitigate it if I can.

For most, a VPN is not required; Remote Desktop with 2FA via an RD Gateway is adequate, but there are some more senior management guys who prefer VPN.

VPN/Remote Desktop always requires 2FA.

The main business apps are not cloud-based; they are traditional applications running off SQL Server.

MFA is being mandated for any resources accessed externally as well as any elevated privileges.

Personally, I think it’s only a matter of time before MFA is required for all access, and we’re moving towards that direction.

It varies by insurance company, but most are wanting MFA on VPNs / 365 / external access.

MOST, but not all, are wanting MFA on servers / desktops for ADMIN logins (if NOT local / domain admin then no MFA required).

SOME are even going so far as requiring MFA on switches / other misc. network gear.

Sorry, it was a really busy day today, so my answer was pretty unhelpful. The other two guys that responded to you explained it in better detail, and I concur.

2FA is being mandated on VPNs, servers, and all critical devices.

Ok, well, that’s … a management issue here if someone just leaves the password on a sticky note on the screen (if we find out about it). Wow.

Well, the idea behind Always On VPN is that the user doesn’t need to authenticate, since it is certificate-based, and their local computer, which otherwise would not be on the network, can function normally at startup and login.

SOME are even going so far as requiring MFA on switches / other misc. network gear

Wow, that’s literally taking IT security idiocy to a whole new level…

It also solves users sharing passwords for “efficiency”; 2FA solves that problem neatly.

I’d disagree; securing the change points is more important than securing the endpoints.

Yeah, and this is in environments where you’re lucky to have a managed switch AT ALL, let alone one that would support RADIUS or TACACS(+) that would support MFA.