Why your VPN connections need two-factor authentication (2FA)

Virtual private networks (VPNs) are a popular way to give employees remote access to their organization’s private servers. By creating secure connections between remote machines and your servers, VPNs solve some very important problems. They prevent hackers from finding and entering your servers, while allowing your employees to securely access corporate files and applications from anywhere.

Why add 2FA to VPN connections?

However, VPNs are not a perfect solution. For one, VPNs are common targets of specific security threats, such as phishing and spear phishing attacks. For example, an attacker sends a legitimate-looking email to one of your employees and invites them to log into their account. Via a link in the email, the attacker invites the employee to update their information, pay a bill, consult their messages, etc. The hacker only has to wait for the unsuspecting employee to enter their username and password to get access to the network.

Once in possession of valid credentials, the attacker can connect to your VPN as a legitimate user, gain full access to your network, and steal information or cause other types of damage.

How two-factor authentication secures your VPN network

Two-factor authentication (2FA) prevents hackers from accessing your network using compromised credentials. 2FA requires users to validate their identity by presenting a second security factor in addition to their password. When connecting to a corporate network, users must first enter their Active Directory credentials, followed by a one-time password (OTP), either time-based (TOTP) or HMAC-based (HOTP). This OTP (a digital code) is displayed on something that a user “owns”, such as a specialized smartphone application called an authenticator or a programmable hardware token such as Token2 or YubiKey.

One of the key ideas behind 2FA is that it is extremely difficult to impersonate a user without having access to this second factor. This means that even if hackers manage to steal all of your employees’ usernames and passwords, they still won’t be able to access your VPN because they don’t have the 2FA code.

This is an additional layer of security against unauthorized access to your systems.

How UserLock makes 2FA easier and more secure for your VPN sessions

One of the main criticisms of 2FA is that it is complex and forces users to take additional steps – something that users don’t like. But it doesn’t have to be that way.

UserLock presents a 2FA solution that is both secure and easy to use. UserLock integrates seamlessly with Active Directory to facilitate the implementation of multi-factor authentication across your organization, and across connection types, including easy, secure MFA for VPN connections using RADIUS Challenge or RRAS. Learn how to apply 2FA for VPN.

If you need to apply 2FA on a Windows VPN connection, UserLock also offers subscribers a tool, UserLock Connect, that provides a better user experience when authenticating to VPN sessions with MFA.

UserLock supports MFA via authentication applications that include Google Authenticator, Microsoft Authenticator and LastPass Authenticator, or programmable hardware tokens such as YubiKey and Token2.

While there is no absolute security, it’s fair to say that with UserLock, you get the perfect balance of security and usability.



So if you are looking to better protect your VPN connections, download the fully functional free trial of UserLock now.



Chris Bunn is the Directeur Général Adjoint of IS Decisions, a global cybersecurity software company, specializing in access management and multi-factor authentication for Microsoft Active Directory environments and the cloud.