IS Decisions logo

IS Decisions Blog

Why implement multi-factor or two-factor authentication for Active Directory credentials

The impact of poor login security is significant. Learn how multi-factor authentication (MFA) combines two or more factors to create a layered defense protecting the vulnerability of corporate passwords.

Published September 13, 2019
Why implement multi-factor or two-factor authentication for Active Directory credentials

The threat from poor login security is one of the most potentially dangerous to a business.

Verizon's annual Data Breach Investigations Report routinely finds that about half of hacking-related breaches leverage stolen passwords, and with breaches we mean more than (just) stealing data. Often an attacker will destroy data, change program or services, or use servers to transmit propaganda, spam, or malicious code.

It doesn’t matter how good your network perimeter defenses, firewalls, antivirus software and threat-detection software are; if your employees fall for phishing scams, share passwords or still have access to company files even after they have left, you are wide open to attack.

The sobering reality is that if multi-factor authentication is not in place, these other security measures can be bypassed.

Mobile laptop desktop MFA

How multi-factor authentication helps secure access

Multi-factor authentication is one of the most effective controls an organization can implement to prevent an unauthorized adversary from gaining access to a device or network and accessing sensitive information. Also known as MFA, multifactor authentication combines two or more factors to create a layered defense.

Adding a second factor (two-factor authentication) typically means either requiring “something that you have” or “something that you are” in addition to a password, “something that you know.” If one factor is compromised or broken, an unauthorized user still has at least one more barrier to breach before successfully breaking into a target system.

This makes multi-factor authentication significantly more secure as a user has to prove they have physical access to a second factor that they either have (a smartphone) or are (a fingerprint).

The use of at least one element from each category is required for a system to be considered three-factor authentication and due to the obvious impediment to users, rare outside of high security government or military systems.

Two-factor authentication

Two-factor authentication for corporate networks

Two-factor authentication, also known as 2FA, is available to help address the vulnerabilities of corporate passwords for businesses of all sizes.

For example when logging onto a corporate network, users need to first enter their Active Directory credentials, followed by a Time-based or HMAC-based one-time password (OTP). This OTP ( a numeric code) is sought from something a user “has," such as a specialized smartphone app called an authenticator or a programmable hardware token.

Using a smartphone as a "secure token" frees the users from carrying a dedicated token device, which are costly and can be easily lost. This makes life far easier for both users and the IT department, and far cheaper to set up.

Alternatively, an external device can be simply plugged into a USB port and will automatically type in the OTP key for you. The user just has to tap their device, making the user experience even more frictionless.

Authentication with a OTP is also deemed more secure than other options such as SMS text based authentication. SMS has proven extremely vulnerable to security breaches and has been at the center of a lot of two-factor hacks. The technology is readily susceptible to SIM Swap attacks and SMS messages can be easily intercepted.

Using two-factor authentication with a OTP is thought as the best balance of security, usability and cost available today.

Take a multi-layered approach to MFA

Multi-factor authentication has its strengths, but like any security approach, it becomes more powerful in conjunction with others.

That's what sets UserLock apart. Not only does it integrate perfectly with Active Directory and offer granular MFA policies, but it also levels up security with contextual access restrictions.

The context of the user’s authentication attempt can also be used to authorize, deny or limit user access. It offers evidence that they are the authorized person with the given right of access. In fact, some experts see this context as an additional (third) factor of authentication.

Instead of allowing everyone to log onto whatever they want, contextual access management uses policy-based restrictions to define who can logon, how (e.g., RDP, local), from where, how often and when.

Don’t want anyone logging on with admin rights after hours? Contextual access management can address that. Limit access to your Domain Controllers to only in-house machines on a certain subnet? That too. Stop certain users from having simultaneous connections? No problem.

With contextual restrictions in place, administrators can then be confident of customizing MFA controls that avoid prompting the user each time they log in. Transparent to the end user, they create a significant barrier to an attacker but don’t impede on their productivity.

Do not consider a new technology such as MFA as a "replacement" to what’s existing. You can assure greater security with each additional layer of security you add.

Try UserLock for free

3400+ organizations like yours choose UserLock to secure access for Active Directory identities and meet compliance requirements.

Download a free trial