
IS Decisions Blog

Why your VPN connections need two-factor authentication (2FA)

VPNs are vulnerable to security threats. Add two-factor authentication (2FA) to VPN connections for more security against unauthorized access.

Published August 7, 2022

Virtual private networks (VPNs) are a popular way to give employees remote access to their organization’s private servers. By creating secure connections between remote machines and your servers, VPNs solve some very important problems. For one, they prevent hackers from finding and entering your servers, while allowing your employees to securely access corporate files and applications from anywhere. Here's why it's a good idea to apply 2FA on VPN connections.

Why add 2FA to VPN connections?

While VPNs do secure remote access to an extent, they are vulnerable. VPNs are common targets of specific security threats, such as phishing and spear phishing attacks. For example, an attacker sends a legitimate-looking email to one of your employees and invites them to log into their account. Via a link in the email, the attacker invites the employee to update their information, pay a bill, consult their messages, etc. The attacker only has to wait for the unsuspecting employee to enter their username and password to get access to the network.

Once in possession of valid credentials, the attacker can connect to your VPN as a legitimate user, gain full access to your network, and steal information or cause other types of damage.

How two-factor authentication secures VPN connections

2FA prevents hackers from accessing your network using compromised credentials. 2FA requires users to validate their identity by presenting a second security factor in addition to their password. When connecting to a corporate network, users must first enter their Active Directory credentials, followed by a time-based or HMAC-based one-time password (OTP). This OTP (a digital code) is displayed on something that a user “owns”, such as a specialized smartphone application called an authenticator or a programmable hardware token such as Token2 or YubiKey.

One of the key ideas behind 2FA is that it is extremely difficult to impersonate a user without having access to this second factor. This means that even if hackers manage to steal all of your employees’ usernames and passwords, they still won’t be able to access your VPN because they don’t have the 2FA code.

This is an additional layer of security against unauthorized access to your systems.

How UserLock makes 2FA easier and more secure for your VPN sessions

One of the main criticisms of 2FA is that it's complex to manage and slows down users. But it doesn’t have to be that way.

UserLock's 2FA solution is both secure and easy to use. Since UserLock is designed for Active Directory (AD), integration is seamless. This makes it really simple to apply 2FA, also known as multi-factor authentication, across your organization and across connection types, including MFA for VPN connections using RADIUS Challenge or RRAS.

If you need to apply 2FA on a Windows VPN connection, UserLock also offers a tool to subscribers called UserLock Connect, which allows users to connect to Windows VPN and complete 2FA in one intuitive interface.

UserLock also supports 2FA via push notifications, authenticator applications, or programmable hardware tokens such as YubiKey and Token2.

Best of all, with UserLock you get control over setting granular policies to strike the perfect balance of security and usability for your team.


Try UserLock for free

3400+ organizations like yours choose UserLock to secure access for Active Directory identities and meet compliance requirements.
