For the last 25 years, this nonprofit has provided transitional, low-income and affordable/supportive housing, along with accompanying social services, to New Yorkers experiencing homelessness. Today, it operates eleven facilities across the city with 350 employees, and continues to grow.
The Challenge
Implement remote and offline MFA across the entire organization without making it a chore for users
Historically, the nonprofit has operated a hybrid environment with a roaming profile base, which brings some inherent risks. So when mandates required it to implement MFA, the IT team knew they had to secure the entire 350-person workforce, across twelve offices and facilities.
The chosen system needed to offer a wide range of features, which made finding a solution a challenge. One priority was that it be able to secure Windows laptops even when they were offline, in order to meet the standards of best practice.
MFA also had to be as simple as possible so authentication didn’t become a chore for users. With an ambitious timeline for rollout, it had to be simple to implement as well as affordable.
A particular sticking point was that Microsoft tools could not easily authenticate users when they were offline. This meant that users could bypass MFA by disconnecting from the network, and this was a clear risk should a device fall into the wrong hands.
The chosen MFA solution also had to be able to secure all connection scenarios in an organization where enabling remote work had become a priority.
There was a possibility of using Microsoft 365’s on-premise authentication but it didn’t have the right balance of features and wasn’t the right product.
Nonprofit’s IT specialist, who was responsible for the project.
The Solution
A smooth MFA implementation across online, offline, and remote working scenarios
The nonprofit adopted push authentication as the simplest MFA solution. This required users to install UserLock Push on a company or personal smartphone. A key concern here was whether users would be willing to do this.
The IT department was keen to complete the rollout without any delays or when using an unfamiliar type of authentication. However, push notifications sent via UserLock Push made authentication swift and hassle-free.
IT needs to be simple. It’s already going to bother people that they have to install an application on their phone or authenticate every time. UserLock is simple because with push notification it means that the users don’t have any hassle. The app asks them to tap ‘approved,’ and as a bonus, I’ve got offline protection.
Importantly, in remote working scenarios where a laptop has no Internet connection, UserLock still prompts users for MFA following their Windows login. UserLock Push app users can enter a time-based one-time password (TOTP).
The Benefits
The entire organization now authenticates using UserLock Push, even when they are offline, supporting regulatory compliance
The nonprofit was able to implement MFA across its organization for the first time using push notification, an authentication method that keeps life simple for users unfamiliar with the technology. UserLock’s offline capability was a big advantage over rival systems, agrees its IT specialist.
And even when the computer is offline and push is unavailable, it still allows MFA to complete with a six-digit TOTP. Having that level of offline protection is important for us.
The IT specialist also emphasizes that being able to protect laptops in this scenario is a huge gain. It would not have been possible to implement MFA for 350 employees without this feature, as doing so would have opened dangerous security gaps.
UserLock has also been simpler to set up and configure than using Microsoft’s native implementation. The nonprofit also tested Duo, but it lacked the flexibility of UserLock’s offline push notification MFA and was expensive, says the IT specialist.
Most of all, by covering every base, UserLock is the simplest solution to the challenge of MFA in an organization rolling it out for the first time.
IT needs to help but it also has to be simple.