When you are thinking of enforcing MFA on your critical SaaS and on-premise resources, do not forget about logins to your employee laptops and desktops.
An employee’s work laptop is a treasure trove for any malicious actor who gains access to it. It may contain:
- Apps accessible with cached credentials: Many of the apps you use on your laptop never ask you for credentials, especially if your organization lacks strong MFA policies. Your password may be cached in your browser for many of these apps. If your organization uses certificate-based authentication or Integrated Windows Authentication (IWA) for convenience, most apps are directly accessible from a trusted device without any authentication challenge. Considering that even a mid-sized company may use 100+ SaaS apps, imagine the damage that can be done with access to even a few of them.
- Sensitive files: Even as the world moves towards cloud storage, most of us keep a local copy of our most important files in OneDrive, Box or Dropbox. Employees who are constantly on the move, such as sales staff, keep critical information locally because they may not always have access to the cloud. Such files may contain sales leads, financial information, partner information, code, trade secrets, and so on. In the worst case, a careless employee may have stored their passwords in a spreadsheet!
- Personal information: An average laptop may contain several files with the owner's personal information, such as address, phone number, email, SSN, bank account and credit card details. In the worst case, such information can be used for identity theft, compromising these vital financial services.
- Emails: An email client such as Outlook is usually left permanently open. An email account can often be used to reset passwords for many of an employee's services. The emails themselves often contain sensitive information about the employer, and one employee's mailbox can be used to extract sensitive information from another employee through social engineering.
In short, it could be disastrous if even one of your employees loses a laptop whose password happens to be a weak one. Weak passwords are common, which is natural considering how many passwords users need and how much they want to remember them easily.
There is also the insider threat: a rogue employee looking to steal valuable information from a colleague or senior executive. Insider threats are particularly dangerous because they can go undetected for weeks or even months, and they are very common, representing the primary vector of about 60% of data breaches.
So it is absolutely essential that work (and even personal) laptops are protected with strong multi-factor authentication on the boot screen and lock screen. Not doing so leaves a dangerous loophole in your organization's digital security.
To address this pain point, Idaptive’s cloud agents support strong multi-factor authentication for the boot screen and lock screen of Windows and macOS devices, with features such as:
- Risk-based adaptive MFA that leverages the Idaptive UEBA platform
- Support for MFA on RDP/RDS access to your Windows servers
- Self-service password reset based on authentication challenges, reducing your IT helpdesk costs without compromising security
- Multi-factor authentication even when a device is offline, to cover theft scenarios
- Several choices of authentication factor, such as OTP, SMS, email, mobile push and FIDO2 keys (such as YubiKey), depending on your organization’s needs
Idaptive also supports locking and wiping Windows and macOS devices if they are stolen and the user realizes it quickly.
To summarize, when you are thinking of enforcing MFA on your critical SaaS and on-premise resources, do not forget about logins to your employee laptops and desktops!
Here are more details on these Idaptive solutions –
This is a Security Bloggers Network syndicated blog from Articles authored by Sumedh Inamdar. Read the original post at: https://www.idaptive.com/blog/desktop-mfa-essential-endpoint-security/