New SecureAuth Endpoint provides MFA to better protect login into your Windows, macOS, and Linux PC
Logging in to Windows or macOS with a username and password is a day-to-day routine for hundreds of millions of users. But why is MFA not part of the process of logging in to your workplace laptop or desktop? We use MFA for thousands of business SaaS apps such as ServiceNow or Microsoft 365, and lately even for retail banking, for example with First Citizens Bank. So why not MFA for endpoints? It was extremely difficult, that’s why. Until now.
For the first time ever, organizations can require employees to use MFA as part of the login to their Windows, macOS and Linux PCs and servers. The new SecureAuth Endpoint is the product that makes this possible: a client app that integrates into the authentication framework of each of the three dominant operating systems.
Compromised laptops drive the urgency of passwordless OS login with MFA
When you log in to any computer (think of your Dell laptop, your MacBook or even a Linux server), the IT department in your organization relies on a combination of a username and a strong password for security. But we’re now in 2021, so even with password complexity rules and the dreaded password change every 60 days, that’s hardly adequate.
The attack vector can start with a compromised machine. A hacker who successfully compromises a laptop can continue to use additional hacking tools to escalate privileges. Planting tracking software or changing the configuration of the computer can allow the hacker to start observing user patterns and glean information on how to continue the attack without being discovered. The consequences of one compromised device can be disastrous for an enterprise business.
That’s why the security of the OS login is ever so critical. Compromising the computer is the first step toward a successful hack. Imagine you require an MFA step as part of the OS login experience. Instead of validating just the username and password against the user data stored in Active Directory, you also require the user to confirm the login from their smartphone – for example by accepting a push notification on their SecureAuth Authenticate mobile app.
What does this MFA step achieve? You must pass two checkpoints – at the first checkpoint you present your password or PIN (something you know) and at the second checkpoint you accept a push notification (something you have). More importantly, you have made unauthorized access to that computer, and the further exploitation it could open the door to, significantly more difficult.
Windows logon – Why Windows Hello is not a true MFA solution
The ability to enforce MFA for a Windows logon is a long-standing pain point for almost all Microsoft Azure deployments. What does Microsoft have to say about this? “Use Windows Hello for Business” is the official answer from the Azure team in Redmond. So why are customers not happy with this answer?
First, and this is a temporary issue, Windows Hello for Business works only on Windows 10. Over time this will matter less, but in 2021 it is a real concern.
Second, Windows Hello for Business places a device-specific digital certificate onto the Windows PC, and this certificate is used for authentication instead of the password. Access to this certificate is “unlocked” only after the user puts a finger on the fingerprint reader – Microsoft chooses to call this biometric authentication and that’s largely accurate.
Where the IT security professionals raise the flag is when this approach is called MFA. The security dilemma stems from the fact that the digital certificate serves as factor 1. The fingerprint unlock of factor 1 is not a second factor, it’s merely a method of making factor 1 available to Windows logon. This is why you hear: “Windows Hello for Business is not a true MFA solution.” In reality, it’s much better than the previous password-based logon but it does not meet the purist definition of MFA.
Controversy around Windows 10 logon with MFA in a Hybrid Azure AD environment
Hybrid Azure AD Join is an incredibly common setup in pure Microsoft shops. In this environment, computing devices are joined to on-premises Active Directory and are also registered with Azure Active Directory to use Azure-only features like conditional access, single sign-on (SSO), etc.
With the MFA hesitations around Windows Hello, Microsoft Azure customers are left calling on Microsoft to add MFA support to secure the Windows 10 logon. In a perfect world, they would like to see the Microsoft Authenticator app provide MFA at Windows logon to Hybrid Azure AD-joined Windows 10 workstations.
It’s not happening, at least not yet. Customers are left in a difficult position and looking for ways to address this problem.
When SecureAuth was researching the problem, we identified these difficulties not only with pure Windows shops, but everywhere. For enterprises with a single MacBook or AWS Linux server in the mix, the problem escalates quickly.
SecureAuth Endpoint – Your Windows, macOS and Linux login with MFA
The basic premise of the new SecureAuth Endpoint is to integrate OS logon with an adaptive MFA policy. SecureAuth Endpoint is a client that attaches to the operating system’s authentication framework. Once in place, the desktop client communicates with SecureAuth IDaaS and enforces strong, adaptive MFA for OS logon.
For Microsoft shops, SecureAuth Endpoint directly addresses the basic ask: How do I get Azure MFA for Windows logon and ideally also for password reset?
SecureAuth Endpoint client for Windows includes the self-service password reset (SSPR) functionality. The password reset link is placed right below the Windows login dialog and—just like the MFA-powered login—it is linked to SecureAuth IDaaS. This powerful combination of login and SSPR gives identity and access management admins extreme control over where and how password reset is performed.
Since the password reset flow is integrated into the adaptive authentication engine (with the Threat Intelligence Integration Layer ingesting additional risk signals from your existing UEBA and IGA systems), SecureAuth Endpoint client can decide not to allow a password reset when the conditions and context are evaluated as too risky. Similarly, it can dynamically assemble a context-dependent sequence of password reset steps based on which signals pose an elevated risk.
How did we build SecureAuth Endpoint for Windows? On Windows we use the Windows Credential Provider API, so SecureAuth Endpoint itself becomes a Credential Provider. This allows us to modify the login screen, with some limitations.
For macOS we have two versions of SecureAuth Endpoint: an Authorization Plug-in that secures the Mac login window, and a Pluggable Authentication Module (PAM) that serves as a second factor for SSH.
The Linux version of SecureAuth Endpoint is a PAM module that can be used alongside the other modules available in the OS. As on the Mac, this Linux PAM module can be used to secure SSH connections and privilege escalation like
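As an added example (not SecureAuth’s own configuration), this is how a PAM-based second factor is typically stacked behind the first factor for SSH and sudo on a RHEL-family Linux host, with sshd set so the PAM step cannot be skipped. `pam_mfa_example.so` is a placeholder for whichever second-factor module is deployed; the other directives are standard PAM and OpenSSH.

```conf
# /etc/pam.d/sshd (excerpt, RHEL-family layout; PAM evaluates auth lines top to bottom)

# Factor 1: the account password, via the distribution's standard stack.
# "substack" (not "include") matters: a "sufficient" pam_unix success inside
# password-auth then only ends the substack, so the MFA line below still runs.
auth    substack     password-auth
# Factor 2: placeholder name for the endpoint MFA module (assumption).
# "required" = a failed or skipped second factor fails the whole auth phase,
# but the remaining modules still run, so the prompt sequence does not reveal
# which factor was wrong. Never place it after a "sufficient" line of the same
# file: a successful "sufficient" module returns immediately and skips it.
auth    required     pam_mfa_example.so
auth    include      postlogin

# /etc/pam.d/sudo (excerpt): privilege escalation gets the same second factor,
# so a stolen password alone is not enough to become root.
auth    substack     system-auth
auth    required     pam_mfa_example.so

# /etc/ssh/sshd_config (excerpt)
UsePAM yes
# sshd consults the PAM auth stack only for password and keyboard-interactive
# logins, and only keyboard-interactive can carry the extra MFA prompt. A plain
# public-key login never reaches the module, so either require
# keyboard-interactive (password + MFA) ...
AuthenticationMethods keyboard-interactive
# ... or make the key the first factor instead:
#AuthenticationMethods publickey,keyboard-interactive
KbdInteractiveAuthentication yes   # "ChallengeResponseAuthentication yes" on older OpenSSH
```

Check the result from a second session before closing the one you edited in: a correct stack prompts for the second factor on both `ssh` and `sudo`, and a public-key login without the MFA prompt indicates the sshd settings above were not applied.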
MFA options parity across all operating systems
SecureAuth Endpoint client offers MFA parity between all three of the supported operating systems – Windows, macOS and Linux. All the popular MFA methods such as push-based OTP with SecureAuth Authenticate, HOTP, YubiKey, SMS, phone calls, or magic link are included and ready to go, the only exception being FIDO2 WebAuthn.
I want to protect any OS logon with MFA. Is it doable? Absolutely.
The new SecureAuth Endpoint client provides immediate MFA protection for Windows, Linux and macOS system logon. At a minimum, the OS login screen will ask the user for an additional factor, but where SecureAuth Endpoint really shines is when the OS login transitions to a fully passwordless OS logon with smart MFA. This ensures the best level of security and an optimal user experience for any modern enterprise.