Passwords are important, but they are not as reliable as they once were because of one key factor: human error. Typical passwords pose a substantial security vulnerability because the majority of people — including your employees — don’t have strong password habits. Our recent OpenVPN survey found that employees reuse the same passwords across multiple accounts, neglect changing their passwords, leave the default password in place, or use weak passwords (e.g. “password”). Cybercriminals know that the average person takes shortcuts with their passwords, and so they target businesses from that angle.
Every business leader should be aware that no matter what they do or say, their employees’ password habits won’t be up to the task. To combat this, leaders need to turn their attention to strengthening their endpoint authentication. Endpoint authentication is essentially how you secure your network and devices to ensure only authorized people access organizational resources. A password is one form of endpoint authentication, but since passwords alone are not very secure, other options need to be considered. One of the most recommended options for endpoint authentication is multi-factor authentication or two-factor authentication.
Two-factor authentication is an extra layer of security used to verify that the individual requesting access to a particular device or resource is authorized to access it. Two-factor authentication could look like your employee using a password, and then receiving an additional code via text or email they enter into the appropriate field to complete the login. Multi-factor authentication works the same way as two-factor authentication, but there are more than two different methods for authenticating users.
Two-factor authentication or multi-factor authentication is vital to keeping your business protected from cybercriminals — and using a reputable VPN can provide you with the ability to set these more secure forms of authentication.
A VPN like OpenVPN Access Server works by providing secure remote access to the internal network that houses all of the tools and applications employees need to get their jobs done. No matter if employees are in an office, working from home, or in the field, they can access those features safely and securely. Access Server includes integration with Google Authenticator, which can enforce two-factor authentication.
By utilizing OpenVPN Access Server with the Google Authenticator app, your employees will be covered with strong two-factor authentication. Employee accounts will be protected with something they know (their password) and something they have (their phone). Authenticator generates a six- to eight-digit code which users must enter in addition to their usual login details. Codes are derived from a secret unique to each account, change with time, and each code can only be used once.
There are also other options such as Amazon Web Services Multi-Factor Authentication (AWS MFA), which adds an extra layer of protection on top of an employee’s username and password. When a user signs in to an AWS website, they will be prompted for their username and password as well as an authentication response from their AWS MFA device. AWS MFA security is top notch, and an excellent choice for businesses looking to improve their endpoint authentication procedures.
Consider a telecommunication company that provides Internet access to rural communities using fixed-wireless technology.
The telecommunication company has a crew of about ten installers. These installers are trained to install the fixed wireless antenna on the customer’s roof and run the cable to the indoor Wi-Fi router. They receive work orders and reserve the equipment needed for installation on the fly by using an application on their rugged laptops with cellular connectivity. But it is essential to have high-security protections in place. Otherwise, if the laptops fall into the wrong hands, or if a hacker figures out a password, criminals could disrupt the entire communication service.
The company wants to set limits so that only authorized laptops and users have access to the corporate network, and needs network-level authentication. They can enforce this with multi-factor authentication. They want it set up so that the installer needs to enter a code received on their company cell phone before gaining access to any network resources.
The company utilized OpenVPN Access Server to limit access to the devices that have their MAC address registered. The MAC address is a unique identifier that a network interface has, and in this case, can be used to identify the installer’s device. The Google Authenticator app was installed on the installer’s phone, with OpenVPN Connect Client installed on their laptops.
With these security precautions in place, unauthorized devices cannot connect to the corporate network even if they use the same VPN connection profile and credentials. The installers are authenticated using a Google Authenticator app code on their company smartphone in addition to a username and password when connecting to the network. These measures give the installers access to the fixed-wireless critical management systems while they are out and about installing equipment — while providing strong network-level authentication.
Access Server supports the Google Authenticator multi-factor authentication system, but it is not enabled by default. It can be enabled via the Admin UI under “Client Settings” or via the command line with the command line examples given here. It is also possible to enable or disable the Google Authenticator requirement per user or per group. This can be important if, for example, a client device making a VPN connection is unable to provide the Google Authenticator code by itself.
To use the Google Authenticator app you need an application or device that can accept a Google Authenticator type shared secret, and with that generate 6-8 digit codes that change every 30 seconds. An Android, iPhone, or BlackBerry smartphone can all do this with the Google Authenticator app. There are also plugins for browsers and applications for tablets and desktop computers, as well as separate credit-card-sized (or smaller) devices that can be provisioned with the unique secret and generate codes for years off the built-in battery.
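The mechanics behind the codes described above (a shared secret, 6-8 digit codes rotating every 30 seconds, and each code usable only once) are the RFC 4226/6238 HOTP/TOTP algorithms used by Google Authenticator type apps. The following is an added example, not OpenVPN's or Google's code: it generates the codes and shows the server-side check a VPN or web login would do, including a small clock-skew window and a high-water mark so a captured code cannot be replayed. The secret is the RFC test-vector value, not a real credential.

```python
# Added example (not OpenVPN's or Google's code): RFC 6238 TOTP as used by
# Google Authenticator-style apps, plus a server-side verifier that accepts
# each code at most once. The secret below is the RFC 4226/6238 test-vector
# secret (base32 of the ASCII string "12345678901234567890"), i.e. constructed.
import base64
import hashlib
import hmac
import struct


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # restore base32 padding
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret_b32, unix_time // step, digits)


class TotpVerifier:
    """Server-side check: constant-time compare, +/- one step of clock skew,
    and a high-water mark so a code that already logged someone in is rejected."""

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret, self.step, self.digits, self.skew = secret_b32, step, digits, skew
        self.last_counter = -1  # highest time step already consumed by a successful login

    def verify(self, code: str, unix_time: int) -> bool:
        code = code.strip()
        if not (code.isascii() and code.isdigit() and len(code) == self.digits):
            return False
        now = unix_time // self.step
        for counter in range(now - self.skew, now + self.skew + 1):
            if counter <= self.last_counter:
                continue  # this step (or an older one) was already used: reject replay
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # constructed RFC test-vector secret

if __name__ == "__main__":
    v = TotpVerifier(TEST_SECRET)
    code = totp(TEST_SECRET, 59)                       # "287082" per RFC 6238 (6-digit form)
    print(code, v.verify(code, 59), v.verify(code, 60))  # second use of the same code fails
```

Google Authenticator's defaults (SHA-1, 30-second step, 6 digits) are what the functions assume; the `digits` parameter covers the 8-digit variant mentioned above.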
AWS offers the following steps to get started with AWS MFA, and ensure your MFA security is top notch:
For more detailed instructions, you can check out the AWS Enabling MFA Devices Resource.
Note: AWS will soon end support for SMS multi-factor authentication (MFA). They are not allowing new customers to preview this feature. They recommend that existing customers switch to one of the following alternative methods of MFA: virtual (software-based) MFA device, U2F security key, or hardware MFA device.
For instructions on setting up a virtual MFA device with AWS, see Enabling a Virtual Multi-factor Authentication (MFA) Device (Console).
For instructions on setting up a U2F security key with AWS, see Enabling a U2F Security Key (Console).
For instructions on setting up a hardware MFA device with AWS, see Enabling a Hardware MFA Device (Console).