Now more than ever, companies have become open to the idea of employees working remotely. For some it may be temporary, but many are adopting it as a permanent option going forward. The benefits of remote work are almost endless for both employees and employers. It allows for a better work-life balance, which ultimately improves productivity. Companies can widen their talent pool as well as save on expensive office space. But is remote access safe? Unfortunately, while remote work is convenient, it is far from secure by default.
While there are many options available for employees to sign in to business applications and services using mobile device-based authenticator apps, there are several factors to consider. With safety and security in mind, we've prepared this list of the top 10 things to look for when evaluating which remote access authenticator to go with for your organization.
Multi-factor authentication (MFA) and passwordless login are the two main uses for remote access authenticator apps. MFA requires a password and then uses the app to complete the authentication process. Passwordless is an evolution of MFA that eliminates the hassle and security risks associated with passwords. By using a mobile device as one factor and a second authenticator such as a fingerprint scan, the user is validated using two separate factors, also known as two-factor authentication (2FA). We strongly recommend solutions that support passwordless, as it is the most secure authentication method.
The authenticator app needs to support the operating systems, platforms, and services commonly used in enterprise environments including Windows, Macs, virtual desktops, VPNs, cloud services, and on-premises web applications.
The remote access authenticator app should support a wide range of common authentication techniques for the user. At a minimum it should support push notifications to the mobile device (both alerted and silent), biometric authenticators like fingerprint and facial recognition, mobile-app initiated, QR codes, soft tokens, and one-time challenge-response codes.
For situations where either the mobile device or the target system is offline, such as on an airplane or when the mobile device has no service, the authenticator must still operate, and do so securely. Some solutions use a stored set of PIN codes shared by both devices. These can be susceptible to compromise, can be depleted if you log in offline too many times, and must be synchronized with every system that needs to be accessed. To get around this, you need a solution that uses public key cryptography and rolling keys, which store no shared secrets, enabling you to sign in to any system you're allowed to access as many times as you need.
An authenticator app is great but what if you don’t have the mobile device or if it malfunctions? Modern Windows and Mac devices offer built-in biometrics such as fingerprint and facial recognition that don’t need the mobile app to authenticate. This is becoming increasingly common and any solution you choose should support it and offer users a choice of which device to authenticate with.
In situations where the mobile device isn't permitted or can't be used, FIDO2-compliant solutions support the use of USB or Bluetooth hardware-based security keys such as Google Titan or YubiKey. If this is a need for your organization, you must ensure the solution supports FIDO2 to the workstation in both online and offline modes.
The concepts of zero trust and Gartner's CARTA (Continuous Adaptive Risk and Trust Assessment) framework are being more broadly adopted by enterprise organizations. Using real-time risk detection, automated policies can be employed to increase or decrease friction based on the user and device trust level. Solutions lacking real-time trust management will quickly become outdated.
A remote access authenticator can be provided by the vendor as a standalone app you can download from the iOS App Store or Google Play, or as an SDK you can integrate into an existing corporate application you may already have. An SDK allows you to customize the authenticator app to meet your specific requirements.
A mobile app with biometrics is a great authentication method, but there are scenarios where it can’t be used such as when a remote user needs to onboard a replacement for a lost or stolen device. Features like centralized voice biometrics and OTP over SMS are needed for these special situations.
Combined with the authenticator app, the mobile device becomes a highly sensitive security element that holds private cryptographic keys for the user. The keys stored on the device must be rolled automatically on a periodic basis to prevent them from being stolen. This is a mandatory requirement for most enterprise organizations.
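As an added illustration of the public-key approach described in the offline-access item and the key-rolling requirement above (example code written for this page, not code from the original article or from any vendor's product), the following Go program models an authenticator device that holds the only copy of a private key and a workstation that stores nothing but the matching public key. Names such as Device, Workstation and the "rollover:" prefix are assumptions of this sketch. Each login uses a fresh random challenge that the workstation verifies offline, so there is no shared secret to steal from the workstation and no finite list of codes to deplete; a key rollover is accepted only when the new public key is signed by the key currently enrolled, which stands in for the periodic automatic key rolling the checklist calls for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device models the mobile authenticator: it holds the only copy of the private key.
type Device struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

// Workstation models the offline target system: it stores only the user's public key
// plus the set of challenges it has issued but not yet consumed.
type Workstation struct {
	id      string
	userPub ed25519.PublicKey
	pending map[[32]byte]bool
}

// Challenge is fresh for every login; binding the host name stops a response
// obtained for one workstation from being replayed against another.
type Challenge struct {
	Nonce [32]byte
	Host  string
}

// Rollover carries a new public key and a proof that the holder of the old key authorised it.
type Rollover struct {
	NewPub ed25519.PublicKey
	Proof  []byte
}

func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, pub: pub}, nil
}

// Enroll copies the public key to the workstation (done once, online). No secret leaves the device.
func (w *Workstation) Enroll(d *Device) {
	w.userPub = append(ed25519.PublicKey(nil), d.pub...)
	w.pending = make(map[[32]byte]bool)
}

// NewChallenge draws a random nonce; the workstation remembers it so it can be used only once.
func (w *Workstation) NewChallenge() (Challenge, error) {
	c := Challenge{Host: w.id}
	if _, err := rand.Read(c.Nonce[:]); err != nil {
		return c, err
	}
	w.pending[c.Nonce] = true
	return c, nil
}

func challengeBytes(c Challenge) []byte {
	return append(append([]byte("login:"), c.Nonce[:]...), []byte(c.Host)...)
}

// Respond signs the challenge (in a real app this would follow a local biometric unlock).
func (d *Device) Respond(c Challenge) []byte { return ed25519.Sign(d.priv, challengeBytes(c)) }

// Verify runs fully offline: it needs only the stored public key, and nothing is depleted
// by repeated logins. Each challenge is consumed on first presentation, so replays fail.
func (w *Workstation) Verify(c Challenge, sig []byte) bool {
	if !w.pending[c.Nonce] {
		return false
	}
	delete(w.pending, c.Nonce)
	return ed25519.Verify(w.userPub, challengeBytes(c), sig)
}

// RollKey generates a fresh key pair, signs the new public key with the old private key
// as proof of continuity, and then discards the old private key.
func (d *Device) RollKey() (Rollover, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Rollover{}, err
	}
	proof := ed25519.Sign(d.priv, append([]byte("rollover:"), pub...))
	d.priv, d.pub = priv, pub
	return Rollover{NewPub: pub, Proof: proof}, nil
}

// AcceptRollover replaces the enrolled public key only if the currently enrolled key signed it.
func (w *Workstation) AcceptRollover(r Rollover) error {
	if !ed25519.Verify(w.userPub, append([]byte("rollover:"), r.NewPub...), r.Proof) {
		return errors.New("rollover not signed by the enrolled key")
	}
	w.userPub = append(ed25519.PublicKey(nil), r.NewPub...)
	return nil
}

func main() {
	d, _ := NewDevice()
	w := &Workstation{id: "laptop-01"} // constructed sample host name
	w.Enroll(d)
	c, _ := w.NewChallenge()
	fmt.Println("offline login ok:", w.Verify(c, d.Respond(c)))
	r, _ := d.RollKey()
	fmt.Println("rollover accepted:", w.AcceptRollover(r) == nil)
}
```

Because the workstation holds only a public key and a one-time nonce, compromising it yields nothing that can impersonate the user, which is the property the shared-PIN-list approach lacks. The rollover proof is the piece an enterprise deployment must distribute to every enrolled system; a workstation that misses a rollover while offline will keep trusting the previous key until it receives the chain, so the real product needs to handle that synchronisation.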