AbleToTrain von Willing & Able

VPN without two-factor authentication is a less secure solution

Given the enormous number of people working from home at this time, remote access VPN (Virtual Private Network) usage skyrocketed in March.

A VPN is widely used by companies that provide employees with remote access to business resources, as it establishes a secure connection between the user and the resources.

Despite the fact that the VPN is a secure platform, it is vulnerable to phishing assaults.

For example, one of your workers may get an email that appears to be authentic and leads him to believe it was sent by a hacker. Your employee gets duped into downloading a keylogger (a virus that captures keystrokes) as a result of that email, and the attacker just needs to wait till that employee uses his credentials to access the company’s resources.

The attacker will then gain access to that user’s VPN shared resources.

 

For VPN authentication to be fully safe, it requires an additional layer of security, which two-factor authentication provides (2FA).

 

What is two-factor authentication (2FA)?

Two-factor authentication secures the authentication process because it includes two factors:

  • What you know-information that the user knows, such as a password or a pin

  • What do you have-a device that the user owns, such as a token, a mobile, a smartphone application to approve authentication requests?

 

2FA Concept

One of the concepts behind 2FA is that logging in without having physical access to the second factor-what you have-is impossible or extremely difficult. It’s also far more difficult to replicate that token because it’s continually renewed.

Even if an attacker manages to obtain an employee’s credentials, he will be unable to access the company’s resources because he lacks the authentication token.

 

Recommendation

We recommend that every organization utilize two-factor authentication since, as you can see from the examples above, even if you use a VPN, your data is not protected by a simple password, no matter how complicated it is.