Introducing MFA for Windows Logon, RDP or VPN with Specops Secure Access
We’re excited to introduce Specops Secure Access: Multi-Factor Authentication (MFA) for Windows logon, RDP, and VPN — a powerful new way to add an extra layer of protection to your organization’s authentication process. By implementing MFA at key access points, Specops Secure Access helps safeguard your business from unauthorized access and password-related threats in Windows environments. You now have the power to secure both the password and the authentication process, ensuring that even if a password is compromised, unauthorized access is completely blocked.
“With most compromised accounts lacking MFA, we know password protections alone are not enough to secure network access,” stated Darren James, Senior Product Manager with Specops Software. “Today we are thrilled to share an offering that enhances the existing password protections we offer and something our customers have been asking for – MFA for Windows at logon, RDP and VPN, with Specops Secure Access.”
Securing Active Directory passwords is critical, but not enough
We’ve long been advocates of securing the Active Directory password from attack. With Specops Password Policy, you can block the use of weak passwords and continuously check your Active Directory against our growing database of over 4 billion unique compromised passwords.
However, password protections alone are not enough. No single layer of protection is invulnerable. Continuously blocking the use of weak and known compromised passwords is important but no password protection offering can protect against a zero-day stolen password. Any single layer of your security approach can be vulnerable, which is why we see so many compliance standards calling for additional layers in the form of MFA:
- National Institute of Standards and Technology (NIST) requires MFA for AAL2/3 and access to any personal information in NIST SP 800-63B
- Payment Card Industry Data Security Standard (PCI DSS) increased MFA requirements with PCI DSS 4.0, requiring MFA for all access (not just admin) into the cardholder data environment.
- Cyber Essentials requires organizations to implement MFA, where available, for all user access in v3.1.
With the state of password attacks today, these regulatory requirements and recommendations make sense. Microsoft found that 1,287 password attacks occur every second (more than 111 million per day). Reusing a known breached password in an attack (a “password breach replay” attack as Microsoft refers to it) grew to 5.8 billion per month in 2022.
Password reuse and other poor password behavior drive zero-day compromised passwords
A lot of password risk is driven by user behavior that undermines an organization’s security efforts. Take password reuse as a prime example. An organization can enforce a password policy where end users have to create long, strong passwords. But if end users choose to reuse these passwords on personal devices, applications, and websites with weak security, then this strong password is at risk of being compromised. Hackers are capable of linking breached passwords to individuals and using these breached credentials as attack routes into corporate environments.
Of course, end users aren’t deliberately setting out to cause risk. They have more passwords to remember than ever thanks to the explosion of SaaS apps, so naturally they look for ways to make their jobs easier and faster. A 2023 Bitwarden survey found that 84% of end users with 10+ passwords admitted to reusing passwords. The same study found 26% of respondents had been reusing the same password for over a decade.
For organizations that have embraced a “never expire” approach for Active Directory passwords, the password reuse risk is even greater. Most compromised password checks on the market, including Azure AD (Entra ID) Password Protection, rely on the password change or reset event. Without that event, the risk posed by user password reuse is unchecked.

How are organizations trying to solve risky password behavior?
End users creating risk is nothing new. There are a few strategies organizations have used to stop the risk of password reuse and other risky behaviors, but they have significant security gaps when used alone:
- Train users on better password behavior: There’s always a place for security and awareness training, but it’s never going to be enough to overcome risky human behavior. A LastPass study found that of those who received cybersecurity education, only 31% stopped reusing passwords.
- Get rid of passwords: A tempting solution given the problems associated with passwords. But removing passwords entirely isn’t realistic for the average organization. And even if you are able to get passwordless technology working on all of your applications, the fallback for these technologies still tends to be the humble password.
- Checking for compromised passwords: This is an important step for finding known breached passwords within your Active Directory, but it still leaves opportunities for hackers. Even the strongest password protections do nothing in the face of a “zero-day password” compromise event (or poor user behavior like passwords on sticky notes near the device). And if organizations only scan for compromised passwords at password reset or change events, there’s even more room for error.
- Just add MFA to cloud apps: This can reduce a certain level of risk, but again leaves gaps. It ignores the risk of a stolen device or insider threat. For example, what could an attacker access if they opened an end user’s stolen laptop that didn’t have MFA? Local files or their Outlook? Serious damage could be done from that starting point.
What to do instead? Protect the password and the logon process
The answer for what to do about the continuous threat of password reuse and other risky behavior is to protect the Active Directory password with layers. Firstly, continuously scan your Active Directory against a frequently updated compromised password database and secondly, add MFA wherever the Active Directory password is used. These layers both have merits when used individually, but are stronger when they complement each other.
How MFA for Windows Logon, RDP, or VPN with Specops Secure Access Works
Some organizations feel that MFA causes too much friction for the end user. However, the state of password security today means having to prioritize increasing defenses against password attacks. Microsoft found that 99.9% of compromised accounts didn’t have MFA enabled, highlighting the fact that MFA should really be a non-negotiable.
Specops Secure Access offers MFA with a simple, end-user-friendly UI at the three key points where Active Directory passwords are used. With flexible MFA options that include an offline mode, Secure Access ensures that organizations can enable their users to securely authenticate at logon, through RDP and/or VPN whether they are connected to the network or not.
MFA for Windows Logon
With the Specops Client installed and configured for Secure Access, users are forced to identify themselves with a second factor after having typed their Windows username and password on the Windows login screen. Once that second authentication is completed, the end user will be logged in as usual.

MFA for RDP or VPN
Organizations with users accessing their network remotely using a VPN or accessing computers via a Remote Desktop Gateway (RDGW) can protect their users by adding a second factor for those logins. The VPN server or Remote Desktop Gateway can, using RADIUS, be configured to call a Microsoft NPS (Network Policy Server) with Specops NPS companion installed and configured, which enables the use of Secure Access.
Try Secure Access today
Interested in seeing how Specops Secure Access might work for your organization? Have questions on how you could adapt this for your needs? Contact us.

(Last updated on March 4, 2025)