We don’t need MFA on VPN, our devices are secure

Posted by Due-Awareness9392@reddit | sysadmin | View on Reddit | 10 comments

User: Why do we need MFA? My laptop is company-managed. Management: VPN+device cert should be enough. On paper, it sounded reasonable managed devices, secure access, minimal friction. Then we started seeing login attempts from locations our users definitely weren’t in. Nothing got through, but it was enough to question the assumption that VPN alone is “secure enough.” Rolled out MFA for VPN after that. Users complained (as expected), but at least now stolen credentials aren’t a straight path in. Curious are you enforcing MFA on VPN even for managed devices?

Reply to Post

10 Comments

[-]

Ok_Wasabi8793@reddit

Yes but because we use PIN via Windows Hello no one really notices.

[-]

ReputationNo8889@reddit

Was my thinking, a device cert is MFA. If one can get in with stolen credentials then their config is just wrong.

[-]

systonia_@reddit

There is no way an attacker can dialup your VPN with credentials only, if you require device certs for dialup. Something is missing here. Certificates are a perfectly valid second factor, btw. Also, saml saml with windows hello is also MFA, and doesn't require the user to do anything at all do dial up, as the device is already authenticated

[-]

mbhmirc@reddit

Yes this, op feels like ai slop. With an attested cert to tpm then this is really hard to pull off unless the device is compromised.

[-]

SPMrFantastic@reddit

I'm partially with you. I think that's where ZTNA and posture checks come into play. If the device is enrolled and at a designated safe location or meets XYZ requirements you're good to connect no problemo. If you're not I'm gonna need you to jump through a few hoops.

[-]

Sylogz@reddit

We have mfa+vpn and mfa on laptops. I hate the double mfa. Isnt it enough with host checker in VPN to see that the laptop belongs to the company, right AV/patches installed?

[-]

MarcusAurelius993@reddit

We are using MFS + Cert (CN=username) + password from username. If device gets stolen, then MFA can protect against Remote access, if Password gets stolen and they can bypass MFS, you have protection via Cert. Do you need MFA everywhere ? No, it is a good practice? 100 %! You will always get complaints, but what matters at the end is security, then comes the "comfort"

[-]

disclosure5@reddit

I suspect a few people will reply "yes MFA everywhere always" without noting that a managed device is itself "something you have". If you've truly locked your VPN to managed devices, that would sound like SSO with Intune Device compliance policies - this is a pretty good strategy. If you're claiming to suddenly see malicious logons when allowing this, there's clearly something else wrong. To answer your question though - with Intune and well managed cloud services most VPN use is obsolete in our networks.

[-]

jpnd123@reddit

I agree with this point. If it's truly company managed + VPN, that should be enough. If they were getting logons from other locations, than your Endpoint Management price is not managing the devices in the correct fashion.

[-]

shikkonin@reddit

> are you enforcing MFA on VPN even for managed devices? Of course, what the hell?