Passwordless MFA Everywhere


Published June 27, 2022 by Zachary Bauman

The inherent appeal of MFA everywhere has created an interesting dynamic many in security may not know about–security teams building DIY MFA.

As we’ve noted in a previous post, the appeal of MFA everywhere – following in the example of major nation states – NSA, Mossad, and more – is too strong to resist. In fact, during our meetings with some prospects at RSA, we found several teams have attempted DIY MFA. Nonetheless, they found themselves interested in our MFA everywhere solution. Why?

Challenge #1

The primary risk of any DIY solution is a lack of dedicated staff to develop and update features. Much like the old days when building your own PC was relatively easy, yet new feature addition was not simple, so go other DIY solutions. For example, some basic capabilities such as:

  • Dealing with diverse operating systems – different versions of Windows, Mac, Linux, and so on
  • Different browser support
  • SIEM connectivity
  • High availability
  • CPU impact

How do we address these issues?

At Zero Networks, our team is dedicated to creating, updating, and improving these capabilities. Today, Access Orchestrator is built to support all of the above features. For example, the portal is built on top of a REST API. This API can be used to ingest Audit events into a SIEM product through an HTTP connector.

Challenge #2

The second set of issues are workflow related and range from mundane to urgent. For example:

  • How do I add a new IP address to protect in real time?
  • How do I manage performance impact?
  • What are the “break glass” procedures in the event of something urgent?
  • How do you know what part of the organization to protect with MFA without impacting the business? If you make a mistake, how do you quickly make a fix?
  • How do you respond to issues using normal corporate workflow?

How do we address these issues?

These are some very advanced scenarios that a DIY solution needs to handle. Think about what is needed when an endpoint moves to a new IP Address - a new subnet on the corporate network or a user connecting from home via VPN. That means the DIY solution needs to go update every rule that involves this endpoint with its new IP Address. We have already built this feature and update endpoint IP address rules across all host based firewalls in real-time. There is nothing for you do; we make it easy.

Challenge #3

And finally, most DIY solutions contain the a-word: agent. Managing agents is a known headache with performance hits and upgrade incompatibility. This is likely the most common reason why security teams reach out to us - since we are agentless.