I'm facing a challenge at work after our IT department got consolidated, leaving me to manage a bunch of IT headaches. Our organization bought a mobile application without confirming it supports multi-factor authentication (MFA). Since we have compliance requirements mandating MFA before accessing certain content, I previously suggested restricting access to our internal AWS network, but that wasn't well-received. I'm looking for an alternative solution: is there software that can act like a digital lockbox on smartphones, triggering MFA before users can access a specific app? If such a solution exists, what is it called? I've heard of Box.com's zerotrust option, but I'm unsure if it protects particular apps. Intune has app management with various controls but doesn't specifically mention MFA—it does reference zero trust solutions that often include MFA tools but lacks clarity on its capabilities regarding this issue. I realize using MFA on a locked app may seem redundant, but the auditors weren't receptive to my logic about using the phone as something they possess and the app's password being something they know.
1 Answer
Have you checked if there's single sign-on support? That way, you might be able to leverage the identity provider's MFA. I don't know much about AWS, but with Azure, you can specifically limit access to company-owned devices, which might satisfy your auditors.
Thanks for the tip! I'll definitely bring that up with the project managers. We use DUO for MFA, which has pros and cons. Honestly, this software project has been in the works for a decade, and it might just push me to the brink of testing how durable a Cat6 cable really is.