I've been thinking about whether most VPNs can be considered as inherently having multi-factor authentication (MFA). They require a configuration profile to be set up on the device, which has a lock policy, and a VPN connection requires a username and password. But what happens if the username and password are stored, or if the VPN is deployed through a mobile device management (MDM) system that doesn't require a login? Additionally, with services like M365, users aren't prompted daily for MFA. So, can we really say that VPNs provide true MFA?
5 Answers
To put it simply: no, it is not true MFA!
Exactly! A VPN operates like a transport layer technology, similar to TLS between servers. While there’s some form of authentication happening, it doesn’t qualify as multi-factor authentication since it lacks universal endpoint verification for the user or device.
I had a similar argument years ago, and the conclusion back then was still no. Even if you use certificates, they’re the same for every login, so it's not like you're being given something unique for each session.
Not really! What you're describing doesn't meet the criteria for true multi-factor authentication. True MFA combines something you know (like a password) with something you have (like a code sent to your phone or an authentication app). Just having a password and a device lock doesn’t cut it.
Definitely not. The setup you mentioned - with a configuration profile - isn’t necessary for most VPNs. You often just need the DNS name along with your username and password. Even more concerning, anyone can install a VPN client and try to connect without other checks on trusted devices.
