I'm looking for guidance on how to properly implement Multi-Factor Authentication (MFA) for all local accounts, particularly on our network devices such as routers. Our cybersecurity auditors are insisting that we enable MFA on every single local account. While that sounds good in theory, I'm concerned about potential access issues if a problem arises, such as a WAN connection failure. For instance, what if I need to log into a router after a misconfigured firewall rule prevents WAN access? As of now, we have a Palo Alto router, and the options for local account MFA are limited to third-party providers like Okta or Duo. There's also the option of expensive on-premises solutions like RSA SecurID. I'm hoping to find out if there are any alternative strategies to ensure I can still access our equipment when things go wrong, while also satisfying the auditors' requirements for MFA on all accounts.
5 Answers
Make sure to communicate to management that having a local break-glass account without MFA is a must if the current device doesn't support internal MFA. We experienced situations where the firewall became isolated, and we couldn’t log in due to MFA dependence. Always prepare for network failures because things can get tricky.
I would recommend looking into devices that offer native on-device 2FA options. While they may not have all the bells and whistles, they can help you avoid the dependencies of an MFA provider. Checking alternative hardware that supports internal MFA could save you a lot of future headaches.
If you're seriously locked down with your current gear, it could be time to explore the market for replacements that seamlessly integrate MFA support. It might be a bigger initial investment, but reducing future complications could be worth it.
Many providers have offline MFA options you can utilize, which can help you avoid lockout situations during outages. Creating a break-glass account without MFA for emergency situations could also be a solution; just make sure it’s well monitored so you know if it’s ever accessed.
It’s crucial to have layered security. If your WAN fails and you can’t access the device remotely, a break-glass account could help you log in locally. One approach I had success with involved keeping a secure password stored in a place accessible only to select personnel. This way, only a few trusted individuals have access to both the password and physical hardware.
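Several answers above recommend a break-glass account that bypasses MFA but is closely monitored. The following is an added Python example, not code from any poster or vendor, of a check a SOC could run over device authentication logs: it flags every use of the break-glass account and, separately, any other account that authenticated without MFA. The syslog-style line format, hostname and account names are assumptions for illustration, not a real Palo Alto format.

```python
import re

# Constructed sample auth log lines (assumed format; not from a real device).
SAMPLE_LOG = """\
2024-03-01T02:14:05Z fw01 auth: user=admin result=success method=mfa src=10.0.0.5
2024-03-01T03:02:11Z fw01 auth: user=breakglass result=failure method=password src=10.0.0.9
2024-03-01T03:02:40Z fw01 auth: user=breakglass result=success method=password src=10.0.0.9
2024-03-01T09:15:22Z fw01 auth: user=netops result=success method=mfa src=10.0.0.7
2024-03-01T10:00:00Z fw01 auth: user=netops result=success method=password src=10.0.0.7
"""

# Accounts deliberately exempt from MFA (hypothetical name).
BREAK_GLASS_ACCOUNTS = {"breakglass"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<kv>.*)$")


def parse_line(line):
    """Parse one 'key=value' auth line into a dict; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    fields["ts"], fields["host"] = m.group("ts"), m.group("host")
    return fields


def find_break_glass_events(log_text, accounts=BREAK_GLASS_ACCOUNTS):
    """Every auth attempt (success or failure) by a break-glass account.
    Any such event should page someone, since the account bypasses MFA."""
    events = (parse_line(l) for l in log_text.splitlines())
    return [e for e in events if e and e.get("user") in accounts]


def non_mfa_logins(log_text, accounts=BREAK_GLASS_ACCOUNTS):
    """Successful logins without MFA by accounts that are NOT exempt.
    These are policy violations the auditors would want to see caught."""
    events = (parse_line(l) for l in log_text.splitlines())
    return [e for e in events
            if e and e.get("result") == "success"
            and e.get("method") != "mfa" and e.get("user") not in accounts]


def alerts(log_text):
    """Human-readable alert lines for both conditions."""
    out = [f"{e['ts']} {e['host']}: BREAK-GLASS {e['user']} {e['result']} from {e['src']}"
           for e in find_break_glass_events(log_text)]
    out += [f"{e['ts']} {e['host']}: NON-MFA LOGIN {e['user']} from {e['src']}"
            for e in non_mfa_logins(log_text)]
    return out
```

Feed the real device's syslog output through the same functions once the regex is adapted to its actual format; the break-glass rule should fire on failures too, since a failed attempt on that account is just as notable as a successful one.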