Passwords and 2FA at a small business
on 21 Apr 2024 02:22

It seems there are two options when it comes to passwords: 1) SSO, or 2) DIY with a password manager and 2FA, ideally with a security key.

SSO is too pricey ($1500 base @ Okta) at the moment and SaaS prices are ever increasing, so that leaves us with option 2. Using an authenticator app means using personal phones, which is tricky, and if someone were to lose their phone the replacement cost would be high. So a security key seems better in that regard despite their upfront cost. Plus security keys like the YubiKey offer the ability to store TOTPs, which is necessary since not all the apps we use provide security keys as a 2FA option.

Did I arrive at the right conclusion on 2FA with security keys or did I miss something?

The other consideration is deployment. Without interrupting workflow, I figured the best way would be to set up all the keys (backup key as well for each employee) on a Friday after work and then 2-day ship them to our remote staff so they’re ready for use when they return to work on Monday. It’s possible we could also do it while they’re on a week-long vacation to save on shipping costs.


on 21 Apr 2024 02:35

The replacement cost for user devices isn’t high; for you it’s zero. At most it’s your time helping them reprovision the token, or the cost of another temporary token, which you could keep stocked.

I set up MFA some years ago with YubiKeys and AuthLite to protect AD; it wasn’t that expensive. We also did 365 auth to the Microsoft app on personal phones. We didn’t have any complaints there, but if we did we would have issued a token or something. on 21 Apr 2024 03:12

Assuming they replace their own phone you mean? There’s also productivity loss that we’d like to avoid. Temporary token stocked in what way?

I’m not familiar with AD so I’ll have to do some more research into it. on 21 Apr 2024 03:27

It depends on what you’re protecting and how. The token might be a YubiKey or RSA token, for example. Whatever is supported by your MFA product. It could even be an old loaner cell phone with no cell service if the only method is an app. on 21 Apr 2024 06:18

Assuming employees don’t leave or expense use of personal devices. I have expensed my burner phone due to 2-factor overuse by an employer. on 21 Apr 2024 02:46

If you have M365 licenses (forget which level), Entra ID supports OIDC and SAML and you can use its MFA functions. Something to keep in mind if you don’t want to spend money on Okta. on 21 Apr 2024 02:48

Didn’t know that. I’ll look into it if we do. on 21 Apr 2024 06:36

You can also do SAML with Google Workspace as an Identity Provider. on 21 Apr 2024 03:03

I also recommend this. Entra ID is pretty handy and it was a fairly painless experience to get everyone using the Microsoft Authenticator app on their phone for MFA. SSO via a registered app in Azure is just an added bonus.

Our typical user reaction is something like “Oh, like my banking app?” when we enroll them in MFA.

[deleted] on 21 Apr 2024 03:13

. on 21 Apr 2024 03:34

Aren’t USB sticks too unreliable for something important like 2FA codes?

[deleted] on 21 Apr 2024 06:35

. on 21 Apr 2024 03:54

Another option could be passwordless. Basically use the Microsoft Authenticator app to enter a code that popped up on the screen. You need both devices in order to sign in. If all users already have work phones and work laptops it’s a pretty reasonable setup in a Microsoft shop. on 21 Apr 2024 04:49

The right solution for you will depend a lot on your existing infrastructure.

Are you a Microsoft/Azure/O365 shop? Google Workspace? Do you have graphics people working on Apple devices? OT? Do you have self-hosted infra? All cloud? Hybrid? How complex is the environment you need to protect? Are you trying to allow remote users to access your company environment, or is everyone logging in to on-prem workstations?

Depending on the answers, you might be better off working on whitelisting the applications you need to run (with AppLocker or Airlock) and setting up good protection for your high value data rather than trying to get an integrated 2FA solution in place. on 21 Apr 2024 05:59

Google Workspace but all Windows laptops. No Apple devices, OT, or self-hosted infra. Hybrid, I guess.

As a startup it’s a very simple business operation and there’s no security protocol to speak of at the moment. We just use a dozen SaaS apps and I don’t think we’re ready for any full-on enterprise level security services. on 21 Apr 2024 08:15

OK, Workspace (web-hosted) business environment on Windows systems. You should probably use Google’s built-in 2FA enforcement for access to your business stuff. It will be the easiest to implement and manage (and I think it should be free? it should just be a setting that you turn on). Also consider implementing Chrome Enterprise as a requirement for accessing your business apps, it will give you more control and if you’re using Workspace then the integration should be smooth. If your business needs expand beyond Google services, you might look at Island.

Are the laptops on Windows Enterprise? or Professional? Do you have any domain management for them? Or are they off-the-shelf with Home/OEM installs?

In any case, AppLocker is built-in and free. With this you can restrict the laptops to only executing the applications that your business needs - if everything is accessed through Chrome, then it’s really simple, nothing else needs to run, and if an employee has a specific extra need (Photoshop or CAD or QuickBooks or w/e) you can handle that on a case-by-case basis. If you have domain management then it’s easy to enforce AppLocker on all the laptops; if not you’ll have to do each one manually, but it’s worth it because it will prevent a lot of nonsense. If your business expands and you outgrow the functionality of AppLocker, consider Airlock Digital. Otherwise you can mostly leave the OS security to Windows Defender, and maybe pay for the business service or look at CrowdStrike if you need EDR features or something like that.

A big question is, where is your data? Is all of it in Workspace? Or do individual employees have pieces of it sitting on their hard drives? What happens if one of those hard drives crashes and you lose the employee’s work? Are those laptops going home with them? Are they on home/shared/public networks? What if a laptop gets stolen, or lost in airport luggage? Can you remotely lock that device out of your environment? Is the data on it encrypted? As a startup, your business is your information, whatever form that takes. You need to get tracking on where your most sensitive bits of information are (customer lists, proprietary design/code/concept/etc, high-value assets, licenses/certifications/contracts, financial records, employee PII, anything that could end your business if you lost it), how they’re stored and how they’re used, and that is much more important than 2FA login. If possible, implement BitLocker on the laptops. Maybe learn to use FileSystemWatcher if you have sensitive files living on the Windows laptops. And start figuring out a backup plan (even if everything important is done in Workspace, keeping all of your data in Workspace doesn’t count as a backup plan).

I would highly recommend that you develop a security plan based on something like the NIST Cybersecurity Framework (this is a quickstart guide aimed at small businesses with little to no existing security planning). Don’t buy any fancy security products yet. Sit down and plan your security in a systematic way, and that will help expose your actual needs and blind spots. Plan to have a plan. Business continuity is the goal.

Finally, some useful information sources:

  • SANS Stormcast - 10-minute daily podcast with alerts about current threats
  • - weekly cybersecurity news podcast and interviews with industry professionals
  • Security Now - weekly cybersecurity news with deep dives into security topics on 21 Apr 2024 14:12
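An added worked example, not part of the thread or of any commenter's post: the AppLocker allow-list in audit mode and the BitLocker check that the long reply above recommends, as one PowerShell script for a single standalone (non-domain) Windows laptop. The Chrome install directory, the policy file location and the sample Downloads path are assumptions for illustration; the three path rules are the same ones AppLocker creates as its "default rules".

```powershell
# Added example (not from the thread): AppLocker allow-list in audit mode plus a BitLocker
# check for one standalone Windows laptop. Run in an elevated PowerShell on the laptop.
# Enforcement has traditionally required Windows Enterprise/Education, so the
# "Enterprise or Professional?" question above matters before relying on this.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$policyPath = Join-Path $env:ProgramData 'laptop-allowlist.xml'    # assumed output location
$chromeDir  = 'C:\Program Files\Google\Chrome\Application'          # assumed install path
$everyone   = 'S-1-1-0'        # well-known SID: Everyone
$admins     = 'S-1-5-32-544'   # well-known SID: BUILTIN\Administrators

# 1. Path rules matching AppLocker's built-in default rules: Program Files and the Windows
#    folder may run for Everyone, and local admins may run anything. EnforcementMode
#    "AuditOnly" only logs what WOULD be blocked (event ID 8003), so nobody's work stops
#    while you learn which extra apps (Photoshop, CAD, QuickBooks...) need their own rule.
function New-PathRule([string]$name, [string]$path, [string]$sid) {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$name" Description="" UserOrGroupSid="$sid" Action="Allow">
      <Conditions><FilePathCondition Path="$path" /></Conditions>
    </FilePathRule>
"@
}
$policy = [xml]@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$(New-PathRule 'Allow Program Files' '%PROGRAMFILES%\*' $everyone)
$(New-PathRule 'Allow Windows folder' '%WINDIR%\*' $everyone)
$(New-PathRule 'Administrators may run anything' '*' $admins)
  </RuleCollection>
</AppLockerPolicy>
"@
$exeRules = $policy.SelectSingleNode("/AppLockerPolicy/RuleCollection[@Type='Exe']")

# 2. Publisher rule for Chrome derived from its signed binaries (a hash rule would break on
#    every Chrome update). New-AppLockerPolicy falls back to a path rule for unsigned files.
#    The generated rules are copied into our own AuditOnly collection.
if (Test-Path $chromeDir) {
    $info = Get-AppLockerFileInformation -Directory $chromeDir -FileType Exe -Recurse
    $generated = [xml](New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Path `
                        -User Everyone -RuleNamePrefix 'Chrome' -Optimize -Xml)
    $genExe = $generated.SelectSingleNode("/AppLockerPolicy/RuleCollection[@Type='Exe']")
    foreach ($rule in $genExe.ChildNodes) {
        [void]$exeRules.AppendChild($policy.ImportNode($rule, $true))
    }
}
$policy.Save($policyPath)

# 3. Dry-run the decision for a file in Downloads (constructed path) before trusting the logs.
#    Expected: DeniedByDefault, because nothing allows code outside the two folders.
$sample = Join-Path $env:USERPROFILE 'Downloads\installer.exe'     # placeholder path
if (Test-Path $sample) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $sample -User Everyone
}

# 4. Apply as local policy. Rules are only evaluated while the Application Identity
#    service runs, so make it start automatically. On a domain you would use -Ldap instead.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath

# 5. After a week or two in audit mode, this shows what would have been blocked; turn the
#    surprises into rules, then switch EnforcementMode to "Enabled".
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8003 | Select-Object TimeCreated, Message

# 6. BitLocker for the lost-in-airport-luggage case: TPM-bound key plus a recovery password.
#    Store the recovery password off the laptop (e.g. the admin's password manager).
$vol = Get-BitLockerVolume -MountPoint 'C:'
if ($vol.ProtectionStatus -ne 'On') {
    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
    $updated = Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
    ($updated.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
}
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```

Run it once per laptop in audit mode, read the 8003 events after some real use, and only then change the collection to Enabled; without domain management the same script is the manual per-machine step the reply mentions.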

Thanks for the thorough reply! I’ll look through all the links, especially the NIST doc. on 21 Apr 2024 06:18

If you are a business that uses 2-factor you should expect to have your employees expense their phone bills as you are using a private resource. You may need to provide the phone as well. If you are willing to pay this it’s probably the most secure form of account security.

Otherwise go with an oath service. If you have less than 6 users it will be significantly cheaper. on 21 Apr 2024 06:47

Will it be cheaper? If Okta is an OAuth service they have $1500 as their base price. Unless they’re the exception. on 21 Apr 2024 06:26

You can get YubiKeys fairly cheap. They are great. on 21 Apr 2024 07:15

SSO can be afforded by more than just cloud services. Look into OpenLDAP.