Multi-factor authentication (MFA) is a security system that requires users to verify their identity using two or more distinct factors. These factors are divided into: something you know (like a password), something you have (such as a smartphone or hardware token), and something you are (such as a fingerprint or facial recognition).
The lack of MFA exposes systems to a higher risk of compromise, leaving accounts vulnerable to phishing, brute-force attacks, and credential theft. Relying solely on a single factor such as a password, which is easily defeated if weak or reused, can lead to data breaches, theft of sensitive information, financial losses, and reputational damage for businesses and users. Additionally, without MFA the effectiveness of other security measures is significantly reduced, leaving major gaps in the protection perimeter.
Credential Compromise: A Widespread Issue
According to recent studies, 76% of organizations have experienced multiple credential compromise incidents in the last 12 months. This data confirms that cyber breaches frequently occur due to lost or stolen credentials. Cybercriminals, in fact, frequently do not need sophisticated techniques to infiltrate systems: they exploit weak or compromised credentials to access company resources.
Despite being recognized as one of the most effective solutions for protecting digital identities, multi-factor authentication (MFA) is still not widely adopted. Currently, only 62% of organizations make MFA mandatory for the entire workforce. The reasons for this lack of implementation are various:
Budget limitations for smaller companies.
Lack of technical expertise in configuring and managing a secure authentication system.
Concerns about productivity and usability for end users.
Under Article 21 of the NIS2 Directive, multi-factor authentication (MFA) becomes a mandatory requirement for important and essential entities to mitigate the risks associated with unauthorized access and ensure a high level of cybersecurity. MFA is not just an opportunity but a necessity imposed by the regulation, emphasizing the importance of adopting advanced security measures to protect against growing cybersecurity threats.
In a rapidly evolving digital world, increasingly exposed to sophisticated threats, implementing MFA is a strategic choice to protect sensitive data and strengthen the trust of customers and stakeholders.
The proactive adoption of this solution significantly reduces the risk of unauthorized access, while ensuring operational continuity and compliance with the highest security standards.
In addition to being a technical measure, MFA provides a competitive advantage for organizations that integrate it in a structured way within their operational practices. This approach allows for the protection of business systems without compromising the user experience, playing a crucial role in the path toward secure digitalization and compliance with current regulations.
For a leading client in the energy sector, and therefore an essential NIS2 entity, with a complex network infrastructure that includes thousands of devices, an advanced multi-factor authentication (MFA) solution was identified and demonstrated. The main objective was to ensure security and centralized access management. This solution integrates with the client's AAA server to first verify credentials and manage privileges, then requiring a second authentication factor for access via CLI (SSH) and GUI (HTTP/HTTPS) to the network devices.
A crucial aspect of the solution is intelligent session management, which eliminates the need to repeat the second factor for a configurable time, even when accessing different devices. This approach not only ensures continuous security but also optimizes operational efficiency and productivity, especially for operational teams needing simultaneous access. Particularly in troubleshooting contexts, where timely fault resolution is critical, the ability to perform multiple parallel logins without re-entering the second factor allows for quicker interventions, minimizing downtime and ensuring the operational continuity of critical infrastructure.
Moreover, the solution is designed to operate without IP or telephone connectivity, ensuring continuous authentication even in isolated environments or with unstable connections.
The main challenge was to identify a market-leading vendor capable of fully meeting the client's security and operational requirements, with a specific focus on managing the persistence of RADIUS/TACACS+ authentication sessions for SSH access. This aspect is particularly critical because, by definition, each authentication performed through these protocols is treated as independent, making it difficult to implement caching mechanisms or session tokens without compromising security.
Many solutions currently available do not properly handle session storage in these cases, forcing users to re-enter the second authentication factor too frequently and thereby degrading the user experience. In fact, most products on the market implement authentication state storage for HTTPS access only, using cookies, session tokens, and Single Sign-On (SSO) methodologies based on protocols such as SAML or OAuth2.
In enterprise environments, Single Sign-On (SSO) based on protocols like SAML or OAuth2 is used to simplify access to corporate resources without requiring repeated credential input.
For example, an employee logging into the corporate VPN with their business account can automatically gain access to instant messaging, webmail, and SharePoint without needing to authenticate again. This is possible because the central authentication system issues a token valid for multiple federated applications, enhancing security and operational efficiency while reducing the number of authentication requests for the user. However, these approaches are not directly applicable to SSH access authenticated via RADIUS or TACACS+, where each request is treated as independent and stateless. For this reason, our research focused on advanced technologies that, in addition to ensuring security and compliance in data protection, optimize session storage for methods beyond HTTPS.
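The per-user grace window described above, modelled as an added example (this is not the vendor's or Net Reply's code): an MFA proxy in front of the stateless RADIUS/TACACS+ flow checks the first factor on every request and skips the second factor only within a configurable window after its last successful verification, whichever device is being accessed. The 300-second window, the usernames and the credential checks are constructed assumptions.

```python
class SecondFactorCache:
    """Remembers, per username, when the second factor was last verified (assumed design)."""

    def __init__(self, window_seconds):
        self.window_seconds = window_seconds   # configurable grace window (assumption: 300 s)
        self._verified_at = {}                 # username -> timestamp of last OTP success

    def required(self, user, now):
        """True if the user must present the second factor again at time `now`."""
        last = self._verified_at.get(user)
        return last is None or (now - last) > self.window_seconds

    def record(self, user, now):
        self._verified_at[user] = now


def authorize(cache, verify_password, verify_otp, user, password, otp, now):
    """Decision for one access request relayed through the MFA proxy.

    The first factor is verified on every request (never cached); the second factor
    is skipped only inside the window and only for the same user, on any device.
    Returns (accept, reason).
    """
    if not verify_password(user, password):
        return False, "first factor rejected"
    if not cache.required(user, now):
        return True, "second factor cached"
    if otp is None or not verify_otp(user, otp):
        return False, "second factor required"
    cache.record(user, now)
    return True, "second factor verified"


def run_scenario(window_seconds=300):
    """Constructed walk-through: one operator logging into three devices in sequence."""
    passwords = {"noc-op": "correct horse"}              # constructed sample credential store
    verify_password = lambda u, p: passwords.get(u) == p
    verify_otp = lambda u, code: code == "123456"        # constructed: fixed OTP for the demo
    cache = SecondFactorCache(window_seconds)
    requests = [                                         # (device, password, otp, time)
        ("router-1", "correct horse", "123456", 0),      # first login: OTP supplied
        ("router-2", "correct horse", None, 120),        # parallel login inside the window
        ("router-3", "wrong", None, 130),                # bad password: cache gives no bypass
        ("router-3", "correct horse", None, 301),        # window expired: OTP needed again
        ("router-3", "correct horse", "123456", 302),    # OTP supplied: window restarts
    ]
    return [(dev, *authorize(cache, verify_password, verify_otp, "noc-op", pw, otp, t))
            for dev, pw, otp, t in requests]
```

The window length is a risk decision: a longer window reduces prompts during troubleshooting but extends how long a compromised first factor can reach devices without a fresh second factor, so it should be paired with logging of cached-factor acceptances.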
After a thorough scouting process, we identified the ideal vendor, whose solution stands out for its robustness, security, scalability, and full integration with the client’s infrastructure. It allows for a reduction in repeated authentication requests within a defined time window without compromising access security.
The adoption of multi-factor authentication (MFA) offers numerous benefits for clients, improving the security and reliability of systems. Here are some of the key advantages:
MFA adds multiple layers of verification, making it more difficult for an attacker to bypass security systems. Even if a malicious actor obtains a password, without the second factor (such as a code sent to the user's phone), they will not be able to access the account.
Even if a user is tricked into revealing their password through phishing, MFA prevents unauthorized access by requiring a second authentication factor, such as a code sent to the phone or biometric verification.
MFA helps organizations meet various regulatory requirements and industry standards, demonstrating their commitment to data protection.
When customers know that an organization uses strong security measures like MFA, their trust in the security of their personal and financial data increases.
MFA helps organizations avoid substantial costs associated with incident response, legal fees, regulatory fines, and reputational damage.
Thanks to its laboratory, Net Reply was able to simulate the client's critical infrastructure, ensuring the effectiveness and robustness of the identified solution. This approach allowed us to validate the solution without requiring investments for a proof-of-concept (POC) directly within the client's network, optimizing both time and resources.
During this phase, we tested the compatibility between different components, authentication flows, and the solution's behavior in complex scenarios, including edge cases such as connectivity loss. The adopted strategy enabled us to identify and resolve any issues, ensuring that the system fully met the required security, usability, and efficiency standards.
The tests confirmed the system's ability to integrate seamlessly with the existing infrastructure, guaranteeing a reliable and smooth authentication process for end-users. Finally, the results were presented to the client, highlighting the solution's potential.
Net Reply played a key role as an agnostic System Integrator, providing specialized consulting and technical support throughout every phase of the project. As an expert advisor in Network Security, it conducted an in-depth analysis of the customer's security posture, identifying strengths and areas for improvement to ensure compliance with the NIS2 directive.
Based on this assessment, Net Reply designed and implemented a tailored MFA solution, integrating technologies from multiple vendors to create a hybrid, flexible architecture aligned with the highest security standards. The entire configuration was tested and validated in Net Reply’s laboratories, minimizing operational risks and optimizing integration with existing systems.
This successful use case demonstrates Net Reply’s effective approach to delivering advanced security solutions. As an agnostic consulting firm, it goes beyond offering standard solutions by thoroughly analyzing each client’s existing infrastructure to develop a customized architecture. The goal is to ensure seamless integration with current technologies while precisely addressing operational and security needs.