BeyondTrust Privileged Remote Access has introduced a new per-session multi-factor authentication (MFA) capability to extend identity-based security beyond the initial login step to every request for access to your technology resources. Leveraging MFA to validate identities and secure your most critical technology assets is a cornerstone of modern cybersecurity. Per-session MFA enables your organization to achieve this best-in-class security without hindering end user productivity.

This blog explores how you can make per-session MFA an essential part of your defense against modern identity threats, and how it will benefit your organization.

What is Per-Session MFA?

Per-Session MFA is an access policy enhancement that requires users to validate their identity at the beginning of each session, rather than just during initial login. This ensures that every session—whether access is being granted to applications, systems, or data—is initiated only by a properly authorized user. By implementing per-session MFA, organizations can significantly reduce the risk of session hijacking, credential theft, and other cyberthreats, providing an additional layer of protection beyond just MFA at login.

Why Per-Session MFA is Crucial for Secure Access Control

Implementing MFA has become a critical component of security strategies worldwide as identity-based attacks on systems continue to grow. According to the Microsoft 2023 Identity Security Trends and Solutions report, Microsoft’s systems are subjected to over 1,000 password attacks every second, and more than 99.9% of compromised accounts do not have MFA enabled. Requiring MFA means that password sprays and brute force password attacks can’t succeed on their own, which can massively reduce the risk of compromised accounts in an organization. Even if an attacker obtains a user’s password, they will still need the second factor—such as a code sent to the user’s phone, a fingerprint scan, or a security token—regardless of where they are in the world.

A survey conducted by Okta and reported in the Secure Sign-in Trends Report reveals that, as of January 2023, 64% of general users and 90% of administrators employ MFA, and the LastPass Global Password Security Report shows a 12% increase in MFA adoption from the previous year, with 57% of 47,000 global organizations having implemented MFA. This trend reflects a growing recognition of MFA’s effectiveness in securing user accounts and as a critical cybersecurity hygiene practice overall.

However, limiting authentication to just the initial login doesn’t offer sufficient protection against advanced identity threats, or in instances where the identity was compromised while the user was already authenticated. Employing per-session MFA elevates your security posture from upfront authorization into continuous authorization by requiring successful completion of MFA each time a user attempts to gain access.

This approach combines with our other existing access policy options that incorporate contextual data, like what working schedule a user has or what IP address their device is accessing from, in addition to human-in-the-loop access request review workflows. Achieving a continuous authorization security posture using per-session MFA alongside our other access policies empowers organizations with identity security at every access attempt.

How Per-Session MFA Enables Just-In-Time Security

While requiring MFA in addition to human review for every access request makes sense for securing your most critical assets and data, it could also be an impediment in emergency situations where action is required to resolve an outage or incident. During an outage, especially during off hours, you don’t want your engineers to wait for a human to review a request, but you also want to make sure the requested access is needed. What do you do?

Privileged Remote Access offers access policies that can integrate with ITSM tools, like ServiceNow. The access policies link to incident response tools that initiate workflows when an incident occurs, combining the requirement of a valid incident ticket to initiate an access request with per-session MFA. This ensures that engineers get just-in-time access to the critical asset they need, only when that access is absolutely required, while also validating the user’s identity through a continuous authorization posture—all without having to wait for human review. Maximum security, with zero impact on productivity.

Privileged Remote Access creates a zero-trust approach to secure access, only creating access for specific users precisely when they need it, and for only what they need.

Imagine your network as a large office building with many rooms. Without per-session MFA, any individual who gained access to the building would be able to access the server room. Alternatively, overly stringent processes would require employees to authenticate every time they entered a new room in the building—even the less sensitive spaces. This could interfere with an employee’s ability to work normally and dramatically slow down the workflow.

Per-session MFA requires those users entering highly secure areas (like the server room) to authenticate one more time before entering that room, while maintaining access as usual to other less-sensitive spaces. This ensures secure, just-in-time access to the critical asset or sensitive data without disrupting the employee’s usual workflow.

Combining the Privileged Remote Access approach to secure access with per-session MFA creates a granular security framework that meshes point-to-point access with identity-based continuous authorization.

How to Enable Privileged Remote Access Per-Session MFA

With Privileged Access Management, taking advantage of per-session MFA is easy. Admins simply need to:

1. Choose the jump policy in which they want to enable per-session MFA

2. Select “enable per-session MFA” as an option within the designated jump policy

Any jump item with those policies assigned will now require a user to complete an MFA challenge with their registered authenticator to start an access session. When a user attempts to access any endpoint, they will receive an authenticator prompt as the final step after having satisfied any other requirements of the assigned policy, like being within assigned working hours, accessing from a recognized IP, or having had a team manager or IT stakeholder manually review and approve the request.
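The evaluation order described above (contextual checks first, the authenticator prompt last) and the incident-ticket path from the just-in-time section can be modelled as a single session-start gate. This is an added example, not BeyondTrust code or its policy schema: `JumpPolicy`, `SessionRequest`, `authorize_session` and the sample addresses are hypothetical names and constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

@dataclass
class JumpPolicy:                  # hypothetical model of an access policy
    work_start: time
    work_end: time
    allowed_networks: tuple        # CIDR strings treated as recognized sources
    require_approval: bool
    per_session_mfa: bool

@dataclass
class SessionRequest:
    user: str
    source_ip: str
    when: datetime
    approved_by: str = ""          # human reviewer, if any
    incident_open: bool = False    # valid ITSM incident ticket attached

def authorize_session(policy, req, mfa_challenge):
    # Contextual checks run first, so a request that would be denied anyway
    # never triggers an authenticator prompt.
    if not (policy.work_start <= req.when.time() <= policy.work_end):
        return False, "outside schedule"
    addr = ip_address(req.source_ip)
    if not any(addr in ip_network(n) for n in policy.allowed_networks):
        return False, "unrecognized source IP"
    # An open incident ticket stands in for human review (just-in-time path).
    if policy.require_approval and not (req.approved_by or req.incident_open):
        return False, "no approval or incident ticket"
    # Final step: a fresh challenge for this session; login-time MFA is not reused.
    if policy.per_session_mfa and not mfa_challenge(req.user):
        return False, "MFA challenge failed"
    return True, "session authorized"

def demo():
    prompts = []                   # records who was actually prompted
    def challenge(user):           # constructed stub: only "alice" passes MFA
        prompts.append(user)
        return user == "alice"
    policy = JumpPolicy(time(8), time(18), ("10.20.0.0/16",), True, True)
    noon = datetime(2024, 5, 6, 12, 0)
    reqs = [                       # constructed sample requests
        SessionRequest("alice", "10.20.3.4", noon, incident_open=True),
        SessionRequest("alice", "203.0.113.9", noon, incident_open=True),
        SessionRequest("alice", "10.20.3.4", noon),
        SessionRequest("mallory", "10.20.3.4", noon, approved_by="lead"),
    ]
    return [authorize_session(policy, r, challenge) for r in reqs], prompts
```

In `demo()`, only the first and last requests reach the MFA step; the other two are rejected on context alone and generate no prompt.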

When Should You Use Per-Session MFA?

Per-session MFA can be used as part of any access policy within your organization, but it is especially valuable when it is used to ensure secure access to your most sensitive and mission-critical technology resources. Any of your production servers, clusters, or databases should be protected with access policies leveraging per-session MFA in addition to our other contextual validation options. Ensuring secure access to your critical infrastructure and business technology without disrupting the ability of your organization to deliver results is the gold standard, and Privileged Remote Access extends this across any system and user.

Experience Per-Session MFA with Privileged Remote Access for Your Organization

Ready to enhance your organization’s security with per-session MFA? Curious to see what else Privileged Remote Access has to offer?

Explore BeyondTrust’s free trial today and take the first step towards identity-secure, productive operations.

___

Content curated by the team of COMPUTER 2000 on the basis of news in reputable media and marketing materials provided by our partners, companies, and other vendors.
