Started working for a new company and they’re using FortiClient as a VPN for remote users and WFH users. It doesn’t have MFA set up when you sign in. Is this normal or a security breach?
Is it a good, or even acceptable idea? No.
Is it normal? Yes.
Will people reply telling you how good their company is and how they are better than normal? Also yes.
Probably uses client certificates, right? That actually does count as MFA (something you know = your password, something you have = your certificate)
Very common. You should mention this to your management. You’ll either get side eye or they will throw you a parade for being security conscious.
Everything that’s publicly accessible should have MFA. Some things that aren’t publicly accessible should have MFA.
Is it normal? Yes, that’s how ransomware crews get most targets.
Is it how it should be? No, it’s a sign of significant neglect.
Fortinet now has two ways of doing MFA: either with the FortiToken app, or you can use the NPS extension for Azure to connect your RADIUS server with Azure MFA.
Seeing as every goddamn compliance framework on earth now says MFA is required for VPN and many other types of access… there really is no excuse for not having it nowadays. Do companies ignore this? Absolutely… which leads to all of the compromised shit that is used as a jumping-off point to break into other systems or networks.
Not nearly enough information here. There are different flavors of MFA, and not just “get a text and enter a code”.
But, based on your post, it doesn’t seem like you’re in IT, or certainly not responsible for the VPN, so what’s the point here?
My old employer implemented MFA after getting hit with ransomware; it was an insurance requirement if I recall correctly. We were using it without MFA for years.
We use a user certificate issued by our CA and the user’s AD password with FortiClient. That is not technically MFA, but it means you need to be signed in on exactly that one device to be able to connect. Is your setup similar? (Is it even possible with FortiClient to use nothing but a username and static password?)
I’m genuinely confused by your question. It sounds like you believe that MFA is a required integral part of a VPN. It isn’t.
I’ve seen different setups of FortiGates, with some using Duo as MFA and others with nothing. Personally, having MFA is a godsend, as users have the worst passwords ever.
Thanks for the info, appreciate it.
I actually do work in IT. I just started a new job: I was on a help desk and got a new role as an IT admin, and I’m going to start working on more IT infrastructure and hopefully more networking tasks. My previous companies all had MFA, Cisco AnyConnect and Duo. I was just under the impression that MFA was a must-have when connecting to a VPN and wanted to clarify.
That is not technically MFA,
Isn’t it, though?
One could argue that you’re using multiple factors to authenticate: 1) password, 2) installed certificate.
It also fits the most important use case of MFA: if the password is stolen (e.g. user re-uses a password for other, less secure systems) then someone with just the password doesn’t gain access.
From what I’ve tested so far, I can sign into any laptop via FortiClient using my AD credentials.
Yeah, maybe I assumed it was, as all previous employers seemed to have it. Good to know it’s not an integral part of VPN.
It is. No idea what you are on about.
Where do Foreign-AD-* usernames come from? I see them everywhere. Are you part of a news distribution network?
I was just under the impression that MFA was a must-have when connecting to a VPN and wanted to clarify.
The problem is that you don’t seem to actually know if they’re utilizing MFA or not. You’re assuming they aren’t because you’re not entering a code. That’s not necessarily the case.