MSPs: Should Two Factor Authentication (2FA) Be Mandatory?

Is it time for MSPs (managed IT services providers) to mandate the use of two-factor authentication (2FA) across their internal systems as well as customer systems?

ChannelE2E poses the question amid this stark reality: Hackers continue to target and enter MSP software platforms — particularly RMM (remote monitoring and management) and remote control applications. Many of the attacks have involved ransomware spreading across CSPs (cloud service providers), MSPs and end-customer systems. The ransomware epidemic threatens to seriously harm the MSP industry’s credibility, ChannelE2E believes.

Sometimes, the breaches involve software vulnerabilities. But in many cases, the hacks involve compromised user credentials — industry jargon for user names and passwords.

In response, some software vendors have occasionally mandated or recommended 2FA or multi-factor authentication (MFA) to strengthen security against such attacks. Among those advocating 2FA: Datto, which will soon require 2FA for all Datto RMM user accounts, according to an August 1 blog from:

  • Ryan Weeks – Chief Information Security Officer for Datto
  • Ian van Reenen – VP of Engineering – Endpoint Products for Datto
  • Michael Bienvenue – Product Marketing Manager for Datto RMM

Have I Been Breached?

Amid those market realities, I recently received a warning shot across my own system. The polite warning came from Kaseya CEO Fred Voccola and ID Agent CEO Kevin Lancaster. (Kaseya acquired ID Agent, a dark web monitoring platform provider, earlier this year.)

During a sit-down at the Kaseya Connect IT Global 2019 conference in May, Voccola and Lancaster gave me some sobering news: My consumer email credentials were openly available on the dark web — which essentially meant hackers could potentially enter my consumer email account, scour the information within, and potentially move onto additional accounts based on whatever they found in my consumer email. My business account, perhaps through pure luck, didn’t suffer from compromised credentials.

It was a humbling moment for me. For several days after the conference, I compiled a list of my business and consumer accounts — everything from social media accounts to email to cloud services and plenty more. My list grew to about 40 different online accounts, plus their user names and passwords. That’s when I realized several of my accounts leveraged my compromised password… Ouch.

As my security concerns escalated, I spoke with a few friends in the MSP industry. Folks like Dave Sobel, senior director of MSP Evangelism at SolarWinds MSP, offered me some thoughts as I hardened many of my consumer accounts. Based on that conversation, I activated a consumer password management platform for all of my family-oriented accounts. But that was just the start.

My Own Move to 2FA: Smart or Not So Smart?

I also activated two-factor authentication (2FA) wherever possible for all of my various online accounts, particularly business or finance accounts.

Still, I’m worried. I don’t feel safe — especially as so-called SIM card swap attacks undermine 2FA security. So in addition to my security steps, we’ve deployed multi-cloud backup and restore (BDR) to safeguard our email and various cloud services — just in case hackers find open doors and windows that we’ve somehow overlooked.

As the cyber wars continue to escalate, I wonder if I’ve done enough to lock down my own systems. And I wonder if 2FA should be a basic next step for all MSPs, their platform providers, and end customers. Would such a move be a wise step for the overall MSP ecosystem — or is it an impractical or unnecessary requirement, especially as SIM card swap attacks potentially escalate?

I’m all ears. Educate me.

    MJ Shoer:
    I absolutely believe it should be mandatory. I have it enabled everywhere that I can. Like you, I also use a password management tool so no two credentials are alike and each is highly complex. It’s the least we should be doing for ourselves personally and every MSP should be doing to protect their infrastructure as we’ve seen what can happen if they do not. I agree with your position and your concern. Hope to see you this week at ChannelCon. MJ

    Joe Panettieri:

    Hey MJ: Thanks for weighing in. 2FA seems like such a no-brainer but I am curious to see if anyone raises any yellow flags/concerns about a potential mandatory approach in the MSP industry.

    I will be sure to say hello during ChannelCon. We’re popping in while also covering the Black Hat USA 2019 cybersecurity conference. Teaser alert: Our coverage of both conferences remains ongoing…

    1. Live Blog: CompTIA ChannelCon 2019 via ChannelE2E.
    2. Live Blog: Black Hat USA 2019 via MSSP Alert.


    Denis Wilson:

    I’ve just started to employ MFA on all business and personal financial accounts. I am using a password management tool and started to move my passwords to more complex type than I was using. Have been using unique passwords on those accounts for some time.

    MSPs should make the decisions for themselves, but it has gotten to the point of high priority to establish a strict policy on password management for MSPs. It is a conversation that the MSPs should have with their management teams, determine the cost (because there is one) and timeline. Get your entire team bought into the process. And assign champions for the implementation from your employees.

    It is now a matter of fiduciary responsibility to your own company. Lawsuits will soon start being bandied about when a breach occurs at the MSP access point. It’s going to get expensive.

    Joe Panettieri:

    Denis: You’re right. Lawsuits are absolutely on the way.

    MJ Shoer:

    Completely agree Denis. MSPs have a responsibility, both ethical and fiduciary. How can MSPs require it of their clients if they aren’t eating their own dog food, as the cliché goes? An MSP that does not have solid password management and security practices in place is not likely to remain an MSP for terribly long. It’s a long overdue area of focus for more MSPs than I would like.

    Jeremy Young:

    Hey Joe,
    Jeremy from Duo here. Here’s what we do for internal security from an application access perspective.
    1. Limit the number of passwords users have to remember to 3 – Primary Auth, Password Manager, local workstation
    2. Make those three passwords very long, at least 16-character, unique passphrases, and don’t rotate them frequently unless you see risky auth attempts or have reason to believe one has been compromised.
    3. Generate and store ALL other passwords using a secure password manager and try to generate the most secure password the app will let you. Make sure the password manager supports MFA and data encryption at rest.
    4. Secure your password manager, and every other app possible, with MFA.
    5. Use the most secure form of MFA available: USB Security token, app-based Push notifications, and OTP app-based passcodes are much better than SMS, Phone Calls, emails, or account pins.
    6. Enable Single Sign-on as a part of the MFA process so you limit the number of passwords altogether and simplify user logins.
    7. Enable access policies that require mobile device biometrics, enforce screen lock, and restrict auth attempts based on user location, device health, and device trust, so you can ensure that only the right users, on trusted devices that are healthy and up to date, are accessing the applications they’re properly entitled to.

    This is just the start of a healthy security practice, but this also makes the end-users lives easier by standardizing their application access. When you make MFA a part of a proper marriage with a password manager and SSO, it’s welcomed by the security team and end-users alike.
    Two-Factor should definitely be mandatory, but it should be done with a focus on empowering end-users to do their jobs, not getting in their way.
    I’m personally happy to help you get set up with Duo (free up to 10 users for everyone, free up to 50 users for MSPs) which does all of the above outside of password management.
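
Jeremy's step 5 ranks app-based OTP codes above SMS because the code is computed locally from a shared secret and the current time, so there is nothing for a SIM swap to intercept. The following is an added example, not code from the post or from Duo: a minimal RFC 6238 TOTP generator and a server-side verifier that tolerates one 30-second step of clock skew and refuses replayed codes. The secret is the published RFC 6238 test-vector key, not a real credential.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test-vector secret ("12345678901234567890" in base32); constructed demo value, not a real key.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time window."""
    return hotp(secret_b32, unix_time // step)


class TotpVerifier:
    """Server-side check: accepts +/- `skew` windows of clock drift, never accepts a code twice."""

    def __init__(self, secret_b32: str, step: int = 30, skew: int = 1):
        self.secret, self.step, self.skew = secret_b32, step, skew
        self.last_accepted_window = -1  # highest window already consumed by a successful login

    def verify(self, submitted: str, unix_time: int) -> bool:
        # Reject malformed input before doing any HMAC work.
        if not (submitted.isdigit() and len(submitted) == 6):
            return False
        now_window = unix_time // self.step
        for window in range(now_window - self.skew, now_window + self.skew + 1):
            # A code is single-use: any window at or below the last accepted one is a replay.
            if window <= self.last_accepted_window:
                continue
            if hmac.compare_digest(hotp(self.secret, window), submitted):
                self.last_accepted_window = window
                return True
        return False
```

The replay guard matters even for a 30-second code: without it an attacker who phishes a code can reuse it within the same window.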

    Adam Fadhli:

    MFA is the bare minimum defense today. That should be a given.
    We need to be looking beyond defense, and on to detection and mitigation. Things like EDR and SOAR backed by 24x7x365 real-time human monitoring and assessment.

    Here’s the nightmare scenario: Hackers breach your MSP network, giving them access to the keys to the kingdom (i.e., your customers’ network credentials). They then infiltrate all of your customers’ networks (through you), and simultaneously encrypt all of your customers’ systems (including yours).

    Do any of us think any of those customers would continue to use us as their MSP provider after an event like that? Of course they wouldn’t. Would such an event end your business overnight? Of course it would.

    This is by far the biggest risk we as MSPs face today. And this is what keeps me awake at night (even though we have MFA and a gauntlet of other protections on EVERYTHING).

    Joe Panettieri:

    Hey Jeremy: Thanks for the bullet list of potential next steps. I’m actually meeting with the Duo team at Black Hat this week and will likely kick the tires on the service while at the conference.

    Adam: You raise important points about EDR and SOAR. We continue to cover both topics closely, though most of our SOAR focus is on our sister site MSSP Alert. Still, I feel like SOAR is best leveraged by a certain class of MSSP and/or SOC provider. Whereas 2FA and basic backup are tools that all MSPs (and end-customers) should be consuming immediately — though so many folks out there have failed to do so.
