MSPs: Should Two Factor Authentication (2FA) Be Mandatory?
Is it time for MSPs (managed IT services providers) to mandate the use of two-factor authentication (2FA) across their internal systems as well as customer systems?
ChannelE2E poses the question amid this stark reality: Hackers continue to target and enter MSP software platforms — particularly RMM (remote monitoring and management) and remote control applications. Many of the attacks have involved ransomware spreading across CSPs (cloud service provider), MSPs and end-customer systems. The ransomware epidemic threatens to seriously harm the MSP industry’s credibility, ChannelE2E believes.
Sometimes, the breaches involve software vulnerabilities. But in many cases, the hacks involve compromised user credentials — industry jargon for user names and passwords.
In response, some software vendors have occasionally mandated or recommended 2FA or multi-factor authentication (MFA) to strengthen security against such attacks. Among those advocating 2FA: Datto, which will soon require 2FA for all Datto RMM user accounts, according to an August 1 blog from:
- Ryan Weeks – Chief Information Security Officer for Datto
- Ian van Reenen – VP of Engineering – Endpoint Products for Datto
- Michael Bienvenue – Product Marketing Manager for Datto RMM
Have I Been Breached?
Amid those market realities, I recently received a warning shot across my own system. The polite warning came from Kaseya CEO Fred Voccola and ID Agent CEO Kevin Lancaster. (Kaseya acquired ID Agent, a dark web monitoring platform provider, earlier this year.)
During a sit-down at the Kaseya Connect IT Global 2019 conference in May, Voccola and Lancaster gave me some sobering news: My consumer email credentials were openly available on the dark web — which essentially meant hackers could potentially enter my consumer email account, scour the information within, and potentially move onto additional accounts based on whatever they found in my consumer email. My business account, perhaps through pure luck, didn’t suffer from compromised credentials.
It was a humbling moment for me. For several days after the conference, I compiled a list of my business and consumer accounts — everything from social media accounts to email to cloud services and plenty more. My list grew to about 40 different online accounts, plus their user names and passwords. That’s when I realized several of my accounts leveraged my compromised password… Ouch.
As my security concerns escalated, I spoke with a few friends in the MSP industry. Folks like Dave Sobel, senior director of MSP Evangelism at SolarWinds MSP, offered me some thoughts as I hardened many of my consumer accounts. Based on that conversation, I activated a consumer password management platform for all of my family-oriented accounts. But that was just the start.
My Own Move to 2FA: Smart or Not So Smart?
I also activated two-factor authentication (2FA) wherever possible for all of my various online accounts, particularly business or finance accounts.
Still, I’m worried. I don’t feel safe — especially as so-called SIM card swap attacks undermine 2FA security. So in addition to my security steps, we’ve deployed multi-cloud backup and restore (BDR) to safeguard our email and various cloud services — just in case hackers find open doors and windows that we’ve somehow overlooked.
As the cyber wars continue to escalate, I wonder if I’ve done enough to lock down my own systems. And I wonder if 2FA should be a basic next step for all MSPs, their platform providers, and end customers. Would such a move be a wise step for the overall MSP ecosystem — or is it an impractical or unnecessary requirement, especially as SIM card swap attacks potentially escalate?
I’m all ears. Educate me.