Always On VPN and Multifactor Authentication

Using multifactor authentication (MFA) to ensure strong user authentication is critical to the security of organizations of all sizes. Traditional authentication methods such as usernames and passwords are entirely inadequate given today’s threat landscape. Various techniques, including phishing, keylogging, and password sharing, easily compromise usernames and passwords.

MFA and Remote Access

Requiring MFA for remote access is arguably one of the most critical workloads for enforcing MFA. Exposing private corporate network resources to an untrusted network like the Internet without MFA places the organization at significant risk. However, MFA is not without drawbacks. For example, MFA solutions add cost and complexity, which can be inconvenient for users, leading to productivity loss. In addition, some forms of MFA, such as SMS, email, and even some push notifications, can be compromised, leaving the user and organization with a false sense of security.

More Information: Drawbacks of Multifactor Authentication (MFA)

Azure MFA

Always On VPN administrators commonly enable MFA for user tunnel connections using Microsoft Azure MFA. Azure MFA can be integrated on-premises using the NPS Extension for Azure MFA. After installing the NPS extension, all authentication requests on the NPS server will require Azure MFA. Some organizations may need to deploy separate, dedicated NPS servers to support Always On VPN and Azure MFA.

Alternatively, administrators can enable MFA using Azure Active Directory Conditional Access, controlled by Azure Conditional Access policies. An advantage to using Azure AD MFA is that administrators can create conditional access policies that only challenge users for additional forms of authentication when risk factors dictate, thereby reducing MFA fatigue.

MFA and Always On VPN

Integrating MFA with Always On VPN presents some unique challenges. Always On VPN connections are seamless and transparent to the user. No user intervention is required when establishing a VPN connection. Using traditional MFA with Always On VPN therefore inadvertently enforces poor security practices. Specifically, administrators are asking users to accept an MFA prompt for an action they did not explicitly take.

An excellent alternative to traditional MFA solutions is certificates. Many organizations have an existing Public Key Infrastructure (PKI), typically Microsoft Active Directory Certificate Services (AD CS). Using enterprise PKI-issued certificates for user authentication solves some of the challenges MFA presents when integrating with Always On VPN.


A Trusted Platform Module (TPM) is a specialized, embedded hardware device that securely stores cryptographic keys and performs cryptographic operations. TPMs store private keys in a secure environment, typically referred to as a secure enclave, which is isolated from the rest of the system. Private keys are never exposed outside of the TPM. This isolation safeguards private keys and protects them from potential attacks. TPM 2.0 features anti-hammering capabilities to mitigate brute-force attacks and is tamper resistant.

Certificates with private keys stored on a TPM are highly resistant to compromise. Users with full administrative access to the local device cannot export private keys from a TPM.
When using certificates with private keys stored on a Trusted Platform Module (TPM) on the user’s device, the endpoint effectively becomes a smart card providing strong, phishing-resistant multifactor authentication. The “something you know” is the password to log on to the device, and the “something you have” is the device with a hardware-embedded (TPM-backed) user authentication certificate. In this scenario, strong, multifactor authentication is enforced seamlessly without requiring user intervention.
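To verify that user authentication certificates on an endpoint actually meet the bar described above (private key held by the TPM and not exportable), an administrator can inspect the key storage provider behind each certificate. The following PowerShell is an added example written for this page; it is not code from the original post or from Microsoft. It assumes a Windows 10/11 client with PowerShell 5.1 or later, and it identifies TPM-backed keys by the provider name "Microsoft Platform Crypto Provider", which is the Windows key storage provider that fronts the TPM.

```powershell
# Added example (not from the original post): enumerate certificates in the
# current user's personal store and report whether each private key is held by
# the TPM (Microsoft Platform Crypto Provider) and whether it is exportable.
# Assumes Windows 10/11 and PowerShell 5.1 or later.

function Get-UserCertKeyStorage {
    [CmdletBinding()]
    param(
        # Store to inspect; user certificates used for Always On VPN live here.
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert       = $_
        $provider   = 'unknown'
        $exportable = $null

        try {
            # Try RSA first, then ECDSA; either may back an EAP-TLS user certificate.
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($null -eq $key) {
                $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
            }

            if ($key -is [System.Security.Cryptography.RSACng] -or
                $key -is [System.Security.Cryptography.ECDsaCng]) {
                # CNG key: the provider name tells us where the key material lives,
                # and the export policy tells us whether it can ever leave it.
                $provider   = $key.Key.Provider.Provider
                $exportable = (($key.Key.ExportPolicy -band
                    [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0)
            }
            elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CAPI key. CAPI providers cannot place keys in the TPM.
                $provider   = $key.CspKeyContainerInfo.ProviderName
                $exportable = $key.CspKeyContainerInfo.Exportable
            }
        }
        catch {
            # Key exists but is not accessible in this context (for example a key
            # that requires a PIN prompt); report what we know and keep going.
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Provider   = $provider
            TpmBacked  = ($provider -eq 'Microsoft Platform Crypto Provider')
            Exportable = $exportable
        }
    }
}

# Example use: list certificates whose private key is NOT TPM-protected or IS
# exportable. These are the ones an Always On VPN administrator would want to
# re-enroll from a template that requires the Microsoft Platform Crypto Provider.
Get-UserCertKeyStorage |
    Where-Object { (-not $_.TpmBacked) -or ($_.Exportable -eq $true) } |
    Format-Table Subject, Thumbprint, NotAfter, Provider, TpmBacked, Exportable -AutoSize
```

A certificate that reports a TPM-backed, non-exportable key is the case the paragraph above describes: the private key is bound to that specific device and cannot be copied to another one, which is what makes the device itself the "something you have" factor.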

Learn More

Are you interested in learning more about leveraging certificates for strong, multifactor authentication for Always On VPN in your organization? Fill out the form below, and I’ll respond with more information.
