implement MFA

Credential-based attacks remain one of the top cybersecurity threats—and Multi-Factor Authentication (MFA) is one of the most effective defenses. Yet many organizations only protect cloud apps, leaving SSH access, RDP sessions, and legacy systems exposed.

To truly secure your environment, MFA must be everywhere: for administrators, users, remote workers, and third-party vendors. This guide explores how to implement MFA across your entire infrastructure, including Unix-based systems, Windows servers, and legacy applications that don’t natively support modern authentication protocols.


Why MFA Everywhere?

MFA reduces the risk of:

  • Credential stuffing
  • Brute force attacks
  • Phishing
  • Stolen password reuse
  • Insider threats

It’s no longer enough to protect just your Office 365 or VPN. Attackers are targeting:

  • RDP ports open to the internet
  • Privileged accounts via SSH
  • Forgotten legacy applications running on internal servers

Core MFA Methods to Consider

  • TOTP (Time-based One-Time Passwords)
  • Push notifications (e.g., via authenticator apps)
  • Hardware tokens (e.g., YubiKey, smartcards)
  • Biometrics (e.g., fingerprint, facial recognition)
  • Certificate-based authentication

Choose based on:

  • User convenience
  • Integration support
  • Cost and scalability
  • Compliance requirements

MFA for SSH (Linux, Unix, macOS)

Option 1: PAM-Based MFA

Most Linux systems support Pluggable Authentication Modules (PAM). You can integrate Google Authenticator, Duo, or similar tools via PAM.

Basic Steps:

  1. Install an MFA module (e.g., libpam-google-authenticator)
  2. Enable it in /etc/pam.d/sshd and /etc/ssh/sshd_config
  3. Restart SSH and test the login flow

This allows SSH logins only if the user provides both their password and a TOTP code.
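As an added example (not code from the original article), the following POSIX shell functions apply the PAM and sshd_config settings that the three steps above describe and then verify them. The file paths are parameters so the functions can be tried on copies first; it assumes libpam-google-authenticator is installed and each user has already enrolled with the google-authenticator command.

```shell
#!/bin/sh
# Added example, not from the original article: apply the PAM and sshd settings
# for password + TOTP logins, then verify them. File paths are parameters so the
# functions can be exercised on copies first. Assumes libpam-google-authenticator
# is installed and each user has already run google-authenticator.

# Append the TOTP module once, after the distro's password stack
# (e.g. "@include common-auth" on Debian/Ubuntu), so PAM asks for password, then code.
enable_pam_totp() {
    pam_file="${1:-/etc/pam.d/sshd}"
    grep -q '^[^#]*pam_google_authenticator\.so' "$pam_file" && return 0
    printf 'auth required pam_google_authenticator.so\n' >> "$pam_file"
}

# Set one sshd_config key to exactly one value: drop every existing
# (including commented-out) occurrence, then append the wanted line.
set_sshd_option() {
    cfg="$1"; key="$2"; value="$3"
    grep -v -i "^[[:space:]]*#*[[:space:]]*$key[[:space:]]" "$cfg" > "$cfg.tmp" || true
    printf '%s %s\n' "$key" "$value" >> "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

configure_sshd_mfa() {
    cfg="${1:-/etc/ssh/sshd_config}"
    cp -p "$cfg" "$cfg.bak"
    set_sshd_option "$cfg" UsePAM yes
    # Named ChallengeResponseAuthentication on OpenSSH older than 8.7.
    set_sshd_option "$cfg" KbdInteractiveAuthentication yes
    # The password is collected by PAM inside keyboard-interactive, so the
    # plain password method (which would skip the TOTP step) is turned off.
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" AuthenticationMethods keyboard-interactive
}

# Check every required key is present, once, with the right value. Run
# "sshd -t" after this and keep an existing session open while you test.
verify_sshd_mfa() {
    cfg="$1"; pam="$2"
    for kv in 'UsePAM yes' 'KbdInteractiveAuthentication yes' \
              'PasswordAuthentication no' 'AuthenticationMethods keyboard-interactive'; do
        [ "$(grep -c -i "^$kv\$" "$cfg")" -eq 1 ] || return 1
    done
    [ "$(grep -c '^auth required pam_google_authenticator\.so$' "$pam")" -eq 1 ]
}
```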

Option 2: SSH Certificate Authorities with MFA

For enterprises, use an SSH CA to sign keys and enforce MFA during the authentication process using central tools like Duo Unix or identity brokers.


MFA for RDP (Windows Remote Desktop)

Option 1: Native Windows Hello for Business

Windows 10/11 and Server versions support Windows Hello for Business, which includes:

  • Biometric login
  • PIN tied to TPM
  • Certificate-backed credentials

Best used in Active Directory or hybrid Azure AD environments.

Option 2: Third-Party RDP MFA Agents

Install an MFA agent or broker (e.g., Duo, Rublon) on RDP hosts. These prompt for second-factor verification after successful password entry, before allowing desktop access.

Option 3: RADIUS with MFA Backend

Configure Network Policy Server (NPS) or a similar RADIUS server to perform the MFA check during RDP login attempts through its remote authentication policies.


MFA for Legacy Applications

Many legacy apps:

  • Don’t support SAML or OIDC
  • Only rely on local password authentication
  • Run on outdated protocols or platforms

Solution 1: MFA Gateways

Place a reverse proxy or identity-aware gateway in front of the legacy app. Authenticate users through modern MFA before allowing backend access.

Examples:

  • VPN with MFA
  • Identity gateway that injects credentials on behalf of the user

Solution 2: MFA at the OS Level

If you can’t modify the app, secure the OS it runs on:

  • Enable MFA at the login screen (Windows or Linux)
  • Restrict remote access ports
  • Use jump servers with enforced MFA

Solution 3: RDP + App Layer Isolation

Run the app in a Windows session and protect access to the session via RDP with MFA. Though not ideal, it’s a practical workaround.


MFA for Shared Accounts & Admin Tools

Admins often use:

  • Shared service accounts
  • Remote consoles (Hyper-V, vSphere, iLO, iDRAC)
  • Network devices (routers, switches)

Tips:

  • Use Privileged Access Management (PAM, not to be confused with the Linux PAM modules above) to assign just-in-time access
  • Replace shared accounts with personal logins + elevation tools
  • Enforce RADIUS/TACACS+ MFA for network appliances
  • Require MFA for jump hosts or bastion servers

Best Practices for Universal MFA Deployment

  • Start with critical systems: Admin interfaces, domain controllers, VPNs
  • Standardize MFA method: Minimize user confusion
  • Create exception workflows for break-glass accounts or outages
  • Log and monitor MFA attempts and failures
  • Regularly audit access points for new apps or exposed ports
  • Train users on how MFA works and how to report issues
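As an added example for the "log and monitor MFA attempts and failures" point (not code from the original article), this POSIX shell script reads sshd/PAM auth-log lines and reports accounts with repeated invalid TOTP codes, plus accounts that were challenged without an enrolled secret. The log lines are constructed samples shaped like pam_google_authenticator's messages; the threshold and message wording are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: flag accounts with repeated
# TOTP failures in the sshd/PAM auth log. The log lines below are constructed
# to mirror the shape pam_google_authenticator writes to auth.log; the
# threshold and exact message wording are assumptions.

# Constructed sample of /var/log/auth.log entries (not real captured data).
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 09:01:12 bastion sshd[2101]: pam_google_authenticator(sshd:auth): Invalid verification code for alice
Mar  3 09:01:20 bastion sshd[2101]: pam_google_authenticator(sshd:auth): Invalid verification code for alice
Mar  3 09:01:31 bastion sshd[2101]: pam_google_authenticator(sshd:auth): Invalid verification code for alice
Mar  3 09:02:02 bastion sshd[2107]: pam_google_authenticator(sshd:auth): Accepted google_authenticator for bob
Mar  3 09:02:40 bastion sshd[2110]: pam_google_authenticator(sshd:auth): Invalid verification code for bob
Mar  3 09:03:15 bastion sshd[2115]: pam_google_authenticator(sshd:auth): Failed to read "/home/carol/.google_authenticator" for "carol"
EOF
)

# Read log text from stdin and print "user count" for every account whose
# invalid-code count reaches $1 (default 3). A run of wrong codes against one
# account is the trace a code-guessing attempt leaves; real users rarely
# mistype three codes in a row, so this is worth an alert.
totp_failures_over() {
    threshold="${1:-3}"
    awk -v limit="$threshold" '
        /pam_google_authenticator/ && /Invalid verification code for/ {
            user = $NF; fails[user]++
        }
        END { for (u in fails) if (fails[u] >= limit) print u, fails[u] }'
}

# Accounts whose secret file could not be read: during a rollout these are the
# users still to enroll, and after rollout they should not appear at all.
unenrolled_users() {
    grep 'Failed to read' \
        | grep -o '\.google_authenticator" for "[^"]*"' \
        | sed 's/.*for "//; s/"$//' \
        | sort -u
}

main() {
    printf 'Accounts with 3+ invalid TOTP codes:\n'
    printf '%s\n' "$SAMPLE_LOG" | totp_failures_over 3
    printf 'Accounts challenged without an enrolled secret:\n'
    printf '%s\n' "$SAMPLE_LOG" | unenrolled_users
}
```

Point the two functions at the real file with `totp_failures_over 3 < /var/log/auth.log` from a cron job or a log shipper.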

Common Pitfalls to Avoid

  • Applying MFA to only cloud apps
  • Relying solely on SMS-based codes (less secure)
  • Leaving legacy systems unprotected
  • Assuming VPN is sufficient
  • Allowing local logins that bypass MFA controls

Conclusion

If you want a secure environment, you need MFA across every authentication boundary—not just the obvious ones. SSH sessions, RDP access, and legacy software are some of the most common attack paths. With the right tools and integrations, you can implement MFA in all corners of your infrastructure, securing not only the cloud, but the core of your network.
