Integrated MFA Intelligent Hub - Workspace ONE Access

VMware Verify EOL

VMware announced this back in October 2021: VMware Verify is end of life (EOL):

https://kb.vmware.com/s/article/88424

Very unfortunate, because it is (or was) a very decent solution for delivering Multi-Factor Authentication integrated with Workspace ONE Access. In this blog post I want to share my thoughts on it, what the VMware alternatives are that we can deliver, and how you should approach it:



VMware Verify

First I want to dive into the different features that VMware Verify currently provides:
  • SMS authentication:
This is still (too) commonly used in organisations to provide an MFA solution to users without a smartphone or other device at hand. As the KB article above explains, SMS authentication is not considered best practice, at least from a security perspective.

  • Time Based One Time Passcode (TOTP):
Another option is to use the TOTP code shown in the VMware Verify application and type it over into your console. Not the most user-friendly approach, but it doesn't necessarily require the VMware Verify app and can be integrated with any Authenticator app (more on that below).

  • Push notification:
This is probably the most commonly used, as it is the most user-friendly and probably also the most secure way to authenticate. VMware Verify delivers a push notification to the device, and pressing the OK button in the app authenticates the user; very intuitive.


Workspace ONE Access alternatives

Now, as of today, what can we do with Workspace ONE Access for each of the above categories?

  • SMS Authentication
As of today, SMS or text message authentication is not supported without VMware Verify, and VMware advises moving away from it for the following reasons:
  • Recent exploits of SMS authentication via spoofing/phishing, SIM swapping, lack of SMS encryption and SMS rerouting have made it clear that the ease of registration does not justify the lack of security.
  • SMS authentication has relatively low usage as an authentication mechanism globally.
  • NIST Digital Authentication Guidelines ban SMS for two-factor authentication.

That said, some use cases still require SMS authentication.


Time Based One Time Passcode (TOTP) or Authenticator App:

With the release of the Authenticator App authentication method in Workspace ONE Access, this is now possible. TOTP-based authentication is integrated into Access and no longer requires a third-party integration, just as with VMware Verify. And with the latest releases of the Intelligent Hub for Android and iOS, it is also integrated in the Intelligent Hub:



This means users no longer need an extra Authenticator app on their phone, and the Intelligent Hub app is probably already managed on the device. If a user uses the Intelligent Hub on a BYOD device to navigate to Catalog items etc., that is also possible with Authenticator TOTP.

This is how it looks from an end user perspective:



After the QR code from Access is scanned, the TOTP code is visible in the Intelligent Hub:

Push Notification Hub Verify

Last but not least is push notification authentication with Hub Verify:

If your device is managed (or registered) in Workspace ONE UEM, Intelligent Hub Verify can be used as an authentication method (as a secondary factor only).

This has the best user experience and is also integrated in the Intelligent Hub. Again, if you are a Workspace ONE customer, your users will probably already have the Intelligent Hub installed on their phone. It works best if the device is managed by Workspace ONE, but BYOD is also an option.
The downside is that the device has to be managed in the same Workspace ONE UEM environment that Workspace ONE Access is connected to; otherwise it won't work.
Compare this to VMware Verify, where the management state of the device doesn't really matter.

After authenticating in Workspace ONE, a push will be sent to the device that is managed in Workspace ONE UEM:



It doesn't have to be a phone; I use an iPad:

A push notification will be visible on the iPad:



Opening the Intelligent Hub will allow you to approve the authentication:

Summary

Moving away from VMware Verify has a lot of benefits: it is more integrated into the Workspace ONE product suite, the authentication methods are integrated in the Intelligent Hub, and there is no longer a requirement for a third-party integrated solution with Twilio.
In this article you can see that Workspace ONE Access has most of the MFA options available that VMware Verify had, but not every use case is covered. BYOD is covered with the Authenticator App, but the user experience is not as nice as a push notification.

What would also be nice is if we could use Intelligent Hub Verify in the future for passwordless authentication and not only as a secondary option. Who knows!
