Those of us who have been using VMware Identity Manager for quite some time are familiar with VMware Verify, which was built on the Twilio/Authy API to deliver MFA. You may also have seen my recent article on the Duo integration, which is another spin on leveraging MFA. VMware recently released Workspace ONE Hub MFA, which advances Verify to synergistically become part of the Hub powered by Hub Services. Let’s walk through configuring Hub MFA and a demo of the user experience, both in the desktop app you access and when granting access via mobile.
Setting up Hub MFA in Workspace ONE Access
It’s impressive how simple the Hub MFA setup actually is. First, you go into Auth Methods and configure “Verify (Intelligent Hub)”, which is super simple. As you can see below, these are the settings I recommend, especially “Enhanced Verification on Managed Devices”, which requires biometric/passcode auth before you can approve access.
Next, you will go into your identity provider and enable the Verify (Intelligent Hub) auth method so you can use it in your policy.
Once that is done, you just need to add that authentication method to your application’s policy. That is relatively simple, as you can see below. Some may choose to only enforce Hub MFA for external IP addresses, but that will be entirely up to you. It’s pretty easy to achieve either way, depending on what your needs are:
Demo of the User Experience
First, we will take a look at a demo of what happens when you try to access an application using Hub MFA in its policy:
Next, we will look at what the approval workflow looks like on your mobile device:
Thoughts on Workspace ONE Hub MFA
I know this is a short article overall, but I think it’s important to understand how MFA should work.
I’ve been a major proponent of building user experience in layers and making all zero trust capabilities transparent. I talked about this on a recent podcast actually:
I’ve been saying for years that stuff like Mobile Threat Defense and MFA cannot be another app you throw on someone’s device. We’re only successful by integrating it into the everyday lives of our users. Hub MFA does an excellent job there!
My only hope is they will do something similar with Carbon Black directly integrating into the WS1 Hub, which would be absolutely amazing.
In closing, the only real gap that Hub MFA has is that it’s not something you can tie in via RADIUS APIs in other locations. We use it as part of our IdP flow and I think that’s okay. We should aspire to making products more pliable without old-timey requirements. Let’s do better and build better experiences that don’t compromise our user experience.