There’s More than One Way to Skin… Workspace ONE MFA

A year ago, I wrote about a new offering from VMware called “Workspace ONE Hub MFA”, which is truly a major departure from VMware Verify and all of its nonsense. Recently, VMware released a more modern approach to the program with the “Authenticator App” method, following the vein of many SaaS platforms conforming to how users actually work. Let’s talk more about Authenticator and how it’s truly a new way to skin a cat for the digital workspace.

What Problems Does Hub MFA Have Today?

We cannot talk about Authenticator without talking about some of the challenges that Hub MFA has today. Some of these issues are:

  • Requires the user to enroll in Workspace ONE
  • Has had some issues with the following:
    • Notifications causing app crashes
    • Notifications never arriving on some platforms (this happened with Android)
    • Only supports OTP push

Overall, push-based OTP (One Time Password) approval is really becoming the industry standard. We have come a long way from the old RSA days where you put in your PIN, grab a code, and enter it. Now, people expect a notification on their phone like the major players Okta, Duo, and to some degree Ping provide.

Hub MFA is a really good product, so do not get me wrong, but what you run into now within the enterprise is “another product I have to bring to architecture review” and something that is deemed “not an accepted pattern.” That is on top of the whole too-many-apps debate in general. I originally was not a huge fan of another authenticator inside WS1 Access, but I continue to see fringe use cases that are just too good to pass up.

One thing I ran into recently was some competitor product deficiencies that made me reconsider using this as a great partner to VMware Horizon for delivering a holistic VDI solution for unmanaged devices and securing the edge effectively. So, let’s discuss how you set things up.

Configuring the Authenticator Auth Method in WS1 Access

The best part about the Authenticator auth method is just how simple it is to set up. You can check out the short video below. I strongly recommend investing the time in building good user messages for registration and recovery. These little nuances really help build a strong user experience.

As you saw, it is super simple to make this happen. It’s just as easy as setting up Hub MFA, and it just “works”, which we can really appreciate. Now, we will move into the registration process for a user.

Registering the Authenticator App on your Phone

Simplicity is so crucial today. I really love how easy the registration process is, which mimics many of its competitors. After your standard authentication, Access checks whether you already have a registered device. If not, you get a quick and easy way to register in your personal authenticator app of choice. Why is this so helpful?

The top reason is that many enterprises already use Microsoft Authenticator for MFA, which means you don’t need to get this solution blessed to the high heavens like I have seen with Workspace ONE Hub MFA. You literally just scan the QR code (or type in the setup key) and add it! Automagically, we are there. We can’t hate the simplicity. Check out the demo below! After this, we will talk about management of the registrations:

Managing MFA Registrations in WS1 Access

One of the things that I really love about leveraging MFA inside WS1 Access is that as mobility people we can ACTUALLY do SOMETHING! You just drill into any user inside Workspace ONE Access, and you can see all of their identities, such as FIDO2 registered security keys, authenticator app registrations, and even reset Hub Verify. This is truly simplicity at its best!

Additionally, you can easily audit many of these events.

You can see that I have events for the deletion of an authenticator device:

Authentication of the device:

I would love to see registration events as well, but realistically I have what I need. I’m not too sad about it, and besides, I HAVE ACCESS TO ACCESS! A little wordplay for a late-night article is a must. Let’s close things out with the user experience.

The User Login Experience for Authenticator

As you will see below, the user login experience is top notch. It is smooth and clean, as you would expect. Users have no idea that they are using anything fancy. They just know they can go into Google Authenticator, or whatever their authenticator of choice is, to make the magic happen.
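To make the registration step above and this login step concrete, here is an added example (my own code, not VMware’s and not anything pulled from Access) of what a third-party authenticator app and the service behind it agree on: the QR code you scan at registration encodes an otpauth:// URI carrying a shared secret, and at login the service recomputes the RFC 6238 TOTP code from that secret. Access’s internals are not public, so the assumption here is only that the “Authenticator App” method speaks the same standard TOTP that Google and Microsoft Authenticator implement; the issuer and account names are made up. The test key is the one published in RFC 6238 (ASCII "12345678901234567890"), so the codes can be checked against the RFC.

```python
"""Added example: TOTP enrollment URI plus server-side verification.
Not VMware code; uses the RFC 4226/6238 mechanics that standard authenticator
apps implement. Issuer/account values below are illustrative."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP = 30    # seconds per time step (the "period" in the QR code)
DIGITS = 6   # code length shown in the app

# RFC 6238 test key: ASCII "12345678901234567890" in base32.
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def new_secret(nbytes: int = 20) -> str:
    """Random 160-bit secret, base32 without padding: this is the 'setup key'
    a user types if they cannot scan the QR code."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def enrollment_uri(secret_b32: str, issuer: str, account: str) -> str:
    """The otpauth:// Key URI that the registration QR code encodes
    (the format Google/Microsoft Authenticator parse). Issuer appears in the
    label and as a parameter because some apps only read one of them."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic
    truncation to DIGITS decimal digits."""
    pad = "=" * (-len(secret_b32) % 8)            # restore stripped padding
    key = base64.b32decode(secret_b32.upper() + pad)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, at: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(secret_b32, at // STEP)


class TotpVerifier:
    """Server side of the login prompt. Accepts the current step plus
    `skew_steps` either side to tolerate phone clock drift, and never accepts
    a step at or before the last one consumed, so a captured code cannot be
    replayed inside the window."""

    def __init__(self, secret_b32: str, skew_steps: int = 1):
        self.secret = secret_b32
        self.skew = skew_steps
        self.last_used_step = -1

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        now = int(time.time()) if at is None else at
        current = now // STEP
        for step in range(current - self.skew, current + self.skew + 1):
            if step <= self.last_used_step:
                continue  # replay (or older than an already-accepted code)
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_used_step = step
                return True
        return False


if __name__ == "__main__":
    secret = new_secret()
    print(enrollment_uri(secret, "Example Corp", "alice@example.com"))
    code = totp(secret, int(time.time()))
    print("app shows:", code, "accepted:", TotpVerifier(secret).verify(code))
```

The one-step skew and the last-used-step check are the two things worth carrying over when evaluating any TOTP service: a wide window quietly turns a 6-digit code into something much easier to guess, and without replay tracking a code shoulder-surfed or phished seconds earlier is still good.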

The only thing that I don’t love is that users cannot self-manage their own registrations. Part of me would love that capability, but my security hat says that is not a great idea anyway. This article was short and sweet, just like the simplicity of Authenticator!

Final Thoughts

The NEW Authenticator app method is a really cool prospect. I think this is a nice opportunity to make yourself relevant from a security perspective while leveraging security patterns that are already blessed (fairly likely, at least!). I’m a major proponent of anything that enables my fellow UEM engineers to get a bit of credibility and notoriety in their enterprises. That is NOT an easy thing. Let’s face it, we don’t do Kubernetes. At the end of the day, let’s celebrate some small wins that grow into large successes.
