Best security practice for SME - Can 2FA replace VPN?

I have a question about something out of scope for usual privacy oriented users. In my company (SME) we have an internal file server that can be accessed from out-of-office only via VPN, which is set up by our IT support on all business laptops. This is, as I know, best practice when it comes to security. But what if we decide to move to a hosted cloud instead (e.g. Nextcloud with a trusted provider)? Would 2FA be enough to secure the access?

Our main threat is unauthorized access, mainly by competitors. And in my opinion, if users are careful enough, with 2FA this should be quite a secure solution. The only problem is how to prevent users from using it on insecure private PCs, but let’s skip that issue for a moment. Does this make any sense to you?

1 Like

Never used Nextcloud, but I guess there is an option too to let only some IPs access it, or if you’re hosting it on a local server then maybe there is an app doing this thing to let only some IPs access (I’m not sure about Nextcloud, but I’m sure someone did an app to do that thing on the server itself, so yeah). But if you have no option, then yes, 2FA will be good. (Yes, my answer is not good, but I’m trying to help/guessing with ya.)

Yes, Nextcloud has an option (app) to whitelist IPs. However, that still requires VPN, since users who are out of office will be connected to various networks. If there were a possibility to whitelist MAC addresses, that would be good, but I’m not sure if that is possible at all.

What it comes down to is, an attacker must hack authentication of your VPN server vs. an attacker must hack authentication of a single application server.

So 2FA doesn’t really replace the VPN tunnel in this case.

Furthermore, the VPN tunnel adds an additional layer of protection for data in transit between your clients and the VPN server of your company (e.g., in addition to TLS). If you use a public file server on the internet, then there is (most likely) only TLS.

2 Likes
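To make the two points above concrete (that an IP allowlist only works for remote users if they come in through the VPN, and that a VPN in front of the file server is a second, independent authentication gate), here is a small added model of the two designs. It is example code written for this thread, not Nextcloud's or any VPN product's code. It implements RFC 6238 TOTP with the standard library as the "2FA" step, and all addresses are constructed from RFC 5737 documentation ranges. Allowlisting keys on the source IP because a MAC address is link-layer only and is never visible to a server across the internet.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed sample addresses (RFC 5737 documentation ranges, not real hosts).
OFFICE_NET = ipaddress.ip_network("203.0.113.0/24")   # office egress range
VPN_EGRESS = ipaddress.ip_address("203.0.113.5")      # company VPN concentrator's public IP
COFFEE_SHOP_IP = ipaddress.ip_address("198.51.100.7") # a roaming user's cafe/hotel address

ALLOWLIST = [OFFICE_NET]  # what a Nextcloud-style "allowed IPs" app would hold

# Constructed test secret (the RFC 4226 / RFC 6238 test-vector secret), never use in production.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def totp_valid(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours for clock drift.
    Comparison is constant-time so timing does not leak which digits matched."""
    step = unix_time // 30
    return any(
        hmac.compare_digest(hotp(secret, step + delta), code)
        for delta in range(-window, window + 1)
    )


def ip_allowed(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in ALLOWLIST)


def vpn_gate(vpn_creds_ok: bool, client_ip: ipaddress.IPv4Address) -> ipaddress.IPv4Address:
    """Models the VPN layer: a user who authenticates to the VPN server is tunnelled
    and reaches the file server from VPN_EGRESS; anyone else keeps their own address."""
    return VPN_EGRESS if vpn_creds_ok else client_ip


def app_gate(password_ok: bool, code: str, now: int,
             source_ip: ipaddress.IPv4Address, allowlist_on: bool) -> tuple:
    """Models the application layer: optional IP allowlist, then password, then TOTP."""
    if allowlist_on and not ip_allowed(source_ip):
        return (False, "source IP not in allowlist")
    if not password_ok:
        return (False, "bad password")
    if not totp_valid(SECRET, code, now):
        return (False, "bad or missing second factor")
    return (True, "granted")


def run_scenarios(now: int = 59) -> dict:
    """Walk the cases discussed in the thread and return each access decision."""
    good_code = totp(SECRET, now)
    return {
        # Allowlist on, user roams without VPN: valid password + 2FA is still refused.
        "roaming_no_vpn_allowlist_on":
            app_gate(True, good_code, now, vpn_gate(False, COFFEE_SHOP_IP), True),
        # Same user through the VPN: now appears from VPN_EGRESS and is admitted.
        "roaming_via_vpn_allowlist_on":
            app_gate(True, good_code, now, vpn_gate(True, COFFEE_SHOP_IP), True),
        # Cloud-hosted design, allowlist off: password + 2FA alone decides.
        "roaming_cloud_2fa_only":
            app_gate(True, good_code, now, vpn_gate(False, COFFEE_SHOP_IP), False),
        # Stolen password but no valid code (cloud design): blocked by the second factor.
        "stolen_password_no_2fa":
            app_gate(True, "000000", now, vpn_gate(False, COFFEE_SHOP_IP), False),
        # Stolen password AND a phished code, but no VPN credentials (VPN-fronted design):
        # blocked before the application ever sees the credentials.
        "stolen_password_and_code_no_vpn":
            app_gate(True, good_code, now, vpn_gate(False, COFFEE_SHOP_IP), True),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:36s} {'ALLOW' if ok else 'DENY ':5s} {why}")
```

The last two scenarios are the heart of the disagreement in the thread: with the allowlist turned off, 2FA is the only thing standing between a phished user and the files, while a VPN-fronted server rejects the same compromised credentials at a gate the attacker has not breached. Whether that extra gate is worth the operational cost is the decision the original poster has to make.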

I remember I watched a DIY VPN video (on Linus Tech Tips, I assume). They used AWS (I know Amazon is bad), but if your company could make it and make the IPs static, it will be perfect :ok_hand: