Protect Legacy Apps with Multi-Factor Authentication

Organizations sometimes use legacy apps, systems and services. These legacy apps have been in place for a long time, perform a required job, and may be difficult to replace. Common examples are:

  • SSH (Secure Shell)
  • remote desktop servers (RDP, Citrix, Windows Remote Desktop Services)
  • database servers, such as Microsoft SQL Server, MySQL, Oracle and PostgreSQL
  • file sharing servers
  • web apps on web servers

Due to their age, legacy apps often don’t support security features that are standard today, such as two-factor or multi-factor authentication (MFA). They may also not integrate with single sign-on (SSO) systems, meaning a separate app-specific account has to be provisioned when a user requires access and deprovisioned when they no longer do. Both of these issues represent security exposures that are easy to remedy with Twingate.

Twingate allows you to layer MFA onto any legacy app by applying a Security Policy. You'll also get the added benefit of requiring users to authenticate with your identity provider, so that when an employee leaves the organization, you can disable their access to all legacy apps by simply disabling their SSO account. Previously, you would need to remember to disable each account on each legacy app.

How does this work? Twingate monitors a device’s outbound requests at the network level. If the request is for an app secured by Twingate, Twingate holds that request while checking and enforcing the associated Security Policy. For example, if Twingate determines the user is authorized to access the app and the applicable Security Policy requires MFA, Twingate will prompt the user for their 2FA code. If authentication succeeds, Twingate will allow the request through to the requested app.

If a user doesn’t have authorization to access an app, the request never leaves the device, rendering the requested app completely inaccessible.

Importantly, because Twingate works at the network level, nothing about the legacy app needs to be changed or reconfigured to allow this to work.
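The decision order described above, as an added conceptual model (not Twingate's code or API; every class, function and host name below is hypothetical). It shows that authorization is evaluated before any MFA prompt and that disabling the SSO account blocks every protected app at once.

```python
# Conceptual model only: all names here are hypothetical, not Twingate identifiers.
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Set


class Verdict(Enum):
    PASS_THROUGH = "not a protected app; request is not intercepted"
    BLOCK = "held on the device; the app never sees the request"
    FORWARD = "policy satisfied; request released to the app"


@dataclass
class Policy:
    require_mfa: bool = True


@dataclass
class User:
    name: str
    sso_active: bool = True                         # identity-provider account state
    allowed: Set[str] = field(default_factory=set)  # apps the user is authorized for


def evaluate(user: User, dest: str, protected: Dict[str, Policy],
             mfa_prompt: Callable[[User], bool]) -> Verdict:
    """Decide the fate of one outbound request, in the order the page describes."""
    policy = protected.get(dest)
    if policy is None:
        return Verdict.PASS_THROUGH
    # Authorization comes first; a disabled SSO account fails here for every app.
    if not user.sso_active or dest not in user.allowed:
        return Verdict.BLOCK
    if policy.require_mfa and not mfa_prompt(user):
        return Verdict.BLOCK
    return Verdict.FORWARD


# Constructed sample data: two legacy apps behind an MFA-requiring policy.
PROTECTED = {"ssh.legacy.example:22": Policy(), "sql.legacy.example:1433": Policy()}


def demo() -> Dict[str, Verdict]:
    alice = User("alice", allowed=set(PROTECTED))
    out = {"mfa_ok": evaluate(alice, "ssh.legacy.example:22", PROTECTED, lambda u: True),
           "mfa_fail": evaluate(alice, "ssh.legacy.example:22", PROTECTED, lambda u: False)}
    alice.sso_active = False  # offboarding: one change at the identity provider
    out["offboarded"] = evaluate(alice, "sql.legacy.example:1433", PROTECTED, lambda u: True)
    return out
```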
