NinjaRMM Makes Two-Factor Authentication Mandatory

“We were weighing the pros and cons between forcing it and saying, ‘You have no choice’ and having a backlash from particular MSPs that are upset that we’re forcing them to do that, and forcing them to manage services in a certain way,” says Rachel Spatz, vice president of marketing with NinjaRMM.

NinjaRMM is throwing down the gauntlet to its MSP partners who refuse to use multifactor authentication by mandating it across its system after a partner’s network was hit last month due to poor security hygiene.

“We had a couple of customers whose organizations were breached. They did not have 2FA [multifactor authentication] enabled for their tools, including Ninja,” said Rachel Spatz, vice president of marketing with NinjaRMM. “Obviously, RMMs are a target for hackers because bad actors can access all sorts of devices through there. We are going to be making 2FA mandatory for anyone who uses Ninja.”

Spatz said the San Francisco-based company has sent out emails and community announcements, trying in as many ways as possible to communicate the threat to partners. NinjaRMM timed the announcements after well-publicized breaches but still has not managed to get everyone on board. So despite the company’s warnings, a partner was hit and that partner’s NinjaRMM was used to lock up end-user machines, which has caused chaos for the business and landed Ninja in the headlines.

“We were weighing the pros and cons between forcing it and saying, ‘You have no choice’ and having a backlash from particular MSPs that are upset that we’re forcing them to do that, and forcing them to manage services in a certain way,” Spatz said.

Richard Delaney, owner of Delaney Computer Services, a New York City-based MSP that has used NinjaRMM in its business, praised the company for putting a stake in the ground on this critical topic.

“This was a no-brainer and I commend them for getting on board with current cybersecurity best practices,” he told CRN.

Since last October, when U.S. Homeland Security issued warnings to the technology community that MSPs and MSP platform tools were targets of foreign cybercriminals due to their reach into thousands of endpoints, there have been multiple attacks.

In February, hackers exploited a ConnectWise integration with Kaseya and used an MSP to seed endpoints with ransomware. In March, massive solution provider Wipro was hacked, and again a ConnectWise tool was used to seed ransomware. Then weeks later Kaseya and Webroot partners were attacked in a breach that targeted multiple solution providers. Continuum and NinjaRMM partners were targeted in July, and the conversation around multifactor authentication has only grown louder.

Despite the headlines, Spatz said some longtime customers are digging in their heels and refusing to adopt multifactor authentication. For them, Ninja has a process that involves a security consultation with the company’s chief information security officer.

“If partners say, ‘I absolutely don’t want 2FA,’ they have to meet with our CISO, they have to discuss all of the risks that they’re agreeing to take on by not having 2FA,” she said.

Spatz said the mandatory rollout will be completed in 30 days. The company has already made multifactor authentication mandatory if the MSP is running scripts through NinjaRMM.

“Even if you just logged in and you have 2FA and you just used it, if you then go to upload and run script on other computers, it’s going to ask you again,” she said.