I’m working on a resource-constrained product and have been asked to enable support for MFA/2FA for all maintenance services. MFA/2FA is about using two elements out of three (something you have, know, are). Our maintenance application is a desktop Windows Forms application running over the HTTPS protocol to interact with the product.
I’m thinking about a model in which two-factor authentication is pushed to the maintainer’s laptop/desktop, since the product is resource constrained (no display/USB/SSH etc.). As the product is to be installed in an enterprise setup, it is possible to enforce 2FA/MFA easily for the laptops/desktops to log into the enterprise network by using a combination of password and certificate. Also, the organisation may enforce LDAP and/or 802.1X (PNAC) for authentication, or an AAA (AuthN, AuthZ, and Audit) service.
By doing this, I will be able to retain the existing product’s software as is, which only performs single-factor authentication using the password. Also, the product is not internet-facing.
Is this the right approach, or does it expose any security risk? Please advise.