It seems there are two options when it comes to passwords: 1) SSO 2) DIY with a password manager and 2FA ideally with a security key.
SSO is too pricey ($1500 base @ Okta) at the moment and SaaS prices are ever increasing so that leaves us with option 2. Using an authenticator app means using personal phones, which is tricky, and if someone were to lose their phone the replacement cost would be high. So a security key seems better in that regard despite their upfront cost. Plus security keys like YubiKey offer the ability to store TOTPs, which is necessary since not all the apps we use provide security keys as a 2FA option.
Did I arrive at the right conclusion on 2FA with security keys or did I miss something?
The other consideration is deployment. Without interrupting workflow, I figured the best way would be to set up all the keys (backup key as well for each employee) on a Friday after work and then 2-day ship them to our remote staff so they're ready for use when they return to work on Monday. It's possible we could also do it while they're on a week-long vacation to save on shipping costs.
The right solution for you will depend a lot on your existing infrastructure.
Are you a Microsoft/Azure/O365 shop? Google Workspace? Do you have graphics people working on Apple devices? OT? Do you have self-hosted infra? All cloud? Hybrid? How complex is the environment you need to protect? Are you trying to allow remote users to access your company environment, or is everyone logging in to on-prem workstations?
Depending on the answers, you might be better off working on whitelisting the applications you need to run (with AppLocker or Airlock) and setting up good protection for your high value data rather than trying to get an integrated 2FA solution in place.
Google Workspace but all Windows laptops. No Apple devices, OT, or self-hosted infra. Hybrid, I guess.
As a startup it's a very simple business operation and there's no security protocol to speak of at the moment. We just use a dozen SaaS apps and I don't think we're ready for any full-on enterprise-level security services.
OK, Workspace (web-hosted) business environment on Windows systems. You should probably use Google's built-in 2FA enforcement for access to your business stuff. It will be the easiest to implement and manage (and I think it should be free? it should just be a setting that you turn on). Also consider implementing Chrome Enterprise as a requirement for accessing your business apps; it will give you more control, and if you're using Workspace then the integration should be smooth. If your business needs expand beyond Google services, you might look at Island.
Are the laptops on Windows Enterprise or Professional? Do you have any domain management for them? Or are they off-the-shelf with Home/OEM installs?
In any case, AppLocker is built-in and free. With this you can restrict the laptops to only executing the applications that your business needs - if everything is accessed through Chrome, then it's really simple, nothing else needs to run, and if an employee has a specific extra need (Photoshop or CAD or QuickBooks or w/e) you can handle that on a case-by-case basis. If you have domain management then it's easy to enforce AppLocker on all the laptops; if not, you'll have to do each one manually, but it's worth it because it will prevent a lot of nonsense. If your business expands and you outgrow the functionality of AppLocker, consider Airlock Digital. Otherwise you can mostly leave the OS security to Windows Defender, and maybe pay for the business service or look at CrowdStrike if you need EDR features or something like that.
A big question is, where is your data? Is all of it in Workspace? Or do individual employees have pieces of it sitting on their hard drives? What happens if one of those hard drives crashes and you lose the employee's work? Are those laptops going home with them? Are they on home/shared/public networks? What if a laptop gets stolen, or lost in airport luggage? Can you remotely lock that device out of your environment? Is the data on it encrypted? As a startup, your business is your information, whatever form that takes. You need to get tracking on where your most sensitive bits of information are (customer lists, proprietary design/code/concept/etc, high-value assets, licenses/certifications/contracts, financial records, employee PII, anything that could end your business if you lost it), how they're stored and how they're used, and that is much more important than 2FA login. If possible, implement BitLocker on the laptops. Maybe learn to use FileSystemWatcher if you have sensitive files living on the Windows laptops. And start figuring out a backup plan (even if everything important is done in Workspace, keeping all of your data in Workspace doesn't count as a backup plan).
I would highly recommend that you develop a security plan based on something like the NIST Cybersecurity Framework (this is a quickstart guide aimed at small businesses with little to no existing security planning). Don't buy any fancy security products yet. Sit down and plan your security in a systematic way, and that will help expose your actual needs and blind spots. Plan to have a plan. Business continuity is the goal.
Finally, some useful information sources:
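Added example (not from anyone in this thread) of the AppLocker approach described above: build a local policy from what is already installed on one laptop, apply it in AuditOnly mode so nothing breaks, review what would have been blocked, and merge a per-user exception. The policy file paths, the Photoshop path and the user name "alice" are assumed values.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Builds a local AppLocker policy from the
# software already installed on this laptop, applies it in AuditOnly mode so
# nothing is blocked yet, then shows the audit check and a per-user exception.
# $policyPath, the Photoshop path and the user "alice" are assumed values.
Import-Module AppLocker
$policyPath = "$env:ProgramData\AppLocker-audit.xml"

# AppLocker does nothing unless the Application Identity service is running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc

# 1. Inventory the executables in the standard install locations. Signed files get
#    publisher rules (they survive updates); unsigned files fall back to hash rules.
$fileInfo = foreach ($dir in $env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemRoot\System32") {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
}
$xml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
        -User Everyone -RuleNamePrefix Baseline -Optimize -Xml

# 2. Start in audit mode. The generated collections are "NotConfigured", which
#    AppLocker treats as enforced once rules exist, so flip them to AuditOnly first.
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
Set-Content -Path $policyPath -Value $xml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $policyPath

# 3. Dry-run a file without executing it. PolicyDecision "Denied" means the rules
#    would stop it once enforced (the Downloads path is just an assumed sample).
Test-AppLockerPolicy -XmlPolicy $policyPath -Path "$env:USERPROFILE\Downloads\installer.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule

# 4. After a week, event 8003 lists everything that ran but would have been blocked.
#    Add rules for the legitimate entries and stay in AuditOnly until the list is empty.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -Wrap

# 5. Case-by-case exception: allow Photoshop for one local user only, merged into the policy.
$exceptionPath = "$env:ProgramData\AppLocker-exception.xml"
Get-AppLockerFileInformation -Path "${env:ProgramFiles}\Adobe\Photoshop\Photoshop.exe" |
    New-AppLockerPolicy -RuleType Publisher -User "$env:COMPUTERNAME\alice" -RuleNamePrefix Exception -Xml |
    Set-Content -Path $exceptionPath -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $exceptionPath -Merge
```

With domain management the same XML can be imported into a GPO instead of applied locally with Set-AppLockerPolicy; either way, switch EnforcementMode to "Enabled" only after the 8003 events have gone quiet.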
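Added example (not from anyone in this thread) of the FileSystemWatcher idea mentioned above: keep a local log of every create, change, delete and rename under a folder that holds sensitive files. The watched folder and log path are assumed values.

```powershell
# Added example, not from the thread. Logs every create/change/delete/rename under
# a folder of sensitive files. $watchPath and $logPath are assumed values; run it in
# a PowerShell session that stays open (or wrap it in a scheduled task).
$watchPath = "C:\SensitiveData"
$logPath   = "$env:ProgramData\sensitive-files.log"

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $watchPath
$watcher.Filter = "*.*"
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite, Size'

# One handler for all four event types. The log path arrives through MessageData
# because an event action block does not see the caller's variables.
$handler = {
    $e = $Event.SourceEventArgs
    $detail = if ($e.ChangeType -eq 'Renamed') { "$($e.OldFullPath) -> $($e.FullPath)" } else { $e.FullPath }
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1,-8} {2}" -f (Get-Date), $e.ChangeType, $detail
    Add-Content -Path $Event.MessageData -Value $line
}
foreach ($name in 'Created', 'Changed', 'Deleted', 'Renamed') {
    Register-ObjectEvent -InputObject $watcher -EventName $name -SourceIdentifier "Sensitive$name" `
        -Action $handler -MessageData $logPath | Out-Null
}
$watcher.EnableRaisingEvents = $true

# Keep the session alive; the registered actions do the work.
# To stop: Get-EventSubscriber | Unregister-Event; $watcher.Dispose()
while ($true) { Start-Sleep -Seconds 5 }
```

FileSystemWatcher tells you what changed, not who changed it, and a single save can fire Changed more than once; if you need the user behind each access, turn on object access auditing with a SACL on the folder and read the 4663 events from the Security log instead.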
Thanks for the thorough reply! I'll look through all the links especially the NIST doc.