Requiring 2FA daily/on network change

I’ve been a happy a happy user of Tailscale for my home network since the early days, and I’m currently trying to understand whether it meets the security needs for the small but rapidly growing startup I’m working at.

Tailscale is head and shoulders above every VPN client I’ve tried for personal use, but the always-on, intermittent reauthentication model with deferral to an SSO provider leaves me concerned about certain attack vectors that I think were mitigated by the previous solutions I encountered during my time in Big Tech.

In the past, corporate access always required 2FA daily & effectively on every network change (either due to a VPN setup that required reconnecting when the source IP changed or due to a 2FA policy at an edge proxy that required re-auth when an access pattern seemed unusual in any way).

With Tailscale, it seems like in the scenario that an employee’s laptop was snatched from a coffee shop table (and either due to an unusually weak client password or a failure to lock the screen), the thief managed to maintain access to the system, they’d now have unfettered access to our corporate assets until the theft was reported to us and we were able to revoke the user’s Tailscale cert. With either a classic VPN or BeyondCorp-style protection, the theft of an individual machine and even that machine’s credentials would still require 2FA when connecting from a new network (or even reconnecting after a couple days offline from a machine left at home on vacation).

I’m curious if I’m overlooking something here and open to feedback on this part of my threat model here.

If by BeyondCorp you mean what Google implemented, I don’t think changing the network triggers a reauth (unless it included a transition into one of the various restricted countries, which would also have other side effects), it was pretty much just time-based (usually ~20h for the user session, and ~6mo for the machine’s key). A key component of that threat model was relying on the OS to thwart most physical attacks for the short term – i.e. if you’re at the coffee shop, lock the screen when not actively using it. It’ll demand a password that the thief doesn’t have unless they put the employee under duress (which is a whole other class of problem that software can not solve). Relying on the OS only makes sense for managed devices (typically requiring FDE with keys in a TPM and weak login methods disabled), so that may or may not apply well to your situation.

Regarding other VPN client software: most of the time, the fact that other VPN software requires a reauth when switching networks is considered a nuisance rather than an advantage!

Anyway, to address the concerns you have, I think the current best way to enforce frequent 2FA is to change the key lifetime from the default of many months to 1-2 days. That option is not currently available in the admin panel but can be configured if you e-mail support@tailscale.com. Currently, a lifetime of less than a day is not recommended because it causes the client software to generate many notifications about imminent key expiry, which is something that needs to be addressed. Updating the device’s key (to extend expiration) requires a SSO login, which can include 2FA if that’s part of your SSO provider’s policy.