By Ben Weeks
Multi-factor authentication (MFA) is a method of authentication that requires users to prove their identity with more than one verification method. This adds a second layer of security to user sign-ins over and above the regular username and password. It works by requiring the password plus one or more of the following verification methods:
A randomly generated pass code
A phone call
A smart card (virtual or physical)
A biometric device
Attacks at any level can be catastrophic to a business, and we at Cielo Costa have a duty of care to our clients to ensure that access to their environments is as secure as possible.
Office 365 uses Azure Multi-Factor Authentication (MFA), which is free as part of an Office 365 for business subscription.
Once configured, users must also confirm each sign-in with a text message or the Microsoft Authenticator app (available from the App Store and Google Play). That is not to say it is infallible (there is always someone cleverer than you who will find a way around a control), but an attacker would need to spoof or take over the user's mobile phone, or find some other route, on top of knowing the username and password.
However, you need to be aware that some services cannot be secured with MFA because they only support basic (legacy) authentication, such as Exchange Web Services (EWS) when used by older clients. For example, some apps such as older iOS/Android e-mail clients need users to create App Passwords (as of iOS 11 the built-in Mail app supports modern authentication, which I believe removes this need).
The process for users to create and use these is confusing (the app simply asks for a username and password, and users do not understand why their normal password fails). An App Password is also a single factor that bypasses MFA entirely: it is a fixed-length string of letters with no special characters (therefore easier to brute force), tends to be written down, and is rarely removed when no longer in use. The result is less secure than single-factor authentication with a good password policy.
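Two checks worth running before you roll MFA out, as an added example that is not part of the original post and is not Cielo Costa's own tooling: first, report which users actually have Azure MFA enforced (registered users who are merely "Enabled" are not yet prompted), and second, close the App Password route by blocking basic authentication in Exchange Online, since App Passwords only work over basic authentication. The example assumes the MSOnline and ExchangeOnlineManagement PowerShell modules are installed and that you have already run Connect-MsolService and Connect-ExchangeOnline as a tenant admin; the policy name and the example mailbox address are assumptions for illustration.

```powershell
# Added example (not from the original post).
# Assumes Connect-MsolService and Connect-ExchangeOnline have already been run.

# 1. Per-user MFA state. StrongAuthenticationRequirements.State is
#    "Enabled" (registered, not yet required), "Enforced" (prompted on every
#    sign-in), or empty when per-user MFA has never been turned on.
$report = Get-MsolUser -All | ForEach-Object {
    $state = $_.StrongAuthenticationRequirements.State
    if (-not $state) { $state = 'Disabled' }
    $default = ($_.StrongAuthenticationMethods | Where-Object { $_.IsDefault }).MethodType
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        MfaState          = $state        # Disabled / Enabled / Enforced
        DefaultMethod     = $default      # e.g. PhoneAppNotification, OneWaySMS
    }
}
# Anyone not Enforced is still signing in with a password alone.
$report | Where-Object { $_.MfaState -ne 'Enforced' } | Format-Table -AutoSize

# 2. Remove the App Password route. A new authentication policy blocks basic
#    authentication for every protocol (EWS, IMAP, POP, ActiveSync, SMTP, ...)
#    by default, so clients must use modern authentication, and therefore MFA,
#    or fail. Policy name is an assumption.
$policy = New-AuthenticationPolicy -Name 'Block Basic Auth'
Set-OrganizationConfig -DefaultAuthenticationPolicy $policy.Identity

# If one device genuinely cannot do modern authentication (a scanner that
# only sends SMTP, say), scope the exception to that single account rather
# than leaving basic auth open tenant-wide. Mailbox address is an assumption.
$smtpOnly = New-AuthenticationPolicy -Name 'Allow SMTP Basic Only' -AllowBasicAuthSmtp
Set-User -Identity 'scanner@contoso.com' -AuthenticationPolicy $smtpOnly.Identity
```

Run step 1 again after the rollout to confirm the exception list is empty. The authentication policy can take up to a day to apply to existing sessions, so check which clients are still using basic authentication in the sign-in logs before making it the default, otherwise the first you hear of a forgotten EWS integration will be when it stops working.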
So, when planning for MFA, consider whether your users will need App Passwords (and by planning, I mean plan not to use them!).
Multi-factor authentication should be part of any business security policy, but it is not the whole solution. Security also needs to include elements such as (but not limited to):
A joiners/leavers process
Threat detection (such as unusual behaviour detection)
Cielo Costa advocates a secure online environment and can help any business understand and develop its own secure environment using Microsoft technologies as part of an Office 365 subscription.