“Authentication” is the process of proving that you are who you say you are. Traditionally that’s been done with a username and a password. Unfortunately, authenticating with a username/password alone is simply not good enough in today’s world. Usernames are often easy to discover; sometimes they’re just your email address. Since passwords can be hard to remember, people tend to pick simple ones, or use the same password at many different sites. Credentials compromised by attackers in breaches of public websites are then used against corporate accounts to try to gain access. Considering that up to 73 percent of passwords are duplicates, this has been a successful strategy for many attackers and it’s easy to do. According to Microsoft research, there are over 300 million fraudulent sign-in attempts to their services every day, and over 80% of breaches are caused by credential theft.
Enter MFA. By providing an extra barrier and layer of security that makes it incredibly difficult for attackers to get past, MFA can block over 99.9 percent of account compromise attacks. With MFA, knowing or cracking a password won’t be enough to gain access.
What is MFA (Multi-Factor Authentication)?
Multi-Factor Authentication is the process of using several different methods to prove you are who you say you are. These factors are generally described as:
- Something you know – Like a password, or a memorized PIN.
- Something you have – Like a phone (reached by call or text), a smartphone app, or a secure USB key.
- Something you are – Like a fingerprint, or facial recognition.
A password satisfies one factor (something you know), but as we’ve seen above, a single factor is no longer sufficient to confirm your identity. Requiring a password plus another factor to authenticate helps ensure that even if your password falls into the wrong hands, your account remains secure.
MFA + Microsoft 365 Methods
Microsoft Authenticator App (Push Notification)
The most secure method, and the one that is simplest for users, is the Microsoft Authenticator app installed on a smartphone. This lightweight app can be installed for free from Google Play (Android) or the Apple App Store (iPhone). Once configured, the user receives a pop-up notification on their phone after logging in with a valid password. The user simply taps the Approve button in the notification and is granted access to their account.
App Code (TOTP)
This method also uses an app, installed on a smartphone or PC. The app displays a 6-digit code which changes every 30 seconds. When logging into Microsoft services, the user is prompted for this code after entering their password. The user then opens the app and enters the code currently displayed, which grants access to their Microsoft account.
Text Message (SMS)
After logging in with a valid password, the user is prompted for a 6-digit code, which is sent via text message to the mobile number registered on their account. They must enter this code to be granted access to their account.
Voice Call
After entering their password, the user receives an automated voice call to a phone number registered on their account. During the call, they are asked to press a specific key on their phone’s number pad, at which point they are granted access. Both text and voice phone-based methods are less secure than using an app, because phone numbers can be spoofed and text messages can be intercepted, but any MFA method is better than no MFA at all.
FIDO2 Security Key
This method requires the organization to purchase an additional hardware “key” for anyone who will use it. A FIDO2 key is a small USB device, similar to a flash drive. After logging in with their password, the user is prompted to insert their FIDO2 key into a USB port on their computer. Once it is inserted, the user touches a small button on the key to confirm they are physically present, and is then granted access.
Self Service Password Reset
In addition to providing increased security, enabling MFA on your Microsoft account also lets you perform Self-Service Password Reset (SSPR) if your organization allows it. Once enabled, if you forget your password, you can use your registered MFA methods to restore access to your account immediately, without assistance from an administrator. We recommend that you take advantage of this if your organization’s policies allow it.
Risks of not enabling MFA
Passwords (especially passwords reused across multiple online services) can become compromised, allowing parties other than you to access your account easily. With access to your Microsoft account, a bad actor has access to your email, calendar, contacts, Microsoft Teams chats and teams, files stored on OneDrive, files accessible to you on SharePoint, and a myriad of other services provided to you by Microsoft. With this access, bad actors could damage your company files, access confidential or proprietary data, and gain access to other services that use your email for verification, such as banks.
Potential Challenges and Annoyances
Multi-factor authentication requires that another device be present with you to confirm that you are the one authenticating to the account. The requirements differ for each method (described above in the MFA + Microsoft 365 Methods section), but all require that this device be accessible when you are authenticating from a new device or location. Depending on the policies set by your organization, you may be prompted every time you log in, or only upon first login on a new device.
Let SpireTech help!
Unfortunately, user passwords and authentication management have too often been ignored. Some organizations view stronger authentication mechanisms as a hindrance, believing users shouldn’t be burdened with maintaining a second factor. If you are currently using only passwords to secure your accounts, you are leaving open a massive attack vector, one that could and should be easily closed. These trends need to be broken. As we’ve explained, MFA is the single most important tool available to prevent unauthorized access to your data and should be used with any service where it is offered. SpireTech is fully versed in industry-standard ways to enable MFA with minimum hassle, and is more than happy to work with your users to get this set up and ensure all accounts are protected with MFA.