Multi Factor Authentication (MFA), also known as 2 Factor Authentication (2FA), is a means of authenticating a login to a service with an additional piece of information (i.e. something more than username + password). You may find these on public services like websites or on internal services like a POS system. If you are a Microsoft Office 365 user, you should activate your MFA option today to immediately boost your security.
Confused? You shouldn’t be. Chances are you are already using MFA without realising it.
Do not overthink MFA; you have been using it for years when it comes to online banking, where you must first provide your username or account number, then a password, then a randomly created code from a different computer. This device used to be a plastic card reader issued by your bank, but in recent years, it is often a code created from inside the banking app on your mobile device. Any login process which uses more elements than just username/email + password is utilising some form of multi factor authentication.
This is more secure because someone attempting to access your account will need your password, and your 2nd factor device (such as your phone), which is close to impossible (although we would also recommend protecting your mobile device to be extra secure).
How does Microsoft 365’s MFA system work?
When we talk about Microsoft Office 365 MFA, we usually mean the Microsoft Authenticator App, which you can get for free on your phone or tablet. However, here is a list of some other popular methods:
- A phone call to confirm. (we do not recommend this)
- An SMS message with a code sent to your phone. (we do not recommend this)
- A physical USB dongle.
- A notification from an app.
Why do you not recommend using an SMS or phone call for 2FA?
Calls and SMS are not secure methods of authentication in our opinion because of “SIM swap” attacks. This is where a hacker will call your phone provider and request a service swap to a new SIM card, which if effective, will allow them to receive all your calls and SMS messages.
There have also been stories on the internet of insiders employed at mobile providers conducting SIM swaps for hackers, obviating the need for social engineering. There are also some phishing email templates circulating online, posing as your provider with a “billing problem,” and steps to follow in order to remedy it, which, if followed, will lead to you providing a hacker with the answers to your hidden questions, thus allowing them to bypass protection and swap your SIM when they call your mobile provider.
Will I have to provide an MFA code every time I log in?
No, you will not. You normally will only have to enter your MFA code when…
- You are configuring a new device, or you are reconfiguring an existing device.
- When accessing any Microsoft Office 365 platform through the web since web logins are considered to be from an untrusted system by default.
Ok, I am convinced, but what about my staff? How can I make sure they use, and keep using, MFA?
Microsoft Azure (the platform that underpins Microsoft Office 365) now has default security options that require your team to have their MFA options active. This is only true as far as browser-based logins, so it is not a good way to ensure everybody has set up their Microsoft Authenticator.
Setting “Conditional Access” policies in Azure, which includes a single Azure Premium licence for your tenant, is the best way to accomplish maximum MFA compliance. You will be able to add policies to force MFA across your Office apps. Once it is activated, it cannot be disabled by individual users.
This all sounds very complicated. We have staff joining and leaving regularly. Won’t this all take up a lot of time?
You can add “Trusted IPs” to Microsoft Azure to circumvent the MFA requirement, and if your office has a static IP, it can be added here as well. While this does theoretically expose you to the risk of IP spoofing, where anyone may impersonate you by spoofing your IP address, they would also need to know your Microsoft Office 365 password to gain access. However, while this will save you time and make things smoother, we strongly advise against using this approach unless it is truly necessary.
If you add a trusted IP address, some of your users will never be prompted to use MFA unless they login from outside the trusted region. As a result, we suggest adding a conditional access policy that only allows MFA registration from the same IP as your trusted location; otherwise, if your password is leaked, the individual with the password will be prompted to initialise MFA, which they will do on their own computer, and then gain full access.
Once our suggested conditional access policy is in place, users would need to go to the dedicated page to register their computer once this policy is in place, since they will never be asked to do so within the trusted location.
What are the risks if I do not enable MFA?
- Hackers with stolen passwords and logins could gain access to your Microsoft Azure cloud resources, including emails, files, and other sensitive documents.
- Man in the middle attacks on your email system will occur when someone gains access to your account and pretends to be you, modifying and resending emails that are in your sent items, such as changing bank account information on invoices to their own and then removing the original message. This can trick customers to sending their fund to the attacker’s account and not yours.
- Accessible files can be posted on the dark web, with a ransom demanded in exchange for removing the files. A data breach like this can result in a heavy regulatory fine.
MFA is now preferred by Microsoft over routine password updates. This is due to the restricted nature of the changes that most users make, such as placing a 1 at the end of the password. These changes are predictable and therefore not secure.
I do not trust my workers with the code because I’m afraid they’ll misplace it, or they’ll refuse to use their personal devices for work purposes.
This is something we hear a lot. And if this happens, there is a straightforward solution. Anyone dealing with this problem should buy a central device just for MFA use. For example, a simple Android tablet. Keep the device securely in your office under management supervision. A basic tablet can be purchased for less than £100.
When it comes to deploying methods like MFA, do not take shortcuts. You can use Microsoft’s free MFA inside Microsoft 365, or you can opt for a more comprehensive third-party solution like Duo which lets you encrypt everything in your organization (not just Windows).