Microsoft will soon introduce multi-factor authentication, and these are the most important considerations before you use it. […]
Microsoft will soon mandate multi-factor authentication (MFA) by changing the Microsoft 365 default settings. Microsoft points out: “If we look at hacked accounts, more than 99.9% do not have MFA, which makes them vulnerable to password spray, phishing and password reuse. Based on usage patterns, we will begin to introduce MFA to organizations that are eligible for security defaults. In particular, we will start with customers who do not use conditional access, have never used security defaults, and do not actively use older authentication clients.”
Microsoft will notify the global administrators of the eligible companies by email. “After the security defaults are activated, all users in the respective company are prompted to register for MFA. There is again a deadline of 14 days for registration. Users are prompted to register through the Microsoft Authenticator app, and global administrators are additionally asked for a phone number.” If you haven’t started implementing MFA yet, now is the right time to do it. Attackers use phishing to get into unprotected accounts, and MFA is an important method of protecting user access.
Can you still disable multi-factor authentication if you want to take the risk? Yes, but this means that your business will be an easy target for phishing campaigns. User accounts and logins are the new entry point for a variety of attacks on a network.
Determine the method of multi-factor authentication
The introduction of MFA means that you need to decide which authentication methods you will support. Researchers often point out that SMS codes are not secure; years ago, attackers were already able to bypass SMS-based MFA with a reverse proxy placed between the user and the login page. In practice, however, what matters most is that MFA is in place and working at all.
As with many security decisions, you need to do a risk analysis to determine which users need the best possible, an appropriate, or merely the necessary level of security. If you expect some of your users to be specifically targeted by attacks on MFA, you can give them hardware tokens such as YubiKeys. Users and consultants might point out that MFA is not bulletproof: it can be attacked and spoofed. The basic idea, however, is that your security only has to be a little better than that of the next domain or cloud application.
Use conditional access rules
When you add an Azure Active Directory P1 license (already included in Microsoft 365 Business Premium subscriptions), you can create conditional access rules, including allow lists of trusted locations. This lets you require MFA only for remote users, for example to protect remote email access. Conditional access rules can be made more granular so that users can keep working with their resources while the MFA requirements are still met. Typical rules are:
- Require MFA for users with administrative roles
- Require MFA for Azure management tasks
- Block sign-ins from users trying to use legacy authentication protocols
- Require trusted locations for Azure AD MFA registration
- Block or grant access from specific locations
- Block risky sign-in behavior
- Require enterprise-managed devices for specific applications
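As an added illustration (not code from the original article), the following Microsoft Graph PowerShell script creates two of the rules listed above, "Require MFA for administrative roles" and "Block legacy authentication", in report-only mode so the effect can be reviewed in the sign-in logs before enforcement. It assumes the Microsoft.Graph module, an Azure AD P1 license and an existing emergency-access account whose object ID replaces the placeholder; the role names and policy names are the author's choice here.

```powershell
# Added example: create two conditional access policies via Microsoft Graph PowerShell.
# Requires the Microsoft.Graph module and an account allowed to manage policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Directory.Read.All"

# Placeholder: object ID of the break-glass (emergency access) account, which
# is excluded from both policies so a misconfiguration cannot lock you out.
$breakGlassUserId = "<OBJECT-ID-OF-EMERGENCY-ACCESS-ACCOUNT>"

# Resolve admin role template IDs by display name instead of hard-coding GUIDs.
$adminRoleNames = @("Global Administrator", "Exchange Administrator",
                    "SharePoint Administrator", "Security Administrator")
$adminRoleIds = @(Get-MgDirectoryRoleTemplate |
    Where-Object { $adminRoleNames -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id)

# Policy 1: require MFA for users holding administrative roles, on every app.
$requireMfaForAdmins = @{
    displayName   = "CA01 - Require MFA for administrative roles"
    state         = "enabledForReportingButNotEnforced"   # report-only first
    conditions    = @{
        users          = @{ includeRoles = $adminRoleIds; excludeUsers = @($breakGlassUserId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: block legacy authentication clients (Exchange ActiveSync and
# "other" clients such as POP/IMAP/SMTP basic auth). These protocols cannot
# perform MFA, so the only meaningful control is "block".
$blockLegacyAuth = @{
    displayName   = "CA02 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassUserId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($requireMfaForAdmins, $blockLegacyAuth)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created '{0}' in state {1} (id {2})" -f $created.DisplayName, $created.State, $created.Id)
}
```

After reviewing the report-only results in the Azure AD sign-in logs, switch `state` to `enabled` to enforce the policies.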
Assessment of users’ hardware requirements
When introducing MFA, think about the hardware you need. You may need to provide mobile phones to your employees so that they can use an MFA app. If you do not provide a company phone but mandate MFA, so that employees have to use their personal smartphones, you may have to reimburse them for the cost of using their personal devices for work. You can also use hardware tokens such as the YubiKey, which supports authentication with Azure AD.
Consider backup and conversion needs
If you decide to use a device or token, you also need to plan for backups and replacement. For example, it is recommended to issue at least two YubiKeys per user so that each person has a backup. Some solutions support more than two such tokens per user account. If you use the Microsoft Authenticator app on an iPhone, you may need to set up a personal Microsoft account as the backup account.
Also, migrating between iPhone and Android is not a straightforward backup-and-restore process. On iOS the backup is stored in iCloud, on Android in Microsoft’s cloud storage. This means the backup is not available when you switch between Android and iOS devices: after the switch, you have to recreate your accounts manually in the Microsoft Authenticator app. Be sure to tell your MFA users about these migration issues in advance so that they can plan accordingly.
Microsoft is raising the bar for user authentication protection. Make it a priority this year to ensure that users are protected from such attacks. A simple username and password is no longer enough these days.