Multi-factor authentication (MFA) (aka 2-step verification) can help protect Office 365 end users should your organization be targeted by cyber criminals. But there is a caveat that IT admins should be aware of.
Currently Microsoft has about 160 million commercial customers on Office 365 with over a billion end users. Talk about a target rich environment. Every Office 365 end-user account doesn’t just let a user access one solution, but ALL solutions within the Office 365 platform that are attached to that user. That account login information is the key to accessing all of those solutions such as email, OneDrive, corporate SharePoint Online and more. The majority (90%) of all attacks on an organization come through email in the form of impersonation attacks, ransomware, spear phishing and so on. One form of attack are phishing attacks that contain “urgent” or “action required” use a combination of social engineering and spoofed Office 365 login screens to trick the end-user into entering his/her login credentials which are then stolen for nefarious (love that word) purposes.
For many years we’ve instructed end-users to create solid passwords. In modern times we have so many accounts to log into and so we have users with multiple passwords. Often the IT admin will specify a set number of days, typically 90, for password change. This pushes users to use a logic change – meaning they just alter their password slightly, and may or may not allow for password complexity. Users may use password tracking software to keep track of all of these different passwords or, more old school, rely on sticky notes under their keyboard.
With MFA, many are giving up the single factor approach and going with a multi (meaning 2 or more) verification approach with cloud-based security. With MFA you must PROVE the login credentials using more than a username and password. You must authenticate through a personal device (phone), token or biometric measure. Office 365 uses a phone for the second authentication. So ultimately the “bad guys” would need to steal both your username/password AND your phone, which probably/hopefully has some kind of pin to enter it or a thumb print reader.
Multi-factor Authentication and Office 365
When MFA is enabled for Office 365 the first time you log in as an end-user you’ll be asked to choose the alternate contact option and there are 3 in total. Either through an authenticated phone (cell), through an office phone, or through a mobile app. With your mobile or office phone you can choose if you want a code sent by text message or a call. Keep in mind you’re going to have the contact occur every time you want to log in. With the mobile authentication app you can choose to receive notifications or a verification code.
The end result is that MFA makes it much more difficult for hackers to access user accounts. Accounts that are most at risk are those with privileged access (admin accounts) or executive user accounts. But all accounts would benefit from MFA. One way Microsoft encourages MFA for everyone is to boost your Secure Score. You get 50 points (10%) added to your score (500 is the max) if you require MFA for Azure AD privileged roles. You get an additional 30 points if you require MFA for all users.
Office 365 has outages from time to time and the most recent ones have affected MFA either directly (where MFA is out) or indirectly (where Azure AD is out and this affects MFA). When MFA is not functioning properly, no matter the cause, folks wont be able to renew their access tokens when these expire. It’s not an automatic loss of connectivity but it will affect those users who need to renew that access token and can prevent login or resource access until the problem is resolved.
How do you mitigate this? Well, you can wait for Microsoft to fix the problem or you can disable MFA. The secondary caveat being that if you use MFA on your admin accounts (those with privileged access) than you might not be able to sign in, access settings and make the change. With this being a concern, many recommend you create a “break-glass account” for emergency purposes. This account doesn’t use MFA and is used only in the event of a genuine emergency.
MFA is easy to enable as an admin and easy for end-users to work with, thereby improving the protection your organization. It’s not a silver bullet. It won’t stop URL-based attacks, ransomware, impersonation attacks and so on. But it will provide an additional layer of login credential security. However, MFA has gone down due to direct/indirect outages within Office 365 or Azure and so it’s essential to plan ahead for these kinds of unforeseen occurances.