Multi-factor authentication (MFA) is a must-have in the world of business. Whether for Microsoft or any other login, we know how vital it is to be secure. For many businesses, there will be plenty of websites, portals and hubs to which employees will require access. The critical thing to note is that if employees can get access, so can cyber criminals, unless there is some additional security procedure. That’s why multi-factor authentication for Microsoft 365 and other tools is so important: it confirms that it really is you attempting to log in. The process may always feel time-consuming, but it is extremely necessary. Here’s how you can set up multi-factor authentication for Microsoft 365 specifically.

What is Multi-Factor Authentication?


Single-factor authentication is typified by a username and password. A username/password pair can easily be shared or stolen, so it is becoming increasingly important to provide additional information to confirm that only the legitimate owner of the credentials is using them. Using multiple different authentication methods in the same logon is what we refer to as Multi-Factor Authentication.

MFA requires you to authenticate using two or more different methods to validate your identity more thoroughly. The most common forms of MFA involve you a) Knowing Something (your username and password) and b) Having Something (for example, a hardware token, a soft token from a phone app or similar). This way, if an attacker manages to acquire your username and password, they will be unable to log on successfully unless they also have your physical token. The token usually presents itself as a code.

As noted, the most common implementation of MFA involves using an Authenticator App on a mobile phone. This is a device that is usually accessible/available and further protected by screen PIN, etc. The MFA code is either a time-limited numeric code or a Challenge/Response within the App itself that you must accept or reject (referred to as Push notification, as the Challenge/Response is “pushed” to the App by the MFA provider when required as part of the login process). Other methods for MFA using a mobile phone include having a code sent by SMS message.

As an example, when you have MFA enabled for your email and you sign in, you will have to enter your email address and password (Factor #1) and then provide a Time-limited PIN code when prompted or respond to an Approve/Deny request in the Authenticator App on your mobile phone (Factor #2).

Why should you consider MFA?

Using a password alone is no longer a reliable method, regardless of its length or complexity. Cyber criminals now have the means to use software which tests billions of password combinations per second, based on words in the dictionary.

If your password is only 6 lower case characters, then it can be cracked through this method almost instantly, but even a complicated password can still leave you vulnerable. The concept behind MFA is complex, layered security – a hacker may be able to find out a password that you know, but they then also need to acquire something you own and something you are. Without all three (or more) factors, the account cannot be accessed.

MFA offers enhanced security and a simplified login process. Single Sign-On (SSO) authenticates the user through MFA during the initial login process. This allows universal access to all of the software that uses SSO, without the need for repeated entry of credentials.

If you are using Microsoft 365 for Business


As a company, you have likely chosen Microsoft 365 as your collaboration platform. There are multiple ways to help keep this secure. However, some of this responsibility rests with the end user, your employee. They need to understand the importance of their role in securing their account. We have some articles that go into more detail.

The administrator of your M365 environment can mandate certain security standards, including the enforced use of MFA. Users will then be required to complete the MFA enrolment before they can continue to use the M365 platform. This should only take a minute or two but can help save you a lot of time, money and reputational damage by making it hard for attackers to compromise your M365 system.

Once set up, it provides an extra layer of security to your Microsoft 365 account at sign-in. In addition to helping secure email, this is the recommended way to go if you communicate through Microsoft Teams or share files through OneDrive. In fact, we would go as far as to recommend it for anything, both at work and personally, where sensitive or private data can be held. Even social media accounts are the targets of hackers nowadays; your online identity is valuable, and you should use all the tools at your disposal to help protect it.

How to set up Multi-Factor Authentication on Microsoft 365

Sign in as you usually would to your Microsoft 365 account: enter your username and then your password. Once you have signed in, you’ll be prompted to share more information. This is perfectly normal and is just Microsoft helping you to make your account more secure.

Once you’ve pressed Next, you will be asked to choose an authentication method. The default (and free!) option would be to use the Microsoft Authenticator app. It’s pretty easy to install on your mobile device, and Microsoft walks you through the steps of setting it all up. Even better, if you don’t have the free app installed, you can follow the link provided by Microsoft to install it. There is no excuse not to make your account more secure; there is a minimum amount of hassle! Read our step-by-step guide for downloading and setting up MFA.

Alternative authentication methods


Due to the ever-evolving threat landscape, the advice here changes from time to time to reflect what cyber attackers are doing. Microsoft supports several different methods with its MFA solution; some are “better” than others, and choosing the more secure options minimises the chance of your account being compromised.

The 4 main methods are:

  • Push Authentication
  • Time-limited One Time Password (TOTP)
  • Code via SMS Message
  • Telephone call validation

Push Authentication sends a notification to the Authenticator App on your phone and requires you to approve or deny the login request. This is seen as an option with good technical security as it’s linked to your mobile phone through a cryptographically secure process. However, we have seen that end users become so accustomed to clicking Approve (for fear of being locked out of something) that they are not always as objective or suspicious as they should be. Attackers have recognised this as a potential chink in the armour and are developing multi-stage attacks to try and take advantage of this end-user behaviour. For example, an attacker will attempt to get a username/password combo from a phishing attack, brute force, data breach etc. Once they have this as a confirmed pairing, they will inundate the end user with Push Authentication requests. The attacker is in their mailbox if the end user clicks approve on any of them. In summary, push authentication is strong and easy to use but can be thwarted if an end user is not diligent in screening the prompts they receive.
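The multi-stage pattern described above (a burst of push prompts, most of them denied or timed out, sometimes followed by an approval) is something an administrator can look for in sign-in logs. The following Python is an added example, not code from the original article or from Microsoft: it runs a sliding window over constructed sample sign-in records (the log format, the field names, the 4-prompt threshold and the 5-minute window are all assumptions) and flags users who received a flood of push prompts.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in records (not real data): time, user, MFA method, outcome.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z alice@example.com push denied
2024-03-01T08:00:14Z bob@example.com   totp success
2024-03-01T08:00:31Z alice@example.com push timeout
2024-03-01T08:01:02Z alice@example.com push denied
2024-03-01T08:01:45Z alice@example.com push timeout
2024-03-01T08:02:10Z alice@example.com push denied
2024-03-01T08:02:58Z alice@example.com push success
2024-03-01T09:15:00Z bob@example.com   push success
"""


def parse_line(line):
    """Split one record into (timestamp, user, method, outcome). Assumed format."""
    ts, user, method, outcome = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, user, method, outcome


def find_push_floods(log_text, threshold=4, window=timedelta(minutes=5)):
    """Return {user: {"prompts": n, "approved_in_burst": bool}} for every user who
    received `threshold` or more push prompts inside any `window`-long interval,
    where at least one prompt was not approved. `approved_in_burst` records whether
    an approval landed inside such a burst, the outcome the article warns about."""
    recent = defaultdict(deque)   # per-user queue of (time, outcome) inside the window
    flagged = {}
    for line in log_text.strip().splitlines():
        when, user, method, outcome = parse_line(line)
        if method != "push":
            continue
        q = recent[user]
        q.append((when, outcome))
        while q and when - q[0][0] > window:
            q.popleft()                       # drop prompts older than the window
        unapproved = any(o != "success" for _, o in q)
        if len(q) >= threshold and unapproved:
            prev = flagged.get(user, {"prompts": 0, "approved_in_burst": False})
            flagged[user] = {
                "prompts": max(prev["prompts"], len(q)),
                "approved_in_burst": prev["approved_in_burst"]
                or any(o == "success" for _, o in q),
            }
    return flagged
```

A user flagged with `approved_in_burst` set is a candidate for an immediate session revocation and password reset, not just a warning.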

TOTP also uses an Authenticator app and so is equivalent in its physical security to Push. Unlike Push, the end user has to open the App and type in the code as part of the login process. As a result, the challenge/response here is much stronger than Push Authentication – you can see how easy it would be to click Approve on a Push notification for fear of being locked out of Teams (for example), but using a TOTP is a much more deliberate workflow (login, prompted for code, open the App, type in the code). The code recycles every 30 seconds and can only be used once, so it has limited exposure. In summary, TOTP creates a little more work in the login process but, unlike Push, can’t easily be submitted accidentally.

Not all your employees will be tech savvy, and some may feel more at ease using SMS messages to receive the code. The process here works a little like TOTP, except that the message comes via SMS. However, for this to work, you will need a phone signal or service. It’s also worth noting that due to the nature of SMS, it can be more easily hijacked/diverted to an attacker than the Push and TOTP methods. Following several high-profile compromises of large, well-known organisations that were the result of redirected SMS messages sending MFA codes to attackers, the general advice is to avoid it. However, using 2FA with SMS is better than not using MFA at all – it makes it harder for an attacker to access an account, so it can be considered for that alone. It is often used in environments where users refuse to install the Authenticator App on their personal phones.

The final default option is a phone call. This is an automated service where a nominated phone is called by MS, and by answering the call, you validate the authentication method. It’s not used very often as it’s susceptible to the same risk of diversion as SMS; it’s potentially less flexible as the user needs to be by the telephone when logging on, and experience shows it’s the least reliable method in operation.

How secure is Multi-Factor Authentication?

Unless someone has managed to gain access to multiple devices, MFA is very secure. Businesses opt for various options, depending on how secure you think your network is (tip: you can never be too secure).

As a business, we recommend you set it up so that you need a verification method for every single login attempt. Although this feels like overkill, it keeps the account secure if someone loses their device. It provides peace of mind and only takes 30 seconds per login, if that! At Neuways, we do believe in efficiency, and password manager tools and other pieces of software help with that. However, we would always suggest security over speed. Thirty seconds a day keeps a cyber criminal away. Well, it certainly helps!

For more information, check out Neuways articles on cyber security and see what services we offer as a consultation service. We’d love to hear from you – Contact us at Neuways today.