Due to the ever-evolving threat landscape, the advice here changes from time to time to reflect what cyber attackers are doing. Microsoft supports several different methods in its MFA solution; some are “better” than others. Whilst some options are “more secure” than others, using any of them minimises the chance of your account being compromised.
The 4 main methods are:
- Push Authentication
- Time-limited One Time Password (TOTP)
- Code via SMS Message
- Telephone call validation
Push Authentication sends a notification to the Authenticator App on your phone and requires you to approve or deny the login request. This is seen as an option with good technical security as it’s linked to your mobile phone through a cryptographically secure process. However, we have seen that end users become so accustomed to clicking Approve (for fear of being locked out of something) that they are not always as objective or suspicious as they should be. Attackers have recognised this as a potential chink in the armour and are developing multi-stage attacks to try to take advantage of this end-user behaviour. For example, an attacker will attempt to get a username/password combination from a phishing attack, brute force, data breach etc. Once they have this as a confirmed pairing, they will inundate the end user with Push Authentication requests. If the end user clicks Approve on any of them, the attacker is in their mailbox. In summary, push authentication is strong and easy to use but can be thwarted if an end user is not diligent in screening the prompts they receive.
TOTP also uses an Authenticator app and so is equivalent in its physical security to Push. Unlike Push, the end user has to open the App and type in the code, which is part of the login process. As a result, the Challenge/Response of this is much stronger than Push Authentication – you can see how easy it would be to click Approve on a Push notification for fear of being locked out of Teams (for example), but using a TOTP is a much more deliberate workflow (login, prompted for code, open the App, type in the code). The code recycles every 30 seconds and can only be used once, so it has limited exposure. In summary, TOTP creates a little more work in the login process but, unlike Push, can’t easily be submitted accidentally.
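The 30-second rotation and single-use property described above, as an added example that is not part of the original article: an RFC 6238 TOTP generator plus a verifier that refuses to accept a code a second time. The secret and timestamps in the checks are RFC 6238's published test values; the one-step clock-drift tolerance is an assumption.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30     # the 30-second rotation the text describes
DIGITS = 6            # Microsoft Authenticator shows 6-digit codes
TOLERANCE_STEPS = 1   # assumption: accept one step either side for clock drift


def totp_code(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


class TotpVerifier:
    """Checks submitted codes and enforces single use of each time step."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_accepted_counter = -1  # highest time step already consumed

    def verify(self, submitted: str, unix_time: int) -> bool:
        counter_now = unix_time // STEP_SECONDS
        for delta in range(-TOLERANCE_STEPS, TOLERANCE_STEPS + 1):
            counter = counter_now + delta
            # A step at or before the last accepted one is a replay: reject it.
            if counter <= self.last_accepted_counter:
                continue
            expected = totp_code(self.secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_counter = counter
                return True
        return False
```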
Not all your employees will be tech savvy, and some may feel more at ease using SMS messages to receive the code. The process here works a little like TOTP, except that the message comes via SMS. However, for this to work, you will need a phone signal or service. It’s also worth noting that due to the nature of SMS, it can be more easily hijacked/diverted to an attacker than the Push and TOTP methods. Following several high-profile compromises of large, well-known organisations that were the result of redirected SMS messages sending MFA codes to attackers, the general advice is to avoid it. However, using 2FA with SMS is better than not using MFA at all – it makes it harder for an attacker to access an account, so it can be considered for that alone. It is often used in environments where users refuse to install the Authenticator App on their personal phones.
The final default option is a phone call. This is an automated service where a nominated phone is called by Microsoft, and by answering the call, you validate the authentication request. It’s not used very often as it’s susceptible to the same risk of diversion as SMS; it’s potentially less flexible as the user needs to be by the telephone when logging on, and experience shows it’s the least reliable method in operation.