MFA, is it enough?
Author: Carlos Concha
For as long as I can remember, “username and password” were the fundamental combo for everything in your digital life. You had a username for work, for school, even for your bank account. Simple passwords became complex passwords as security grew – but that only led to password reuse across platforms, typically stored in plain text in your ‘passwords.xls’ file or, worse, on a sticky note on your monitor. Over the last twenty years we’ve watched news headlines report security breaches at the places we expected to have the highest levels of security; they, too, had cracks in their armor. The breaches became so abundant that sites like www.haveibeenpwned.com were built to let you check whether your own credentials have been compromised. To improve upon complex passwords, two-factor authentication (2FA) and multi-factor authentication (MFA) came about with the promise of higher levels of security. But is that enough?
A brief history:
Two-factor and multi-factor authentication have been around since the early 2000s and were introduced to add layers of security. Do they do that? Yes, and they are something that all organizations, large and small, should consider. The difference between MFA and 2FA is simple. Two-factor authentication uses two factors (typically something you know and something you have, like an ATM card and its PIN) to authenticate a user’s identity. Multi-factor authentication uses those same two factors plus additional ones (biometrics are quite popular), hence multi-factor.
Fast forward to recent times:
Hackers continue to hone their skills and have figured out methods to hijack MFA. They’ve used techniques such as SIM swapping (duplicating a victim’s SIM card) to intercept text-message or call-back authentication factors. They’ve been bold enough to call technical support and impersonate the individual to gain access to either their account or their mobile device. Most mobile carriers now implement additional security measures to protect your account, and if you’ve ever had to reset your Apple ID you know they have implemented some serious changes. It took me a week to reset my Apple ID password, no joke!
In 2019 Microsoft reported there were over 300 million fraudulent sign-in attempts to their cloud services every day. That is a scary number and that is why I feel MFA is simply not enough. My recommendation: MFA AND Conditional Access.
What can Conditional Access do for you?
Microsoft’s Conditional Access lets you control how and where your organization’s users are allowed to access their Microsoft 365 (formerly known as Office 365) accounts and applications. The true power of Conditional Access is its granularity. The first step to help protect your organization is simply restricting Microsoft 365 access to only the countries you have employees in. If you don’t have frequent travelers, why allow access from outside the countries where your employees operate? The next step is to prevent access through legacy protocols such as SMTP, POP and IMAP, which do not support Conditional Access. You can refine access even further by device type and operating system. One of my strictest recommendations is to disable all legacy protocols at the Exchange level, preventing those attacks from even starting. While that may be too strict for some organizations, at least you know the option is available, because Conditional Access is granular and can be refined to meet your organization’s needs.
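The steps above, written out as an added example with the Microsoft Graph PowerShell SDK and Exchange Online PowerShell. This is not code from the original post or from Microsoft; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and an account holding the Conditional Access Administrator and Exchange Administrator roles. The country list and the break-glass account object ID are placeholders to replace with your own values. Both policies are created in report-only mode so the sign-in logs can be reviewed before anything is enforced.

```powershell
# Added example: geo-restrict Microsoft 365 sign-ins, block legacy authentication,
# then disable legacy protocols at the Exchange level. Placeholders are marked.
# Assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", `
                        "AuditLog.Read.All", "Directory.Read.All"

# 1. Named location listing the countries where employees operate (constructed list).
$allowedCountries = @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Allowed countries"
    countriesAndRegions               = @("US", "CA")   # placeholder: your countries
    includeUnknownCountriesAndRegions = $false          # an unknown geo is NOT treated as allowed
}
$allowed = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $allowedCountries

# Break-glass (emergency access) account excluded from every policy so a
# misconfigured policy cannot lock the whole tenant out. Placeholder object ID.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

# 2. Block sign-ins from everywhere except the allowed countries.
#    Report-only first: the policy is evaluated and logged but not enforced.
$geoPolicy = @{
    displayName   = "Block access outside allowed countries"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        locations      = @{ includeLocations = @("All"); excludeLocations = @($allowed.Id) }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $geoPolicy | Out-Null

# 3. Block legacy authentication clients. "exchangeActiveSync" and "other"
#    cover basic-auth SMTP/POP/IMAP clients, which cannot complete an MFA prompt.
$legacyPolicy = @{
    displayName   = "Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $legacyPolicy | Out-Null

# 4. Before switching either policy to "enabled", see who still signs in over a
#    legacy protocol (sign-in log access needs a Microsoft Entra ID P1/P2 license).
#    Other clientAppUsed values to check the same way: 'POP3', 'Authenticated SMTP',
#    'Exchange ActiveSync', 'Other clients'.
Get-MgAuditLogSignIn -Top 50 -Filter "clientAppUsed eq 'IMAP4'" |
    Select-Object CreatedDateTime, UserPrincipalName, ClientAppUsed,
                  @{ n = 'Country'; e = { $_.Location.CountryOrRegion } }

# 5. Strictest option: turn the protocols off at the Exchange level, so a
#    basic-auth attempt never reaches the authentication step at all.
Connect-ExchangeOnline
Set-TransportConfig -SmtpClientAuthenticationDisabled $true      # tenant-wide SMTP AUTH off
Get-CASMailbox -ResultSize Unlimited |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false        # POP and IMAP off per mailbox
```

Run step 4 for a few weeks while the policies sit in report-only mode; anything that shows up there (a scanner or line-of-business app sending mail over SMTP AUTH is the usual find) needs a modern-auth replacement or a scoped exception before the policy state is changed to "enabled" and the Exchange-level switches in step 5 are flipped.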
If you are interested in enhancing your Microsoft 365 security with MFA AND Conditional Access, please feel free to reach out to us. We are committed to helping secure both large and small businesses.