Multi Factor Authentication and Its Importance
written by Joel Reed 5/6/2020
MFA, or multi-factor authentication, is a security method that requires two or more credentials to verify identity. In an authentication procedure without MFA enabled, a user supplies only a username and password to authenticate. This proves identity through knowledge and answers the question “something you know.” If MFA is enabled, you will need to provide another form of evidence proving identity. A relatable example is an ATM transaction, where you prove identity with “something you know” (your PIN) and “something you have” (your bank card). The options on Microsoft 365 to verify identity all fall under one of three questions: “something you know,” “something you have,” or “something you are.” MFA is the simplest way to add a layer to your security. The goal is to increase the difficulty and add extra hurdles for an attacker, as you are only as secure as the weakest point in your chain of trust.
To further secure an account with MFA, the next step is choosing the least intrusive option for the second form of identification. Multi-factor authentication only works if the users in your network actually use it, so this second factor needs to fit within the user’s workflow to minimize the interruption it introduces. The most popular form of MFA is possession, providing evidence for “something you have.” This is done with something virtually everyone has: their smartphone. All the major tech companies offer some form of MFA or an associated app, e.g. Google Authenticator and Microsoft Authenticator, that makes this process effortless and quick. This ensures that adoption of this simple yet effective security measure meets little resistance.
Proving identity with possession can be done in a couple of different ways. After a user has authenticated successfully with “something they know,” their account credentials, they are then directed to authenticate with “something they have.” One example is randomly generated codes that expire quickly. After logging in, the user opens the predetermined authenticator app, which gives them a code to enter. This code is usually only valid for 60 seconds, to reduce the chance of it being intercepted by an attacker and reused. There are also variations that require only a single input from the user in a trusted application. Google, for example, shows a pop-up in Gmail simply asking whether this is you attempting to log in, with a yes or no response. This simplifies the process and keeps interruptions minimal. Some other, less popular options are connected or disconnected tokens. A connected token involves a physical connection to a device, which generates a random key and transmits it electronically. A good example of this form of identification is a card reader. A disconnected token is like the connected variation, but instead it typically has a screen that displays the generated key for the user to input manually.
The final variation of MFA is inherence. Proving “something you are” can be done in a couple of ways but usually tends to be associated with biometrics. These forms of identity can come from fingerprint, face, voice, or even iris recognition. This variant allows for quick authentication interactions but requires specific hardware. That constraint is becoming less of a restriction as smartphones grow more advanced and ship with these hardware features.
I did say there were three forms of proving identity, but there is a fourth option that is gaining popularity. The question posed for this authentication is “somewhere you are.” This newer option checks your physical location, either by requiring a hard-wired connection to a specific network or by using GPS data to verify location. This option has the advantage of not requiring anything more from the user while still restricting access to those within the network or a geographic location.
To enable MFA in Microsoft 365, Security defaults will need to be enabled. You will need Global Administrator rights to set up or modify MFA. Log in to the Admin Center and, in the blade on the left, click Show All. Under Admin centers, find and open Azure Active Directory. This opens a new page in Azure. In the blade on the left, select Azure Active Directory and then Properties. At the bottom of this page there is a link to Manage Security defaults. Once there, under Enable Security defaults, select Yes and then Save. The next time the selected users sign in, they will be prompted to set up the Microsoft Authenticator application on their phone to begin using MFA. If you have Microsoft 365 Business or your subscription includes Azure Active Directory Premium P1 or P2, you can also set up Conditional Access policies, but modern authentication must be enabled. If you don’t have these, it is an easy task to change the default properties. This is heavily recommended for all Admin accounts or any accounts with access to sensitive data. It isn’t necessary for normal users, but it wouldn’t hurt either and builds secure user habits.
MFA is the simplest way to add a layer to your security. Passwords aren’t secure and can always be compromised, no matter the length or complexity used. Adding a second form of verification can protect you from most forms of identity attacks, but not all types of MFA are treated equally. Channel-jacking and real-time phishing are still a threat to most types of MFA. Many authenticators rely on a channel to communicate, and these signals can be intercepted. Email and SMS are the most used types of MFA, and both are at risk of this. Radio signals and protocols have their own vulnerabilities that allow an attacker to use the communication channel, and most email accounts have a single layer of security: a password. Though these attacks are low cost, they are rare when compared to password-only attacks. The goal is to increase the difficulty and add extra hurdles for an attacker, as you are only as secure as the weakest point in your chain of trust.