Going Beyond MFA: Bolstering Your Security Arsenal and User Adoption at the Same Time

Multi-factor authentication (MFA) serves as a crucial line of defense for securing your digital environment. That said, it is important to recognize that existing (dare I say, “legacy”) MFA solutions often fail to address inherent weaknesses and vulnerabilities that attackers have begun to exploit, sometimes purely because they haven’t been updated to answer the new threats. This was the theme of a recent session at Microsoft Secure, an annual security-focused conference inaugurated in March of this year. Among the experts weighing in during the session (“When MFA is Not Enough: 5 Easy and Essential Steps for Hardening Our Identities”) were Chris Hoard, Partner Education Lead at Vuzion; Siegfried Jagott, CEO / Principal Consultant of Intellity GmbH; Raphael Köllner, CEO of KöllnService GmbH; and Dwayne Natwick, Global Principal Cloud Security Lead at Atos. Despite lasting only thirty minutes, the session provided a valuable trove of insights into some basic steps that organizations can take to realize the promise of properly configured and fully adopted MFA solutions. Valuable insight from attendees also highlighted the importance of properly addressing the foundational elements that can make or break an MFA implementation: user adoption and the challenges that users face when required to build these tools into their daily work life.

To start, organizations can harden MFA by committing to a series of strategies that address the latest techniques attackers have adopted to defeat it. Firstly (and almost as a prerequisite), organizations should mandate MFA for every user, eliminating the exposure that single-factor authentication creates. Secondly, weak MFA methods such as SMS or voice can be retired in favor of stronger alternatives like authenticator apps or hardware tokens. Taking this further, users can be required to match the number shown in the MFA prompt, making it more challenging for attackers to get an approval out of the app’s MFA checks. By implementing these strategies, organizations can substantially bolster the effectiveness of existing MFA systems, often without additional investment in licensing or hardware.

Next, organizations with sufficient licensing in their M365 tenant can implement Conditional Access rules. These rules govern access by considering various factors such as user location, the requesting device, and the detected IP address. By weighing these factors, organizations can greatly reduce the risk presented by outside actors leveraging stolen credentials to gain access to sensitive systems. In conjunction with requiring MFA, these measures create a robust and context-aware security framework, so that many malicious sign-in attempts that would normally slip past traditional controls (passwords, login IDs) are caught far more consistently.

Finally, organizations can go further by implementing more sophisticated tools and measures that broaden the set of factors considered when granting access. Privileged Identity Management (PIM) ensures that users have zero standing access to privileged roles and resources, and, via a request and approval process, that any escalation into these roles is accompanied by a business-related justification offered by the requestor. Azure Active Directory Identity Protection can restrict access based on policies that consider impossible travel (when a user attempts to sign in from a geographic location to which it would have been impossible for them to travel within the elapsed time), or whether the user is signing in from a Tor browser (used by many to mask their location when browsing the web, and thereby to circumvent many of the above security measures).
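The two paragraphs above describe context-aware access decisions (network, device, MFA state) and risk signals such as impossible travel and anonymizing networks. The following is an added illustration written for this post, not Microsoft's code and not Conditional Access or Identity Protection themselves: it evaluates constructed sign-in events against an assumed policy. The trusted network range, the Tor exit list, the 1000 km/h travel ceiling and the sign-in records are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt
from typing import Optional, Tuple

# All values below are constructed for the example (assumptions, not real data).
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]   # assumed corporate egress range
TOR_EXIT_IPS = {ip_address("198.51.100.7")}          # constructed stand-in for a Tor exit list
MAX_PLAUSIBLE_KMH = 1000.0  # assumed ceiling; faster than this is "impossible travel"


@dataclass
class SignIn:
    """One sign-in event: the fields a Conditional Access style check looks at."""
    user: str
    ip: str
    lat: float            # geolocation of the source IP
    lon: float
    ts: float             # seconds since epoch
    device_compliant: bool
    mfa_completed: bool


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two points (Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def required_speed_kmh(prev: SignIn, cur: SignIn) -> float:
    """Speed the user would have needed to cover the distance between two sign-ins."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.ts - prev.ts) / 3600.0
    if hours <= 0:
        return float("inf") if dist > 0 else 0.0   # same instant, different place
    return dist / hours


def from_trusted_network(ip: str) -> bool:
    """True when the source address falls inside an assumed trusted range."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def evaluate(cur: SignIn, prev: Optional[SignIn] = None) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'block', 'require_mfa' or 'allow'.
    Risk signals (Tor exit, impossible travel) are checked before the access policy."""
    if ip_address(cur.ip) in TOR_EXIT_IPS:
        return "block", "sign-in from anonymizing network"
    if prev is not None and prev.user == cur.user:
        speed = required_speed_kmh(prev, cur)
        if speed > MAX_PLAUSIBLE_KMH:
            return "block", f"impossible travel ({speed:.0f} km/h since last sign-in)"
    if from_trusted_network(cur.ip) and cur.device_compliant:
        return "allow", "trusted network and compliant device"
    if not cur.mfa_completed:
        return "require_mfa", "outside trusted network; MFA not yet satisfied"
    return "allow", "MFA satisfied"


if __name__ == "__main__":
    # Constructed events: the same user in New York, then London one hour later.
    nyc = SignIn("alice", "192.0.2.5", 40.7128, -74.0060, 0.0, False, True)
    london = SignIn("alice", "192.0.2.9", 51.5074, -0.1278, 3600.0, False, True)
    print(evaluate(nyc))
    print(evaluate(london, nyc))
```

The ordering matters: risk signals are evaluated before the "trusted network plus compliant device" shortcut, so a compromised session on a managed device is still blocked on impossible travel. A real deployment would also feed the decision into sign-in logs so the security operations team can review the reason strings rather than just the verdicts.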

The above technologies are invaluable in making MFA truly secure. But successfully implementing MFA requires not only a robust technical infrastructure, but also consideration of the user experience, and even of potential resistance. User resistance to secure authentication methods is nothing new, but we must recognize that it is a genuine response that comes from having to work with these measures in daily life, and it can quickly hinder the adoption and effectiveness of any proposed MFA solution. The need to address this challenge was echoed by several attendees in the Microsoft Secure session, and it speaks to the universal nature of the problem. To address these adoption challenges, IT should practice respectful communication that shows an understanding of user concerns and provides clear explanations of the benefits and necessity of MFA. Further, overly aggressive security measures should be weighed against their user impact. Striking a balance between security and convenience is never simple or easy, but it is necessary to ensure that users are not deterred by the processes and platforms put in place to protect them. One of the easiest ways to achieve this is by investing heavily in user education and training: these play a crucial role in fostering a security-conscious culture and empower individuals to navigate security technologies with confidence and understanding. In this way, organizations can successfully implement MFA and create a more secure environment that users will willingly support and securely engage with.

In conclusion, there are many new tools that organizations have at their disposal for protecting their data, especially in the Microsoft cloud. It is, however, up to them to successfully pursue the best ways to make use of them, and to assist their users with adopting the mindset that will make them a real success. If you’re interested in either part of this process, please come and talk to us at Cloudforce.

Since he started tinkering with computers in high school, Andrew has been aggressively chasing the boundaries of his own ignorance. Starting in 2012 with basic desktop support and working his way into running systems all over the enterprise IT sphere, two principles have guided his journey as a successful technology professional: a) You don’t know how a thing works until you break it, and b) there is no substitute for non-technical knowledge of ‘the needs’: needs not only of the client, but of one’s peers, subordinates, superiors, and most importantly, one’s self. Andrew is inspired by new opportunities to fuel collaboration and knowledge sharing through novel technology solutions and serves Cloudforce as a Senior Collaboration Engineer. He is Microsoft 365 Certified at the associate level in both Azure and Teams administration.