Best Multi-factor Authentication for Office 365: Text, Call or App?
Multi-factor authentication (MFA) is no doubt an effective way to secure your services. Identify which MFA type is best for your business.
Cyber risks are inherent in every organization. Every technology utilized in a company, be it legacy systems or the latest applications, comes with its own share of security issues.
One best practice that IT administrators can employ to mitigate risks is multi-factor authentication (MFA). MFA can be an organization's first line of defense against cyber incidents, especially if it barely has any security protocols in place. At Intelligent Technical Solutions, we require our business clients to enable MFA on all their Office 365 accounts as an added layer of security.
This article aims to provide you with an answer as to which MFA option for M365 is the best for your organization. But before we dive in, let's first touch on the definition of multi-factor authentication, its different forms, and why your organization needs it.
What is multi-factor authentication, and how does it work?
Multi-factor authentication, also known as two-factor authentication or 2FA, is a means of confirming a user's identity. As its name suggests, it utilizes not just one but two or more factors or sources of validation to verify users' identity before granting them access to an account or transaction. MFA combines multiple methods of authentication such as:
- Something you know - a username, password, PIN, secret handshake
- Something you have - a key, access card, smartphone, token devices
- Something you are - a fingerprint, iris scan, or facial recognition
With MFA, you don't necessarily have to enter a password when logging into a computer or program. MFA can make use of your username, a generated code, or biometrics to sign you in. For instance, MFA works with the Microsoft Authenticator App in three ways: a notification, a verification code, or a passwordless sign-in.
MFA is one element of an enterprise's identity and access management (IAM) framework, which refers to a set of policies that define the roles and access privileges of users and devices. IAM dictates whether a person or device is permitted to access cloud and on-premises applications.
Why do you need multi-factor authentication?
Here are the top reasons why you need to enable MFA in your business:
Establish a layered defense.
More people are now working from home using their personal devices. MFA secures your network by creating an additional barrier for attackers to infiltrate before reaching their target.
Prevent identity theft.
Password theft is more common than you think. Hackers are now becoming more creative in stealing them by using keyloggers, password cracking tools, pharming, or social engineering tactics. MFA prevents credential theft by eliminating the risks involved with weak employee passwords and human error.
MFA supports compliance by preventing data leaks. It ultimately helps you remain in compliance with several regulations, including the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Security Standard (PCI), and General Data Protection Regulation (GDPR), to name a few.
Password resets for forgotten passwords equate to lost time. With MFA, you can streamline your employees' access to company resources, keeping their productivity and morale high.
Which MFA method is the best and why?
Text and call verification depend on the cellular network, which is not inherently secure: someone could SIM-jack your service (i.e., transfer your number to a new SIM card). In other words, threat actors can steal your phone number and receive your MFA codes. They can take over your subscription by calling your cell carrier, posing as you, and convincing the carrier to change the number associated with your SIM card. With the app, they can't easily do that.
Using the Microsoft Authenticator app for MFA is, therefore, more secure than call or text. We recommend using the app's push notification option. When you set it up, you scan in the code and then enable the "approve" or "deny" option. When you log in, the app sends a notification to verify that it's indeed you. You just have to select "approve" and don't have to type in a six-digit code.
The advantage of using Microsoft's Authenticator app over keying in those six-digit codes is convenience. With six-digit codes, the browser remembers the login session through a cookie, so users don't have to repeat the authentication process the next time they log in. The cookie has an age limit, however, and when you switch browsers or use a new computer, you will have to put in those codes again. With the Microsoft Authenticator app, you can back up your codes in the cloud, so even if you reinstall it on a new phone, you don't have to reset your MFA settings.
How ITS Helps Clients Enforce the Use of MFA
ITS has a set of standards that we find is a good starting point for all clients. The standard is to set up MFA on all of their existing Office 365 accounts while allowing the flexibility to choose which option works for them.
We restrict MFA so that you can only use the Microsoft Authenticator app. Text and calls don't show up as options. Even though the Microsoft 365 platform supports them, we've set a policy that disables them. Clients then have an out-of-the-box, default experience that guides them through account management. If they have a need or concern, ITS can adjust it from there.
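One way to check that a tenant matches the app-only standard described above, as an added example that is not ITS's or Microsoft's code. It assumes the policy has been exported to JSON with `authenticationMethodConfigurations` entries carrying `id` and `state`, the shape Microsoft Graph uses for the authentication methods policy; the sample policy and the function name `audit_policy` are constructed for illustration.

```python
import json

# Constructed sample, modeled on the JSON shape Microsoft Graph uses for the
# tenant authentication methods policy (an assumption; not from the article).
SAMPLE_POLICY = json.loads("""
{
  "authenticationMethodConfigurations": [
    {"id": "MicrosoftAuthenticator", "state": "enabled"},
    {"id": "Sms", "state": "enabled"},
    {"id": "Voice", "state": "disabled"},
    {"id": "Fido2", "state": "disabled"}
  ]
}
""")

# Methods that ride on the phone number and are therefore exposed to SIM-jacking.
PHONE_BASED = {"sms", "voice"}
# Method the standard requires users to have available.
REQUIRED = {"microsoftauthenticator"}


def audit_policy(policy):
    """Return a list of findings; an empty list means the policy matches
    the app-only standard (text and call disabled, Authenticator enabled)."""
    seen = {}
    for cfg in policy.get("authenticationMethodConfigurations", []):
        seen[str(cfg.get("id", "")).lower()] = str(cfg.get("state", "")).lower()

    findings = []
    for method in sorted(PHONE_BASED):
        state = seen.get(method)
        if state is None:
            # Absence from the export is not proof that the method is disabled.
            findings.append(f"{method}: not present in export, verify manually")
        elif state != "disabled":
            findings.append(f"{method}: state is '{state}', expected 'disabled'")
    for method in sorted(REQUIRED):
        if seen.get(method) != "enabled":
            findings.append(f"{method}: not enabled, users would have no app option")
    return findings


if __name__ == "__main__":
    for line in audit_policy(SAMPLE_POLICY) or ["policy matches app-only standard"]:
        print(line)
```
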
Having MFA enabled will cut out the majority of attacks that clients are going to come across. The measure with the next most significant impact is virtual private network (VPN) access, which allows clients to securely connect to the work network and access office resources from home. This connection should also have MFA on it, which we've been implementing for clients as well.
Security You Can Trust
Deploy MFA across your devices and applications. Get in touch with our service consultants for assistance on how to set up MFA within your organization. Beef up your security posture with ITS today.