Skip to main content

Menu

Resources for IT Professionals

Get the information you need to guide your strategy and point you towards the right IT solutions.

To MFA or Not to MFA – It’s Not Really a Question Anymore

Multi-Factor Authentication Concept - MFA - Screen with Authentication Factors Surrounded by Digital Access and Identity Elements

If you’ve ever used Microsoft 365, you’ve likely encountered multi-factor authentication (MFA). And if you’re like most, you probably find it a bit of a hassle. But the truth is that MFA is essential today, where cyberattacks are becoming increasingly common. In this blog, we’ll explore the importance of MFA and other steps to keep your accounts secure.

The Problem with Passwords

Passwords are the most common form of authentication. And while better than nothing, they’re not particularly secure. One of the most significant issues is their vulnerability to being compromised. Cyber-attackers employ various methods to obtain passwords, including phishing, keyloggers and dictionary attacks. Additionally, many users choose weak passwords, such as “123456,” “password,” or “guest,” making it simple for hackers to access accounts and steal sensitive information, putting users’ data at risk.

However, using passwords that are not easily guessable creates challenges in password retention. With numerous accounts and logins to remember, it can be challenging to track them all. As a result, people often reuse passwords across multiple accounts or write them down, leaving them vulnerable to security breaches.

Even with best practices in place, there are still risks. If an organization’s password database is compromised, all its users’ passwords are exposed. Several high-profile breaches have compromised millions of passwords and associated user IDs.

Better Passwords

Passwords are the first line of defense against unauthorized access to accounts. Therefore, it’s essential to make them as secure as possible. Complex passwords should include letters (upper and lowercase), numbers and symbols. By using a mix of characters, passwords become more challenging to crack.

According to Microsoft, passwords should be at least 14 characters long. Lengthier passwords make it harder for attackers to use brute-force methods to crack them. However, longer passwords can be harder to remember. One way to manage password length is to use passphrases. A passphrase is a sentence or combination of words that are easy to remember but difficult to guess.

Microsoft also recommends users change passwords periodically. Over time, passwords can become compromised. Organizations can reduce this risk by compelling users to change their passwords regularly. However, it’s important to note that changing too frequently can be counterproductive, creating weaker passwords or resulting in the user writing them down.

Finally, using a good password manager is helpful. Password managers can generate strong passwords, store them securely and automatically fill them in when needed. By employing a password manager, users do not have to remember every password while still keeping them safe from prying eyes.

Better Accounts

Creating a “break-the-glass” account is a critical security measure every organization should consider. In a security breach, having an emergency account with the highest level of access can be a lifesaver. However, it’s crucial to remember using this account should only occur in extreme situations. Companies must store these account credentials securely and make them accessible only to a limited number of individuals.

Assigning roles and permissions to security groups is another worthwhile step in securing your accounts. Limiting resource access is vital so users can only access what they need to do their job. Separating admin and user accounts is also critical and reduces the risk of security breaches. Admin accounts should only be used when necessary and assigned on a limited basis.

When it comes to admin accounts, it’s essential to have control over them. Privileged Identity Management (PIM) and Privileged Access Management (PAM) are two solutions that can provide the necessary controls. PIM allows you to manage, monitor, and audit the use of privileged accounts and resources. PAM isolates privileged accounts to reduce the risk of stolen credentials and helps re-establish control over a compromised Active Directory environment by maintaining a separate bastion environment unaffected by malicious attacks.

MFA and Conditional Access Policies

Microsoft recommends using conditional access policies to enforce layers of control around admin and user accounts. These policies often require MFA and specify where, when, what, and how users can access specific resources. Additionally, they log the use of privileged accounts to track who is accessing what.

Conditional access policies also provide an extra control layer to secure admin and user accounts. Conditional access policies allow organizations to set specific rules around access to resources based on conditions, such as user location, the device used and even the time of day.

For example, you could create a conditional access policy that requires MFA for any user attempting to access your company’s financial data outside of regular business hours or from an unrecognized device. This example ensures only authorized individuals access critical financial information under specific circumstances that meet your organization’s security standards.

Implementing MFA and conditional access policies strengthen your organization’s security posture and reduce the risk of security breaches. As always, it’s essential to work with a trusted IT partner like OneNeck to ensure security measures are correctly implemented and maintained.

The MFA Difference

So how much of a difference does MFA truly make? According to Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA), MFA can prevent 99.9% of hacks. Even if a cyber attacker compromises your password, they won’t be able to meet the second authentication requirement, which ultimately stops them from gaining access to your accounts.

MFA is not a one-size-fits-all solution but rather an essential step in securing your accounts. While it may seem like a hassle to set up MFA and follow password management and account protection best practices, it is important to remember that the consequences of a data breach or account compromise can be far-reaching and costly. In addition to the potential loss of sensitive data, there can be legal and regulatory ramifications, reputational damage, and financial losses. It is much better to take proactive measures to prevent these outcomes than to deal with the aftermath of an attack.

Another benefit of MFA is that with a bit of finesse and conditional access, it can improve or at least minimally impact the user experience. While the initial setup and authentication process may take a few extra seconds, users feel more secure knowing that an additional layer of security protects their accounts. Additionally, many MFA solutions offer the option for “remembered devices” or “trusted locations” where the user will not be prompted for an MFA login. This automation makes the process smoother and less disruptive while maintaining security.

It is worth noting that while MFA is highly effective at preventing most types of account attacks, it is not the end of your security journey. Some attacks, such as phishing or social engineering, can bypass MFA by tricking the user into providing their credentials to a malicious actor. Additional layers, such as Endpoint protection, will be the next step on your path to a more secure environment.

Get the Most from Microsoft 365 with OneNeck

Whether you need support securing Microsoft environments, backing up M365 data or maximizing your licensing investment, OneNeck is here to help. We are a skilled Microsoft Cloud Service Provider with wide-ranging experience assisting hundreds of clients throughout their M365 adoption journey. Let us help you find the right-fit solutions for your organization’s productivity needs.

Contact us today to speak with a member of our team.

grey line