In Office 365, administrators have the option to enable an additional layer of security: multi-factor authentication (MFA). This feature lets IT staff require two or more verification methods for user sign-ins and other sensitive transactions. Two-factor authentication (2FA) is the specific case of MFA in which the end user must provide exactly two factors rather than more. If you are not sure whether enabling 2FA in your environment is worth the trouble, here are four reasons that may change your mind.
2FA Is a Simplified User Experience
Some people may think that if 2FA is good, MFA with even more steps must be better, since there is more validation. Yes and no. More validation may be more secure, but it also makes the service less usable. Go back to the classic security triad of confidentiality, integrity, and availability: if you make sign-in too difficult for the end user, they may avoid the application or service altogether, or look for ways to bypass the control, and the availability leg of the triad suffers.
Two-factor authentication gives you that second layer of security beyond a password while still making it easier on the user.
2FA Protects Against Unauthorized Access
With Office 365, Microsoft gives IT departments and end users far more control over access to files, storage, and network resources. Office 365 integrates with Azure Active Directory to synchronize passwords and provide single sign-on to a multitude of applications, which makes life easier for both the end user and the IT department. But because an Office 365 account is tied to so many other resources, its credentials become a highly valuable target for attackers.
In the simplest terms, an attacker who obtains someone's Office 365 credentials in an organization where Azure AD is integrated gains access to everything that person can see or do. If that person has access to sensitive data, intellectual property, or even just an email account, so does the attacker who now controls the account.
2FA Helps Mitigate Phishing Threats
According to the 2017 Verizon Data Breach Investigations Report, 81 percent of hacking-related breaches involved stolen, default, or weak credentials. Default and weak passwords can be addressed with other controls, such as password policy and identity and access management. Stolen credentials are a different problem altogether.
Phishing attacks designed to steal credentials, known as credential harvesting, are on the rise. Using fake login sites, such as a counterfeit Office 365 login page, attackers trick users into handing over usernames and passwords. When 2FA is in place, however, a username and password alone are not enough: without the second factor, the harvested password does not open the account. Note that 2FA raises the bar rather than removing it. A phishing page that relays the password and the one-time code to the real login within the code's validity window can still succeed, which is why phishing-resistant methods, such as a hardware security key that binds the second factor to the legitimate site, are preferred where the risk justifies them.
2FA Provides Many Options
With two-factor authentication, you can rely on sophisticated solutions, such as retina scans, fingerprints, or other biometrics, but you can also use much simpler forms of validation. Some organizations prefer a device such as a hardware token that is plugged into the computer to verify the user's identity, or a software token (an authenticator app) that runs on a computer or mobile device and generates time-based one-time codes.
Other options include:
- An SMS message that provides a one-time use code
- A verification email
- A voice call to a known number
- A push notification to a mobile device app
You can determine which second factor works best within your organization and employ it as your additional layer of defense. The options are not equivalent, though: SMS codes and voice calls can be intercepted through SIM swapping or number porting, and push notifications can be abused by sending repeated prompts until a tired user approves one, so weigh convenience against resistance to those attacks.
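To make the phishing discussion and the software-token option above concrete, here is an added example that is not from the original article or from Microsoft: a minimal server-side login check that requires both a password and an RFC 6238 time-based one-time code (what an authenticator app produces). The account name, password, timestamps, and the shared secret (the RFC 4226/6238 reference key) are constructed for illustration. The scenarios show that a harvested password alone is refused, that a stale code is refused, and the caveat from the phishing section: a code relayed in real time within its window is accepted, because TOTP cannot distinguish the attacker from the user.

```python
import hashlib
import hmac
import secrets
import struct

# RFC 4226/6238 reference secret, used here only as a constructed test key.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time (what an authenticator app computes)."""
    return hotp(secret, now // step, digits)


class Account:
    """Server-side record: salted password hash plus the shared TOTP secret (hypothetical model)."""

    def __init__(self, username: str, password: str, totp_secret: bytes):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.totp_secret = totp_secret
        self.last_counter = -1  # highest time step already accepted; blocks replay of a used code

    def check_password(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(candidate, self.pw_hash)

    def check_totp(self, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
        """Accept the current step and +/- skew neighbours (clock drift); each step at most once."""
        counter = now // step
        for c in range(counter - skew, counter + skew + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.totp_secret, c), code):
                self.last_counter = c
                return True
        return False


def login(account: Account, username: str, password: str, code, now: int) -> str:
    """Both factors must pass; a missing or wrong code is a denial, never a fallback to password-only."""
    if username != account.username or not account.check_password(password):
        return "denied"
    if code is None or not account.check_totp(code, now):
        return "denied"
    return "granted"


def make_account() -> Account:
    # Constructed user: "alice" with password "hunter2" enrolled with SECRET.
    return Account("alice", "hunter2", SECRET)


def scenario_phished_password_only(now: int = 1_700_000_000) -> str:
    """Attacker harvested only the password on a fake login page: no second factor, no access."""
    return login(make_account(), "alice", "hunter2", None, now)


def scenario_stale_code(now: int = 1_700_000_000) -> str:
    """Attacker phished a code but uses it ten minutes later: outside the accepted window."""
    acct = make_account()
    old_code = totp(SECRET, now - 600)
    return login(acct, "alice", "hunter2", old_code, now)


def scenario_realtime_relay(now: int = 1_700_000_000) -> tuple:
    """A phishing proxy relays password and fresh code within the 30 s window: the server cannot
    tell the attacker from the user, and the user's own attempt with the same code is then refused."""
    acct = make_account()
    code = totp(SECRET, now)  # the user typed this into the fake page
    attacker = login(acct, "alice", "hunter2", code, now)
    user = login(acct, "alice", "hunter2", code, now + 5)
    return attacker, user


if __name__ == "__main__":
    print(scenario_phished_password_only(), scenario_stale_code(), scenario_realtime_relay())
```

The replay guard (`last_counter`) is what stops a captured code from being reused after the legitimate login, but it does nothing against a proxy that uses the code first; that gap is closed only by a factor bound to the origin, such as a hardware security key, not by any one-time code.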
Though 2FA offers a valuable layer of security, it only works if it is configured and managed properly. Mistakes during setup or ongoing management, such as leaving legacy authentication protocols that bypass the second factor enabled, or exempting accounts that should be covered, can leave the door open to attackers while giving your organization a false sense of security. Misconfiguration can also cut the other way, locking users out to the point that the organization cannot get its work done.
When looking into 2FA options, work with a trusted partner that can not only help you make the best choice for your organization, but can also help ensure that you are implementing 2FA the right way for you. Rely on their years of knowledge and expertise to help guide you through the process and make the best decisions to protect your resources and data.