Microsoft will soon mandate MFA for some customers, and these are the key considerations before you deploy it.

Microsoft will soon change the mandate to multi-factor authentication (MFA) with changes to Microsoft 365 defaults. As Microsoft points out, “When we look at hacked accounts, more than 99.9% don’t have MFA, making them vulnerable to password spray, phishing and password reuse.” “Based on usage patterns, we’ll start [mandating MFA] with organizations that are a good fit for security defaults. Specifically, we will start with customers who aren’t using Conditional Access, haven’t used security defaults before, and aren’t actively using legacy authentication clients.”

Microsoft will notify global admins of eligible tenants by email. “After security defaults are enabled, all users in the tenant are asked to register for MFA. Again, there is a grace period of 14 days for registration. Users are asked to register using the Microsoft Authenticator app, and global administrators are additionally asked for a phone number.”

If you haven’t started MFA deployments, this is the time to do so. Attackers are using phishing attacks to go after unprotected accounts, and MFA is a key way to protect user access.

Can you still disable multi-factor authentication should you decide to accept the risk? Yes, but this means your firm will be low-hanging fruit for phishing campaigns. User accounts and logins are the new entry point for many attacks on a network.

Determine multi-factor authentication method

MFA deployment means that you need to determine which authentication process you will support. Researchers often claim that SMS messages aren’t secure, and years ago attackers were able to bypass SMS-based MFA using a reverse-proxy component. In reality, you just need to be secure enough. As with many security decisions, you need to perform a risk analysis of who needs best, better and good-enough security.
If you believe that some of your users will be targeted even when using MFA applications, you can issue hardware devices such as YubiKeys. Users and consultants might point out that MFA is not bulletproof: it can be attacked and spoofed. The idea is that you want to be just a little bit better than the next domain or cloud deployment.

Use conditional access rules

If you add an Azure Active Directory P1 license (already included for Microsoft 365 Business Premium subscribers), you can add conditional access rules that let you whitelist locations. Thus, you can require MFA only for remote users to protect remote email access. These conditional access policies can be made more granular to allow users access to resources while balancing the need for MFA. For example:

- Requiring MFA for users with administrative roles
- Requiring MFA for Azure management tasks
- Blocking sign-ins for users attempting to use legacy authentication protocols
- Requiring trusted locations for Azure AD MFA registration
- Blocking or granting access from specific locations
- Blocking risky sign-in behaviors
- Requiring organization-managed devices for specific applications

Assess user hardware requirements

When deploying MFA, keep in mind the hardware you may need. You may need to provide cellular phones to your employees so they can use an MFA application. If you do not provide them with a cell phone and mandate MFA so that they have to use their personal phones, you may need to reimburse them for reasonable use of their personal assets. States such as California, Illinois, Iowa, Massachusetts, Minnesota, Montana, New Hampshire, New York, Pennsylvania and the District of Columbia all have passed laws requiring employers to reimburse workers for work-related expenses such as the use of their personal phone for MFA. You can also deploy tokens such as the YubiKey, which supports authentication with Azure AD.

Consider backup and redeployment needs

When deciding on the device or token, you also need to plan for backups and redeployment.
For example, it’s recommended to have at least two YubiKeys per user so that the person has a backup. Some deployments support more than two such tokens per user account. If you use the Microsoft Authenticator app on an iPhone, you may have to plan on backing it up using a local Microsoft account.

Also, migration between iPhone and Android is not a direct backup-and-restore process. Your backup is stored in iCloud for iOS and in Microsoft’s cloud storage provider for Android. This means that your backup is unavailable if you switch between Android and iOS devices. If you make the switch, you must manually recreate your accounts within the Microsoft Authenticator app. Educate your MFA users about these deployment issues ahead of time so that they know of them and can plan accordingly.

Microsoft is raising the bar to protect user authentication. Make it a priority this year to ensure that users are protected from such attacks. A mere username and password are no longer enough.
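Two of the conditional access policies listed above (MFA outside trusted locations, and blocking legacy authentication) expressed as Microsoft Graph policy objects and created with the Microsoft Graph PowerShell SDK. This is an added example, not code from the article or from Microsoft; it assumes an Azure AD P1 tenant, the Microsoft.Graph module installed, an account granted Policy.ReadWrite.ConditionalAccess, and that you replace the placeholder break-glass account ID with your own emergency-access account.

```powershell
# Added example (not from the article). Both policies are created in report-only
# state so you can review the sign-in log impact before switching them to "enabled".
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of your emergency-access (break-glass) account, which must
# be excluded so an MFA or location problem can never lock every admin out.
$breakGlass = "00000000-0000-0000-0000-000000000000"

# Policy 1: require MFA for every user and application unless the sign-in comes
# from a named location marked as trusted (the "remote users only" pattern).
$requireMfaOffsite = @{
    displayName   = "CA01 - Require MFA outside trusted locations"
    state         = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: block legacy authentication clients (Exchange ActiveSync and "other"
# clients such as basic-auth POP/IMAP/SMTP), which cannot complete an MFA prompt
# and are the usual target of password-spray attempts.
$blockLegacyAuth = @{
    displayName   = "CA02 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($requireMfaOffsite, $blockLegacyAuth)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created {0} ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

Leave the policies in report-only mode long enough to confirm in the Azure AD sign-in logs that no service account or on-site workflow would be blocked, then set state to "enabled".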