Microsoft will soon mandate MFA for some customers, and these are the key considerations before you deploy it. Microsoft will soon change the mandate to multi-factor authentication (MFA) with changes to Microsoft 365 defaults. As Microsoft points out, “When we look at hacked accounts, more than 99.9% don’t have MFA, making them vulnerable to password spray, phishing and password reuse. “Based on usage patterns, we’ll start [mandating MFA] with organizations that are a good fit for security defaults. Specifically, we will start with customers who aren’t using Conditional Access, haven’t used security defaults before, and aren’t actively using legacy authentication clients.”Microsoft will notify global admins of eligible tenants by email. “After security defaults are enabled, all users in the tenant are asked to register for MFA. Again, there is a grace period of 14 days for registration. Users are asked to register using the Microsoft Authenticator app, and global administrators are additionally asked for a phone number.” If you haven’t started MFA deployments, this is the time to do so. Attackers are using phishing attacks to go after unprotected accounts and MFA is a key way to protect user access.Can you still disable multi-factor authentication should you decide to accept the risk? Yes, but this means your firm will be low-hanging fruit for phishing campaigns. User accounts and logins are the new entry point for many attacks in a network. Determine multi-factor authentication methodMFA deployment means that you need to determine which authentication process you will support. Researchers often claim that SMS messages aren’t secure. Years ago attackers were able to bypass SMS based MFA using a reverse-proxy component. In reality, you just need to be secure enough. As with many security decisions, you need to perform a risk analysis of who needs best, better and good-enough security. If you believe that some of your users will be targeted the use of MFA applications, you can use devices such as Yubikeys. Users and consultants might point out that MFA is not bulletproof. It can be attacked and spoofed. The idea is that you want to just be a little bit better than the next domain or cloud deployment.Use conditional access rulesIf you add Azure Active directory P1 license (already included in Microsoft 365 Business premium subscribers), you can add conditional access rules that allow you to provide for whitelisting locations. Thus, you can set up MFA for only remote users to protect remote email access. These conditional access policies can be more granular to allow users to resources while balancing the needs for MFA. For example: Requiring MFA for users with administrative rolesRequiring MFA for Azure management tasksBlocking sign-ins for users attempting to use legacy authentication protocolsRequiring trusted locations for Azure AD MFA registrationBlocking or granting access from specific locationsBlocking risky sign-in behaviorsRequiring organization-managed devices for specific applicationsAssess user hardware requirementsWhen deploying MFA keep in mind the hardware you may need. You may need to provide cellular phones to your employees so they can use an MFA application. If you do not provide them with a cell phone and mandate MFA so that they have to use their personal phones, you may need to reimburse them for a reasonable use of their personal assets. States such as California, Illinois, Iowa, Massachusetts, Minnesota, Montana, New Hampshire, New York, Pennsylvania and the District of Columbia all have passed laws requiring employers to reimburse workers for work-related expenses such as the use of their personal phone in MFA. You can also deploy tokens such as Yubikey, which supports authentication with Azure AD.Consider backup and redeployment needsWhen deciding on the device or token, you also need to plan on backups and re-deployment. For example, it’s recommended to have at least two Yubikeys per user so that the person has a backup. Some deployments support more than two such tokens to the user account. If you use Microsoft Authenticator app, you may have to plan on backing it up using a local Microsoft account if you use an iPhone.Also, migration between iPhone and Android is not a direct backup-and-restore process. Your backup is stored in the iCloud for iOS and in Microsoft’s cloud storage provider for Android. This means that your backup is unavailable if you switch between Android and iOS devices. If you make the switch, you must manually recreate your accounts within the Microsoft Authenticator app. Ensure that you educate your users of MFA of these deployment issues ahead of time so that they know of the issues and plan accordingly.Microsoft is pushing the bar to protect user authentication. Make it a priority this year to ensure that users are protected from such attacks. A mere username and password are no longer enough. Related content news Iranian hackers harvest credentials through advanced social engineering campaigns Mandiant observed several malicious campaigns with threat actors impersonating journalists and harvesting the victim’s cloud environment credentials. By Shweta Sharma May 02, 2024 4 mins Hacker Groups Social Engineering news Dropbox Sign hack exposed user data, raises security concerns for e-sign industry The names and email addresses of those customers were also exposed who had never created an account with Dropbox Sign but had “received or signed a document through Dropbox Sign.” By Gyana Swain May 02, 2024 5 mins Data Breach news UnitedHealth hack may impact a third of US citizens: CEO testimony Despite paying a $22 million ransom in Bitcoin to regain access to encrypted files, the company cannot confirm whether copies of the data were made or published online. By Prasanth Aby Thomas May 02, 2024 4 mins Data Breach Ransomware Hacking news Most interesting products to see at RSAC 2024 Tools, platforms, and services that the CSO team recommends 2024 RSA Conference attendees check out. By CSO Staff May 02, 2024 6 mins RSA Conference Security PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe