Secure Your IT Using Multi-Factor Authentication (MFA) Where Possible


What is MFA?

Multi-factor authentication (MFA) adds an additional layer of security that helps to protect you from people trying to access your computer accounts, data and services.  

MFA works by adding an extra level of security. In its simplest form it can be broken down into two parts: something you know and something you have. The something you know is your username and password, and the something you have is typically an application that provides a six-digit code that changes every 30 seconds, or a biometric scanner, or an SMS one-time code sent to your mobile.

Over time there have been various ways of securing accounts, each getting more comprehensive and adding more security:

  • Single factor authentication, which is a plain old username and password
  • 1.5 factor authentication, which would be a username, password and then selection of letters and numbers from a known word, which used to be a favourite with banks where they would ask you to enter, for example, the 3rd and 7th letters of your known word
  • Two factor authentication, which is a username, password and a changing code, often sent via a text message to your mobile to then enter
  • Multi-factor authentication, which is a username, password and an application where you can use an authentication application, or SMS, or biometric reader, or a near field reader security card, adding multiple layers and options for authentication

Why should you use it, especially in Microsoft 365?

I have come across people who say things like "why should I use it, we're not a big company, no one would want to break into my account", and "it's too complicated, my staff won't want to use it".

But in all honesty, neither of these things is true. 

Hackers and bad actors opportunistically target hundreds of millions of users, trying to phish for login details. It is purely a numbers game to a lot of them: they send out an email purporting to be from a company like Microsoft, saying the recipient needs to log in to their account to access a new message, with a link to what looks like a Microsoft login page. If you don't use branding for your Microsoft account, it is even easier to get phished because it is very easy to mimic the standard Microsoft login page. A user enters their username and password in the fake site and the hacker has their details.

If MFA were set up, the hacker would then try to access Microsoft using these login details, only to find their access is blocked because they cannot provide the multi-factor authentication part of the login process, meaning your Microsoft account is safe.
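The six-digit code and the blocked login described above can be shown in a few lines. This is an added example, not part of the original article; it assumes the authenticator application uses the standard time-based one-time password algorithm (TOTP, RFC 6238), and the account, password and shared secret are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays current
DIGITS = 6   # length of the code shown in the authenticator app

def totp(secret_b32: str, now: float) -> str:
    """Return the RFC 6238 code for the 30-second window containing `now`."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify_code(secret_b32: str, submitted: str, now: float, drift: int = 1) -> bool:
    """Accept the current window plus `drift` windows either side (clock skew)."""
    return any(
        hmac.compare_digest(totp(secret_b32, now + i * STEP), submitted)
        for i in range(-drift, drift + 1)
    )

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed account: the secret is shared once between the service and the
# user's authenticator app when MFA is enrolled (usually via a QR code).
SALT = b"constructed-salt"
SECRET = base64.b32encode(b"12345678901234567890").decode()  # RFC 6238 test key
ACCOUNT = {"pw": pw_hash("correct horse battery", SALT), "totp_secret": SECRET}

def login(password: str, code, now: float) -> bool:
    """Something you know AND something you have must both check out."""
    pw_ok = hmac.compare_digest(pw_hash(password, SALT), ACCOUNT["pw"])
    code_ok = code is not None and verify_code(ACCOUNT["totp_secret"], code, now)
    return pw_ok and code_ok

if __name__ == "__main__":
    t = 59  # fixed timestamp so the output is reproducible
    print("code in the app:", totp(SECRET, t))
    print("phished password only:", login("correct horse battery", None, t))
    print("password + code:", login("correct horse battery", totp(SECRET, t), t))
```

The password on its own is rejected because the service also recomputes the current code from the shared secret, which never leaves the service and the user's device.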

To say people find it too complicated to use MFA is also a bit disingenuous as most banks and online financial service sites already require users to have some form of multi-factor authentication, so people are already used to using it.

Once it has been set up, users are only required to use it when they need to renew an authentication session, so it is not needed for day-to-day usage. If you log in to your computer, this is enough to allow you access to your information in Microsoft 365. It is only if you were to log in from a new computer, one you don't usually use, or through a web browser, that you would be prompted for MFA credentials.

There have been some high-profile examples of businesses being hacked and compromised recently. We hear about these examples because of the scale of the hack, the number of people affected and the impact it has.

However, even small organisations HAVE to notify the Information Commissioner's Office if they have a security breach, so you have to notify anyone affected, such as clients, suppliers or staff. Even if this doesn't make the local papers, it still has an impact on your business, and the reputational damage often is enough to make the business go bust. After all, would you want to do business with a company that doesn't take steps to protect your information, especially when the steps they could have taken are free?

Additional benefit of MFA

Another benefit of MFA is that it helps with Cyber Essentials and Cyber Essentials Plus security accreditations. After all, you are increasing your security, which is why these accreditations like you to have it enabled where possible.

So why wouldn't you implement MFA?  After all, it is free in most cases, as are the authentication applications you can use with it.

Examples of some of the authentication applications you can use are:

  • Microsoft Authenticator
  • Apple Passwords
  • Authy
  • Google Authenticator
  • LastPass

The above are a few examples; there are many out there.

NOTE: You don't need one application per service as each will provide you with multi-factor authentication across most services so you only need one application to manage multiple accounts across different platforms.  It is surprising how many sites use MFA as an option these days as well and they can all be incorporated into one authentication application.

We STRONGLY recommend that it is enabled and used wherever it can be. This could be technology or cloud providers, such as Microsoft or Google, or it could be a site like Government Gateway, or it could be shopping sites like eBay or Amazon. Wherever you can enable MFA, it is typically free and provides that extra layer of security. What's not to like?

If you would like to enable MFA in your Microsoft tenant and need help, call us on 01722 411 999, or if you would like some advice about how to set up or use an authenticator application, again, call us and we'll be happy to help.

Publish Date: Jun 25, 2025