Microsoft Changes MFA Practices: Our Thoughts

MFA: A Security Necessity for ALL Microsoft Users

MFA, or Multi-Factor Authentication, adds an additional layer of security to a system’s access controls and has become as standard as the technology it helps secure. At its most basic, MFA adds an extra step (or several) to confirm that the person presenting your login credentials is really you, typically by sending a code or a push notification to a separate device that the password alone cannot unlock.

When it comes to account security, most systems that handle confidential information now offer Multi-Factor Authentication. Bad actors are always looking for creative ways to gather confidential information; MFA combats breaches by making a stolen password, on its own, insufficient to get into an account. Requiring MFA for every user should be the standard, not an option.

Should your login information be stolen, MFA also gives you a chance to limit what an attacker can do with the compromised credentials. With so many accounts and so many credentials to remember, it is tempting to reuse the same password across accounts (which we do not recommend, by the way). Without MFA, a password discovered in one breach can simply be used to log straight into every account that shares it. But even with that extra layer in place, it won’t always stop a persistent threat actor…

MFA Fatigue and Microsoft’s Answer

With many companies moving to multifactor authentication, attackers have turned to MFA Fatigue attacks to wear users down. The attacker already holds a valid username and password (from phishing, a breach, or password reuse) and triggers sign-in after sign-in, flooding the user’s phone with approval prompts in the hope that the user will eventually tap Approve, by accident or just to make the prompts stop. One accepted prompt signs the attacker’s session in.

To combat this growing social-engineering attack, Microsoft is changing how push-based MFA in the Microsoft Authenticator app works. Instead of a simple Approve/Deny prompt, the sign-in screen now displays a number that the user must type into the app (number matching), alongside details such as the application being accessed and the sign-in location. A tap alone no longer completes the login: the person approving must be looking at the screen where the sign-in started. Since SMS and email codes can be intercepted or phished, we also believe that moving toward authenticator applications, as Microsoft has, is a step in the right direction for better security.

Aaron Wagner, Rhodian Group’s Cybersecurity Team Lead, had this to say about the changes Microsoft is making to their MFA procedures:

“There has been a significant increase in MFA attacks. The technology for simple MFA authentication has become common yet has remained unchanged for some time.

Microsoft’s MFA helps to add defense in depth by requiring a secondary number match in addition to the increased context for both the user authenticating and alerts for administrators. While the application being signed in to has traditionally been part of authentication alerts, the additional location context helps users make a more informed decision and slow the response of clicking a request as they review the information. However, like all things in security, user education is critical to the success of these tools.”
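To make the difference concrete, here is a small Python model, written for this article and not Microsoft’s code. It puts a classic Approve/Deny push next to a number-matching push and runs a fatigue attack against both: the attacker already has the password, the match number appears on the attacker’s screen rather than the victim’s, and a worn-down user either taps Approve or types a guess. The two-digit match number, the app and location context fields, and the three-guess lock per prompt are assumptions made to keep the model simple.

```python
"""Toy model of an MFA-fatigue attack against two push-MFA designs.

Added illustration; not Microsoft's implementation and it talks to no real
service. Assumptions: a two-digit match number, app/location context fields,
and a prompt that locks after three wrong entries.
"""
import random
import secrets


class ApproveDenyPush:
    """Classic push MFA: any Approve tap on a pending prompt signs in the
    session that started it, whoever that was."""

    def __init__(self):
        self.pending = {}

    def start_login(self, username):
        # Called after the password check has already passed.
        prompt_id = secrets.token_hex(4)
        self.pending[prompt_id] = username
        return prompt_id

    def approve(self, prompt_id):
        # The phone only says Approve / Deny; nothing ties the tap to the
        # screen where the sign-in actually began.
        return self.pending.pop(prompt_id, None) is not None


class NumberMatchPush:
    """Number-matching push MFA: the sign-in screen shows a number that the
    user must type into the authenticator, which also shows the app name and
    sign-in location. An Approve tap by itself is never enough."""

    MAX_GUESSES = 3  # assumption: burn the prompt after three wrong entries

    def __init__(self):
        self.pending = {}

    def start_login(self, username, app, location):
        prompt_id = secrets.token_hex(4)
        match_number = secrets.randbelow(100)  # shown on the sign-in screen only
        self.pending[prompt_id] = {
            "user": username, "number": match_number,
            "app": app, "location": location, "guesses": 0,
        }
        return prompt_id, match_number

    def context(self, prompt_id):
        # What the authenticator app displays: context, but not the number.
        p = self.pending[prompt_id]
        return {"app": p["app"], "location": p["location"]}

    def approve(self, prompt_id, entered_number):
        p = self.pending.get(prompt_id)
        if p is None:
            return False
        p["guesses"] += 1
        if entered_number == p["number"]:
            del self.pending[prompt_id]
            return True
        if p["guesses"] >= self.MAX_GUESSES:
            del self.pending[prompt_id]  # attacker must start a fresh sign-in
        return False


def fatigue_attack_approve_deny(prompts, taps_on_prompt):
    """Attacker with a stolen password fires `prompts` pushes; a worn-down
    user taps Approve on prompt number `taps_on_prompt` (1-based)."""
    server = ApproveDenyPush()
    for n in range(1, prompts + 1):
        pid = server.start_login("victim")
        if n == taps_on_prompt and server.approve(pid):
            return True  # attacker's session is now signed in
    return False


def fatigue_attack_number_match(prompts, rng):
    """Same attacker with number matching on. The match number is on the
    attacker's screen, so the user can only guess; model one random guess
    per prompt (a fatigued user mashing digits to make it stop)."""
    server = NumberMatchPush()
    for _ in range(prompts):
        pid, _number_on_attacker_screen = server.start_login(
            "victim", app="Office 365", location="Unknown")
        if server.approve(pid, rng.randrange(100)):
            return True
    return False


def legitimate_login():
    """The real user sees the number on their own screen and types it."""
    server = NumberMatchPush()
    pid, number = server.start_login("victim", app="Office 365", location="Home")
    return server.approve(pid, number)


def attacker_success_rate(trials, prompts_per_trial=1, seed=0):
    """Fraction of fatigue attempts that succeed against number matching."""
    rng = random.Random(seed)
    wins = sum(fatigue_attack_number_match(prompts_per_trial, rng)
               for _ in range(trials))
    return wins / trials
```

Against Approve/Deny, the attack succeeds the moment the user taps once; against number matching the same user can only guess the two-digit value, so the success rate collapses to roughly one percent per prompt and each prompt burns out after a few wrong entries. That is the whole point of the change: the approval now has to be made by someone who can see the sign-in screen.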

What’s next?

Microsoft Office 365 offers multiple options for Multi-Factor Authentication. They even have their own Microsoft Authenticator app, and an extensive guide on how to set it up.

Rhodian Group can help ensure that accounts are secured and give you peace of mind that user accounts are safe. Our team offers training and other resources so users understand how passwords get leaked and know how to stay alert and watch for suspicious activity, such as an MFA prompt they did not trigger.

For other services, you can usually check whether MFA is offered by going to your profile settings and looking for a Security section. We always recommend securing any account that holds important information with MFA.

Contact us to talk about other strategies to secure your systems and to get a no-obligation IT and Cybersecurity consultation.

You can also check out our Cybersecurity Handbook and HIPAA Compliance Checklist to learn more about ways to better secure your data and HIPAA compliance requirements.

Disclaimer: The appearance of external hyperlinks in our blogs does not constitute endorsement by Rhodian Group of the linked websites, or the information, products, or services contained therein. Where not stated otherwise, Rhodian Group does not own or maintain any of the external websites that are linked in our blogs.

Please let us know if you believe any existing hyperlinks are inappropriate.

Let's Discuss Your Needs

Our experience with hundreds of businesses across diverse industries provides us with the expertise to understand your unique challenges.