Use MFA - Multi-Factor Authentication
Updated: Mar 3
Since we are a Microsoft GOLD Cloud Partner, it's all about Microsoft Security at Finchloom in 2020.
If you aren't using Multi-Factor Authentication, you are leaving yourself vulnerable to password theft and you should assume that you have already been breached! So what does this all really mean? I'm going to spell it all out for you in plain English in this blog post.
PASSWORDS ALONE ARE NOT ENOUGH (Were they ever really though?)
Remember when computers first came around and you had to enter a password to log in to your computer? Many people thought that it was too annoying and time consuming to type a 4-12 character password (most weren't even enforcing complex passwords until the early 2000s), and they asked for the computer to log in automatically, or they'd write their password on a sticky note and put it under their keyboard. Super secure stuff. But it wasn't as big a risk because the computer was physically secured in an office with no Internet, so you only had to worry about a co-worker walking up to your computer and logging in as you.
I can tell you horror stories for days about the misuse of passwords in the old days... and in a separate shameless plug, I want to tell you that our new weekly YouTube show called "The Finchloom Show" has a segment where we just talk about horror stories. They're fun to learn from - you should check us out! Subscribe to our YouTube Channel for updates when the show goes live each week.
Let's fast forward a bit past the dawn of the Internet in business and go straight to Cloud Services. Now the organization's data is in the cloud - not on the local computer. The perimeter has changed: you are no longer physically protected by the four walls that surround your business. There are hungry hackers around every corner trying to access your cloud resources, since they are easy to reach. But the problem is they don't have your passwords - so this started a whole new breed of attack called PHISHING, where hackers employ techniques to trick you into giving them your password on a fake website or by installing malware that records your keystrokes.
Or, maybe you are using a risky password that is well known or guessable to hackers or was released in a password dump on the dark web. You DO KNOW that entire databases of passwords have been posted to the dark web, right? I sure hope you aren't using one of those... But if a hacker does get your password and your data is in the cloud, they can simply log in to the cloud service and establish camp inside your mailbox or inside your files.
Again, we've heard horror stories about hackers that log in to a user's mailbox and set up forwarding rules to forward all the email the employee writes or receives to the hacker. They are just sitting there quietly spying on you, waiting to find the information that they need to launch the real attack.
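The forwarding-rule scenario above is one of the few attacker behaviours that leaves an obvious trail in mailbox audit logs. The following is an added example, not code from the original post or from Finchloom: a small detector that scans simplified audit records (the record shape, the internal domain list and every address in the sample data are constructed for this illustration) and flags any inbox rule or mailbox setting that forwards mail to an address outside the organization's own domains.

```python
from typing import Dict, Iterable, List

# Audit operations that can introduce mail forwarding. The parameter names
# mirror the Exchange cmdlets' own parameters; the record layout here is a
# simplified stand-in for a real unified audit log export.
FORWARDING_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMETERS = {
    "ForwardTo",
    "ForwardAsAttachmentTo",
    "RedirectTo",
    "ForwardingSmtpAddress",
    "ForwardingAddress",
}


def normalize_addresses(value) -> List[str]:
    """Accept a single address or a list; strip any 'smtp:' prefix; lowercase."""
    values = [value] if isinstance(value, str) else list(value)
    cleaned = []
    for raw in values:
        addr = raw.strip().lower()
        if addr.startswith("smtp:"):
            addr = addr[len("smtp:"):]
        cleaned.append(addr)
    return cleaned


def is_external(address: str, internal_domains: Iterable[str]) -> bool:
    """An address is external when its domain is not one the tenant owns."""
    domain = address.rsplit("@", 1)[-1]
    return domain not in {d.lower() for d in internal_domains}


def find_external_forwarding(records: Iterable[Dict], internal_domains: Iterable[str]) -> List[Dict]:
    """Return one finding per external forwarding target found in the audit records."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in FORWARDING_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        # Rules that also delete the message are a common way to hide the forwarding.
        deletes = str(params.get("DeleteMessage", "")).lower() == "true"
        for name in FORWARDING_PARAMETERS & params.keys():
            for addr in normalize_addresses(params[name]):
                if is_external(addr, internal_domains):
                    findings.append({
                        "user": rec.get("UserId"),
                        "operation": rec["Operation"],
                        "parameter": name,
                        "target": addr,
                        "deletes_original": deletes,
                    })
    return findings


# Constructed sample records: one malicious rule, one benign internal rule,
# and one mailbox-level forward. None of these are real users or domains.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "Archive"},
                    {"Name": "ForwardTo", "Value": "collector@outside.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "To assistant"},
                    {"Name": "ForwardTo", "Value": "assistant@contoso.example"}]},
    {"Operation": "Set-Mailbox", "UserId": "carol@contoso.example",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:carol.home@outside.example"}]},
]
INTERNAL_DOMAINS = ["contoso.example"]

if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE_RECORDS, INTERNAL_DOMAINS):
        print(finding)
```

Run against a real audit export, the same function would be fed the parsed `Parameters` of each record; the point of the example is that the check itself is just "forwarding target's domain is not ours", which is cheap enough to run on every new rule.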
AND IT'S NOT JUST YOUR EMPLOYEES YOU HAVE TO BE CONCERNED ABOUT
Users of the cloud are no longer just employees at your organization - we all have business partners, vendors, and customers who may now have access to our cloud data. Imagine you are using Microsoft Teams and you create a Team called "New Building Team" so your internal team can collaborate with external architects, planners, financial teams, etc. The same security approach applies to business partners, vendors, and customers who log in to your cloud. You don't want to protect their access with just a password either. With Azure AD, you can enforce MFA for guests who log in to your Microsoft 365 tenant, so you can also protect non-employees who are given access to your cloud data and apps. Think beyond just employees when looking to secure logins.
WE DON’T WANT THE PASSWORD TO BE THE ONLY THING THAT PROTECTS YOU!!!!!
You really MUST choose to use Multi-Factor Authentication in this day and age to go along WITH your password. Multi-Factor Authentication is the concept that it takes more than just one thing (i.e., a password) to access your cloud apps and data. With Multi-Factor Authentication you need TWO things to get in - something you know (the password), and something you have on you (mobile device authenticator, PIN code, physical keyfob/card).
MFA IS NOT INCONVENIENT - GETTING HACKED IS
I've heard countless IT Leaders and Business Executives scoff at Multi-Factor Authentication. They say it's too time consuming to pick up their mobile device and copy a 6-digit code into the browser. They say it's a pain to pull their phone out of their pocket to approve a multi-factor authentication request after they type their password. Well, it's time to get over it.
I've also heard from End Users who go to set up MFA and they too scoff at this extra protection and security. They wonder why they have to "give" Microsoft their personal cell phone number to get the text message with the MFA code. They fear that Microsoft is going to use their phone number to call or text them spam to buy Microsoft Office. I'm here to tell you - that is NOT the case. When you set up MFA, you are providing your phone number or using your mobile device ONLY to secure your login. That information is never used by Microsoft, Finchloom, or any other company to send you marketing or sales pitches.
The pain, suffering, inconvenience, and cost of a hacking attempt ARE NO COMPARISON to the simple habit we are asking people to form in their daily login activity. Over time (in fact, some studies show it only takes 13 days to learn this new habit), you will find that Multi-Factor Authentication becomes second nature. Every time I enter my password now, I instinctively pull out my phone expecting the MFA prompt for me to approve. It's literally part of me now, like putting on a seatbelt in a car. It cannot be avoided either. In your personal life, you have to use MFA to access your bank and other highly sensitive online websites. It's time to bring your business to the same levels of security that we use at home!
MFA IS SIMPLE TO ROLL-OUT.
Talk about low-hanging fruit! There is a free version of Multi-Factor Authentication that comes with Office 365 or Exchange Online that you can turn on and start using today! It just takes a little training of the end users, but they will quickly come up to speed in this new normal. Also, there is a second way to do Multi-Factor Authentication with Azure AD called CONDITIONAL ACCESS, which is included in most Microsoft 365 subscriptions. Conditional Access is the mechanism in Azure AD that decides if you are allowed access based on SEVERAL factors - such as WHO you are, WHERE you are, WHAT device you are using - and THEN, if you pass those qualifications, you get the MFA prompt. Conditional Access gives you much more control and the ability to do things like block sign-ins from countries known for hacking, and it may require an add-on license if you aren't already on Microsoft 365.
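To make the "WHO, WHERE, WHAT device, THEN MFA" ordering concrete, here is an added example, not code from the original post or from Azure AD itself: a toy policy engine that evaluates constructed sign-in events against three policies of the kind the paragraph describes (block a list of locations, block unmanaged devices, require MFA for every user including guests). The policy model, the `SignIn` fields and the two-letter location codes in the block list are all assumptions made for the illustration; a real Conditional Access policy has many more conditions, but the precedence shown here (a block always wins, and MFA is only prompted once the other conditions pass) is the behaviour the paragraph explains.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class SignIn:
    """One sign-in attempt as the policy engine sees it (constructed fields)."""
    user: str
    user_type: str            # "member" or "guest"
    location: str             # two-letter code resolved from the client IP
    device_compliant: bool    # managed device that meets compliance policy
    mfa_satisfied: bool       # user already completed MFA in this session


@dataclass
class Policy:
    """A simplified Conditional Access policy: conditions plus one control."""
    name: str
    control: str                              # "block" or "require_mfa"
    user_types: Set[str] = field(default_factory=set)   # empty = all users
    locations: Set[str] = field(default_factory=set)    # empty = any location
    device_compliant: Optional[bool] = None             # None = any device

    def matches(self, s: SignIn) -> bool:
        """All non-empty conditions must hold for the policy to apply (AND)."""
        if self.user_types and s.user_type not in self.user_types:
            return False
        if self.locations and s.location not in self.locations:
            return False
        if self.device_compliant is not None and s.device_compliant != self.device_compliant:
            return False
        return True


def evaluate(policies: List[Policy], s: SignIn) -> str:
    """Return 'block', 'mfa_required' or 'grant' for one sign-in.

    Precedence: any matching block policy wins outright; otherwise an MFA
    requirement is enforced only if the session has not yet satisfied it.
    """
    applied = [p for p in policies if p.matches(s)]
    if any(p.control == "block" for p in applied):
        return "block"
    if any(p.control == "require_mfa" for p in applied) and not s.mfa_satisfied:
        return "mfa_required"
    return "grant"


# Constructed policy set; "XX" and "YY" are placeholder location codes, not
# real countries, standing in for whatever locations the tenant chooses to block.
POLICIES = [
    Policy("Block sign-ins from listed locations", "block", locations={"XX", "YY"}),
    Policy("Block unmanaged devices", "block", device_compliant=False),
    Policy("Require MFA for all users and guests", "require_mfa"),
]

# Constructed sign-in events covering each factor in turn.
EVENTS = [
    SignIn("alice@contoso.example", "member", "US", True, False),   # needs MFA
    SignIn("alice@contoso.example", "member", "US", True, True),    # MFA done
    SignIn("guest@partner.example", "guest", "US", True, False),    # guest, needs MFA
    SignIn("bob@contoso.example", "member", "XX", True, True),      # blocked location
    SignIn("carol@contoso.example", "member", "US", False, True),   # unmanaged device
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(f"{ev.user:28} {ev.location} compliant={ev.device_compliant!s:5} -> {evaluate(POLICIES, ev)}")
```

Note that the last two events are refused even though the user had already passed MFA: location and device are evaluated before the MFA control ever gets a say, which is exactly the extra control the paragraph credits Conditional Access with over plain per-user MFA.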
ENABLING MFA IS ONE OF THE EASIEST THINGS YOU CAN DO TODAY TO PREVENT THE MOST AMOUNT OF HACKING RISK IN YOUR COMPANY!
And if what I told you above is already second nature to you and you are already using MFA in your work and personal life, then I challenge you to the next frontier - GOING PASSWORDLESS!!!!! Yes, we can all stop having to remember passwords. It's a bit bleeding edge, so if you are into that, we can talk ;)
Thanks for reading the blog - I'll post again in February with another Security topic.