Have you turned on MFA to lock up your filing cabinet, but left the doors to your office wide open?
Here’s why effective credentials protection using Multifactor Authentication should involve much more than just protecting your Office 365 account!
If you’ve been greeted with a new step in your Office 365 log-in process over the last 12-18 months – congratulations! It’s likely that you’re working for a very proactive and security-conscious organisation that has chosen to better protect your Office 365 login credentials from being breached!
Long story short, whether your organisation has suffered a credentials-based data breach or not, businesses today are more critically aware of need to protect their Office 365 accounts and logins to other critical systems. This stems from evidence and experience across industries and businesses large and small that credentials-based data breaches via phishing, business email compromise, or brute force attacks are the number-one way malicious actors get into your systems to wreak their havoc!
Thanks to last year’s spate of relentless Office-365-based attacks where unwitting users would click on fake, albeit legitimate looking, Dropbox or other file-sharing links and then give up their Office 365 credentials when asked to “log in” to access the document, many businesses have turned to MFA to better secure their users’ Office 365 credentials. And rightly so! At this point in time, MFA is still one of the best possible bang-for-your-buck security protection you can wrap around Office 365 accounts.
But we’re pretty sure you’d agree that despite the sheer might and domination of Microsoft’s workplace app and productivity tools, we all use, access and communicate via lots of other tools outside Office 365 as well to get our jobs done.
It’s important to remember that having MFA enabled for your Office 365 accounts, protects just that – your Office 365 account. What about all those other places and spaces you access, create and collaboration in daily to get your job done?
Think of it this way – If adding MFA protection to your devices and systems is like having a great lock on the front door to your office building, then the protecting your app and software access with MFA is like locking the door to your office, whereas protecting Office 365 alone is like locking up your filing cabinet.
I’m pretty sure in the real world you’ve got locks on all three, right?
The MFA Balancing Act
The MFA balancing act involves ensuring you’ve got the right extra factors of authentication enabled across
- your apps, software and cloud services (just like Office 365) AND
- your devices and systems.
Protecting your apps, software and cloud services with MFA
In cases when you use multiple devices to access the same software, for example, if you access your Office 365 account regularly from your desktop, phone and laptop, it obviously makes more sense to protect the software rather than any specific device.
This means that regardless of which device you use to access the software application, you will always be prompted to verify and authenticate your credentials to may sure you are…well…you!
Protecting your devices and systems with MFA
When MFA is enabled at a device level, users must provide the additional factors needed to authenticate a log-in attempt on the device. Failure to do so will block access to the device or system itself and all the data that resides on it. This is important to you do not allow device sharing across your organisation, and of course, as an added layer of protection in the event that the device is lost or stolen.
Covering More Bases with MFA – Better balancing up the scales
Beyond MFA at a high level, there are several more specific use cases you might also need to scope out in detail depending on the nature of your operations and the way your team actually works. Let’s look at few of these more specific MFA use cases below.
Location-based MFA, as you may expect, examines the location from which a log-in attempt is being made. If an employee is only permitted to access company data or emails from their office desktop but from no other device, including their phone, laptop or tablet or public/shared computers, then location-based MFA will reject their attempt to log in.
Location-based MFA through broader Conditional Access, as well as Mobile Device Management, policy settings is especially useful to assist with prevent fraudulent log-in attempts from overseas locations, preventing disgruntled or unauthorised employees from accessing (and possibly downloading) sensitive data from outside the office, and preventing employees from accessing company data from public or shared computers when they may be travelling.
Remote Desktop MFA protection
In the case where you do want to enable employees to log in and gain remote access to their desktop from wherever they are, you may require remote-desktop MFA protection to make sure only the people you intend to have remote access actually do!
When an employee logs in to access their desktop remotely with a username and password, remote-desktop MFA will prompt them to provide an additional factor to authenticate the log-in attempt. Naturally then, if a malicious actor gets hold of a username and password or attempts a brute-force attack, they will be blocked from gaining remote access to desktops or your systems.
Virtual Private Network (VPN) MFA protection
It’s all totally private…’till it’s not, right? If your organisation makes use of VPNs when travelling or working out of the office, then it’s a good idea to consider protecting your VPN with MFA. Again, users will be prompted to provide an additional factor of authentication before VPN access is granted. This gives your organisation the ability to carefully regular the number of people/legitimate users accessing the network.
Help desks around the world deal with multitudes of sensitive personal, financial, billing and account data that they bring up to solve customer service requests each and every day. If you operate a customer-facing support service of any kind that requires access to personal information and the giving of advice based on that information, help-desk verification may be something you need to consider. This will then require clients or customers to provide proof (via an additional authentication factor) that clients are who they say they are when contacting help desks or information centres.