If you only use a username and a password you are increasingly vulnerable to these targeted attacks, but there are some very simple steps you can take to add additional layers of protection. One of those is to deploy Multi-Factor Authentication.
What is MFA?
Before we answer this, it’s worth understanding what a ‘factor’ is in this sense. The basic ‘factor’ is your password. Multi-Factor Authentication still uses a password, but it also requires a second stage before you can access your account. Commonly, though not always, this second stage is a mobile phone set up as a known device in your account.
What’s Wrong With My Password?
Usernames are easily found out. When you type in your credentials, you will have noticed that your username is fully visible – whether that’s logging into your PC or an online account. Your password, meanwhile, is always blanked out.
With most online services such as Office 365, your username is easy to guess; it’s usually your email address. Your password should be complex, making it hard to guess, and you should not share your password with others or re-use the same passwords across multiple accounts.
Of course, having dozens if not hundreds of portals and services all with a different password is a recipe for chaos. You either forget all those passwords or have to use some sort of system for remembering them – like incrementally adding a number to the end. Unfortunately, this is a well-known method, and thus, easily guessed.
Many people also do re-use the same passwords for multiple logins; that’s also known, so if you use one password for Office 365, perhaps you use the same one for Facebook, LinkedIn, Twitter, online banking?
Although simple to setup and use, Basic Authentication makes it easier for attackers armed with today’s tools and methods to capture users’ credentials and increases the chance of credential re-use against other endpoints or services.Microsoft, Sep 20 2019
Password vaults, like Last Pass, are a great way to manage all your passwords, while still keeping them complex. You only have to remember one password to the vault then copy the one you need.
However, just having a complex password doesn’t quite go far enough. The most obvious exploit is a phishing attack. Commonly, this involves an email sent to your account with a link or an attachment which takes you to a fake sign-in page. Once you enter your username and password, perhaps nothing happens. You think, well that didn’t work, and go back to what you were doing, or maybe forward it to IT Support to have a look for you.
That fake sign-in page is the problem, though. It’s set up by the hacker to get you to enter your credentials. It doesn’t matter how complex your password is, once someone has it, they have access.
How Does MFA Help?
Having your phone or another device set up as a second factor in authenticating your online accounts means that, on a basic level, you cannot access the account without both your password and that device. If you were to ‘lose’ your password to a phishing attack, the hacker would still not be able to access your account unless they also had your phone.
The phone can be used in different ways:
- PIN sent by Text
When you set up MFA you give the account your mobile phone number. At sign in, you are sent a PIN (usually 4 or 6 digits) which you enter after your password. This is a one-time pin code that expires after a minute or so.
- PIN generated by an App
Like a text, you have an app installed on your phone that has been registered against the account, usually by scanning a QR code. It generates the PIN for you. One benefit of this is that should the hacker have obtained your phone, or spoofed your phone number (yes, that can happen) they might have the PIN visible on the lock screen. Using an App means that the phone has to be unlocked to get the PIN. The Microsoft Authenticator has an even easier method, simply asking you to ‘Approve’ the sign in by pressing a button on the phone.
Where Can I Use MFA?
Most online services worth their salt will have MFA as a sign-in option, though you will usually have to go and enable it in the settings. Most are also compatible with the common authenticator apps, like Google.
If you are using a corporate service like Office 365, then you will probably need to get your IT Admins to enable it for you across the whole organisation.
Microsoft Moves to Enforcing Modern Authentication
As a result of the heightened security awareness around online services, Microsoft will be ending what they call ‘basic authentication’ to access certain email services from October 2020, effectively making signing into Office 365 and other free services dependent on MFA of some kind.
Microsoft Partners (like us) are already required to use MFA on all user accounts in Office 365. This is a reflection of the importance Microsoft places on security; as partners, we have privileged access to client services through our login accounts, and thus the scope for abuse should we be compromised is even higher than it might otherwise be. It’s also something that we enforced well before Microsoft did as part of our basic Cyber Security, reflecting, in turn, the importance we place on those same clients – and our own data!
In fact, every service we use requires MFA, enforced for all users. We wouldn’t have it any other way.
If you want to know more about MFA, how to use it and why, you can always drop us a line.