Microsoft Warns: Do Not To Ignore Multi-Factor Authentication
Multi-factor authentication (MFA) is not everyone’s favourite way of logging into business applications and private accounts, but it is a necessary burden.
We appreciate MFA is another level of complexity – and probably conflicts with your privacy interests – but it is among the best IT security tools available.
Microsoft is the latest tech giant to release a report demonstrating the virtues of the latest MFA solutions. The company’s Cyber Signals Report (2022) concludes:
“Leading with identity-focused solutions including enforcing multifactor authentication (MFA), adopting passwordless solutions, and creating conditional access policies for all users dramatically improves protection for devices and data, particularly as hybrid work continues to create scenarios where remote access, user roles, and physical locations vary.”
Previous data claims that 99% of Microsoft accounts that get hacked were not using their Azure AD multi-factor authentication (MFA) solutions. The tech giant also claims that MFA is one of the best layers of protection against remote phishing – especially with the increase of remote workers.
From our perspective and our experience, we completely agree with Microsoft and the hordes of other cybersecurity professionals. We think you should as well.
Why do users not like Multi-Factor Authentication?
It’s fair to say that resistance to MFA falls into two complaints; usability and privacy.
In our view, the first complaint is not really an argument. Okay, you have to take a step or two more than simply entering a password, but MFA takes a matter of seconds.
Those few seconds could save you thousands, if not ten of thousands or millions of pounds. The global average cost of a data breach is a jaw-dropping £3.03 million.
The second complaint is a valid argument. Privacy issues are a genuine concern and handing your personal number to corporate entities that you may not trust (trust in corporations is at an all-time low) is understandable.
What’s more, there are different methods of multi-factor authentication. And each method of security feels even more intrusive than the last. The types of MFA options offered to Microsoft users are:
- Voice call
The safest option today is to generate a one-time password that is sent to a device secured with your biometric data. Although many users do not feel at ease with biometric systems, they are the best mode of security we have to date. It’s been in the making for almost two decades.
Text is not a good MFA solution
Receiving a text message to your mobile phone is arguably the most popular and preferred way of executing MFA. It’s smile, relatively hassle-free and doesn’t feel like it’s violating your privacy rights. It’s also the worst method of two-way authentication.
It was shown back in 2016 that two-factor authentication (TFA) – another way of saying MFA – was not a convincing method of enforcing cybersecurity. As a matter of fact, it makes users even more vulnerable. The banks went with anyway.
Intercepting text messages sent across telecom networks is proven to have been performed multiple times by hackers and law enforcement agencies. Moreover, CNET reports that critical data that enables hackers to infiltrate a target’s bank account “tends to get leaked from banks and large corporations”.
As the T-Mobile hack illustrated, stolen credentials give hackers the ability to execute a “SIM swap” and intercept 2FA. Once bad actors have hacked a mobile network that gives them access to SIM card data, they can redirect your mobile number to a phone in their possession.
What’s more, if you’re travelling overseas and not able to receive a text message via your mobile service provider, a one-time password sent to your smartphone will stitch properly stitch you up – especially if your bank artificial intelligence fraud monitoring service has frozen your bank account because you purchased something with your debit or credit card. That also rules out voice calls to your mobile as an effective form of MFA as well.
Is Email A Good Mode of MFA?
Email-based multi-factor authentication provides users with a higher level of security than smartphones, but they are still vulnerable if a computer is hacked without your knowing it.
Because passwords can be changed via email, a compromised computer gives hackers access to your email account. They can use this to change the password on your business applications and get deeper into the network to steal valuable data. Or worse, your bank account.
Although the end-user will be alerted to the password change, by the time you get through to your bank’s customer service – waiting in a queue – hackers can have cleared out your bank account.
Take advantage of IT Support Security Services
To make the authentication process stronger, it is better to use several options on the basis that it is improbable that malicious actors will have access to every channel you use.
The other option is to use biometric data for every device on your network. Although taking fingerprints and retina scans may be met with resistance from some employees, it’s the best option available in the current paradigm.
Another strategy you can use to secure a business network is to ensure you have other layers of security in place that support traditional modes of two-factor authentication.
Micro Pro offers remote monitoring 24/7 which can detect suspicious activity on your network and anti-virus protection which identifies known malware deployed by hackers. We also highly recommend patch management services to ensure that every application on your network is updated with the latest security protocols. This makes sure that any vulnerable gateways that have been detected by software companies cannot be exploited by cybercriminals.
We are also masters of Microsoft 365 and utilise advanced security tools to enhance the security of your business network and the devices of your workforce. If your company deploys a remote workforce, our team of Surrey-based IT support and security experts can help you to prevent a potentially devastating data breach with minimum disruption or annoyance.