In the managed IT services industry, keeping clients’ data secure is paramount. One of the most effective and easy-to-implement security measures is Multi-Factor Authentication (MFA). A study by Cornell University in 2023 found that simply using MFA can reduce risks by an astounding 99.2%. Despite its effectiveness, only 22% of Microsoft customers currently use it. This gap is primarily due to a lack of end-user awareness rather than neglect. Here’s a comprehensive guide for MSPs on how to effectively implement MFA and educate clients on its importance.
A Brief History of MFA Adoption
When Microsoft first introduced multi-factor authentication, it was only available through premium licenses. Users suggested making it free to boost its adoption. Following this change, worldwide MFA adoption increased from 1% to 2%. Although Microsoft has offered flexible solutions and tried to enforce its use, many users still resist the additional sign-in step. The key to overcoming this resistance lies in education, and this is where MSPs play a crucial role.
Methods for Enabling MFA
Good: Entra ID (Azure AD Per User)
Entra ID, formerly known as Azure AD, is the backbone of Microsoft identity management. While some businesses still use on-premises Active Directory, the current standard is Entra ID. The per-user method allowed administrators and MSPs to assign roles with precision, but because it required manual setup for each account, it saw limited adoption. Achieving full coverage of all accounts is challenging with this outdated method. In some cases, exemptions might be necessary for legacy applications or emergency access ("break-glass") accounts, but these should be rare. Microsoft plans to phase out this method in favor of more effective strategies for securing user accounts.
Better: Security Defaults
Security defaults made MFA mandatory for all newly created Microsoft 365 user accounts, starting from October 2019. If your client’s M365 accounts were created post-2019, MFA will be automatically enabled. This is beneficial, although security defaults have some limitations. Their most significant challenge is the inability to support older applications that lack MFA capabilities, typically those that sign in with legacy authentication protocols and cannot complete an MFA prompt. Enabling security defaults means these older applications will not function within your clients’ M365 environment. This requirement forces a choice between maintaining security standards or disabling these defaults to accommodate such apps.
Best: Conditional Access Policies
Conditional access policies offer granular control, the flexibility to leverage third-party MFA apps, and the ability to support older applications. They operate by checking whether a user’s request to access your data meets predefined conditions. If the conditions are met, access is granted; if not, the policy blocks access or requires MFA. Examples of conditions include user role, location, or the device used.
Most businesses already organize users into groups like departments, locations, or roles. Implementing conditional access policies could be as simple as setting standards around these predefined conditions. Additional policies can also be added. For instance, access could be granted based on both department and trusted devices. Conditional access offers the ideal balance between flexibility and ease of management. Once these policies are in place, new users need only be added to the appropriate groups during onboarding, ensuring they automatically receive the correct permissions without further configuration.
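The group-based policy described above, as an added example using the Microsoft Graph PowerShell SDK; it is not code from the original article. The group names, the policy name, and the choice to start in report-only mode are assumptions for illustration; the cmdlets, scopes, and policy fields are the SDK’s and Graph’s own.

```powershell
# Added example (not from the original article): create a Conditional Access
# policy that requires MFA for one department group and exempts the emergency
# access accounts. Group and policy names are assumptions for illustration.
# Requires: Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups modules.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

# Assumed groups: the department being onboarded and the break-glass accounts
$financeGroup    = Get-MgGroup -Filter "displayName eq 'CA-Finance-Users'"
$breakGlassGroup = Get-MgGroup -Filter "displayName eq 'CA-Exclude-EmergencyAccess'"

$policy = @{
    displayName = "CA-Finance-RequireMFA-AllCloudApps"
    # Report-only first: sign-in logs show who would have been prompted or
    # blocked before anyone is actually affected.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeGroups = @($financeGroup.Id)
            excludeGroups = @($breakGlassGroup.Id)   # emergency access stays exempt
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # "OR" with a single control means MFA is required outright. To also
        # accept a trusted (Intune-compliant) device instead of an MFA prompt,
        # use builtInControls = @("mfa", "compliantDevice") with operator "OR".
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"

# Once the report-only results look right, switch the policy to enforcement:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```

Because the policy targets a group rather than individual users, onboarding a new hire is just adding the account to CA-Finance-Users; the exclusion group keeps the break-glass accounts from being locked out if the MFA service itself has an outage.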
MFA Authentication Methods
Good: SMS, Voice, and Email
These are the most common authentication methods but are also the easiest to hijack. Most people have cell phones and email accounts, making this method widespread. However, SIM cards are easy to clone and email inboxes can be breached without robust security measures. Despite these vulnerabilities, implementing any form of MFA is preferable to none. Opt for stronger options when possible, but this is still a solid starting point.
Better: Authenticator Apps
Authenticator apps provide a one-time passcode (OTP) from an application on a user’s cell phone. It’s much more difficult for a hacker to mimic this code or breach the app. In most cases, the cell phone’s security standards also provide an additional layer of protection for the passcode.
Best: Biometrics, U2F Tokens, and FIDO2/WebAuthn
The goal of MFA is to ensure that the person doing the authentication is the right person. Biometric data, such as fingerprints, facial recognition, and voice, is much harder to steal than a password. Universal 2nd Factor (U2F) tokens are physical devices that authenticate a user’s access, while FIDO2 allows users to use local devices like smartphones or laptops to verify their identity. WebAuthn, a major part of FIDO2, lets websites use FIDO2 authentication. Despite the potential risk of device theft, these methods offer robust security.
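A coverage check that ties the two sections together, as an added example that is not part of the original article: it reads the tenant’s security defaults state and each user’s registered authentication methods through the Graph PowerShell SDK, then ranks every account by its strongest method using the Good/Better/Best tiers above. The tier mapping is this example’s own assumption; the cmdlets, scopes, and method names come from Graph’s userRegistrationDetails report.

```powershell
# Added example (not from the original article): report MFA coverage per user
# and classify each account by the strongest method it has registered.
# The Good/Better/Best mapping below is an assumption that follows the
# article's ranking; the method strings are Graph's methodsRegistered values.
# Requires: Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports modules.

Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# Tenant-wide: are security defaults switched on?
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security defaults enabled: $($sd.IsEnabled)"

# Map registered methods to the article's tiers; the first match wins.
function Get-MfaTier {
    param([string[]]$Methods)
    $best   = @("fido2SecurityKey", "windowsHelloForBusiness", "microsoftAuthenticatorPasswordless")
    $better = @("microsoftAuthenticatorPush", "softwareOneTimePasscode", "hardwareOneTimePasscode")
    $good   = @("mobilePhone", "alternateMobilePhone", "officePhone", "email")
    if ($Methods | Where-Object { $_ -in $best })   { return "Best" }
    if ($Methods | Where-Object { $_ -in $better }) { return "Better" }
    if ($Methods | Where-Object { $_ -in $good })   { return "Good" }
    return "None"
}

$report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object {
        [pscustomobject]@{
            User          = $_.UserPrincipalName
            MfaRegistered = $_.IsMfaRegistered
            Tier          = Get-MfaTier -Methods $_.MethodsRegistered
            Methods       = ($_.MethodsRegistered -join ",")
        }
    }

# Summary by tier, then the two lists worth acting on
$report | Group-Object Tier | Select-Object Name, Count | Format-Table -AutoSize

Write-Host "`nAccounts with no MFA registered (coverage gap):"
$report | Where-Object { -not $_.MfaRegistered } | Format-Table User, Methods -AutoSize

Write-Host "`nAccounts relying only on SMS/voice/email (candidates for an authenticator app or FIDO2):"
$report | Where-Object { $_.Tier -eq "Good" } | Format-Table User, Methods -AutoSize
```

Run this periodically for each client tenant: the first list is the coverage gap the per-user method tends to leave behind, and the second is the set of users to move up a tier, since SMS and email are the methods the text describes as the easiest to hijack.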
The Role of MSPs in Promoting MFA
Even with strong MFA practices, there’s always the risk of phishing scams tricking someone into sharing information. As an MSP, your client is unlikely to blame you for these types of human errors, assuming you’ve implemented solid security measures. Additionally, by implementing MFA, you’ve greatly lowered your chance of facing lawsuits from clients or insurance companies.
Final Thoughts
For MSPs, the implementation of MFA is a critical component of a comprehensive security strategy. By understanding the best practices and educating clients on the importance of MFA, MSPs can significantly reduce the risk of cyberattacks. Embrace these practices to enhance your security offerings and protect your clients’ data from evolving threats.