MFA - Multi-Factor Authentication
Multi-factor Authentication (MFA) is an authentication method that requires more than one verification method and adds a second layer of security to user sign-ins and transactions. It works by requiring any two or more of the following verification methods:
- A randomly generated passcode
- A phone call
- A smart card (virtual or physical)
- A biometric device
Multi-Factor Authentication in Office 365.
Office 365 uses multi-factor authentication to help provide this extra security; it is managed from the Office 365 admin center. Office 365 offers the following subset of Azure multi-factor authentication capabilities as part of the subscription:
- The ability to enable and enforce multi-factor authentication for end users
- The use of a mobile app (online and one-time password [OTP]) as a second authentication factor
- The use of a phone call as a second authentication factor
- The use of a Short Message Service (SMS) message as a second authentication factor
- Application passwords for non-browser clients (for example, the Microsoft Lync 2013 communications software)
- Default Microsoft greetings during authentication phone calls
Multi-Factor Authentication, or 2-step verification, adds a second layer of protection to your Office 365 account. After you have signed in with your username and password, you will receive a verification code. Only after entering the code will you have access to your account.
This feature significantly reduces the risk of unwanted access to your data.
Multi-Factor Authentication is not enabled by default, but it can be turned on or off at any time by an Office 365 Global Administrator.
Compliance Controls addressed by Multi-Factor Authentication (MFA):
ISO 27018:2014; Control C.9.4.2, A.10.8
CSA CCM301; Control DSI-02
GDPR; Control 6.6.5
NIST 800-171; Control 3.5.2
FedRAMP_Moderate; Control IA-3
NIST 800-53; Control IA-3
Threats reduced by Multi-Factor Authentication (MFA):
- Password Cracking
In this scenario, an attacker has acquired access to a service interface, or to a data store, that allows them to try many different password combinations for an account. Using specialized software and high-capacity computing, attackers can test many thousands of combinations in a very short time. If the password is very short, very weak, very common, or the same as another account password owned by the user, the chances are very good that an attacker can 'guess' the password and compromise the account. Most Office 365 interfaces will lock out an account or 'tarpit' logons after multiple failures, but credentials can be stored in many other places against which attackers can attempt the cracking operation.
- Account Breach
In this scenario, an account in your tenancy is breached such that an attacker can use it to interact with resources in Office 365 or with your on-premises infrastructure. This can happen in a variety of ways, including spearphishing for credentials with harvesting websites, spearphishing with malware to install rootkits and keyloggers, or other sorts of attacks. Another, less common, model is to use password cracking techniques to guess the user's password by trying many variations with a computer. Since most companies with substantial numbers of users or complex application ecosystems end up running a hybrid or federated domain model, the on-prem account and the Office 365 account will have the same credentials and will represent a single target for all the services accessible to the affected user. Once the attacker has the username and password for the user, they will generally be able to find a way to authenticate to and interface with Office 365 as if they were actually the end user.
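As an added example (not code from this page or from Microsoft), the sign-in flow described above, and why a guessed or phished password alone does not complete it: a minimal RFC 6238 time-based one-time password (the "mobile app OTP" factor) verified alongside the password, with a small clock-drift window and a guard against reusing an already accepted code. The shared secret, the 30-second step, the drift window and the plaintext password comparison are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Added example, not the page's or Microsoft's code: RFC 6238 TOTP as the
# second factor, plus a sign-in check that requires BOTH factors.
STEP_SECONDS = 30   # TOTP time step (assumed; the common default)
DIGITS = 6          # code length shown in the authenticator app
WINDOW = 1          # accept codes from +/- one step to tolerate clock drift


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class SecondFactor:
    """Verifier state for one user: shared secret plus the last consumed step."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1   # highest time step already accepted (replay guard)

    def verify(self, code: str, unix_time: int) -> bool:
        step_now = unix_time // STEP_SECONDS
        for step in range(step_now - WINDOW, step_now + WINDOW + 1):
            if step <= self.last_step:
                continue           # a code from this step was already used
            expected = totp(self.secret, step * STEP_SECONDS)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_step = step
                return True
        return False


def sign_in(password: str, code: str, stored_password: str,
            factor: SecondFactor, unix_time: int) -> bool:
    """Both factors must pass; a cracked password alone is not enough.

    stored_password stands in for a real password-hash check (assumption).
    The OTP is only consumed when the first factor already succeeded.
    """
    password_ok = hmac.compare_digest(password, stored_password)
    return password_ok and factor.verify(code, unix_time)
```

The `totp` values for the secret `12345678901234567890` match the RFC 6238 SHA-1 test vectors (last six digits), so the generator can be checked against the standard before being wired to an authenticator app.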
Multi-Factor Authentication (MFA) is an option available with the Smart Subscription Bundles:
03/05/2024