Azure Active Directory Office 365 Security

Multi-factor authentication (MFA) experience in Office 365

Let's start with why MFA is something you should investigate. When we look at how authentication is done today, we see that most systems use the combination of username and password as the primary form of authentication. That relies on a single factor, 'something you know'. All approaches to human authentication rely on at least one of the following:

  • Something you know (e.g. a password).
  • Something you have (e.g. a smart card or a mobile phone).
  • Something you are (e.g. a fingerprint or the iris of the eye).

When we talk about multi-factor authentication, we implement at least two of these principles in one authentication process. The benefits of implementing more than one principle are two-fold. Firstly, it increases security: if one factor is compromised, the second still has to be defeated. Secondly, and potentially more importantly when we are talking about end-user behavior and adoption, using two factors allows you to be more lenient about the strictness and complexity of each individual factor.

Let me illustrate this with an example. When you rely solely on the combination of a username and password, you feel forced to increase the password complexity to make it more secure, because if a password is too easy, the chance of somebody guessing it is simply too high. That complexity causes people to act in an insecure way: they write their credentials down on a post-it, undermining the security level you were trying to achieve. However, when we add a smart card, mobile phone or fingerprint, the password complexity can be reduced, since whoever is trying to get into your system will still need to get hold of something you have or something you are.

That is why, when you look at the Office 365 Secure Score (https://securescore.office.com), you will find the following rules related to this topic that increase your score:

    • Enable MFA for all global admins -> +50 pts
    • Enable MFA for all users -> +10 pts/user
    • Do not expire passwords -> +10 pts
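To make the "two factors" argument concrete, here is a small added example (not code from the original post, and not how Office 365 implements MFA internally) that models a login with a password ('something you know') and a time-based one-time code from a phone app ('something you have'). The TOTP part follows RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits) and uses the RFC's reference seed so the codes can be checked against its published test vectors; the password, salt and the one-step clock-drift window are constructed demo values. The point it shows is that a leaked password alone, or a captured code alone, is not enough to get in.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo credentials (assumptions for this example). In a real
# deployment the password hash and the TOTP seed live in the identity store.
PASSWORD_SALT = b"demo-salt-16byte"
PASSWORD_HASH = hashlib.pbkdf2_hmac(
    "sha256", b"correct horse battery staple", PASSWORD_SALT, 200_000
)
TOTP_SEED = b"12345678901234567890"   # RFC 6238 reference seed (ASCII)
TOTP_STEP = 30                        # seconds per code, per RFC 6238
TOTP_DIGITS = 6


def verify_password(candidate: str) -> bool:
    """Factor 1, 'something you know': salted PBKDF2 hash, constant-time compare."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), PASSWORD_SALT, 200_000)
    return hmac.compare_digest(digest, PASSWORD_HASH)


def totp(seed: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current time-step counter."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(seed: bytes, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Factor 2, 'something you have': accept the current code or one step either side."""
    for drift in range(-window, window + 1):
        expected = totp(seed, unix_time + drift * TOTP_STEP)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def authenticate(password: str, code, unix_time=None) -> bool:
    """Both factors must pass; both are always evaluated so a failure does not
    reveal which factor was wrong."""
    if unix_time is None:
        unix_time = int(time.time())
    password_ok = verify_password(password)
    code_ok = code is not None and verify_totp(TOTP_SEED, str(code), unix_time)
    return password_ok and code_ok


if __name__ == "__main__":
    # RFC 6238 vector: at T=59 the SHA-1 code is 94287082, i.e. 287082 at 6 digits.
    print("code at T=59:", totp(TOTP_SEED, 59))
    print("password + code:", authenticate("correct horse battery staple", "287082", 59))
    print("password only:  ", authenticate("correct horse battery staple", None, 59))
    print("code only:      ", authenticate("guessed-password", "287082", 59))
```

The drift window is the usual trade-off between usability (phone clocks are rarely perfectly synced) and replay exposure; production verifiers also remember the last accepted counter so a code cannot be reused within its validity window.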


The admin and end-user experience is explained in this video.
