Let's start with why MFA is something you should investigate. If we look at how authentication is used today, most systems rely on the combination of a username and a password as the primary form of authentication. That is based on the principle of 'something you know'. Every approach to human authentication relies on at least one of the following:
- Something you know (e.g. a password).
- Something you have (e.g. a card or a mobile phone).
- Something you are (e.g. a fingerprint or the iris of the eye).
When we talk about multi-factor authentication, we implement at least two of these principles in one authentication process. The benefit of implementing more than one principle is two-fold. Firstly, it increases security: if one factor is compromised, the second still stands in the way. Secondly, and potentially more importantly when we are talking about end-user behavior and adoption, having two factors in your authentication process allows you to be more lenient about the strictness and complexity of the individual parts.

Let me illustrate this with an example. When you rely solely on the combination of a username and password, you feel forced to increase the password complexity to make it more secure, because if a password is too easy, the chance of somebody guessing it is simply too high. That complexity causes people to act in a non-secure way: they write their credentials down on a post-it, undermining the security level you were trying to achieve. However, when we add a smart card, a mobile phone or a fingerprint, the password complexity can be reduced, since whoever is trying to get into your system will still need to get hold of something you have or something you are.

This is also why, when you look at the Secure Score of Office 365 (https://securescore.office.com), you will find the following rules related to this topic that increase your security score:
- Enable MFA for all global admins -> +50 pts
- Enable MFA for all users -> +10 pts/user
- Do not expire passwords -> +10 pts
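To show what acting on these three rules looks like from the admin side, here is an added PowerShell example (not code from the original post) that reports which global admins lack an MFA requirement or still have an expiring password, and optionally applies the MFA requirement and the "never expires" setting. It assumes the MSOnline module (`Connect-MsolService`, `Get-MsolRole`, `Get-MsolRoleMember`, `Get-MsolUser`, `Set-MsolUser`) is installed and that you have already connected with an account that can manage users; the `Invoke-GlobalAdminMfaCheck` function name and its `-Enforce` switch are my own.

```powershell
# Added example: audit (and optionally enforce) MFA + non-expiring passwords
# for all global admins. Assumes the MSOnline module and an existing
# Connect-MsolService session. Report-only unless -Enforce is given.
function Invoke-GlobalAdminMfaCheck {
    [CmdletBinding()]
    param(
        # Apply the changes instead of only reporting them.
        [switch]$Enforce
    )

    # In MSOnline the global admin role is still named "Company Administrator".
    $role = Get-MsolRole -RoleName "Company Administrator"
    $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.RoleMemberType -eq "User" }

    foreach ($member in $members) {
        $user = Get-MsolUser -UserPrincipalName $member.EmailAddress

        # StrongAuthenticationRequirements is empty when no MFA requirement is set.
        $mfaState = ($user.StrongAuthenticationRequirements |
            Select-Object -First 1).State
        $hasMfa = -not [string]::IsNullOrEmpty($mfaState)

        [PSCustomObject]@{
            User                 = $user.UserPrincipalName
            MfaRequirement       = if ($hasMfa) { $mfaState } else { "None" }
            PasswordNeverExpires = $user.PasswordNeverExpires
        }

        if (-not $Enforce) { continue }

        if (-not $hasMfa) {
            # Per-user MFA requirement, as documented for Set-MsolUser.
            $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
            $req.RelyingParty = "*"
            $req.State = "Enabled"
            Set-MsolUser -UserPrincipalName $user.UserPrincipalName -StrongAuthenticationRequirements @($req)
        }

        if (-not $user.PasswordNeverExpires) {
            # "Do not expire passwords" rule from the Secure Score list above.
            Set-MsolUser -UserPrincipalName $user.UserPrincipalName -PasswordNeverExpires $true
        }
    }
}

# Usage: run once without -Enforce to review the report, then with it.
Invoke-GlobalAdminMfaCheck | Format-Table -AutoSize
# Invoke-GlobalAdminMfaCheck -Enforce | Format-Table -AutoSize
```

The report-first design matters because setting `State = "Enabled"` prompts the affected admins to register a second factor at next sign-in; review the list (and make sure you are not locking out a break-glass account you intended to exclude) before running with `-Enforce`.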
The admin and end-user experience is explained in this video.