Ah it happened again, Microsoft Azure Multi Factor Authentication was down. If you google it, you will probably find the details somewhere. But in short, people were not able to use their mobile device to deliver the second layer of authentication to make their authentication more secure. Security is important, reliable services for security even more. People complained for hours how they couldn’t work anymore, how their services became inaccessible, how they couldn’t perform their normal day to day operations due to the outage. So, shame on you Microsoft for allowing customers to be in a situation like this.
But also shame on you customers (and by extension IT service providers) for not using MFA smarter than you are currently.
Wait, what? What a nerve, blaming us for an outage of a cloud service, we pay good money for something that is supposed to have 99.9% uptime.
To be honest, I am not blaming you for the outage. I am blaming you for the fact that you couldn’t work. Too many times I see people using MFA as an on/off switch without a clear plan or design when MFA is actually needed. Mike Tyson once said, “Everyone has a plan and then they get punched in the face”. Well, consider this outage your proverbial punch in the face. If you were unable to work due to a second security layer failure you clearly have not done your due diligence about two things:
- What are we going to do when MFA goes offline? Granted since we are dealing with a cloud service, we have come to expect the necessary uptime of cloud services especially the Microsoft ones, but still, good service providers have a plan in case something fails. Working with cloud services is not an excuse to be lazy or to forget crucial things in service design.
- Do we really need ALWAYS MFA to be on? Is MFA indeed an on/off switch or do you just need to use MFA where it is really necessary?
And the reality is that MFA is not always needed. The truth is that too many people look at MFA as an on/off switch because they don’t know how to configure MFA properly or maybe are (dare I to say it) too lazy to do it in a more thought through way.
Because let’s be honest, when you work in a controlled environment like in your office, on a laptop or desktop with the necessary security measures like device enrollment in a managed device management suite, what is the added value of MFA? Security measures need to be in place to protect your end-users and devices in an unsafe environment, where the risk of being hacked or your users and devices being compromised is the highest. If you consider your own office an unsafe place, you might have potentially bigger problems than MFA. Like with the use of a super complex password and a frequent request to change passwords, unbalanced security measures can lead to end-user to actively time to go around your security measures. When that happens, your security plan (even if you have one) goes out the door.
Microsoft Azure has a service for those specific cases. It is the exact same service you have been using for your MFA, Azure Active Directory. AAD has a feature called conditional access. It allows you to define the different scenarios where you actually do MFA and where you don’t. It can help you to be selective in the usage of MFA and allow people to work ‘normally’ in a safe environment. It gives your end-users confidence that they are being taken care off and when indeed the request for MFA comes up, they also get the mental note that they are currently in an unsafe environment and should behave in a more secure way than they normally would when they are in the office.
So, back to original statement, would this have helped 100% against the MFA outage? No, but if people were working in a secure environment they wouldn’t have been impacted by the MFA since there was no need for MFA. Like I said, consider this outage your wake-up. Having a security plan is one thing, having a balanced security plan, with attention for end-user convenience and the possibility that certain services can and will go offline might be even a better approach.