Should you consider adding Multi-Factor Authentication to Office 365?
What is Multi-Factor Authentication (MFA)?
Wikipedia states: Multi-factor authentication (MFA) is an authentication method in which a device user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism:
- Knowledge (something the user and only the user knows.)
- Possession (something the user and only the user has.)
- Inherence (something the user and only the user is.)
Two-factor authentication (2FA) is a type, or subset, of multi-factor authentication. It is a method of confirming users’ claimed identities by using a combination of two different factors:
- Something they know
- Something they have
- Something they are
One of the best examples of 2FA is when you withdraw money from a cash machine. Only the correct combination of a bank card (something the user possesses) and a PIN (something the user knows) allows the transaction to be carried out.
The goal of MFA is to create a layered defence that makes it more difficult for unauthorised persons to access targets such as physical locations, computing devices, networks or databases. If the attacker does manage to breach one barrier, they still have at least one more to get through before successfully getting access to what they are after.
What are some typical MFA scenarios?
- Swiping a card and entering a PIN
- Logging into a website and then being asked to add some additional one-time information that is usually received via a text message or email
- Downloading a Virtual Private Network (VPN) client with a valid digital certificate and logging into the VPN before being granted access to a network
- Swiping a card, scanning a fingerprint and answering a security question
- Attaching a USB hardware token to a device that generates a one-time passcode and using that passcode to log into a VPN client
Why do we need MFA?
In order to provide a traditional user ID and password login, a password database needs to be maintained. Regardless of whether it is encrypted (or hashed) or not, should it be compromised it would provide attackers with a source to verify their guesses as quickly as their hardware set-up would allow. Given enough time, a compromised database will fall.
Nowadays, because of the increase in CPU processing speeds, brute force attacks have become a very real threat. Further developments such as ‘GPGPU password cracking’ (password cracking using the more powerful and faster graphics processing units) and ‘rainbow tables’ (precomputed tables for reversing cryptographic hash functions, usually for cracking password hashes) provide yet more routes for attackers. This means a standalone password database doesn’t really stand much chance against the methods above if it becomes a real target of interest.
What types of authentication factors are available?
Knowledge factors
This is information that a user must be able to provide in order to log in, e.g. usernames or IDs, passwords, PINs and answers to ‘secret questions’.
Possession factors
This is anything a user must have in their possession in order to log in, e.g. security tokens, one-time-password (OTP) tokens, key fobs, employee ID cards or phone SIM cards. In regards to mobile authentication, the smartphone itself is often the possession factor, in conjunction with an OTP app.
Inherence factors
This is any biological trait of the user that is verified at login, e.g. biometric authentication methods including retina scans, iris scans, fingerprint scans, facial recognition, voice recognition, hand geometry and even earlobe geometry.
Location factors
This is often more prevalent on mobile devices, as those sorts of devices often have GPS installed. The GPS unit offers a reasonable level of accuracy as to the current location of the device.
Time factors
This is when the current time is taken into account when considering authentication. For example, verifying an employee’s ID against work schedules could prevent user account hijacking attacks. Another example would be that a bank customer wouldn’t be able to physically use their bank card in the UK and then use it in China 15 minutes later. These are called ‘logical locks’ and could prevent many cases of online bank fraud.
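The ‘logical lock’ described above (a card used in the UK and then in China 15 minutes later), as an added example that is not part of the original article: a small Python impossible-travel check run over constructed login events. The coordinates, timestamps and the 900 km/h speed threshold are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass
from datetime import datetime

EARTH_RADIUS_KM = 6371.0


@dataclass
class LoginEvent:
    """One successful login: who, where (resolved lat/lon) and when."""
    user: str
    lat: float
    lon: float
    when: datetime


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(prev, cur, max_kmh=900.0):
    """True when getting from prev to cur would need a speed above max_kmh.
    max_kmh is an assumed threshold, roughly an airliner's cruising speed."""
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if hours <= 0:
        return distance > 0  # same instant, different place: cannot happen
    return distance / hours > max_kmh


def flag_impossible_travel(events, max_kmh=900.0):
    """Return (previous, current) login pairs, per user, that imply impossible travel."""
    last_seen, flagged = {}, []
    for ev in sorted(events, key=lambda e: e.when):
        prev = last_seen.get(ev.user)
        if prev is not None and impossible_travel(prev, ev, max_kmh):
            flagged.append((prev, ev))
        last_seen[ev.user] = ev
    return flagged


# Constructed sample events (not real telemetry): alice logs in from London,
# then from Shanghai 15 minutes later; bob goes Manchester -> London in 3 hours.
SAMPLE_EVENTS = [
    LoginEvent("alice", 51.5074, -0.1278, datetime(2024, 1, 1, 9, 0)),
    LoginEvent("alice", 31.2304, 121.4737, datetime(2024, 1, 1, 9, 15)),
    LoginEvent("bob", 53.4808, -2.2426, datetime(2024, 1, 1, 12, 0)),
    LoginEvent("bob", 51.5074, -0.1278, datetime(2024, 1, 1, 15, 0)),
]

if __name__ == "__main__":
    for prev, cur in flag_impossible_travel(SAMPLE_EVENTS):
        print(f"{cur.user}: impossible travel between {prev.when} and {cur.when}")
```

Only alice's second login is flagged; bob's 262 km in three hours is well within the threshold.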
If you would like to talk to us about adding MFA to your Office 365 environment, please call us on 01905 758900 or email us via firstname.lastname@example.org and we’ll talk you through your options.
Sources: Wikipedia, TechTarget Search Security, Microsoft.