Whether you know it or not, you’re probably already using Multi-Factor Authentication (MFA). MFA is a security approach that requires more than one password or verification method to authenticate users when they log in. When you log in to your online bank account, your PayPal account, or almost any website with financial information, you are likely prompted to enter a password and then a code sent to you by text or email. This is two-factor authentication (2FA), the most basic type of Multi-Factor Authentication, and it adds an extra layer of security to protect your logins.
Multi-Factor Authentication relies upon two or more pieces of information to determine if you are authorized to log in. Examples of the information you may be required to provide include:
- Something you are: e.g. Retina scan or fingerprint
- Somewhere you are: e.g. GPS location or computer network
- Something you have: e.g. Fob or USB stick or text information sent to a cell phone
- Something you know: e.g. Password or PIN number
Because implementing MFA in software solutions can be expensive and difficult, developers choose to implement only two of these methods. This is referred to as 2FA or Two-Factor Authentication. The most common 2FA is when you enter your password and an authentication code that is sent to your cell phone. This covers the “Something you know” and “Something you have” (the cell phone) methods.
With 2FA now familiar to most people, it is time you add more security to your Microsoft 365 account.
Why Secure Your Microsoft 365 Account?
Microsoft has been highly successful transitioning users to their Microsoft 365 service. Some businesses are able to run their entire operation completely from the Microsoft software ecosystem. With so much sensitive data consolidated in Microsoft 365, it is a focal point for cyber criminals in phishing attempts. According to a 2019 cyber security report published by Verizon, phishing constituted over 80% of security breaches and resulted in billions of dollars in financial losses to businesses worldwide.
When a password is compromised, remote criminals are able to gain direct access to Microsoft 365 accounts to read email, access documents, and even impersonate users to contact customers and vendors. With so much at stake, it makes sense to add an additional security method to Microsoft logins to make disruption and theft more difficult for cyber criminals.
Use Microsoft Authenticator
The usual pushback against enabling 2FA on accounts is that the extra step in the login process adds security at the expense of user convenience. Fortunately, Microsoft has addressed the “Something you have” angle of MFA with a convenient app to install on your phone. The Microsoft Authenticator app makes logging in from a new device very simple.
Anytime Microsoft 365 determines a user is logging in to an account from a new device, it sends an authentication request to the Microsoft Authenticator app installed on the user’s smartphone. The user can then allow or deny the new login from their phone. This allows a user to deny logins from cyber criminals who may have gained access to an account password.
By default, Microsoft 365 accounts with MFA enabled will re-prompt a user to authenticate a login every thirty days. This ensures that any lost or stolen authenticated device will soon require re-authentication. A new authentication may also be prompted by a password change.
The Microsoft Authenticator app is free and can be downloaded on iOS and Android devices. With the Microsoft Authenticator app ready to go, users only need their administrators to enable 2FA on their accounts, and then they are ready to set up extra security in minutes.
Additional Security Considerations
Cyber security is a game of cat and mouse between security experts and the cyber criminals determined to gain account access. Despite the additional security of Multi-Factor Authentication, users need to follow some security basics to help MFA work. Users should remember these security guidelines to further solidify their logins:
- Do not use the same password on multiple accounts
- Do not simply increment a password or make only minor changes to it when changing passwords
- Do enable lock screens on phones
- Do use strong PIN numbers on phones
- Do use passphrases that are 12 or more characters long
- Do use encryption on phones and computing devices
Now is the time to step up. Secure your assets by implementing Multi-Factor Authentication.