Cloud services provide businesses with an unprecedented level of access to resources from anywhere around the world at any time. This increased level of access to resources has provided businesses with the tools to mobilize and modernize their workforce. However, with all the benefits of increased access to resources, this availability also exposes businesses to considerable risk from cyber adversaries looking to steal credentials. Appropriate measures should be taken to reduce this risk and the first and simplest step is to enable multi-factor authentication (MFA).
Multi-factor authentication is a method of authentication that requires users to provide two or more forms of proof of identity to gain access to their resources. The most common MFA scheme in cloud services is an initial username and password followed by one or more of the following:
- Phone calls
- Mobile apps
- One-time password (OTP) token
MFA in Azure Active Directory
Microsoft provides all Azure Active Directory tenants with cloud MFA for free for all users. Microsoft recommends, at a bare minimum, that MFA be enabled on any account that has privileged access to the Azure Active Directory tenancy. As well as the cloud-based MFA, Microsoft also provides an on-premises MFA server, cloud MFA extensions for RADIUS and connectors for Active Directory Federation Services (AD FS).
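A quick way to check the "bare minimum" above is to list the tenant's Global Administrators and report the per-user MFA state of each. The script below is an added example, not from the original article; it assumes the legacy MSOnline PowerShell module is installed and that the signed-in account can read users and role memberships.

```powershell
# Added example (not from the original article): report Global Administrators whose
# per-user MFA state is neither Enabled nor Enforced, using the legacy MSOnline module.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in prompt

# "Company Administrator" is the MSOnline name of the Global Administrator role
$role    = Get-MsolRole -RoleName "Company Administrator"
$members = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.RoleMemberType -eq "User" }

$report = foreach ($m in $members) {
    $user = Get-MsolUser -ObjectId $m.ObjectId
    # StrongAuthenticationRequirements holds the per-user MFA state (Enabled/Enforced);
    # it is empty when per-user MFA has never been turned on for the account.
    $state = ($user.StrongAuthenticationRequirements | Select-Object -First 1).State
    if (-not $state) { $state = "Disabled" }
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        MfaState          = $state
        RegisteredMethods = ($user.StrongAuthenticationMethods |
                             ForEach-Object { $_.MethodType }) -join ","
    }
}

# Privileged accounts with no MFA state are the ones to fix first
$report | Where-Object { $_.MfaState -eq "Disabled" } | Format-Table -AutoSize
```

An account that receives MFA through a Conditional Access policy rather than per-user MFA will show as Disabled here, so treat the output as a starting point for review rather than a verdict.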
When deploying cloud MFA, it is important not only to focus on the improved security posture but also to factor in the impact on end users once MFA has been enabled. Deploying MFA can add extra authentication prompts to sign-in processes and can inhibit the single sign-on experience provided by AD FS or similar token-signing services.
How to reduce end user impact
To reduce end user impact when deploying MFA, Microsoft provides customers with the ability to purchase an Azure Multi-Factor Authentication license, which provides a feature called trusted IPs. The trusted IPs feature allows admins to specify their corporate sites' public IP addresses, or to let authentication requests originating internally from AD FS skip the MFA process. This maintains productivity for internal access while keeping MFA enforced for external access.
Should I enable MFA?
The answer when utilising cloud services is yes. The question that businesses should be asking themselves is “How much would a cyber breach cost me if I don’t enable MFA?”