Working in a cloud IT environment, we are faced with regular prompts for multi-factor authentication (aka MFA, two-factor authentication, 2FA), and when faced with deadlines or large workloads, the need to find your mobile and approve an MFA request can be annoying. To help me overcome this frustration, I felt it was a good opportunity to explore why MFA is becoming more important in the workplace and how to treat it as a friendly tool rather than a foe.
Cybersecurity is becoming more and more prevalent in our modern society; attackers are becoming more sophisticated in their attempts to obtain your password. Unfortunately, we now live in a “Trust No-one Environment”. When applying for business insurance, you are now asked what cyber security protection is in place, and MFA is a mandatory requirement in most cases.
Most of us use two-factor authentication to log into our online bank accounts without questioning it; so why do we find it a hindrance when working with other applications?
What is Multi Factor Authentication?
Multi-factor authentication is a security measure that protects applications and data from being accessed by unauthorised users. Logging into applications with just a username and password is old-school. Your username is likely to be your email address, which may be visible on your company’s website or on LinkedIn. Cyber criminals run automated tools to crack passwords, made simpler if you re-use the same password or use keywords that relate to your company’s services or products. Banned password lists can be implemented at the organisation level, but your IT system admin will not be adding your birthday or your dog’s name to these lists.
Multi-factor authentication requires a second verification method for you to prove who you are before you can log into the system. We would recommend an MFA authenticator app, fingerprint or facial recognition method where you are required to manually enter a temporary code, rather than one where you simply click an “Approve” button.
How many times have you clicked Approve when you were not actually at your computer? This is exactly the behaviour cyber attackers are focusing on, and it is now termed MFA fatigue.
The Microsoft Authenticator app can be configured to display the approximate location where the login request was made (it does not show your exact house number) and which application is being accessed. I do not normally take any interest in these two values; I just focus on entering the validation code. I would take note, however, if a verification request unexpectedly appears when I have not logged into an application. That information is useful for my IT department to complete a security review and apply additional authentication policies to block the threat actor.
Microsoft’s Authenticator
Lucidity recommends that Microsoft Authenticator is installed on your mobile device. This allows us to configure how you authenticate with it: entering the two-digit number that is displayed on your sign-in screen. As mentioned above, this combats MFA fatigue. The app is great for Microsoft applications; however, I have Google’s Authenticator installed on my mobile device for non-Microsoft applications.
Within the last 12 months, I purchased a new mobile phone and discovered that Microsoft Authenticator does not automatically transfer saved credentials to the new device, whereas Google Authenticator does use cloud syncing. For Microsoft Authenticator, you need to back up your account credentials to a personal Microsoft account. Recovering Microsoft accounts was simple in Authenticator, but I struggled with other applications where requesting a reset was complex or not documented.
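The two points above (number matching defeats a blind “Approve”, and the location/application shown on a prompt is what the IT team needs to spot a fatigue attack) can be shown in a small simulation. This is an added example, not Lucidity’s or Microsoft’s code; the service class, the sign-in events and the threshold of three unapproved prompts in ten minutes are all constructed assumptions.

```python
import secrets
from collections import defaultdict
from datetime import datetime, timedelta


class PushMfaService:
    """Push MFA with number matching: a prompt is only approved by typing the
    number shown on the sign-in screen, so an unexpected prompt cannot be
    blindly 'Approved' (hypothetical service, not Microsoft's)."""

    def __init__(self):
        self.pending = {}  # challenge_id -> (user, expected_number)

    def issue_challenge(self, user):
        challenge_id = secrets.token_hex(8)
        number = secrets.randbelow(100)  # two-digit number, shown only on the sign-in screen
        self.pending[challenge_id] = (user, number)
        return challenge_id, number

    def approve(self, challenge_id, typed_number):
        # One attempt per challenge; an unknown challenge or wrong number fails.
        entry = self.pending.pop(challenge_id, None)
        return entry is not None and entry[1] == typed_number


def flag_mfa_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """Return {user: [(location, app), ...]} for users with `threshold` or more
    push prompts that were NOT approved inside one `window`; the location/app
    pairs are what the security review needs."""
    by_user = defaultdict(list)
    for ts, user, result, location, app in events:
        if result != "approved":
            by_user[user].append((ts, location, app))
    flagged = {}
    for user, prompts in by_user.items():
        prompts.sort()
        for i in range(len(prompts)):
            j = i
            while j < len(prompts) and prompts[j][0] - prompts[i][0] <= window:
                j += 1
            if j - i >= threshold:
                flagged[user] = sorted({(loc, app) for _, loc, app in prompts[i:j]})
                break
    return flagged


# Constructed sample sign-in events (timestamp, user, result, approx. location, app).
SAMPLE_EVENTS = [
    (datetime(2024, 3, 1, 9, 0), "alice", "approved", "Auckland, NZ", "Outlook"),
    (datetime(2024, 3, 1, 9, 1), "bob", "denied", "Unknown city", "Azure Portal"),
    (datetime(2024, 3, 1, 9, 3), "bob", "timeout", "Unknown city", "Azure Portal"),
    (datetime(2024, 3, 1, 9, 5), "bob", "denied", "Unknown city", "Azure Portal"),
    (datetime(2024, 3, 1, 14, 0), "alice", "timeout", "Auckland, NZ", "Teams"),
]
```

Running `flag_mfa_fatigue(SAMPLE_EVENTS)` flags only `bob`, with the repeated location and application that an IT department would use to decide on a block policy.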
Remote Working
The way that we work has drastically changed over the last four years: desktops are being replaced with laptops and it is acceptable to work from home. Previously, we worked in a secure office network environment where access to the applications you used was managed. These days, we are more dependent on our home internet services (a basic router or our mobile phone’s hotspot) than on a managed firewall. Verifying my login with MFA gives me assurance that only I can access my account and the applications I have access to.
At Lucidity, we have an additional security layer: we use an Azure Virtual Desktop to access our confidential data. Accessing the Azure Virtual Desktop platform always prompts us for multi-factor authentication.
Summary
In summary, MFA is a MUST HAVE for any organisation, and I feel safer knowing that it is protecting me and my work, especially when working remotely. The extra 10 seconds to locate my mobile phone and find the right account to authenticate is a small price to pay compared to a cyber attacker obtaining my credentials and accessing all the systems and data that I have access to. It should be noted that you cannot rely on MFA alone to protect yourself: there is a lot more functionality within Microsoft that you can configure to protect your data, and as individuals we need to take ownership of increasing cyber security awareness by participating in regular Security Awareness Training, a product that Lucidity now offers.