Passwords are clearly not enough to protect networks. Any security advice will tell you that multi-factor authentication (MFA) is a key method to keep attackers out. But what kind of MFA should your company deploy? The choice of tokens and multifactor tools depends on your business, your needs, and how attackers are likely to target your business. Planning ahead will minimize deployment and migration issues when new tokens or new phones are issued.
These are the most important considerations when choosing an MFA solution.
Know what MFA will and won’t protect
You have several decisions to make when deciding which MFA tool to use. First, review how the tool protects your network. Often when adding MFA to existing on-premises applications, it may not fully protect your organization against certain attacks. The recent Exchange Server zero-day attack is a good example. MFA in this situation did not protect the servers. At least a victim used on-premises Exchange Server with a third-party MFA application. While it protected some parts of the authentication process, it did not protect Outlook Web Access (OWA), which uses Basic authentication. MFA did not protect this part of the site, so attackers could bypass MFA and attack the servers. Consider exactly what the MFA solution you choose protects, then consider what authentication processes are still exposed.
MFA deployment, migration and scalability
Deployment, migration and scalability of multi-factor tokens is another point to consider. Depending on the size of your business, you can deploy multi-factor tokens or choose to enable authenticator apps on phones. Depending on your company policies, you can deploy authenticator apps to company-provided devices or provide deployment information to personnel using personal devices. If personal devices are used, you may be required to reimburse business usage depending on local laws and regulations.
Deploying to these devices and managing replacement phones can be a daunting task. Depending on the authenticator application, they easily migrate or need to be backed up to non-corporate-controlled backup locations.
This is particularly the case for the redeployment of authentication applications. Some authenticator apps make it easy to export and import to a new phone. Others are more of a process and may need to be redeployed. Make sure your help desk is fully informed and has tested the migration process on both work and home phones. When new phone models come out, your staff needs to know what support you will provide for the migration. You may want to set limits for updating to new phone models to ensure that your users do not overload the help desk. Providing support to phones often takes more time and specialized remote tools that allow the help desk to examine the phone screen but not remotely control the devices.
Prepare documentation to properly deploy and migrate authenticator applications on phone platforms. Although you can easily find instructions on the web to help with the migration, make sure your help desk has instructions for your authentication needs.
Don’t wipe a device without making sure the information you need has migrated to the replacement phone. When migrating to a new phone, you may need to redeploy the MFA app. For example, if you use push notifications on phones, these types of credentials must be recreated because they are tied to the device hardware and cannot be migrated or exported. Push MFA or passwordless deployments will need to be redeployed as they are tied to the phone device. The Microsoft Authenticator app, for example, is hit or miss when it comes to successfully restoring it to a replacement iPhone. On one instance, the application restored without a hitch. In another, accounts had to be revalidated depending on whether the devices defined for push notifications are linked to the device. Other providers such as Google Authenticator have an import/export feature.
Trade-off between using hardware tokens and the phone for authentication
You can instead decide to deploy tokens or keychains. Although these solutions may be less economical, there is less need to migrate. Tokens incur additional overhead as they won’t always be with the user, whereas cell phones tend to be with them always. Tokens and keyfobs can take more getting used to, and you need to consider battery replacement and other deployment needs.
With Microsoft’s multi-factor needs, you have several options starting with Microsoft Authenticator. If most of your staff have Android or Apple phones, Microsoft Authenticator is a cost-effective solution that you can quickly deploy. Even if you’re not upgrading to an Azure P1 license (or have a Microsoft license that includes it), you should be able to use the Authenticator app as a second factor for global admin accounts Azure AD.
Review the MFA application method you’re using by logging into the Microsoft Azure admin portal and navigating to Security > Authentication Methods. Passwordless options range from using Windows Hello for Business, Microsoft Authenticator, and FIDO2 security keys. You can use FIDO2 security keys from other providers. You can often use FIDO2 keys with other applications that enforce MFA both to protect Microsoft applications and to provide a second factor of authentication for password management tools, remote access, and security. other needs.
Cloud Authentication Requirements
Often you can’t standardize on a single authenticator app for cloud services. Cloud services can align to a single authenticator app. Admins typically find they need a variety of MFA tools, including authenticator apps (Microsoft, Authy, Google Authenticator) as well as apps like Duo.com and hardware tokens. Plan ahead to ensure that the authentication method meets your regulatory requirements and specifications such as NIST mandates and can be handled by your help desk.
MFA should be a mandate in your organization, but how it’s deployed and maintained can either help your help desk or place a greater burden on it. Plan ahead to choose an option that is more manageable, won’t cause more problems when upgrading, and meets the needs of the organization.
Copyright © 2022 IDG Communications, Inc.