Complete Webinar Transcript: Multi-Factor Authentication

Introduction:

Adam: Thanks for joining our webinar today. My name is Adam Lee from Microsoft Gold Partner PEI. Today we’ll be discussing the importance of Multi-Factor Authentication and how it’s essential in securing both admin and end-user accounts.

MFA is so important because a username and password is no longer secure enough when it comes to identity access. Remember, these attackers are in business to make money. They are using the best resources and constantly evolving their techniques to increase their success rate. It’s not a matter of if attackers figure out usernames and passwords, it’s when. So we really need to be proactive—both on the partner side and the end-user side.

Although securing user identities is relevant across the entire tech industry, we’ll be focusing on why you should enable MFA for Office 365 users. It does not matter your company size, industry, or location; you have data (or even money) that can be stolen or held for ransom.

We’re joined today by Microsoft superstar Kevin Martins to discuss this topic. Kevin is a Partner Technical Architect at Microsoft and an all-around stud!

Kevin, thank you for joining us today.

Kevin: Thanks Adam, that’s quite the introduction. Let’s get started.

Question One: Using Data to Examine the Threat Landscape

Adam: So Kevin, tell me more about what Microsoft is seeing today with these attacks.

Kevin: So first of all, thank you for highlighting that this is not just a Microsoft problem as that is so true. All types of cloud identities are under attack from the account you use for work to the account you sign into your bank with. You name it, and the service is under attack. I see logs all of the time that show that.

Microsoft spoke at Ignite 2019 about the types and level of attacks they see. Now remember that Microsoft has over 200 products and services that it must keep secured. For example, in December 2019 there were over 1.2 billion Windows devices, over 1 billion Azure user accounts, and over 65 million Xbox accounts. That comes out to 630 billion monthly authentications and so much more.

There’s a lot of telemetry coming in from all of these different types of services. All of this equates into over 8 trillion signals every day that Microsoft analyzes. The artificial intelligence in place enables them to understand a good logon vs. a malicious attempt as they continuously learn about evolving attacks. This data is analyzed and deployed across Microsoft’s Intelligent Security Graph to help secure all of these 200+ services.

And how do most of these users log in? With just a simple username and password. Again, not just with their Microsoft accounts, but with all of their user accounts. This is nothing in the eyes of the attacker. To properly secure identity accounts, MFA must be enabled.

Question Two: Real-World Identity Attacks

Kevin: One problem with implementing MFA is many companies think that this won’t happen to them. What are some real-world examples PEI has witnessed?

Adam: We’ve got a couple examples of really relatable ways that businesses are getting attacked. One of the most common methods we see is through email phishing. Malicious actors can send emails that look like they’re coming from Microsoft or another trusted entity you’re using for sign on.

Your users click on these emails and think they’re logging into their Office 365 account when really they’re sending their account information directly to the hackers.

Example 1: Email Phishing Identity Attack Causes $100K Loss

We spoke to an organization who had this experience with an employee in accounts payable. The hacker was able to log into her email account and send out a fake invoice. With access to the entire Office 365 account, the malicious party had all they needed to make the invoice and the email appear legitimate. The breach was not discovered until a significant amount of money had been wired to the hackers.

Example 2: Wireless Hijacking Closes a Business

In other cases, we’ve seen users connect to public wifi networks at airports, coffee shops, or other public spaces so they can catch up on work emails. These wifi networks may be named something that sounds legitimate to users, but actually it’s a malicious group who has set up that wifi to steal passwords and usernames as they travel across the network.

In one specific example of this, an attacker got into a user’s Office 365 account and emailed all of his contacts a fake PDF containing malware. This was a business owner who then lost his business due to his loss of reputation.

Kevin: Wow Adam, those are some pretty severe consequences for attacks that could have been stopped relatively easily with a correctly configured MFA policy.

Question Three: Is Multi-Factor Authentication Effective at Securing Accounts?

Adam: That’s right Kevin. Let’s talk about the impact of enabling MFA. Does it really help to secure users’ accounts?

Kevin: Great question. Me being from Microsoft, I don’t want you to just take my word for it.

Let’s talk about a ZDNet article published on August 27, 2019; in that article, both Microsoft and Google said that enabling Multi-Factor Authentication (MFA) will eliminate 99.9% of account breaches. Nothing is 100% in this world, but that’s pretty close.

That advice is coming from companies who host billions of accounts and are the most-attacked platforms in the world. A recommendation like this should not be taken lightly. With MFA being included in Office 365 and so many flexible options available to use MFA, there really is no excuse why MFA is not yet enabled on all user accounts.

Question Four: Which Users Should Have MFA Enabled?

Adam: Having MFA for administrators is a no-brainer; they have total access to your Office 365 portal. But, can you go into a bit of detail about why it is important to have MFA for not only admins, but all end-user accounts?

Kevin: Sure, so MFA for all user accounts is just so important. Attackers are going to attack all different types of accounts, because once they have one, now they’re in and they can move laterally to attack other accounts.

Let’s say I’m an attacker and I attack a receptionist’s account. That person does not generally have any purchasing capabilities or approving capabilities. But, if I’m the attacker and I get in, now I have access to the global address list of everyone else in that company. I can figure out who I need to go after next. That might be the CFO of the company, or some other team or specific person in accounts payable. I can start to move around to attack them in the same way.

If I got in one way, I can get in the same way with a different account, which is the one I’m after.

Question Five: The End-User Experience

Adam: Those are some great examples, but let’s talk about the end-user experience.

We constantly get clients who are concerned about MFA becoming a roadblock for their employees. After implementing it across their organization, what will an end user see when they log onto their account the next day?

Kevin: So you’re right, the end user experience here is so important. MFA must be easy to use and can’t be interpreted as a pain in the rear.

So Microsoft has designed their MFA to utilize multiple formats, giving the user flexibility to choose how they want to provide that second layer of authentication. I’m going to quickly show you several options you can use to authenticate within Office 365:

Method 1: Using Multi-Factor Authentication with Text Message

In this demonstration, we will use a text message for our two-factor authentication. We will start by going to the Office 365 portal. Here, we are prompted to log in as our test user.

We enter the password, and click on Sign In.

Now we wait for our text message to arrive. Within a second or two it arrives, and we now have our six-digit PIN.

We enter it into the code area, click on Verify, click on Yes to stay logged in, and now we’re fully logged into the Office 365 portal.

Method 2: Using Multi-Factor Authentication with Phone Call

Here we will use a telephone call for our two-factor authentication. Once again, we will log into portal.office.com. We will be prompted to enter the username. We enter our password.

And now we wait for our phone call.

Phone Audio: Thank you for using the Microsoft sign-in verification system. Please press the # key to finish the verification.

Kevin: We press the pound key.

Phone Audio: Your sign in was successfully verified. Goodbye.

Kevin: And now we’re fully logged in.

Method 3: Using Multi-Factor Authentication with the Microsoft Authenticator App

On an Android phone, we will use the Microsoft Authenticator App to approve our two-factor authentication request. Once again, we will start by going to portal.office.com and entering the username and password.

And now we receive our two-factor authentication request. We will approve it in the app.

Click Yes to stay logged on, and now we’re fully logged in.

Method 4: Using Multi-Factor Authentication with a Rotating PIN

Still on an Android phone, we will now use a rotating PIN displayed within the Microsoft Authenticator App to approve a two-factor authentication request.

Once again, we’ll start by going to portal.office.com. Enter our username, followed by the password.

Now we go into our Authenticator app, and we will see a rotating PIN. We enter it in, click on Verify, click on Yes to stay signed in, and now we’re fully logged in.

Question Six: Implementing MFA

Adam: That really is easy. That was less than five minutes, and you were able to log in with multi-factor authentication four different ways. This seems extremely user friendly.

Kevin: Exactly Adam. It really is. I use it every day. And most importantly, it would have stopped the attacks for both of the examples you mentioned before. Even if those users fall for those scams and their information is compromised, their username and password, MFA stops these malicious actors from taking that last step and getting into their accounts.

Though I need to highlight that while MFA is straightforward to implement, the impact of this should not be underestimated. Before you enable this in Office 365, do your research and work with a Microsoft Partner like PEI for their advice and assistance.

As an organization, you may only do this once, but Partners who specialize in this area do it all the time and know the proper steps to follow for a smooth implementation. Things like a pilot, proper user communication, training, making sure users understand why this is being done to avoid resistance, and more things like this come to mind that need to be taken into account for a project like this.

MFA Conditional Access Policies

You also do not want users to be prompted for MFA all of the time, for example, while they are logging in from a company office behind a firewall or from a company managed device—those are on trusted networks and on trusted devices where MFA is not typically needed. The flexibility of these conditional access policies, as we call them, is built right into Office 365.

So Adam, as you can see, the user experience for MFA is not painful at all. In fact, it will give users an extra sense of the security measures their employer is taking to protect everyone, while at the same time making a tremendous increase to its own cyber security posture.

Question Seven: What is Next?

Kevin: I think we’ve given everyone a lot to think about regarding why MFA is so important and how painless it is to use, but also why they should consider some additional help in their planning and implementation.

What’s the next step our viewers can take to learn more about MFA and the implementation process?

Free Security Assessment

Adam: For those interested in MFA, we offer a free security assessment, where we explain the threat landscape, examine your risk, and discuss how MFA would work in your environment.

We also examine issues we’ve seen during implementation.

The point of MFA is to be easy but at the same time, make sure you are secure.

On behalf of Kevin and myself, thank you so much for listening. Tune in next time for another one of our Tech Talks. And we’ll see you out there.