It is useful to remember that you can overcome objections to change if you understand how that change makes people feel and if you work to make the change as positive (or least painful) as possible. Today I will talk about how you can tune Azure MFA to balance security and user experience.
The Kaseya Ransomware Attack Has Got People Thinking About Security
As news of the Kaseya ransomware attack came out, Chantal Forster, Executive Director of the Technology Association of Grantmakers (TAG) took a temperature check of the organization. She determined that TAG members wanted to know how they should respond. So, in her words, she “got the band back together.” In this case “the band” was part of the 2019 Cybersecurity Working Group. In short order she arranged for Charles Boname (Vancouver Community Foundation), Jonathan Mergy (The Mergy Organization), Katie Kiemann (Houston Endowment) and me to sit on a panel to answer the “what do I do” question.
During my part of the panel discussion, I talked about steps that IT managers should take now to protect themselves against ransomware attacks like the Kaseya attack. One of the steps I recommended was to implement multifactor authentication (MFA) for all members of the organization. In the breakout room after the panel, we had a great discussion about how exactly to implement MFA. We also discussed some of the obstacles to implementation. Audience members shared stories of MFA implementation challenges that they faced and how they met those challenges.
We talked about user resistance to MFA. I noted that I have frequently seen such resistance rooted in user experience concerns. Namely, how often would a user be asked to go through a two-step authentication process? Some users assumed that they would have to go through this process every time they logged in to the network. However, you can tune Azure MFA to lengthen or shorten the period during which a user is not asked for the second factor again. I will talk about how to do that in just a moment. But first, we should remember why it is so important to get MFA implemented in your organization.
Allow me to remind you why multifactor authentication (MFA) matters. The most common avenue for hackers to gain access to your network is through credential theft, usually because of phishing. An attacker might steal someone’s credentials. They might use a brute force tool to guess a user’s credentials. Or they might go to a breached account data set and buy a set of credentials. (And by credentials, I mean username and password.)
MFA makes these credential compromise attacks much more difficult. The attacker must present a second form of authentication to access the account. That second factor could be entering a code from a text message. Or it could be responding to a prompt from an authenticator app. Alternatively, responding to a phone call, or providing some biometric evidence could be required. Stealing or imitating this second authentication factor is much more difficult for hackers. As a result, most account login attacks fail if MFA is enabled. I will talk later about how to implement MFA in your organization.
Understand the Behavior of Azure MFA
Azure MFA has some wrinkles. First, Azure MFA capabilities differ across Azure AD Premium plans. So, which plan you have may make a difference in how you tune Azure MFA. Second, Azure MFA responds to devices differently, depending on whether they are recognized in Azure AD or not. Finally, the default setting for retaining MFA information can differ between browsers and Office client applications. These differences mean that the user can be prompted for MFA in some circumstances but not others. For instance, we found with a recent customer that the user was being prompted for both authentication factors at every login because they were using a browser in InPrivate mode to connect to Office 365. InPrivate browsing discards all cookies, so there was nothing to pass to the server indicating that this user had successfully logged in using MFA in the past.
How to Tune Azure MFA
As I said earlier, you can tune Azure MFA to shorten or lengthen the interval during which users will not be prompted for a second factor of authentication when they log into Office 365. By default, when you successfully log in to Azure Active Directory with your two authentication factors, Azure MFA will wait 90 days before it asks you to repeat that process. Meanwhile, Azure MFA will set a cookie in your browser to note that you have already provided a valid second factor of authentication. As long as you are logging into the service from the same endpoint, and using a browser that is not blocking cookies, Azure MFA will see that you have previously logged in successfully with two factors of authentication. In this case, it will not ask you to provide a second factor of authentication.
(One note: I imagine that Google 2-step authentication and DUO authentication can be tuned this way as well. However, I was unable to find sources online that would tell me how to tune either of these.)
Tune Azure MFA by enabling Azure AD security defaults or by creating Conditional Access policies. Use the security defaults if you want to “set and forget.” Security defaults will be your only option if you are using the free version of Azure AD (i.e., not Azure AD Premium Plan 1 or Plan 2). You can, for instance, use the security defaults to require all users to register for MFA.
If you have an Azure AD Premium subscription, you can use Conditional Access to configure Azure MFA. One benefit of using Conditional Access here is that you can support multiple second-factor authentication methods. With the free version of Azure AD, you are limited to using the Microsoft Authenticator app.
Take These MFA Implementation Steps
Here are my recommended steps for implementing MFA in your organization. With this method, you can tune Azure MFA as you go. This should result in a more positive user experience and faster adoption.
- Let people know that MFA is coming, and why. As was said in today’s panel, emphasize that IT, like other functions in the organization, has a responsibility for financial stewardship, which extends to enabling proper security controls. Meaning: it is not about the technology.
- Start by enabling MFA for your administrative users. These are the accounts hackers are most interested in anyway. Get some feedback, tune Azure MFA, and move forward.
- Roll out Azure MFA in increments. A small organization might do this user by user. A larger organization might enable Azure MFA for one group at a time. Again, tune Azure MFA before proceeding to the next group.
- Pick two authentication methods that you want to support for MFA. You can choose among receipt of a code via text message, use of an authenticator app, use of a hardware key, or receipt of a phone call. If you want to limit the number of authentication options after an initial rollout period, standardize on a single method. I prefer use of an authenticator app. But another good choice would be use of a FIDO hardware key. This is a USB device you plug into your computer that will provide the authentication token when asked.
Tune Azure MFA to Win Your Users Over
Tune Azure MFA settings as you go, with an eye toward eliminating as much user pain as possible. For instance, you could require MFA just for selected apps, or for specific login situations. It would also be wise to check that you have not set authentication policies that are inconsistent with each other. Azure MFA will enforce the most restrictive MFA policy. So, if you set a policy to require Azure MFA every 14 days, that is the policy that will be enforced, even if you have another policy to remember the user’s login forever.
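To make the “most restrictive policy wins” rule concrete, here is an added Python example (not code from the original post, and not Microsoft’s) that resolves the effective sign-in frequency for one user across several Conditional Access policies and flags any “remember forever” policy that a shorter interval elsewhere silently overrides. The policy dicts are constructed samples shaped like the Microsoft Graph conditionalAccessPolicy resource; that schema and the group name “finance” are assumptions.

```python
# Effective MFA re-prompt interval across several Conditional Access policies.
# Policy dicts are constructed samples shaped like the Microsoft Graph
# conditionalAccessPolicy resource (schema is an assumption, not a tenant export).
HOURS_PER = {"hours": 1, "days": 24}

POLICIES = [  # constructed samples, not from the original post
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "includeGroups": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
     "sessionControls": {"signInFrequency": {"isEnabled": True, "type": "days", "value": 14}}},
    {"displayName": "Remember finance staff forever", "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "includeGroups": ["finance"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
     "sessionControls": {"persistentBrowser": {"isEnabled": True, "mode": "always"}}},
    {"displayName": "Old 90-day policy", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "includeGroups": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
     "sessionControls": {"signInFrequency": {"isEnabled": True, "type": "days", "value": 90}}},
]

def policy_applies(policy, user, groups):
    """True when the policy is enforced and its user scope covers this user."""
    if policy["state"] != "enabled":  # disabled and report-only policies never bind
        return False
    scope = policy["conditions"]["users"]
    in_users = "All" in scope["includeUsers"] or user in scope["includeUsers"]
    return in_users or bool(set(groups) & set(scope["includeGroups"]))

def effective_frequency_hours(policies, user, groups):
    """Shortest sign-in frequency (hours) among in-scope MFA policies, or None
    when no policy bounds it: the most restrictive policy wins."""
    shortest = None
    for p in policies:
        if not policy_applies(p, user, groups) or "mfa" not in p["grantControls"]["builtInControls"]:
            continue
        freq = p.get("sessionControls", {}).get("signInFrequency")
        if freq and freq["isEnabled"]:
            hours = freq["value"] * HOURS_PER[freq["type"]]
            shortest = hours if shortest is None else min(shortest, hours)
    return shortest

def conflicting_policies(policies, user, groups):
    """Names of in-scope policies that promise a persistent ('remember forever')
    browser session but are overridden by a shorter sign-in frequency elsewhere."""
    if effective_frequency_hours(policies, user, groups) is None:
        return []
    return [p["displayName"] for p in policies if policy_applies(p, user, groups)
            and p.get("sessionControls", {}).get("persistentBrowser", {}).get("mode") == "always"]
```

Running it against the samples shows that a finance user is re-prompted every 14 days despite the “forever” policy, and that the report-only 90-day policy changes nothing.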
Azure MFA offers a rich set of options. Be sure to understand those options and tune Azure MFA to provide the level of security you want while minimizing the level of user inconvenience you create.