Top Office 365 MFA considerations for administrators
A complex password only goes so far to stop a breach. Implementing multifactor authentication can help, but make sure the product you select fits your current and future needs.
With the rise in data breach incidents reported by companies of all sizes, it doesn't take much effort to find a cache of leaked passwords that can be used to gain unauthorized access to email or another online service.
Administrators can make users produce complex passwords and change them frequently to ensure they set a different password for different applications or systems. It's a helpful way to keep hackers from guessing a login, but it's a practice that can backfire. Many users struggle with memorizing password variations, which tends to lead to one complex password used across multiple systems. Industrious hackers who find a password dump can assume some end users will use the same password -- or a variation of it -- across multiple workloads online to make it easier to pry their way into other systems.
IT departments in the enterprise realize that unless they implement specific password policies and enforce them, their systems may be at risk of a hack attempt. To mitigate these risks, many administrators will try multifactor authentication (MFA) products to address some of the identity concerns. MFA is the technology that adds another layer of authentication after users enter their password to confirm their identity, such as a biometric verification or a code sent via text to their phone. An organization that has moved its collaboration workloads to Microsoft's cloud has a few Office 365 MFA options.
When considering an MFA product, IT administrators must consider several key areas, especially when some of the services they may subscribe to, such as Microsoft Azure and Office 365, include MFA functionality from Microsoft. Depending on the level of functionality needed and services covered by MFA, IT administrators might consider selecting a third-party vendor, even when that choice will require more configuration work with Active Directory and cloud services. IT workers unfamiliar with MFA technology can look over the following areas to help with the selection process.
Choosing the right authentication options for end users
IT administrators must investigate what will work best for their end users because there are several options to choose from when it comes to MFA. Some products use phone calls for confirmation, codes sent via text messaging, key fobs, an authenticator app and even facial recognition. Depending on what the consensus is in the organization, the IT decision-makers have to work through the evaluation process to make sure the vendor supports the option they want.
Identifying which MFA product supports cloud workloads
More organizations have adopted some cloud service, such as Office 365, Azure, AWS and other public clouds. The MFA product must adapt to the needs of the organization as it adds more cloud services. While Microsoft offers its own MFA technology that works with Office 365, other vendors such as Duo Security -- owned by Cisco -- and Okta support Office 365 MFA for companies that want to use a third-party product.
Potential problems that can affect Office 365 MFA users
Using Office 365 MFA helps improve security, but there is potential for trouble that blocks access for end users. This can happen when a phone used for SMS confirmation breaks or is out of the user's possession. Users might not gain access to the system or the services they need until they recover their device or change their MFA configuration.
Another possible problem with the authentication process can happen on the other end: if the MFA product goes down, it blocks access for everyone who has enabled MFA. IT needs to discuss these possibilities before implementing Office 365 MFA and plan the appropriate steps to take if these issues arise.
Evaluate the overall costs and features related to MFA
For the most part, MFA products are subscription-based and charge a monthly fee per user. Some vendors, such as Microsoft, bundle MFA with self-service identity, access management, access reporting and self-service group management. Third-party vendors might offer different MFA features; as one example, Duo Security includes self-enrollment and management, user risk assessment with phishing simulation, and device access monitoring and identification with its MFA product.
Single sign-on, identity management and identity monitoring are all valuable features that, if included with an MFA offering, are worth considering when it's time to narrow the vendor list.