No two-factor authentication is like asking to be hacked?

I am a firm believer with using two-actor authentication (2FA) with important business apps but what happens when you don’t? When you adopt cloud services such as Salesforce or Office 365, is not using two-factor authentication tantamount to inviting hackers to have a go?

If the company you worked for wouldn’t properly protect their cloud-based apps, what would you do?

See my more recent post as well - 'Use Two-Factor Authentication for cloud applications or risk fines and data breaches' for more commentary.

More...

You might think two-factor authentication is a given, especially with cloud apps that can be accessed from anywhere. This isn’t the case, certainly in my environment, I haven’t been able to convince the right people to adopt this as a must.

Relying on passwords - a case-study

In our conventional, increasingly irrelevant, on-prem remote access system we use two-factor authentication.  It's seen though as a hindrance and something that just gets in the way.  These same stereotypes are why 2FA has been rejected for our cloud apps primarily Office 365 and Dynamics CRM.

To give you a bit of background, as an organization, we respond to millions of requests for help from members of the public. Much of their personal information we collect, often with intimate details of their circumstances ends up in our cloud based CRM system. This is only protected by passwords alone, with no other measures to protect access.

Even with the best, strongest password in the world if your home PC is compromised, you use public Wi-Fi or use shared computers etc., this won’t help in the slightest.  Passwords are easily intercepted and cloud systems encourage staff to work from all sorts of places, making this more likely.

Security in an insecure world

One of these scenarios is laid out by the ICO, I don’t think anyone could argue this isn’t a possible, if not a likely situation:​

An organisation has implemented a cloud-based email service for its employees. Employees can access this account from the office, from personal computers at home and through mobile devices such as smartphones and tablets.
An employee accessed the email service from a personal computer at home. The PC had no security protection in place and was infected with key- logging malware. The employee’s username and password were captured and transmitted to the malware author who was then able to gain unauthorised access to the email account, the contents of which contained personal data of the organisation’s clients.​
This breach of personal data occurred because the data controller did not ensure that the IT its employees used to access its system was adequately protected

From 'Guidance on the use of cloud computing'

I’d go further and say rather than the PC having no security protection in place in this example, it might have out of date or expired AV.  What about an old OS such as Windows XP or an old browser like IE 10, all very susceptible to attack. 

Microsoft couldn't make Two-Factor authentication any easier

Two-factor authentication, or as Microsoft call it, Multi-Factor Authentication (MFA) isn’t a panacea but it considerably bolsters security. This would mitigate the example above to a large extent. Employees need something they have (mobile phone, work phone, authenticator app) , as well as something they know (password) to login.

Multi-Factor Authentication is provided free with Office 365​ as per these details.  MFA is built into Office 2013 and 2016, as well as most of the mobile apps like Outlook, Office, OneDrive for Business, with support for what Microsoft call Modern Authentication.  The is much better than app passwords that were previously were needed.

Azure Multi-Factor Authentication

There is an even better version of MFA included with Azure Active Directory Premium.  This page has the details - What is Azure Multi-Factor Authentication? Azure Multi-Factor Authentication includes some nice extra features like fraud alerts, reports and one-time bypass.  There is even support to protect on premise systems with the MFA server. 

It gets even better, if you have Azure Active Directory Premium, you can protect all you cloud (SaaS) apps, not just the Microsoft apps.  You can add MFA for example to Salesforce, controlling MFA with conditional access, as shown below.  ​

Two factor authentication MFA Salesforce

Microsoft support a good couple of thousand apps, many supporting single-sign on and lots more.  This all integrates with the Office 365 app launcher and offers a one stop shop for all your apps through the 'My Apps' portal.

MFA - The way forward​

With it being #DataPrivacyDay, I thought this was a good time to post this.  I'll continue trying to persuade the powers that be that we can do more to protect the data that public entrusts with us.  The technology is there, we just have to start using it! I hope you have better luck with getting your company, business or organization to use MFA if your an Office 365 customer.