by Andy Jonak
This past week, we held a seminar on Multi-Factor Authentication (MFA) and why firms would want to consider using it for their Office 365 environments. It was hosted by me and Vicom’s Infrastructure Architect, Dani Houpt. There were two parts to it: 1) why to use MFA and 2) how to implement MFA. I am going to talk this month about why to use it, and Dani will post his summary narrative from the webinar on how to implement MFA in a separate blog post. Why? There's so much to discuss around MFA that we feel it justifies two posts. So let’s get started.
What is MFA, and why use it? As we all know, MFA is quite simply more than one way to authenticate who you are. We've all used MFA in some way. Have a bank card and use an ATM? That's MFA where you use your card and PIN to get into your account. When you log in to your bank account online and you get a text with an authorization code, that is, of course, MFA. When you log in to a website or account with your password, and it asks you to enter your security question, again, that’s MFA. We’ve been using MFA for a long time and in many different ways, even if we don’t realize it. It's been a consumer-facing thing for quite a while. Then why haven’t we started using it more for our own internal back-end operations? A very good question.
Many of the firms that have customer-facing operations, such as banks, healthcare, Apple, etc., generally have MFA enabled—you've all seen it. Some have it because it’s the right thing to do and some because of compliance issues. The compliance part is critical. If you are an organization with customer-facing operations and do not do all you can to give people the ability to protect and secure their accounts (such as using MFA), then you can be held liable or, at the least, accountable if something happens.
For example, both PCI and HIPAA compliance require strong authentication, but what does that mean? Generally, it needs two out of these three strong authentication requirements: something that you know, something that you have, and something that you are. Something you know can be a password or security question. Something you have could be your phone, a secure card, token, or app. Something you are could be a fingerprint or face scan. You get the point.
While nothing is completely safe and secure, most people—probably upwards of 80 to 90%—believe that using MFA makes them feel more secure. However, that’s how they feel about using it, without knowing if it actually makes them secure. Larger enterprise firms are more likely to implement and use MFA than smaller firms, but that's not unusual when it comes to technology adoption overall. Yet just about all of us use MFA in our consumer solutions.
Most firms are starting to embrace MFA because it works and it helps them show the world that they are doing what—or some would say all, but that's not correct, as we always can do more—they can to keep themselves and their customers safe.
Many are Microsoft Office 365 customers that have MFA capabilities included in their subscriptions, but in many cases, it makes sense to implement an upgraded version of MFA that provides the additional capabilities needed. The point here is that most get a version with their subscription, so it's prudent, at the least, to look into it, but even better to implement it. Don't know how or are unclear as to what you have? Reach out to a trusted partner to help guide you.
Does MFA make sense? The answer is yes, it does, but the question is, does it make sense for you and your firm? If you are looking only at security, the overwhelming answer is a resounding yes. Most find that it’s also a bit of a culture change, as people will have to get used to the idea of, essentially, “logging in” twice. People don’t tend to like change in any IT process, but it is something that people will have to get over real quick, as being secure is much more valuable than convenience, though you’ll hear users disagree with that statement, I’m sure.
Do your research on MFA and see what you might have as part of the solutions you already have in place, such as Office 365. There are many MFA solutions out there that can accommodate anyone's price and needs. If you are using O365, I see it as a no-brainer to investigate, since you get a scaled-down version with your E3 or higher subscription but, as I mentioned earlier, you might need to invest in the upgraded version with more of the features you need. Not sure? Again, reach out to a partner for help. Your security is worth it.