Brown’s Bytes – Not all Multi-Factor Authentication is created equal…
Welcome to Brown’s Bytes! Your weekly insight from Mobliciti’s CTO Andy Brown. Follow #brownsbytes
15th June 2018
This week we’ve been putting the finishing touches to a webinar we will be hosting about protecting Office 365 and how even two-factor isn’t enough.
It’s an interesting area where we feel there is a significant risk.
For a while now we’ve been banging the drum about static username and password not being enough. Amazingly many Office 365 customers still use this. That’s the crown jewels of company information made open to the internet (and therefore attackers) being protected with a piece of information that is pretty easily compromised in many cases. If you’re still in this camp you really need to watch our webinar.
Nowadays, most people I meet are agreeing that this isn’t good enough. Our messaging about using Multi-Factor Authentication (MFA) to protect this data is therefore met with many nodding heads.
However, the next piece is interesting. When looking to solve an issue it makes sense to first look at solutions you may already have in place and then to look at solutions you may have already bought through bundling with existing software agreements. This is clearly common sense – why buy something new when you may have already bought something already… even I can’t argue with that!
Often the Enterprise Licence Agreement (ELA) from Microsoft is often a good place to start. Navigating the bundles and deals of a Microsoft ELA is a black art that I am sure many readers will have a wry smile about. It is a precision exercise in making sure you can’t buy exactly what you want! I’ll save that for another day…
So, you need an MFA solution… and Bingo! You’ve got something already in your ELA… and it’s from Microsoft and should therefore be perfect for protecting Office 365. Or maybe the built in Office 365 MFA is good enough?
Seems logical… but here’s the rub… only if you believe all MFA is created equal.
Simply put, that just isn’t the case…
I’m not here to bash the Microsoft product. It is a hell of a lot better than a static username and password. It just isn’t anywhere near what can be achieved with something like SecureAuth – there is a good reason why companies that take Cloud Security seriously choose to buy it.