Multi-Factor Authentication: What Is It, Why Do You Need It & How To Set It Up?

Today we’ll be talking about one of the hottest topics in our industry: multi-factor authentication. This is frankly one of the most frequent requests we are getting from our customers. I’ll show you how to rescue your resources from the bad guys with a mobile app and how not to get erased completely from the internet in seconds!

First, what is multi-factor authentication? It’s an additional solution, which introduces the second factor to your login process other than your standard username and password.

Usually, it goes with an additional authentication code you need to provide after it is sent to you over SMS. Or more common it is a mobile application you are using to verify your login process.

Why use multi-factor authentication?

To be honest, we – as users – are bad on managing passwords and there are some bad guys good at getting access to them for their not-so-secret purposes. To help you get this example clearly, you should honestly answer one question – how many passwords are you are repeating between multiple services?

Every password is at risk. No joke.  And we all know that it might eventually either leak or be stolen if got slipped from one source and used somewhere else… In such case, MFA can stop it.

Is it a problem?

Time for a short story – one of the editors at Wired magazine, Mat Honan, had published an article. He used the same password every time he was logging into different services and apps helping him at work. And boom! His entire digital life was erased. Only because he had a chain of accounts connected and not protected with second authentication factor.

What if it was your admin account that has all access rights in your organization?

The typical series of questions we are receiving from our customers at Predica are: “How can I protect my admin accounts?”, “Can I protect my remote access or applications?”.

MFA is not the only answer, being only one of the whole variety of solutions we can deploy.

Alright! We know we have a problem – the password can be broken. And thus, we want to engage an additional protection level, don’t we?

The question is – what we can do now and how much effort it requires? The MFA solution can be implemented in many ways and with multiple products. But the easiest one to use and deploy will be the Azure MFA – provided by Microsoft.

What is Azure MFA?

Azure MFA is a service hosted in Azure cloud that allows you to combine it with several options like one-time password codes, mobile authenticator applications or offline tokens.

One thing to notice here – it doesn’t mean that your accounts or data travel to Azure. If you want, you can keep all your data on-premises.

Let’s explore three options to protect our resources with Azure MFA:

  • On-line administrators’ accounts
  • On-line service user accounts
  • On-premises resources like VPN or remote access solutions.

Starting with on-line admins accounts. How can you use it to protect your administrators accounts for Office 365 or Azure?

Not everyone knows, but for admin for admin accounts, Microsoft provides MFA for free. If you are Office 365 global admin or an Azure global admin, you can just enable this on your account and start right away.

How to enable MFA for Office 365 administrators?

  1. Go to Admin Center and select Active Users. From “More tasks” menu select Setup multi-factor authentication auth option.
  2. This will bring you to the second portal where you can enable MFA options for a particular user.
  3. Once it is enabled, when the user will log on again, it will be prompted to provide additional authentication.

How? It depends on user choice and our configuration. Our advice is to use authenticator mobile app as it is most secure, convenient and works off-line as well.

You can also enable multi-factor authentication for Azure admin users, taking similar steps.

  1. Go to Azure Active Directory portal and choose the Users section.
  2. When you select a user, you will get  “Manage multi-factor authentication” option available.
  3. Just click it, and it will bring you to the similar portal, where you can enable MFA service for Azure users.

So, we have protected our admin accounts in few minutes, and it is completely free.

For Office 365 and Azure AD standard users, the process is the same, and the only difference is that you need to have a license for MFA included in your plan or it might be purchased separately.

See the main differences between Office 365/Azure admin MFA and full Azure MFA

Multi-factor authentication – what’s with on-prem?

Now you may have a question. “This is great for on-line but the majority or my services are still on-premises, and I need an idea how to deal with it?”
The truth is you can use the same services and methods to provide an additional level of protection to your current VPN or other remote access features working on-premises.

  • Azure MFA allows you to create the MFA adapter and uses it with MFA on-premises server.
  • This server acts as a proxy for standard protocols like RADIUS or LDAP.
  • Next, when your VPN solution asks for an authentication, the user provides his credentials. But before those are verified, the MFA server triggers this additional authentication process to verify the user.

To enable this scenario, you need to have per-user licenses, or per-use Azure MFA instance created. Then you can configure your MFA server to import users from your local Active Directory and manage all options on-premises.

As you can see, this service is universal and provides multiple options to explore. Moreover, you can integrate it directly with your applications – there is an API provided for that.

Summary

In this video, I showed you how to use the MFA service from Microsoft to protect your admin and user accounts. Stay tuned for our latest blog updates for more handy details on how to set it up, what options do you have and how to use it in various scenarios.

Now I encourage you to think about your accounts and go and enable MFA for them. Seriously. Think about your personal accounts on services like Facebook, Twitter or Gmail. If you haven’t done it yet, now it is the time. Azure MFA supports them all – on all mobile platforms.

Anyway, that’s it for today – so if you want to get even more IT insights and solutions, stay in touch with us, we are posting every week. If you honestly found this tutorial helpful, go spread the love and share it on social media! Any questions or help needed? Just contact me through this link.

See you in the next episode! 🙂

 

Comments

See also

SharePoint Is Dead, Long Live SharePoint

< READ MORE >

Omada Enables Advanced Governance Control In Microsoft Azure

< READ MORE >

Crucial Questions To Ask Your Future SaaS Applications Provider

< READ MORE >

Get the latest!
LIKE US ON FACEBOOK

Watch now!
SUBSCRIBE US ON YOUTUBE

Our experience.
FOLLOW US ON LINKEDIN

What's new?
FOLLOW US ON INSTAGRAM