Today we’ll be talking about one of the hottest topics in our industry: multi-factor authentication. This is frankly one of the most frequent requests we are getting from our customers. I’ll show you how to rescue your resources from the bad guys with a mobile app and how not to get erased completely from the internet in seconds!
But first, what is multi-factor authentication? It’s a solution which introduces the second factor to your login process other than your standard username and password.
Usually, it goes with an additional authentication code you need to provide after it is sent to you over SMS. Or more commonly, it is a mobile application you use to verify your login.
Why use multi-factor authentication?
To be honest, we – as users – are bad at managing passwords and there are some bad guys good at getting access to them for their not-so-secret purposes. To help you get this example clearly, you should honestly answer one question – how many passwords are you repeating between multiple services?
Every password is at risk. No joke. And we all know that it might eventually either leak or be stolen if it got slipped from one source and used somewhere else… In such case, MFA can stop it.
How to stop #hackers from accessing your account, even if they’ve stolen your #password? Watch @Predica tutorial on #mfa
Is it a problem?
Time for a short story – one of the editors at Wired magazine, Mat Honan, had published this article. He used the same password every time he was logging into different services and apps helping him at work. And boom! His entire digital life was erased. Only because he had a chain of accounts connected and not protected with second authentication factor.
What if it was your admin account that has all the access rights at your organization?
The typical series of questions we are receiving from our customers at Predica are: “How can I protect my admin accounts?”, “Can I protect my remote access or applications?”.
MFA is not the only answer, being only one of the whole variety of solutions we can deploy.
Alright! We know we have a problem – the password can be broken. And thus, we want to engage an additional protection level, don’t we?
The question is – what we can do now and how much effort does it require? The MFA solution can be implemented in many ways and with multiple products. But the easiest one to use and deploy is the Azure MFA – provided by Microsoft.
What is Azure MFA?
Azure MFA is a service hosted in Azure cloud that allows you to combine it with several options like one-time password codes, mobile authenticator applications or offline tokens.
One thing to notice here – it doesn’t mean that your accounts or data travel to Azure. If you want, you can keep all your data on-premises.
Let’s explore three options to protect our resources with Azure MFA:
- On-line administrators’ accounts
- On-line service user accounts
- On-premises resources like VPN or remote access solutions.
Starting with online admin accounts. How can you use it to protect your administrators’ accounts for Office 365 or Azure?
Not everyone knows this, but for admin accounts, Microsoft provides MFA for free. If you are an Office 365 global admin or an Azure global admin, you can just enable this on your account and start right away.
How to enable MFA for Office 365 administrators?
- Go to Admin Center and select Active Users. From the “More tasks” menu select Setup multi-factor authentication auth option.
- This will bring you to the second portal where you can enable MFA options for a particular user
- Once it is enabled, when the user logs on again, they will be prompted to provide additional authentication.
How? It depends on the user’s choice and our configuration. Our advice is to use the authenticator mobile app as it is the most secure, convenient and works offline as well.
You can also enable multi-factor authentication for Azure admin users, taking similar steps.
- Go to Azure Active Directory portal and choose the Users section
- When you select a user, you will get the “Manage multi-factor authentication” option
- Just click it, and it will bring you to the similar portal, where you can enable MFA service for Azure users.
So, we have protected our admin accounts in a few minutes, and it is completely free.
For Office 365 and Azure AD standard users, the process is the same, and the only difference is that you need to have a license for MFA included in your plan or it might be purchased separately.
Multi-factor authentication – what’s with on-prem?
Now you may have a question: “This is great for on-line, but the majority or my services are still on-premises, and I need an idea of how to deal with it?”
The truth is you can use the same services and methods to provide an additional level of protection to your current VPN or other remote access features working on-premises.
- Azure MFA allows you to create the MFA adapter and uses it with the MFA on-premises server
- This server acts as a proxy for standard protocols like RADIUS or LDAP
- Next, when your VPN solution asks for authentication, the user provides their credentials. But before those are verified, the MFA server triggers this additional authentication process to verify the user.
To enable this scenario, you need to have per-user licenses, or per-use Azure MFA instance created. Then you can configure your MFA server to import users from your local Active Directory and manage all options on-premises.
As you can see, this service is universal and provides multiple options to explore. Moreover, you can integrate it directly with your applications – there is an API provided for that.
In the video, I showed you how to use the MFA service from Microsoft to protect your admin and user accounts. Stay tuned for our latest blog updates for more handy details on how to set it up, what options do you have and how to use it in various scenarios.
Now I encourage you to think about your accounts and go and enable MFA for them. Seriously. Think about your personal accounts on services like Facebook, Twitter or Gmail. If you haven’t done it yet, now is the time. Azure MFA supports them all – on all mobile platforms.
Anyway, that’s it for today – so if you want to get even more IT insights and solutions, stay in touch with us, we post every week. If you honestly found this tutorial helpful, go spread the love and share it on social media! Any questions or help needed? Just contact me!
See you in the next episode! 🙂