Secure Your Accounts: Does MFA Need Approved Authenticators?
By Tom Seest
At BestCybersecurityNews, we help entrepreneurs, solopreneurs, young learners, and seniors learn more about cybersecurity.
MFA (Multi-Factor Authentication) can provide your organization with an additional layer of defense against cybercriminals. Users who need access can verify their identity using factors like one-time passwords (OTPs) and Duo security codes before being permitted into an app.
Be aware that MFA configurations support only approved authenticator devices. For instance, an OATH hardware token cannot be activated until it has been verified to work with your Azure AD account.
MFA lets users combine their standard login credentials with an additional verification factor, such as email, SMS, or a time-based one-time password (TOTP) token, each time they log in. You can configure MFA globally or for users in specific roles.
MFA adds a layer of security by requiring users to verify their identity with more than a username and password, which helps ward off attacks that could compromise personal data or gain entry to an organization's data.
To meet your business requirements, Auth0 offers a range of MFA verification factors to choose from for additional protection: one-time passwords (OTP), email, SMS, mobile apps, and voice authentication. Contextual MFA can also be set up so that conditions such as geographic location or device type trigger additional authentication challenges.
MFA can be deployed efficiently for customers and employees alike: when users access your company network from outside devices, they are automatically prompted for MFA. This approach reduces both the cost and the complexity of deployment.
Additionally, you can set up one multi-factor authenticator to protect all Microsoft 365 accounts; this way, your customers' devices remain safe even if they lose their phone or lock themselves out of their account.
Create recovery codes that your users can use to regain site access after being locked out of their Microsoft accounts. Since each code can be used only once, make sure a copy is stored in a location that is both safe and easy to retrieve.
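The recovery-code handling described above, shown as an added example that is not code from the original post or from Microsoft or Auth0: codes are generated once, the server keeps only salted hashes, and each code is accepted exactly once. The code format (four groups of four hex characters) and the `RecoveryCodeStore` class are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional


def generate_recovery_codes(count: int = 10, nbytes: int = 8) -> List[str]:
    """Return `count` random one-use codes formatted as xxxx-xxxx-xxxx-xxxx."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(nbytes)  # 16 hex chars = 64 bits of entropy
        codes.append("-".join(raw[i:i + 4] for i in range(0, len(raw), 4)))
    return codes


def normalize(code: str) -> str:
    """Accept the code however the user typed it: case and dashes are ignored."""
    return code.strip().lower().replace("-", "")


class RecoveryCodeStore:
    """Server-side store that keeps only salted hashes; each code redeems once."""

    def __init__(self, codes: List[str], salt: Optional[bytes] = None):
        # A per-user salt keeps identical codes for different users from hashing alike.
        self.salt = salt or secrets.token_bytes(16)
        self._unused = {self._digest(c) for c in codes}

    def _digest(self, code: str) -> bytes:
        return hashlib.sha256(self.salt + normalize(code).encode()).digest()

    def redeem(self, code: str) -> bool:
        """Consume `code` if it is valid and unused.

        Every stored hash is compared in constant time and the loop never breaks
        early, so response timing does not reveal whether a code matched."""
        candidate = self._digest(code)
        matched = None
        for stored in self._unused:
            if hmac.compare_digest(stored, candidate):
                matched = stored
        if matched is None:
            return False
        self._unused.remove(matched)  # one-use: the code is gone after a hit
        return True

    def remaining(self) -> int:
        """How many unused codes the user still has (useful for a 'regenerate' warning)."""
        return len(self._unused)


if __name__ == "__main__":
    # Constructed demo values; in production the salt is stored with the user record.
    demo_codes = generate_recovery_codes()
    store = RecoveryCodeStore(demo_codes, salt=b"constructed-demo-salt")
    print("Show these to the user once:", demo_codes)
    print("first redeem:", store.redeem(demo_codes[0]))    # True
    print("replayed redeem:", store.redeem(demo_codes[0]))  # False
    print("codes left:", store.remaining())                 # 9
```

The plaintext codes are shown to the user once, at generation time; after that only the hashes exist server-side, which is why the post tells you to keep your own copy somewhere safe.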
The Auth0 platform is an ideal choice for Microsoft 365 customers looking to provide the highest possible protection to their users, but if your company needs to secure multiple devices at once, it may make more sense to utilize an Identity as a Service (IDaaS) solution like OneLogin instead. IDaaS solutions typically feature strong authentication methods and work seamlessly with various third-party applications.
Configuring MFA with Azure Active Directory often raises one question: Will MFA configurations only support approved authenticators? Fortunately, the answer is “yes.”
MFA supports multiple authentication methods on your site, letting you choose which ones to use. Options include TOTPs (time-based one-time passwords) or SSH keys combined with TOTP secret keys.
Although these are the most secure options available today, they can complicate management if one or more factors become unavailable. With TOTP, for instance, it is crucial not to lose the secret key, because it is what allows the account to be accessed even when the current verification code is not known.
One alternative approach is to configure multiple independent authenticators linked to one Microsoft 365 account that can each be managed independently; however, this may reduce security as each time users log in, they must provide a unique MFA PIN code instead of simply using their Microsoft Authenticator app.
Administrators typically enable MFA through their identity management solution or SSO IdP so that users are authenticated before signing in to their sites. If you don't use an SSO IdP, MFA can also be set up manually with PAM modules on servers, which provide multi-factor methods such as time-based one-time passwords, SSH keys, or TOTP tokens.
Once enabled, whenever a user tries to log in to an Office 365 tenant, they are presented with the authentication methods configured for their role in your environment. When they select one, it is added to their profile in the MFA configuration.
Once this step has been taken, any user attempting to log in will encounter a pop-up window similar to the one shown below. It displays all authenticator apps associated with their Microsoft 365 account, including any that were set up as duplicate or standalone authenticators.
As soon as a user attempts to use an authenticator, the MFA configuration offers the option to enable push notifications for that authentication method and sends an email to their address when the login succeeds.
On the Configure tab of an authentication method policy, you can also specify that only users in certain roles may use it, ensuring that only people who meet the criteria can use that authenticator and leaving others out.
Your identity management solution also gives you control over when users should or shouldn't enroll in MFA. For instance, a self-service portal could force users to enroll when they log in; MFA is enabled automatically once they complete that process successfully.
To stop users from automatically enrolling in MFA, create a policy set that prohibits this action by visiting Core Services > Policies and creating one named MFA.
Please share this post with your friends, family, or business associates who may encounter cybersecurity attacks.