Choosing the right MFA solution for a Microsoft environment that covers all authentication needs will reduce stress on your IT admins and help desk. Credit: Free-Photos / Matejmo / Getty Images Passwords clearly are not enough to protect networks. Any security guidance will tell you that multi-factor authentication (MFA) is a key method to keep attackers out. But what type of MFA should your firm deploy? Choosing multi-factor tokens and tools depends on your firm, your needs, and how attackers are likely to target your firm. Planning ahead will minimize deployment and migration issues when new tokens or new phones are issued.These are the most important considerations when choosing an MFA solution.Know what the MFA solution will and will not protectYou have several decisions to make when deciding what MFA tool to use. First, review how the tool protects your network. Often when adding MFA to existing on-premises applications, it may not fully protect your organization from some attacks. Case in point is the recent Exchange Server zero-day attack. MFA in this situation did not protect servers. At least one victim used on-premises Exchange Server with a third-party MFA application. While it protected parts of the authentication process, it did not protect Outlook Web Access (OWA), which uses basic authentication. MFA didn’t protect that part of the site, so the attackers could go around MFA and attack the servers. Consider exactly what the MFA solution you choose protects, then review what authentication processes are still exposed.MFA deployment, migration, and upgradabilityDeployment, migration, and upgradability of multi-factor tokens are another point to consider. Depending on the size of your firm, you may deploy multi-factor tokens or choose to enable authentication applications on phones. Depending on your firm’s policies, you might deploy authentication applications on firm-provided devices or provide deployment information to staff using personal devices. If personal devices are used, you may need to reimburse for business use depending on local laws and regulations. Deployment to these devices and managing replacement of phones can be a monumental task. Depending on the authentication application, they either migrate easily or need backing up to non-firm-controlled backup locations.Case in point is the redeployment of authentication applications. Some authentication applications make it easy to export and import to a new phone. Others are more of a process and may need to be redeployed. Ensure that your help desk is fully informed and have tested the migration process on business and personal phones. When new phone models come out, your staff should know what supportability you will provide for migration. You may wish to set boundaries for updating to new phone models to ensure that your users don’t overwhelm the help desk. Providing support to phones often takes more time and specialized remote tools that allow the help desk to review the phone screen but not remotely control the devices. Prepare documentation to properly deploy and migrate authentication applications across phone platforms. While you can easily find instructions on the web to assist in migration, make sure that your help desk has instructions for your authentication needs.Do not wipe a device without ensuring the information you need has migrated to the replacement phone. When migrating to a new phone, you may have to redeploy the MFA application. For example, if you use push notifications on the phones, these style of credentials must be recreated as they are tied to the device hardware and cannot be migrated or exported. Push MFA or passwordless deployments will need to be redeployed due to it being tied to the phone device. The Microsoft authentication application, for example, is hit or miss when it came to successfully restoring it to a replacement iPhone. On one instance, the application restored without a hitch. In another, the accounts had to be revalidated depending on whether the devices set for push notifications are tied to the device. Other vendors such as Google Authenticator have an import/export function.Trade-offs of using hardware tokens vs phone for authenticationYou may instead decide to deploy tokens or keyfobs. While these solutions can be less budget friendly, there is less need to migrate. Tokens come with additional overhead as they will not always be with the user, whereas cell phones tend to be always with them. Tokens and keyfobs may take more getting used to, and you need to consider battery replacement and other deployment needs.Microsoft-specific optionsWith Microsoft multi-factor needs, you have several options starting with Microsoft Authenticator. If most of your staff has Android or Apple phones, Microsoft Authenticator is a cost-effective solution that you can quickly deploy. Even if you do not upgrade to an Azure P1 license (or have a Microsoft license that includes it), you should be able to use the Authenticator app as a second factor for Azure AD Global Administrator accounts.Review what method of MFA application you are using by logging into the Microsoft Azure admin portal and navigate to Security > Authentication Methods. Passwordless options range from using Windows Hello for Business, Microsoft Authenticator, and FIDO2 security keys. You can use FIDO2 security keys from other vendors. You can often use FIDO2 keys with other applications that mandate MFA to both protect Microsoft applications and to provide a second authentication factor for password management tools, remote access, and other needs.Cloud authentication requirementsYou often can’t standardize on just one authentication application for cloud services. Cloud services might align themselves with one authentication application. Administrators typically find that they need a variety of MFA tools including authentication applications (Microsoft, Authy, Google Authenticator) as well as applications such as Duo.com and hardware tokens. Plan ahead to ensure that the authentication method meets your regulatory requirements and specifications such as NIST mandates and can be managed through your help desk. MFA should be a mandate in your organization, but how it’s deployed and maintained can either help your help desk or place a greater burden on them. Plan ahead to choose an option that is easier to manage, won’t cause more issues when upgrading, and meets the needs of the organization. Related content news Apple patches info-stealing, zero day bugs in iPads and Macs The vulnerabilities that can allow the leaking of sensitive information and enable arbitrary code execution have had exploitations in the wild. By Shweta Sharma Dec 01, 2023 3 mins Zero-day vulnerability feature The CSO guide to top security conferences Tracking postponements, cancellations, and conferences gone virtual — CSO Online’s calendar of upcoming security conferences makes it easy to find the events that matter the most to you. By CSO Staff Dec 01, 2023 6 mins Technology Industry IT Skills Events news Conti-linked ransomware takes in $107 million in ransoms: Report A ransomware campaign linked to the ostensibly defunct Conti malware group has targeted mostly US businesses, in a costly series of attacks. By Jon Gold Nov 30, 2023 4 mins Ransomware news Okta confirms recent hack affected all customers within the affected system Contrary to its earlier analysis, Okta has confirmed that all of its customer support system users are affected by the recent security incident. By Shweta Sharma Nov 30, 2023 3 mins Data Breach Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe