sbradley
Contributing Writer

Top considerations when choosing a multi-factor authentication solution

Feature
Oct 12, 2022 | 5 mins
Authentication, Multi-factor Authentication

Choosing the right MFA solution for a Microsoft environment that covers all authentication needs will reduce stress on your IT admins and help desk.

Passwords clearly are not enough to protect networks. Any security guidance will tell you that multi-factor authentication (MFA) is a key method to keep attackers out. But what type of MFA should your firm deploy? Choosing multi-factor tokens and tools depends on your firm, your needs, and how attackers are likely to target your firm. Planning ahead will minimize deployment and migration issues when new tokens or new phones are issued.

These are the most important considerations when choosing an MFA solution.

Know what the MFA solution will and will not protect

You have several decisions to make when deciding what MFA tool to use. First, review how the tool protects your network. Adding MFA to existing on-premises applications often does not fully protect your organization from some attacks. A case in point is the recent Exchange Server zero-day attack, where MFA did not protect the servers. At least one victim used on-premises Exchange Server with a third-party MFA application. While it protected parts of the authentication process, it did not protect Outlook Web Access (OWA), which uses basic authentication. Because MFA didn’t protect that part of the site, the attackers could go around MFA and attack the servers. Consider exactly what the MFA solution you choose protects, then review what authentication processes are still exposed.

MFA deployment, migration, and upgradability

Deployment, migration, and upgradability of multi-factor tokens are another point to consider. Depending on the size of your firm, you may deploy multi-factor tokens or choose to enable authentication applications on phones. Depending on your firm’s policies, you might deploy authentication applications on firm-provided devices or provide deployment information to staff using personal devices. If personal devices are used, you may need to reimburse for business use depending on local laws and regulations.

Deployment to these devices and managing replacement of phones can be a monumental task. Depending on the authentication application, accounts either migrate easily or must be backed up to backup locations that the firm does not control.

A case in point is the redeployment of authentication applications. Some authentication applications make it easy to export and import to a new phone. Others are more of a process and may need to be redeployed. Ensure that your help desk is fully informed and has tested the migration process on business and personal phones. When new phone models come out, your staff should know what support you will provide for migration. You may wish to set boundaries for updating to new phone models to ensure that your users don’t overwhelm the help desk. Supporting phones often takes more time, as well as specialized remote tools that allow the help desk to review the phone screen but not remotely control the devices.

Prepare documentation to properly deploy and migrate authentication applications across phone platforms. While you can easily find instructions on the web to assist in migration, make sure that your help desk has instructions for your authentication needs.

Do not wipe a device without ensuring the information you need has migrated to the replacement phone. When migrating to a new phone, you may have to redeploy the MFA application. For example, if you use push notifications on the phones, this style of credential must be recreated because it is tied to the device hardware and cannot be migrated or exported. Push MFA or passwordless deployments will need to be redeployed for the same reason. The Microsoft authentication application, for example, is hit or miss when it comes to successfully restoring it to a replacement iPhone. In one instance, the application restored without a hitch. In another, the accounts had to be revalidated, depending on whether the devices set for push notifications are tied to the device. Other vendors such as Google Authenticator have an import/export function.

Trade-offs of using hardware tokens vs phone for authentication

You may instead decide to deploy tokens or keyfobs. While these solutions can be less budget friendly, there is less need to migrate. Tokens come with additional overhead as they will not always be with the user, whereas cell phones tend to be always with them. Tokens and keyfobs may take more getting used to, and you need to consider battery replacement and other deployment needs.

Microsoft-specific options

With Microsoft multi-factor needs, you have several options starting with Microsoft Authenticator. If most of your staff has Android or Apple phones, Microsoft Authenticator is a cost-effective solution that you can quickly deploy. Even if you do not upgrade to an Azure P1 license (or have a Microsoft license that includes it), you should be able to use the Authenticator app as a second factor for Azure AD Global Administrator accounts.

Review what method of MFA application you are using by logging into the Microsoft Azure admin portal and navigating to Security > Authentication Methods. Passwordless options include Windows Hello for Business, Microsoft Authenticator, and FIDO2 security keys. You can use FIDO2 security keys from other vendors. You can often use FIDO2 keys with other applications that mandate MFA, both to protect Microsoft applications and to provide a second authentication factor for password management tools, remote access, and other needs.
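An added example, not from the original article: a help-desk check to run before a phone is wiped, building on the points above about device-bound push credentials and reviewing registered authentication methods. It assumes a JSON export shaped like Microsoft Graph's userRegistrationDetails report (fields userPrincipalName, isAdmin, isMfaRegistered, methodsRegistered); the sample users and the migration categories are constructed for illustration.

```python
import json

# Assumption (added here): how each methodsRegistered value behaves when a
# phone is replaced. Push and passwordless sign-in are tied to the device;
# whether a software OTP seed can be exported depends on the authenticator app.
DEVICE_BOUND = {"microsoftAuthenticatorPush", "microsoftAuthenticatorPasswordless"}
APP_DEPENDENT = {"softwareOneTimePasscode"}

ENROLL = "no MFA registered: enroll first"
REREGISTER = "re-register push/passwordless on the new phone"
MOVE_OTP = "export or re-enroll the OTP seed (test per app)"
KEEP_OLD = "old phone is the only factor: do not wipe until the new one is verified"

# Constructed sample export (not real users).
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "alice@example.test", "isAdmin": True,
     "isMfaRegistered": True, "methodsRegistered": ["microsoftAuthenticatorPush"]},
    {"userPrincipalName": "bob@example.test", "isAdmin": False,
     "isMfaRegistered": True,
     "methodsRegistered": ["softwareOneTimePasscode", "fido2SecurityKey"]},
    {"userPrincipalName": "carol@example.test", "isAdmin": False,
     "isMfaRegistered": False, "methodsRegistered": []},
    {"userPrincipalName": "dave@example.test", "isAdmin": True,
     "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
])

def plan_phone_migration(export_json):
    """Return {userPrincipalName: [actions]} for the help desk."""
    plan = {}
    for user in json.loads(export_json):
        methods = set(user.get("methodsRegistered") or [])
        actions = []
        if not user.get("isMfaRegistered"):
            actions.append(ENROLL)
        if methods & DEVICE_BOUND:
            actions.append(REREGISTER)
        if methods & APP_DEPENDENT:
            actions.append(MOVE_OTP)
        # Every registered method lives on the phone: wiping it locks the user out.
        if methods and methods <= DEVICE_BOUND | APP_DEPENDENT:
            actions.append(KEEP_OLD)
        plan[user["userPrincipalName"]] = actions
    return plan

def admins_at_risk(export_json):
    """Admins who would be locked out if the old phone were wiped today."""
    plan = plan_phone_migration(export_json)
    return sorted(u["userPrincipalName"] for u in json.loads(export_json)
                  if u.get("isAdmin") and KEEP_OLD in plan[u["userPrincipalName"]])
```

Users with an empty action list (none in this sample) need no phone-side work; `admins_at_risk` gives the accounts to handle first.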

Cloud authentication requirements

You often can’t standardize on just one authentication application for cloud services. Cloud services might align themselves with one authentication application. Administrators typically find that they need a variety of MFA tools including authentication applications (Microsoft, Authy, Google Authenticator) as well as applications such as Duo.com and hardware tokens. Plan ahead to ensure that the authentication method meets your regulatory requirements and specifications such as NIST mandates and can be managed through your help desk.  

MFA should be a mandate in your organization, but how it’s deployed and maintained can either help your help desk or place a greater burden on them. Plan ahead to choose an option that is easier to manage, won’t cause more issues when upgrading, and meets the needs of the organization.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
