What You Need to Know About Multi-Factor Authentication (MFA) and Misconfiguration

Ben Potaracke
1 min read
Apr 18, 2023 3:36:28 PM

What is MFA?

MFA is a security enhancement that requires you to present two pieces of evidence when logging into an account. Sometimes it’s also referred to as two-factor authentication. The credentials fall into these three categories – something you know (like a password or PIN), something you have (like a smart card or verification app), or something you are (like a fingerprint). To be considered MFA, the credentials must come from two different categories.

Why is MFA important?

MFA adds an additional layer of security, making it harder for bad guys to impersonate someone. Information is safer because thieves would need to steal two different credentials to gain access. It’s one of the best things companies can do to protect their security. When organizations deploy MFA on all remote access points, they can significantly reduce the likelihood of an attacker successfully using stolen credentials to compromise a network.

What happens when MFA is misconfigured?

While MFA is one of the best things businesses can do to improve their security posture, improper configuration can cause MFA to fail and give attackers an opening. Here are a few examples:

  • Relying on legacy MFA alone leaves businesses vulnerable, as it’s the least secure approach to implementing MFA for Microsoft 365. Block all Basic Authentication, including IMAP, POP3, SMTP, and other clients that do not use Modern Authentication, because those clients sign in with only a username and password and cannot complete an MFA prompt.
  • Failure to configure MFA for all instances in an enterprise leaves an opportunity for attackers.
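As an added illustration (not part of the original article), the script below checks an exported sign-in log for both gaps listed above: successful sign-ins over Basic Authentication clients, and accounts that never completed MFA. The field names and client labels are assumptions modelled on a Microsoft Entra sign-in log export, and the sample records are constructed.

```python
import json
from collections import defaultdict

# Client labels treated as Basic/legacy authentication (assumed values,
# modelled on the "clientAppUsed" field of a sign-in log export).
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Other clients"}

# Constructed sample records, one JSON object per line.
SAMPLE_LOG = """\
{"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@example.com", "clientAppUsed": "Browser", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "dave@example.com", "clientAppUsed": "POP3", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 53003}}
{"userPrincipalName": "svc-scan@example.com", "clientAppUsed": "Authenticated SMTP", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
"""

def audit(log_text):
    """Return (legacy_hits, users_without_mfa) from successful sign-ins."""
    legacy_hits = []  # (user, client) pairs that got in over Basic Authentication
    seen = defaultdict(lambda: {"total": 0, "mfa": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # A non-zero error code means the sign-in failed or was blocked,
        # so it does not demonstrate a gap.
        if rec.get("status", {}).get("errorCode") != 0:
            continue
        user = rec["userPrincipalName"].lower()
        client = rec.get("clientAppUsed", "")
        if client in LEGACY_CLIENTS:
            legacy_hits.append((user, client))
        seen[user]["total"] += 1
        if rec.get("authenticationRequirement") == "multiFactorAuthentication":
            seen[user]["mfa"] += 1
    # Accounts whose every successful sign-in was single-factor.
    users_without_mfa = sorted(u for u, c in seen.items() if c["mfa"] == 0)
    return legacy_hits, users_without_mfa

if __name__ == "__main__":
    legacy, uncovered = audit(SAMPLE_LOG)
    for user, client in legacy:
        print(f"Basic Authentication still accepted: {user} via {client}")
    for user in uncovered:
        print(f"No MFA on any successful sign-in: {user}")
```

In the sample, bob completes MFA in the browser yet still signs in over IMAP with a password alone, which is why the legacy check is reported separately from the per-account coverage check.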

Create a strong security posture with MFA

It is still rare for an attacker to circumvent MFA, especially if it is configured correctly. Organizations can make it more difficult for them in several ways:

  • Overcome any hurdles to implementing MFA. Upgrade or replace legacy applications, disable protocols that might be causing compatibility issues with MFA, and implement MFA whenever possible.
  • Implement MFA on all supported devices, accounts, and applications. Think beyond VPN and webmail and include cloud-based applications, privileged accounts, and administrative portals like M365, Azure, or other third-party applications in your MFA plans.
  • Educate your employees. Teach them the importance of enabling optional MFA, alongside other cybersecurity education, so that it becomes a habit.

Still have MFA questions?

Contact our team of experts at Locknet Managed IT to help your organization with its multi-factor authentication configuration.
