Technology Support For San Diego Since 1996

Multifactor Authentication (MFA) is a widely recognized way to keep your business’ proprietary data safe and to stop attackers from impersonating you or other members of your organization. Because it is already a widely recognized and adopted standard, Microsoft’s decision to turn it on by force may not affect you all that much, especially since the move is aimed at people who administer cloud-based business accounts, not at every user. On the other hand, it’s a good reminder that MFA is the current best practice for secure authentication, and enabling it for everything you can is a good idea.

Today, we’ll talk a little bit about why Microsoft would take such a strong position, as well as share some tips on using an authenticator app, like Microsoft Authenticator.

The Gold Standard of Authentication

For most purposes, two-factor authentication (2FA) and multifactor authentication (MFA) are a really strong defense for your login credentials. The most common way to implement MFA involves sending you a cryptographic token shortly after you enter your login and password.

The security principles behind MFA are that three kinds of things can be used for authentication: something you know, something you have, or something you are. “Something you know,” for our purposes here, is your login and password. “Something that you are” would be biometrics, like a fingerprint (also more and more common in MFA these days), or an iris scan.

The “something you have” that is most commonly used is your smartphone. When you set up an authenticator app (DUO, Microsoft Authenticator, Google Authenticator, and others), behind the scenes, the app creates cryptographic key material specific to your device. I won’t go into much detail here, but cryptographic keys generated by your smartphone are a very strong way of producing unguessable authentication material. Computer scientists and mathematicians have put many years of work into ensuring that these keys aren’t easily cracked.

These MFA setups sometimes use a text message or email to send the token that you enter after your password is accepted. These are fairly safe, because while they can be attacked, it takes a fairly elaborate attack that involves redirecting your phone number to the attacker’s phone (in the case of text messages) or implies that someone has already hacked your email account (in the case of emails).

Another drawback of using email for MFA is that if your login to another website is your email address, then that is one piece of information an attacker doesn’t have to guess. For example, if my login to another vendor (besides my email provider) is derek@mydomain.com, then for someone to gain access to my account at the vendor, they need to gain access to that email inbox as well. If my login were something else, they’d have to find out what it is, possibly introducing more complexity into the potential attack.

Just because MFA is a good form of protection doesn’t necessarily mean that it’s perfect, though. We wrote last year about a widespread exploit in Office that was entirely stopped by enabling MFA on your business accounts, but more complex attacks are still out there. For example, one pattern that we see in security incidents is that attackers set up a malicious website that looks just like the Microsoft login screen, then ask you to put in a token as well. Behind the scenes, the attackers see that you gave them your login and password, so they try to log in to the service themselves.

At this point, the ongoing login attempt triggers the service to send you a token. If you supply it to the attackers, then they can use it.

All of this is to illustrate that MFA is good at stopping the easiest kinds of attacks, and it requires more sophistication and resources for someone to compromise an account with MFA. That much of a deterrent can really cut down on the number of attempts made to break into your account. Microsoft estimates that MFA cuts the number of attacks on an account by around 99%.

What if I Don’t Have My “Something You Have” Anymore?

The two most common complaints about MFA are:

  1. it’s obnoxious or time consuming to log in to services when it’s enabled;
  2. what happens if I don’t have my smartphone anymore?

The first has to be addressed with a shift in perspective: the authenticator is good at what it does, which (as put above) dramatically cuts down on the number of potential attacks on your account. This is, simply put, a good and desirable thing. Remembering that security is sometimes inconvenient should also be a reminder that it’s better to do the secure thing than to have a catastrophe on your hands.

The second complaint is really important: people get new phones all the time. As long as it’s commonplace for cell phone providers to buy back or trade in your old phone for a new one, there will be many instances where an easy upgrade also comes along with some research on how to move your authenticator keys from the old phone to the new one. In other words, when you get that shiny new phone, you probably want some time with both phones in hand to make sure you can log in to all of your accounts.

In this case, you’ll want to look at any detailed instructions for setting up a new device with your authentication codes. Because the codes are for your specific device, it isn’t the kind of thing that your IT team can just reset, like a password. Instead, you’ll need to create a backup or a link to your existing codes and load them onto your new phone.

With Microsoft Authenticator, you’ll need to make a Cloud Backup of your codes and send them to a personal Outlook account or iCloud account on iPhones. Once the backup exists in the personal account, you can open the authenticator app on your new phone, and click Restore from Backup to download the backed up authenticator codes.

On Google Authenticator, this process is done with Export Accounts, which creates a QR code that you can scan on the new phone. Once this is done, your new phone’s authenticator will be ready to go.

Using either of these apps, the most important step is to plan ahead. If you need to hand over your old phone, you will likely need to spend some time in the store setting up the new phone and taking these steps to get your authenticators sorted out. Once you don’t have access to the old authenticator, you’ll be very limited in your options for setting up the new device as your “something you have.” Remember, the reason this process looks so different from just signing in to your accounts is that the old device and the new device have unique keys unless they’re transferred from the old to the new.

The keys can’t just be remade on the new device unless they’re for new accounts, or if you turn off and turn back on the MFA on your accounts.
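To make concrete both the “keys generated by your smartphone” point above and why a new phone can’t simply regenerate them, here is an added example that is not code from the original post or from any of the authenticator apps named here. It implements the time-based one-time password (TOTP) scheme of RFC 6238 (built on RFC 4226 HOTP), which is what most authenticator apps use for their six-digit codes, and models each phone as a holder of per-account secret seeds. The `AuthenticatorDevice` class and its `export_accounts`/`import_accounts` methods are a simplified stand-in for a real app’s backup or export feature, and `verify` is a simplified server-side check with one step of clock-drift tolerance; the seeds and timestamps are constructed for the demo (one is the RFC 6238 test secret).

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second window."""
    return hotp(secret, unix_time // step, digits)


class AuthenticatorDevice:
    """A phone holding the per-account seed an authenticator app stores at enrollment (simplified)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.seeds: dict[str, bytes] = {}

    def enroll(self, account: str, seed: bytes) -> None:
        # Enrollment (scanning the service's QR code) is the only time the service shares the seed.
        self.seeds[account] = seed

    def code_for(self, account: str, unix_time: int) -> str | None:
        seed = self.seeds.get(account)
        return None if seed is None else totp(seed, unix_time)

    def export_accounts(self) -> dict[str, str]:
        """Stand-in for an app's export/backup feature: the raw seeds, base32-encoded."""
        return {acct: base64.b32encode(seed).decode() for acct, seed in self.seeds.items()}

    def import_accounts(self, exported: dict[str, str]) -> None:
        """Stand-in for restoring a backup or scanning the transfer QR code on the new phone."""
        for acct, b32 in exported.items():
            self.seeds[acct] = base64.b32decode(b32)


def verify(server_seed: bytes, submitted: str | None, unix_time: int, window: int = 1) -> bool:
    """Simplified server check: accept the code for the current step or +/- `window` steps of drift."""
    if submitted is None:
        return False
    for drift in range(-window, window + 1):
        expected = totp(server_seed, unix_time + drift * 30)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def demo_phone_transfer(server_seed: bytes, unix_time: int) -> dict[str, bool]:
    """Walk through old phone -> new phone and report what the service would accept."""
    old_phone = AuthenticatorDevice("old phone")
    old_phone.enroll("vendor.example", server_seed)  # seed shared with the service at enrollment

    # A new phone straight out of the box has no seed, so it cannot produce a code at all.
    new_phone = AuthenticatorDevice("new phone")
    fresh_code = new_phone.code_for("vendor.example", unix_time)

    # A seed the new phone invents on its own produces codes the service will not recognize.
    new_phone.enroll("vendor.example", secrets.token_bytes(20))
    self_made_code = new_phone.code_for("vendor.example", unix_time)

    # Transferring the old phone's seed (export -> import) makes the two phones agree.
    new_phone.import_accounts(old_phone.export_accounts())
    moved_code = new_phone.code_for("vendor.example", unix_time)

    return {
        "fresh_phone_has_code": fresh_code is not None,
        "self_made_seed_accepted": verify(server_seed, self_made_code, unix_time),
        "transferred_seed_accepted": verify(server_seed, moved_code, unix_time),
        "phones_agree_after_transfer": moved_code == old_phone.code_for("vendor.example", unix_time),
    }


if __name__ == "__main__":
    # Constructed demo values: the RFC 6238 test secret and a fixed timestamp.
    for key, value in demo_phone_transfer(b"12345678901234567890", 1_700_000_000).items():
        print(f"{key}: {value}")
```

The point the walk-through makes is the one in the paragraphs above: the service only ever recognises codes derived from the seed it handed out at enrollment, so a new phone has to receive that same seed from the old one (or the account has to be re-enrolled, which is what turning MFA off and on again does). Treat any export or backup of those seeds as you would a password: whoever holds it can generate your codes.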

-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team