Multi-factor authentication (MFA) can be implemented in many ways these days, but surprisingly, many organizations that have access to the MFA capabilities of Azure AD simply haven’t enabled it. Azure AD MFA has its limitations, but if you own the capability, any MFA is better than no MFA! This blog is for those who aren’t already taking advantage of their existing capabilities.
Why isn’t it enabled?
I’ve had lots of conversations with IT groups about MFA and the main reasons people haven’t enabled it fall into these common themes:
- Blame the users:
  - Our users won’t like it
  - Our users won’t use their phones for company business
- It’s just more work for us:
  - It’s too hard to configure
  - It’s yet more admin work
- Unneeded security:
  - We don’t need that sort of security, we aren’t a target
  - Management doesn’t think security is important
Let’s break down some of these themes and look at ways to overcome them. Some of the mechanisms might require a higher tier of licensing, but perhaps you already have that too.
Blame the users
Users might not like it. It’s another thing they need to do. It’s potentially another app on their phone. However, people have gotten used to MFA due to increased bank security and other online services. It certainly shouldn’t be considered strange, new, or confusing!
If the concern is an extra step, how about leveraging conditional access to trust certain locations or devices? Then, perhaps the user doesn’t need to be challenged, or the device used can be trusted for a specific period of time, reducing the need to frequently challenge them.
If the user doesn’t want an app on their personal phone, how about an SMS text or phone call instead? Or, how about you use the same conditional access rules to trust the device or location? That last option could lock users out when they use untrusted devices or work from a home office, though, and depending on how strict you want to get, that might be a step too far.
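As an added example (not code from the original post), here is how the conditional access approach described above could be expressed with the Microsoft Graph PowerShell SDK: require MFA for everyone except sign-ins from a trusted office location and an emergency-access account, start in report-only mode so nobody is locked out while you review the impact, and re-challenge only every 14 days rather than at every sign-in. The location and account IDs are placeholders, and the module is assumed to be installed.

```powershell
# Added example: Conditional Access policy requiring MFA, with a trusted
# location and a break-glass account excluded. Assumes the Microsoft.Graph
# PowerShell SDK (Identity.SignIns module) is installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholders: replace with object IDs from your own tenant.
$trustedLocationId = "<named-location-id>"   # named location marked as trusted
$breakGlassAccount = "<break-glass-user-id>"  # emergency access account

$policy = @{
    displayName = "Require MFA - all users (trusted office excluded)"
    # Report-only: logs what the policy would have done without enforcing it.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccount)
        }
        applications = @{
            includeApplications = @("All")
        }
        locations = @{
            includeLocations = @("All")
            excludeLocations = @($trustedLocationId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        # Re-prompt at most every 14 days instead of at every sign-in.
        signInFrequency = @{
            value     = 14
            type      = "days"
            isEnabled = $true
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Once the report-only sign-in logs look right, switch the policy on:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State "enabled"
```

Keep at least one break-glass account excluded so an MFA outage or misconfiguration cannot lock every admin out of the tenant.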
It’s just more work for us
If you’ve not set up MFA before, the task can be daunting. There are plenty of resources out there to help guide you, and partners like Converge can assist with or implement these solutions for you. It doesn’t have to be a solo mission.
Configuring self-service and self-enrollment into the solution can reduce the IT admin burden, both at implementation and longer-term support. Reducing the burden by rolling out the solution over time is another approach to prevent a ticket spike.
One little thing to think about is how much extra work it will be to react to or recover from a breach. Proactively implementing a solution to mitigate a potential issue is always going to be less stressful and less work!
“We aren’t a target” is a false statement these days. Everyone is a potential target, regardless of size or sector. You don’t need to be a CISO to make an organization security aware, especially if you are just looking to implement a solution you already own. Be the hero. Be the one to maximize your existing investments to protect the organization from real external threats. Sell the idea internally. Start with sensitive accounts such as payroll and build from there. Sometimes the best approach is allowing the organization to dip its toe in and understand that the water is fine before going in further.
MFA is all I need?
No. MFA should be considered just another tool in your toolbox. It’s just another layer of security, one I would argue isn’t as complex, costly, or burdensome as it used to be. It’s just one facet of what should be a comprehensive security posture to help reduce your overall threat.
Converge can help you evaluate your security strategy and posture, maximize your investments, and implement solutions. Converge can help you with your toolbox by adding to it or by sharpening some of your existing tools. For more information or assistance, contact your Converge account representative or visit https://convergetp.com/cybersecurity/.