Why MFA is No Longer Optional for MSPs


One of the most common types of cyberattacks is one where cybercriminals seek to compromise the victim’s web credentials. Using email-based phishing attacks and increasingly convincing social engineering techniques, victims are tricked into providing their user ID and password for a wide range of cloud-based platforms and applications.

According to Ponemon’s 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses report, over half (57%) of SMBs have experienced phishing/social engineering attacks in the last 12 months, and nearly one-third (30%) have experienced credential theft.

What makes online credentials so appealing to cybercriminals is the access these credentials provide to online banking, Office 365, Azure apps via Azure Active Directory, financial applications, customer data, and more. Gaining access to these kinds of applications and data can be detrimental to SMBs – potentially even causing them to shut their doors.

So, how can you as an MSP help protect your customers from this kind of cyberattack?

The answer lies in Multi-Factor Authentication (MFA).


Now let’s get onto some MFA basics and then talk about how you can incorporate this security control into your service offerings.

What is Multi-Factor Authentication?

Multi-Factor Authentication (MFA) is a security method that uses multiple identifying “factors” to verify a user’s identity, instead of simply relying on the traditional username and password. MFA requires additional factors to identify and authenticate the user. These factors include:

  • Text messages to the user’s smartphone
  • Sending codes to an alternate email address
  • Asking additional security questions
  • Using secondary authentication to trusted 3rd party sources
  • Biometrics (such as fingerprint or retina scan)
  • Facial recognition
  • Security hardware token device
  • Security token app on a user’s smartphone
  • Certificates

Additionally, depending on the MFA solution being used, details about when and from where the authentication request is made can come into play, including location, day/time, IP address, the requesting device’s MAC address, etc.

All of these factors – in one form or another – fall into one of three generally-accepted authentication factors:

  1. Something you know – This can be information relevant to authentication that the user themselves knows already such as passwords, answers to security questions, etc.
  2. Something you have – These are generally represented by physical items the user possesses such as a smartphone, security token, or RFID badge.
  3. Something you are – This is where biometrics and facial recognition come into play. This factor uses any part of your person that can help uniquely identify you.

Office 365 2 Factor Authentication Mobile Sign In


How Does MFA Work?

First off, notice we’re discussing multi-factor authentication. The focus here is for you to use multiple factors with your customers. Why? Because each of these factors on its own can be (and in many cases, has been) hacked or spoofed. Mobile devices have had their SIMs swapped to an attacker-controlled device, passwords can be cracked, and even fingerprints have been shown to be spoofable using 3D printing.

With MFA, the user authenticates by providing a number of factors – how many depends on the level of security needed, the individual’s role within the organization, etc. In general, the user first provides their usual username and password. Once provided, they are then presented with one or more additional challenges where the implemented factors mentioned above need to be satisfied.

Multi-Factor Authentication Steps

Where Do You Find MFA?

There are dozens and dozens of software vendors offering MFA. In many cases, it’s offered as part of a larger Identity and Access Management solution – which may be too complex for simply implementing MFA for your SMB customers. Microsoft offers Azure Multi-Factor Authentication to secure access to Azure Active Directory, Office 365, Azure-based VMs, applications, and data, and to act as a trusted authority for third-party cloud applications and platforms. This service is simple enough to scale down to an SMB’s needs. And, as mentioned, there are a number of vendors offering MFA solutions that are simple and cost-effective enough for an MSP.

Office 365 2 Factor Authentication Desktop Sign In


Why is MFA No Longer an Option for MSPs?

Your customers are equally at risk of cyberattacks, data breaches, ransomware attacks, and more. It’s imperative that any kind of external access to applications, platforms, and data is protected via MFA to ensure that cybercriminals can’t leverage compromised credentials to steal data, send emails containing malware, access business details, or commit fraud. Should an attack successfully trick a user into giving up their ID and password, the cybercriminal doesn’t have the additional authentication factors to do anything with the compromised credentials. In essence, the credentials are worthless to the cybercriminal.

It’s important to note that MFA isn’t just for select users at a customer; every single user must be enrolled in and mandated to use MFA to keep your customer’s organization secure.
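
One way to verify that every user is genuinely covered, shown as an added example rather than code from the original article: the script takes a constructed list of users and their enrolled methods, maps each method to one of the three factor categories, and flags accounts that are not truly multi-factor or whose only second factor is SMS. The method names and sample accounts are assumptions made for illustration, not the schema of any particular MFA product.

```python
"""Added example: audit MFA enrollment per user (constructed data)."""

# Factor category for each enrollment method (names are assumptions).
FACTOR_CATEGORY = {
    "password": "know", "security_questions": "know",
    "sms": "have", "authenticator_app": "have",
    "hardware_token": "have", "certificate": "have",
    "fingerprint": "are", "face": "are",
}
# Second factors that have been defeated on their own (SIM swapping).
WEAK_SECOND_FACTORS = {"sms"}


def audit_user(methods):
    """Return findings for one user's enrolled methods; [] means compliant."""
    methods = set(methods)
    findings = []
    unknown = sorted(methods - set(FACTOR_CATEGORY))
    if unknown:
        findings.append("unrecognised method(s): " + ", ".join(unknown))
    categories = {FACTOR_CATEGORY[m] for m in methods if m in FACTOR_CATEGORY}
    if len(categories) < 2:
        # Password + security questions are both "something you know".
        listed = ", ".join(sorted(categories)) or "none"
        findings.append("fewer than two factor categories: " + listed)
    else:
        second = {m for m in methods
                  if FACTOR_CATEGORY.get(m) in ("have", "are")}
        if second <= WEAK_SECOND_FACTORS:
            findings.append("only second factor is SMS (SIM-swap exposure)")
    return findings


def audit_tenant(users):
    """Map each non-compliant user to its list of findings."""
    report = {upn: audit_user(methods) for upn, methods in users.items()}
    return {upn: findings for upn, findings in report.items() if findings}


# Constructed sample export: user -> enrolled authentication methods.
SAMPLE_USERS = {
    "alice@example.com": ["password", "authenticator_app"],
    "bob@example.com": ["password"],
    "carol@example.com": ["password", "security_questions"],
    "dave@example.com": ["password", "sms"],
    "erin@example.com": ["password", "hardware_token", "fingerprint"],
}

if __name__ == "__main__":
    for upn, findings in audit_tenant(SAMPLE_USERS).items():
        print(upn, "->", "; ".join(findings))
```
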

How to Go about Offering MFA to Your Customers

There are a few ways to do this. The first is to simply absorb the cost of setting up MFA and offer it at no charge. Microsoft Azure MFA has a free version that is a very viable option. If you are offering either Managed Office 365 services or Managed Security services, I’d suggest bundling it in as part of those services. For those SMB customers that are on the larger side and need MFA integration with single-sign-on access to multiple cloud applications, you’ll want to look at vendors like Okta who focus on the integration of their MFA with thousands of existing cloud products and services.

It’s Time to Secure Your Customer With MFA

Multi-Factor Authentication needs to be an embedded part of any service offering intended to keep your customers’ applications and data safe from cyberattacks aimed at gaining access. By implementing MFA in your customers’ environments, you’ll help to minimize the risk of successful cyberattacks focused on credentialed access.
