Skip to content

In my previous blog I discussed which important questions you should ask when drawing up a Multi-Factor Authentication (MFA) policy. But setting the policy is just the beginning. The most important thing is to ensure that the policy is being adhered to, as well as updated where necessary.

Written by Colm Lennon

For a robust security posture, MFA should be enabled on all user accounts, all cloud services, and from all locations. Unfortunately, this often turns out not to be the case in practice. There are several reasons why this can happen:

1. MFA isn’t linked to all (required) cloud services. You often see this when, for example, an Azure Virtual Desktop, Citrix environment, or Exchange online environment in the cloud was set up early on. This is equipped with MFA, but then all new cloud services and solutions are no longer linked to your MFA policy.

2. MFA isn’t configured for all user accounts, but only for a group of employees who specifically use certain cloud services. The problem here is that there can be multiple admin accounts, service accounts, and guest accounts that are not governed by the MFA policy. There is also a chance that managers will forget to add new employees to the right group, which means that they will not be required to have MFA.

3. Guest accounts and accounts of customers or suppliers aren’t always governed by MFA. Many companies believe it’s too complicated and that these types of users, especially customers, shouldn’t be bothered with this. But bear in mind any kind of access involves data from your organisation. Convenience should not trump risk.

4. The office is seen as a safe place. With an office login, MFA is often not required, as it is seen as a trusted location. But is it really? The starting point for the trusted location is often that only employees are there, and they shouldn’t have to bother with MFA. Think about this, though:

  • Do you always know exactly who is present within the building? (how is the access control arranged, is the reception continuously staffed, must visitors be accompanied when in the building at all times?)
  • If someone can enter the building, can this person enter your office space and connect a network cable to their laptop?
  • Can someone connect to the office WiFi from close by, like your office car park?

Trusted locations don’t exist. Zero Trust instructs us to never trust, always verify.

Despite the Zero Trust principle, most employees believe that they shouldn’t have to be constantly asked for MFA. Using a compliant device could be a solution here. When an employee logs in with their password or PIN from a device managed by the organisation, then they wouldn’t need to be asked for MFA. However, if the device they’re logging in from doesn’t comply with the rules, for example because the employee has disabled the firewall, they will be asked for MFA.

Number-matching MFA is changing authentication

Be warned: MFA is not a guarantee

Unfortunately, using MFA does not guarantee secure authentication. For example, hackers can obtain an authentication token, which contains the authentication data for someone’s session, through certain attacks. By using this token, the hacker can log in as the user, whereby the password and the MFA token are also automatically applied. This means that you can log in without asking for a password, and without asking for MFA. Microsoft has taken steps to protect this token with a new feature in Preview, but it still has limitations.

In summary, then, it’s not just enough to just set up an MFA policy. Make sure you plug those gaps and that your policy continually evolves with your business.

MFA can be a minefield. Let us help you navigate it. Get in touch today.


Our specialists have the answer