Multi-Factor Authentication: Understand the risks, focus on quick wins, and act as soon as possible

Posted by Claude Gagné, Present Group 21-03-2022 10:07 AM

« Hackers Don’t Break In, They Log In. » Day after day, adversaries connect to their victims’ services and applications using means such as:

  • Stealing user credentials through phishing campaigns.
  • Trying username/password pairs from leaked datasets, in case a user has reused the same password on other services (credential stuffing).
  • Trying a single password from the most-used-password lists against many user accounts at once (password spraying), which stays below the per-account lockout threshold.
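The signature of the third technique is one source address failing against many different accounts with only one or two attempts each, which per-account lockout never sees. The following is an added example, not code from the original post: a PowerShell function that flags that pattern in a batch of failed sign-in records. The records are constructed for the example; in a real Azure AD tenant the same four fields can be pulled with `Get-MgAuditLogSignIn` (the filter and error code in the comment are the assumption).

```powershell
# Added example (not from the original post): detect password spraying in failed
# sign-in records. The records below are constructed; in a real tenant they would
# come from something like
#   Get-MgAuditLogSignIn -Filter "status/errorCode eq 50126" -All
# (50126 = "invalid username or password"), projected onto these four fields.
$failedSignIns = @(
    # one source, five different accounts, one attempt each, within a minute: a spray
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; IpAddress = '203.0.113.10'; CreatedDateTime = [datetime]'2022-03-21T09:00:05Z'; ErrorCode = 50126 }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   IpAddress = '203.0.113.10'; CreatedDateTime = [datetime]'2022-03-21T09:00:09Z'; ErrorCode = 50126 }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; IpAddress = '203.0.113.10'; CreatedDateTime = [datetime]'2022-03-21T09:00:14Z'; ErrorCode = 50126 }
    [pscustomobject]@{ UserPrincipalName = 'dave@contoso.example';  IpAddress = '203.0.113.10'; CreatedDateTime = [datetime]'2022-03-21T09:00:21Z'; ErrorCode = 50126 }
    [pscustomobject]@{ UserPrincipalName = 'erin@contoso.example';  IpAddress = '203.0.113.10'; CreatedDateTime = [datetime]'2022-03-21T09:00:58Z'; ErrorCode = 50126 }
    # one source hammering a single account: brute force, not a spray
    [pscustomobject]@{ UserPrincipalName = 'frank@contoso.example'; IpAddress = '198.51.100.7'; CreatedDateTime = [datetime]'2022-03-21T09:01:00Z'; ErrorCode = 50126 }
    [pscustomobject]@{ UserPrincipalName = 'frank@contoso.example'; IpAddress = '198.51.100.7'; CreatedDateTime = [datetime]'2022-03-21T09:01:03Z'; ErrorCode = 50126 }
    [pscustomobject]@{ UserPrincipalName = 'frank@contoso.example'; IpAddress = '198.51.100.7'; CreatedDateTime = [datetime]'2022-03-21T09:01:07Z'; ErrorCode = 50126 }
    # a user mistyping their own password once
    [pscustomobject]@{ UserPrincipalName = 'grace@contoso.example'; IpAddress = '192.0.2.44';   CreatedDateTime = [datetime]'2022-03-21T09:02:40Z'; ErrorCode = 50126 }
)

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [int]    $MinDistinctUsers   = 5,   # one source failing against this many accounts...
        [int]    $WindowMinutes      = 60,  # ...within this span...
        [double] $MaxAttemptsPerUser = 2    # ...with few tries per account (sprays, not brute force)
    )
    $SignIns |
        Where-Object { $_.ErrorCode -eq 50126 } |
        Group-Object -Property IpAddress |
        ForEach-Object {
            $events = @($_.Group | Sort-Object -Property CreatedDateTime)
            $users  = @($events.UserPrincipalName | Sort-Object -Unique)
            $span   = ($events[-1].CreatedDateTime - $events[0].CreatedDateTime).TotalMinutes
            $ratio  = $events.Count / $users.Count
            if ($users.Count -ge $MinDistinctUsers -and $span -le $WindowMinutes -and $ratio -le $MaxAttemptsPerUser) {
                [pscustomobject]@{
                    IpAddress       = $_.Name
                    DistinctUsers   = $users.Count
                    FailedAttempts  = $events.Count
                    AttemptsPerUser = [math]::Round($ratio, 2)
                    FirstSeen       = $events[0].CreatedDateTime
                    LastSeen        = $events[-1].CreatedDateTime
                    TargetedUsers   = ($users -join ', ')
                }
            }
        }
}

# Only 203.0.113.10 is reported: 5 distinct users, 1 attempt each, inside one minute.
Find-PasswordSpray -SignIns $failedSignIns | Format-List
```

The thresholds are deliberately simple. Real sprays are often "low and slow" (one password per account per day, rotated across many source addresses), so in production lengthen the window and lower the per-source threshold, or pivot on the user agent instead of the IP. Detection only tells you it is happening; MFA is what stops the follow-on sign-in once a sprayed password happens to be right.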

The goal
How can SMBs protect their critical data and personal information (Bill 64 compliance) against theft, malicious access, destruction, encryption and more broadly against downtime?

Make it harder for attackers by prioritizing quick wins
There are essentially 3 priority initiatives to put in place:

  • Implement Multi-Factor Authentication.
  • Implement advanced security and manage endpoints.
  • Protect your data and backup infrastructure.

Today we’re going to focus on Multi-Factor Authentication, keeping in mind an alarming disparity, as reported by Microsoft:

  • Over 80% of data breaches are directly related to the misuse and theft of credentials.
  • Less than 40% of companies have implemented Multi-Factor Authentication.

Identity is the new perimeter, but only a minority have embraced a Zero Trust mindset, and have implemented protection against today’s attacks.

The Colonial Pipeline example of what not to do
“The hack that took down the largest fuel pipeline in the U.S. and led to shortages across the East Coast was the result of a single compromised password… The VPN account, which has since been deactivated, didn’t use multifactor authentication, a basic cybersecurity tool, allowing the hackers to breach Colonial’s network using just a compromised username and password.”
- Bloomberg Cybersecurity “Hackers Breached Colonial Pipeline Using Compromised Password”

What is Multi-Factor Authentication
One of the most common ways adversaries gain access to corporate data is by guessing weak passwords or stealing them, whether through phishing or buying them on the Dark Web.

From there, they get the same permissions as legitimate users, including administrators and power users.

The goal of Multi-Factor Authentication is to create an additional layer of defence beyond just using a password.

How Multi-Factor Authentication Works
Multi-Factor Authentication requires two or more independent proofs of identity, taken from different categories, when a user logs in or accesses a resource. Two-factor authentication (2FA) is the most common case: a password plus one additional factor.

For example, Azure AD Multi-Factor Authentication requires at least two of the following authentication factors:

  • Something you know, usually a password.
  • Something you have, like a phone or hardware key.
  • Something that you are, like a fingerprint or facial recognition.

Who does Multi-Factor Authentication apply to?
Companies that purchase cyber insurance are no doubt aware of today’s minimum requirements for Multi-Factor Authentication.

Today, to qualify for coverage, insurers generally require MFA to be enforced at least in the following situations:

  • Remote access (VPN, RDP, SSH and others).
  • Administrative accounts and privileged access accounts.
  • Email and collaboration platform such as M365.

Still, the best practice is to enforce MFA for all users, 100% of the time, especially when, as with M365, companies can use features already included in the plans they are paying for.

Microsoft 365 Multi-Factor Authentication
There are several ways to enable MFA with M365, depending on the plans in use and the level of control and flexibility desired.

The table below provides a high-level overview. Legacy per-user mode is not mentioned, as it is being retired by Microsoft.

What to remember?

  • Security defaults (Microsoft's baseline setting) require every user to register Microsoft Authenticator, enforce MFA for administrators and for sign-ins Microsoft deems risky, and block legacy authentication. They provide a basic level of security but allow no exceptions or tuning.
  • For more granular and comprehensive controls, and less friction for users, we recommend using Conditional Access policies to define the events or applications that require MFA.

These policies can allow password-only sign-in when the user is on the corporate network (a trusted named location) or on a managed device (Intune-compliant or hybrid Azure AD joined), and require an additional factor when the user signs in from elsewhere or from an unmanaged personal device. Administrative accounts should require MFA unconditionally, as the insurance requirements above already demand.

Conditional Access policies are based on "if-then" statements, as shown below.


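The following is an added example, not a screenshot or code from the original post: the "if-then" policy described above (require MFA unless the sign-in comes from a trusted location or a managed device) written as a Microsoft Graph `conditionalAccessPolicy` object and created with the Microsoft.Graph PowerShell SDK. The device filter assumes devices are enrolled in Intune or hybrid-joined; the break-glass account object ID is a placeholder to replace with your own.

```powershell
# Added example (not from the original post): one Conditional Access policy
# created through Microsoft Graph. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# IF   the user is anyone except the emergency-access (break-glass) account
# AND  the app is any cloud app
# AND  the sign-in does NOT come from a trusted named location (corporate network)
# AND  the device is NOT Intune-compliant or hybrid Azure AD joined
# THEN require multi-factor authentication.
$policy = @{
    displayName = 'Require MFA off-network on unmanaged devices'
    # Start in report-only mode; switch to 'enabled' after reviewing the impact in the sign-in log.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers = @('All')
            # Placeholder: object ID of the break-glass account, which must never be locked out by policy.
            excludeUsers = @('00000000-0000-0000-0000-000000000000')
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')   # named locations marked as trusted
        }
        devices = @{
            deviceFilter = @{
                mode = 'exclude'
                rule = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Two caveats a practitioner would add. First, a policy whose grant control is MFA cannot be satisfied by legacy authentication protocols (basic-auth IMAP, SMTP, Exchange ActiveSync), which simply have no way to prompt for a second factor; pair this policy with one that blocks the `exchangeActiveSync` and `other` client app types, otherwise the policy above is bypassable by any client that still speaks them. Second, always exclude at least one break-glass account and keep its credentials offline, so that a mistake in the policy does not lock the administrators out of the tenant.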
  • Although Multi-Factor Authentication is unquestionably essential to protect organizations against cyberattacks — especially ransomware — too many companies still rely on authentication based on the use of a simple password.
  • In the case of M365, this means that companies are neglecting security features already available on the platform, which exposes them needlessly to attacks that those features would stop.
  • This is why SMBs must act without delay to secure access to their resources using strong authentication, and thus achieve significant and rapid security gains, at a low cost.

As a Microsoft Gold Partner, our platform of choice for Multi-Factor Authentication is Azure AD. It is integrated with M365 and covers the whole range of requirements, from the simplest (security defaults) to the most sophisticated (Conditional Access, with or without the risk signals from Azure AD Identity Protection, which is included with Azure AD P2).

Deploying attack-resistant user authentication is the first initiative to put in place from a Zero Trust perspective.

Claude Gagné, Present Group.