Azure MFA outage – is it time to rethink MFA?

Back in November, Microsoft’s Azure Active Directory multi-factor authentication (MFA) service suffered two global outages. The service adds an authentication factor to the Office 365 (O365) login. Without it, millions of users were unable to access O365, or any other Azure AD connected services. The first occurrence locked out affected companies for 15 hours. Fast forward just one week – another outage.

The problem

Three root causes are referenced in the detailed analysis from Microsoft. With their update deployment procedures and testing cycles already under scrutiny in the past, this latest string of events could be viewed as a step back for security, and could undermine user confidence in MFA. The problem is not with MFA itself, but with sole reliance on Microsoft to manage user identities as well as access and authentication.

The solution

For IT departments, the key is to balance the user experience and productivity with security. MFA is critical for any application that houses company data. However, for it to be effective, it must be easy to use. What organizations should really be asking themselves is ‘Who besides Microsoft should I be considering to protect the O365 login?’

What services should I look for in an MFA solution?

When evaluating alternative MFA solutions for O365, shift away from reliance on a single vendor. Look for solutions that provide users with more authentication options (beyond one-time mobile codes), for the very reason this post was written: if one authentication method fails, users can still authenticate with another.
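The design point above, that a second factor should survive the outage of any single method's backend without ever downgrading to password-only, can be made concrete. The following is an added example, not code from the original post or from Microsoft or any other vendor it mentions. The factor names (push, security_key, hotp), their health flags and the push/security-key verifiers are constructed stubs; only the HOTP routine follows a published standard (RFC 4226), using its test-vector secret as constructed sample data.

```python
"""Fail-closed MFA with fallback across independent second-factor methods.

Added example for illustration; not the original post's or any vendor's code.
Factor names, availability flags and the push / security-key verifiers are
constructed assumptions. hotp() implements RFC 4226 (HMAC-SHA1 based OTP).
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for the given secret and counter."""
    msg = counter.to_bytes(8, "big")
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Factor:
    """One second-factor method backed by its own, independent service."""
    name: str
    available: bool                     # backend reachable and healthy
    verify: Callable[[str], bool]       # True when the submitted proof is valid


@dataclass
class MfaPolicy:
    factors: List[Factor]               # in order of preference

    def usable_factors(self) -> List[str]:
        """Methods the login page may currently offer to the user."""
        return [f.name for f in self.factors if f.available]

    def authenticate(self, password_ok: bool, proofs: Dict[str, str]) -> dict:
        """Decide a login. A factor whose backend is down is never consulted,
        and the absence of every factor denies access rather than skipping MFA."""
        if not password_ok:
            return {"granted": False, "factor": None, "reason": "bad_password"}
        usable = [f for f in self.factors if f.available]
        if not usable:
            # Total outage of the second factor: fail closed and say why,
            # so operators can see it is an availability problem, not an attack.
            return {"granted": False, "factor": None, "reason": "all_factors_unavailable"}
        for f in usable:
            proof = proofs.get(f.name)
            if proof is None:
                continue                # user did not present this method; try the next
            if f.verify(proof):
                return {"granted": True, "factor": f.name, "reason": "ok"}
            # A wrong proof for a live factor is a failed attempt, not a cue to
            # silently fall through to a weaker path.
            return {"granted": False, "factor": f.name, "reason": "factor_rejected"}
        return {"granted": False, "factor": None,
                "reason": "no_proof_for_available_factor",
                "offer": [f.name for f in usable]}


# Constructed sample secret (the RFC 4226 test-vector secret), not a real credential.
SECRET = b"12345678901234567890"


def make_policy(push_up: bool, key_up: bool, otp_up: bool) -> MfaPolicy:
    """Build a three-method policy; the health flags simulate backend outages."""
    return MfaPolicy([
        Factor("push", push_up, lambda p: p == "approved"),              # constructed stub
        Factor("security_key", key_up, lambda p: p == "assertion-ok"),   # constructed stub
        Factor("hotp", otp_up,
               lambda p: hmac.compare_digest(p, hotp(SECRET, 0))),       # counter 0 for demo
    ])


if __name__ == "__main__":
    healthy = make_policy(True, True, True)
    print(healthy.authenticate(True, {"push": "approved"}))
    push_outage = make_policy(False, True, True)
    print(push_outage.usable_factors())
    print(push_outage.authenticate(True, {"hotp": hotp(SECRET, 0)}))
    print(make_policy(False, False, False).authenticate(True, {"push": "approved"}))
```

The important behaviours are the two denials: when every method's backend is down the decision is an explicit `all_factors_unavailable`, not a quiet password-only login, and a proof that is rejected by a live factor ends the attempt instead of falling through to the next method.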

(Last updated on October 11, 2021)
