Azure MFA outage – is it time to rethink MFA?
(Last updated on December 3, 2020)
Back in November, Microsoft’s Azure Active Directory multi-factor authentication (MFA) service suffered two global outages. The service adds an authentication factor to the Office 365 (O365) login. Without it, millions of users were unable to access O365 or any other Azure AD-connected services. The first occurrence locked out affected companies for 15 hours. Fast forward just one week – another outage.
Microsoft’s detailed analysis references three root causes. With the company’s update deployment procedures and testing cycles having come under scrutiny in the past, this latest string of events could be viewed as a step back for security, and could undermine user confidence in MFA. The problem is not with MFA itself, but with the sole reliance on Microsoft to manage user identities as well as access and authentication.
For IT departments, the key is to balance the user experience and productivity with security. MFA is critical for any application that houses company data. However, for it to be effective, it must be easy to use. What organizations should really be asking themselves is ‘Who besides Microsoft should I be considering to protect the O365 login?’
What services should I look for in an MFA solution?
When evaluating alternative MFA solutions for O365, shift away from the reliance on a single vendor. Look for solutions that provide users with more authentication options (beyond one-time mobile codes), for the same reason that prompted this blog: if one authentication method fails, users can still authenticate with another.