Comparing Specops Authentication for O365 and Office 365 MFA: An MVP’s Perspective
(Last updated on January 8, 2019)
Organizations using Office 365 have embraced the need for anytime, anywhere, any-device access to their business operations. Users can be located within corporate offices or working entirely remotely.
Cybercriminals today are keenly aware of changes in how businesses operate. They look for ways to take advantage of the lowered level of security to compromise cloud credentials for malicious use. After all, a user working on their personal laptop is not as secure as a user working behind the corporate security infrastructure.
So, it’s necessary for organizations relying on the cloud – especially those utilizing Office 365 for some or all of their business operations – to leverage multi-factor authentication (MFA) to protect their data from prying eyes. The use of MFA virtually eliminates the ability for a cybercriminal to leverage stolen credentials. I regularly recommend that organizations today utilize MFA for every single user in their organization, regardless of role or access to sensitive data.
Today, Microsoft offers MFA as part of Office 365 at no extra cost. So, it seems like a no-brainer that it be used by every single user. But, as with every Microsoft solution, certain gaps are left in place to allow their partners to create solutions that go beyond just the basics. Their MFA is no exception.
Specops offers Specops Authentication for O365 as an alternative to the built-in solution. For some organizations, the capabilities with the native MFA solution meet their needs. But, in many cases, there is a need for additional functionality that Microsoft simply doesn’t offer. I believe that is Specops’ intent – to meet that need.
As a Microsoft Cloud and Datacenter MVP, I feel there’s definitely a case for a comparison between the two answers to providing MFA. This blog will focus on comparing some of the higher-level concerns most organizations would have when considering a third-party offering.
I’m not here to promote product (in fact, it’s something I stay away from completely). But given how critically important securing the authentication of Office 365 is, I want to ensure organizations have a clear understanding of what they should be looking for in their MFA. My goal in this blog is to provide a high-level comparison of how both Microsoft and Specops implement MFA, and what it means to the security-conscious organization.
I’m going to cover four factors I believe are most important – integration, MFA methods, MFA requirements, and service uptime. Let’s take a look at how the two options compare.
Integration with Office 365
This one is a non-starter; either you integrate or you’re out. The MFA offered by Microsoft is, of course, fully integrated into Office 365. So, it’s important that any third-party solution be equally integrated to ensure proper security functionality. Specops Authentication for O365 is a federated SSO solution with Windows Integrated Authentication, allowing it to seamlessly work with Office 365 authentication.
Many organizations simply want to use the two-factor authentication (2FA) methodology of something you know and something you have to authenticate a user. Microsoft definitely meets this requirement.
Specops have taken the idea of additional identity sources and gone well beyond just "something you have" in order to balance security requirements with ease of use and ease of adoption. The table below provides a high-level list of the identity sources supported by each solution.
| Office 365 MFA | Specops MFA |
|---|---|
| Verification code via SMS | Verification code via SMS |
| A phone call | |
| A smart card (virtual or physical) | A smart card (virtual or physical) |
| A biometric device | A biometric device |
| | Security questions |
| | Microsoft authentication |
| | Google authentication |
| | Social identity validation |
| | Third-party authenticators |
| | Specops Fingerprint app |
| | Specops Authenticator app |
Keeping with the 2FA mindset, it makes sense that Microsoft policies simply require a second factor (with the specific identity source specified by policy). Specops have created a powerful and flexible multi-factor authentication model for organizations using Office 365. It allows for multiple authentication options to be used during logon, enhancing security while also improving usability. Leveraging any and all of the identity sources above, Specops Authentication for O365 can accommodate even the most complex compliance and security requirements of an organization while simultaneously meeting the user’s need for simplicity, familiarity, and ease of use.
This is a touchy subject, given Microsoft’s recent outage of Office 365 MFA. That outage only proves that any company can experience gaps in service. It also highlights the need to ensure that the MFA service used is highly available. After all, without MFA running (especially in cases where it’s required by policy), you’re not going to get into Office 365. Instead of touting each solution’s redundancy specifics, I’ll instead state that both organizations have taken equally prudent steps to ensure the uptime of their MFA.
Finding the Right MFA
As previously stated, this all boils down to the usual discussion of native vs. third-party solution. Microsoft provides a robust, but only functionally adequate MFA solution, leaving the door open for other vendors to craft solutions with additional innovation. I’ll say it once more – there is zero wrong with the native MFA; but if you’re in need of additional identity sources, more flexible authentication policies, and are of the mindset that security should be the business of someone other than the vendor providing the office services, it may be worthwhile vetting third-party solutions like the one from Specops.