MFA vs. 2FA – why the difference matters for your O365 implementation
(Last updated on December 4, 2020)
When it comes to protecting cloud applications such as O365, two-factor authentication (2FA) has some serious limitations. The high-trust authentication options available in a dynamic multi-factor authentication (MFA) solution not only free users from passwords, but also secure the authentication process.
2FA commonly combines the password with a phone-based authentication factor. O365’s two-step verification solution (included with Office 365 for Business, Azure Active Directory Premium plans and Enterprise Mobility + Security plans) is no different. Azure MFA, as it is better known, supports one-time SMS codes, mobile app and phone call verification. By default, authentication options beyond phone-based factors are not supported.
A stagnant two-factor approach, such as the one described above, is commonly regarded as multi-factor. However, in comparison to a dynamic MFA approach, it has some serious usability and security shortcomings.
Usability and security shortcomings of 2FA
Forcing users to utilize more than one factor during authentication will inherently have an impact on the user experience. However, IT departments do not have to sacrifice security to ensure usability. 2FA utilizing the password as the first factor in combination with the mobile device, most commonly through SMS verification, does not guarantee authentication success nor does it increase security. With some determination, hackers can bypass wireless carriers, and intercept or redirect SMS codes. At one point, the National Institute for Standards and Technology (NIST) called for SMS deprecations, but later softened the recommendation in their Digital Authentication Guidelines.
Dynamic MFA is a better alternative for high-risk cloud applications such as O365. This approach can remove the password – the weakest form of authentication – as the first factor with alternatives beyond Microsoft’s default phone-based options. IT administrator can instead extend high-trust authenticators that will actually reduce authentication failure.
If you are a security conscious O365 administrator, you may believe that multi-factor authentication (MFA) is the answer to the credential-based threats that come with the Software-as-a-Service (SaaS) territory. Whether you are right, or not, depends on your definition of MFA.
Specops Authentication for O365 provides dynamic MFA to protect the O365 login while minimizing user disruption. With authentication options that span something you know, are and have, IT departments can ensure security that can be staggered across varying user groups while providing fail over options. To learn more about dynamic MFA, trial Specops Authentication for O365 for free today.