Published August 19, 2020
Microsoft stops 300 million fraudulent sign-in attempts every day; yes, that’s right, daily. In January of this year approximately 1 million accounts were breached, and Microsoft states that 99.9% of those would have been stopped had the accounts had MFA enabled. There are a few ways that accounts are commonly compromised.
Password spray attacks – An attacker takes a common password like Liverpool20 and attempts to log in to thousands of accounts in the hope that someone is using it.
Credential stuffing – Attackers sell password lists retrieved from breached systems. Because many people re-use the same password on multiple accounts, your password may have been exposed in a breach of a completely different service; you can check whether your email address or password appears in the common lists at https://haveibeenpwned.com/.
Phishing, or its big brother whaling – You receive an email from a fake sender or a compromised account that links you to a fake login page (made to look identical to the login page you would expect). Once you have entered your login details the attackers take control of the account: setting up various Outlook rules, sending emails on your behalf, or sometimes just monitoring your mailbox and waiting for the moment to strike.
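The difference between a password spray and a plain brute force is visible in sign-in logs: a spray is one source touching many accounts a couple of times each, whereas a brute force hammers one account. The following is an added example, not React's or Microsoft's code, that runs a simple sliding-window check over constructed sample records in a made-up "timestamp user ip result" format; the thresholds are assumptions you would tune to your own tenant.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real logs): "<timestamp> <user> <source-ip> <result>".
# 203.0.113.10 tries one password against eight different accounts (a spray);
# 198.51.100.7 hammers a single account (classic brute force); 192.0.2.5 is a normal user.
SAMPLE_LOG = "\n".join(
    [f"2020-08-19T09:0{i}:00Z user{i}@example.com 203.0.113.10 failure" for i in range(8)]
    + [f"2020-08-19T09:0{i}:30Z bob@example.com 198.51.100.7 failure" for i in range(6)]
    + ["2020-08-19T09:02:15Z alice@example.com 192.0.2.5 success"]
)

def parse_log(text):
    """Turn the space-separated lines above into dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        records.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "user": user, "ip": ip, "result": result})
    return records

def detect_password_spray(records, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag source IPs whose failures inside one window hit many accounts a few times each.

    A spray is 'many users, few attempts per user'; a brute force against one account
    fails the max_per_user test and is deliberately not reported here.
    """
    failures = defaultdict(list)
    for r in records:
        if r["result"] == "failure":
            failures[r["ip"]].append(r)
    findings = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda r: r["time"])
        start = 0
        for end in range(len(fails)):           # sliding window over this IP's failures
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            users = Counter(r["user"] for r in fails[start:end + 1])
            if len(users) >= min_users and max(users.values()) <= max_per_user:
                seen = findings.get(ip)
                if seen is None or len(users) > seen["distinct_users"]:
                    findings[ip] = {"distinct_users": len(users),
                                    "attempts": sum(users.values()),
                                    "first_seen": fails[start]["time"].isoformat()}
    return findings

if __name__ == "__main__":
    for ip, info in detect_password_spray(parse_log(SAMPLE_LOG)).items():
        print(f"possible password spray from {ip}: {info}")
```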
Currently Microsoft 365 insists that cloud-only users’ passwords be at least 8 characters long and contain 3 of the following 4 categories: UPPERCASE, lowercase, number and special character. Automatically generated passwords generally look something like Hptq3546.
People often say their account has been hacked, but generally speaking that isn’t really the case: they have re-used passwords or fallen for other social engineering tactics. To reduce the risk of an account takeover, MFA is the answer.
MFA stands for Multifactor Authentication. Essentially it means adding an extra credential, commonly a code sent to a smartphone or by text message, answering a question or prompt, or a hardware token.
These automatically generated passwords, or even your secure 20-character passphrase with numbers, letters and special characters, might be enough to reduce the likelihood that a password spray attack succeeds, and if you haven’t used it anywhere else then credential stuffing is unlikely, but it only takes a momentary lapse in concentration to be phished. Without any further security measures, as soon as your username and password are compromised you have essentially lost the keys to the castle. With MFA enabled the authentication flow changes to something more like
This means that if someone tries to sign in as you and already has your password, not only do they not get in, but you effectively get an alert to the fact, be that a pop-up notification on your mobile or a call to a registered telephone number (assuming you don’t confirm the prompt).
The Microsoft 365 platform gives you an MFA option straight out of the gate; you just need to enable and configure it for each user through an enforcement process. Microsoft’s preferred authentication method is an app called Microsoft Authenticator (available from all good app stores). This is paired to your Office 365 account and initially gives two extra credential options: a push notification, where upon sign-in you get a pop-up on your phone asking you to confirm that you are actually trying to log in, or a one-time password code, much like the fobs the banks used to give out, giving you a new random code every 30 seconds.
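Those 30-second codes are not random at all: they are derived from a shared seed and the current time using the HOTP/TOTP algorithms (RFC 4226 and RFC 6238), which is why the phone needs no network connection to produce them and why a stolen password alone cannot reproduce them. This added example, not code from the Authenticator app or from React, implements the derivation and the server-side check; the seed is the RFC test vector and the one-step clock-drift allowance is an assumption.

```python
import base64
import hashlib
import hmac
import struct
import time

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, timestamp=None, step=30, digits=6):
    """RFC 6238 TOTP: the counter is the number of 30-second steps since the Unix epoch."""
    if timestamp is None:
        timestamp = int(time.time())
    return hotp(secret, timestamp // step, digits)

def verify_totp(secret, code, timestamp, step=30, drift=1):
    """Server-side check allowing +/- `drift` steps of clock skew (assumed policy),
    comparing each candidate in constant time."""
    counter = timestamp // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-drift, drift + 1))

def secret_from_base32(encoded):
    """Decode the base32 seed that an otpauth:// enrolment QR code carries."""
    return base64.b32decode(encoded.upper() + "=" * (-len(encoded) % 8))

# RFC 6238 test seed (ASCII "12345678901234567890"), used only to show the derivation.
RFC_SEED = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC_SEED, now), "valid for", 30 - now % 30, "more seconds")
```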
Passwordless is the new shiny toy in the world of identity protection. Some companies find that the extra steps involved in this extra layer of security frustrate their users, and when making security improvements every step should be taken to reduce the burden, otherwise users will start to cut corners (like the user who was given a horrible password like W@^M3l0n//* and, rather than remembering it, carries it around on a post-it stuck to their laptop). With this in mind, passwordless solutions look to remove that friction; as an example, with the Authenticator app:
That is one less step, and at no point has the user had to type the convoluted password; away they go. This gives you the high security of MFA without the inconvenience of the extra authentication steps.
– Good password practices are no longer enough: just because you look after your passwords doesn’t mean every third party you sign up with can look after them.
– MFA would stop 99.9% of account compromises
– I can check whether my password or email address appears on a compromised password list at https://haveibeenpwned.com/
– MFA doesn’t have to be inconvenient when used in conjunction with current passwordless technologies.
– All of the features described above are already included in the cost of the licenses for each of your Microsoft 365 accounts, so there are no extra license costs.
– The Authenticator app on a mobile isn’t the only option when it comes to passwordless.
Call React now on 01394 387337