Is two-factor authentication (2FA) as secure as it seems?

Sweet 2FA? She’ll be right.

One of the first things I ask when visiting a client is whether they are using two-factor authentication (2FA) for Office 365, which is step 1 in Microsoft’s list of 10 ways to secure Office 365. The reason I’m passionate about 2FA is that I’ve witnessed the risks first-hand: it’s not a case of if there’s a breach but when. I even go to the extent that if I have to put any of my personal details into any system, I will only do it if it is secured with some form of two-factor authentication. If a website does not support 2FA I either put in fake details or limit the details I provide to the bare minimum.

Think about that: how useful are fake details to the website owner? Are you encouraging the same? I will also not let a customer give me admin access to their tenant without enabling 2FA on the admin account. Luckily Microsoft will no longer allow you to be an admin of an Office 365 tenant without 2FA. In this age we need to do everything we can to protect our identity and access to confidential information. Granted, 2FA is not impenetrable; there are still ways for your authentication to be hacked even with 2FA, but it is about making that a lot more difficult.

“So why doesn’t everybody have 2FA set up?

Many don’t know what 2FA is, some find it inconvenient & others believe they won’t get caught”

2FA is all about stopping a phishing attack on your credentials from succeeding. In simple terms it helps protect you from the scenario where you receive an email with a link to a file or invoice from a supplier or customer, stored in OneDrive for example. You follow the link and sign in, at which point you are told that you have entered an incorrect password and are redirected to an official Microsoft login screen. What happened on the first screen is that your username and password were captured by a criminal on a fake authentication screen. You think that you entered your password incorrectly, so you re-enter it on the real authentication screen and it works, and you don’t realise you have been the victim of a scam. The scammers will then use your credentials to do things like access all of your files on SharePoint or send out emails on your behalf to scam all of your contacts with the same scam that caught you. They use what is called your zero mailbox, which contains a list of every email address you have ever sent an email to from that account. Yeah nah thanks.
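As an added illustration (not part of the original post), here is a small Python check of the kind a mail filter or a cautious user could apply to a “sign in to view this file” link before entering credentials: a link is only treated as a genuine Microsoft sign-in page when it is served over HTTPS and its host is exactly one of a known list, which is what separates the fake first screen from the real second screen in the scenario above whenever the fake page lives on another host. The host list and the sample links are constructed assumptions for this example, not data from the post.

```python
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Assumption: an illustrative (not exhaustive) set of hosts that legitimately
# present a Microsoft / Office 365 sign-in form.
GENUINE_SIGNIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}


def signin_host_verdict(url: str) -> Tuple[str, str]:
    """Return (verdict, reason) for a link that asks for Office 365 credentials.

    verdict is "genuine" only for an https URL whose host is exactly one of
    GENUINE_SIGNIN_HOSTS; everything else is "suspect".
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return "suspect", "sign-in page is not served over https"
    if "@" in parts.netloc:
        # "login.microsoftonline.com@evil.example": the text before '@' is
        # userinfo, not the host, and is a classic way to disguise the real host.
        return "suspect", "userinfo before '@' disguises the real host"
    host = parts.hostname or ""  # lower-cased, port stripped
    if host in GENUINE_SIGNIN_HOSTS:
        return "genuine", f"host {host} is a known Microsoft sign-in host"
    if "microsoft" in host or "office" in host:
        # e.g. "login.microsoftonline.com.invoice-share.example": the genuine
        # name is only a prefix of a host registered by someone else.
        return "suspect", f"host {host} imitates a Microsoft sign-in host"
    return "suspect", f"host {host} is not a Microsoft sign-in host"


# Constructed sample links, modelled on the "invoice in OneDrive" lure above.
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://login.microsoftonline.com.invoice-share.example/signin",
    "https://login.microsoftonline.com@invoice-share.example/signin",
    "http://login.microsoftonline.com/",
]


def triage_links(links=SAMPLE_LINKS) -> Dict[str, str]:
    """Map each link to its verdict so a reader can see which ones to distrust."""
    return {link: signin_host_verdict(link)[0] for link in links}
```

Only the first sample link comes back as "genuine"; the other three reproduce the fake-screen pattern and are flagged as "suspect".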

So why doesn’t everybody have 2FA set up?

  • They do not know what 2FA is, or in some cases that it even exists
  • It is inconvenient
  • They think they will not get caught

Inconvenience? You seriously need to consider the inconvenience of having all of your confidential files accessed, or all of your customers being scammed from your email address without you knowing. We can help you make it less inconvenient by properly setting up your 2FA in Office 365, and because we have done this for many clients we have developed a process to help your team deal with the change so that it does not slow your business down.

If you think that you will not be caught because you are careful, think again. I have had to help some very tech-savvy people recover from a phishing attack, and they also thought that they would not get caught. If they can get caught, you need to consider the likelihood of your least tech-savvy user getting caught and the impact of that on your business. Don’t say Sweet FA to 2FA.