Overview

Multifactor Authentication Status

The Multifactor Authentication Status alert is triggered when one of the users inside your tenancy does not have Multi Factor Authentication (MFA) set up, and/or we cannot see a method of enforcement (such as administratively, through Security Defaults, or with a Conditional Access Policy).

Multifactor Authentication Status

  • Understand your status
  • Monitor for changes
  • Ensure enforcement
  • Protect user accounts
  • Be proactive
Administrative Access and Accounts

Situations

Situations faced by the client

How is this check useful in the real world? Let’s take an accounting firm as an example.

Problems Faced

After much work getting everyone on board, a recent manual review (only last month!) showed that everyone had MFA set up and operational. Larry, a senior partner in the firm, is travelling overseas next month and didn’t want any interruption to his email in case he misplaces his phone (which holds the MFA keys), so he disabled MFA just before departure.

Larry doesn’t have roaming data, so he uses a Wi-Fi access point at the first airport he stops at. He fails to log in successfully at the airport; however, once he arrives at his hotel he is able to check his email and thinks no more of it.

What Larry doesn’t realise is that his login at the airport was redirected to a fake login page, on which his username and password were stolen. Malicious attackers now have uncontrolled access to Larry’s account.

Solution

It is important that any user accounts that are missing MFA are identified and rectified as a priority. Whilst all your accounts may have MFA at the moment, it is easy for a temporary disablement of MFA for a user to become permanent. The account with MFA disabled can easily be forgotten about, only to be remembered potentially months or years later when the account is compromised.

Checking every day that each one of your user accounts has MFA set up and enforced is time-consuming and impractical. It is not reasonable to expect an Administrator to undertake this task on a daily basis. CatchBefore can undertake this check multiple times per day. The sooner the situation is discovered, the sooner you can take mitigation steps and reduce the potential for a larger impact.
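The check described in the overview (MFA registered, plus a visible enforcement method) and the repeated comparison between checks can be sketched as follows. This is an added example, not CatchBefore's code: the snapshot layout, the `perUserMfaState` key and the sample users are constructed assumptions with field names loosely modelled on Microsoft Graph exports, and group- or role-scoped Conditional Access policies are not resolved.

```python
# Constructed snapshots; layout and perUserMfaState are assumptions of this example.
def ca_requires_mfa(policy, user_id):
    """True if an enabled Conditional Access policy demands MFA from user_id."""
    if policy.get("state") != "enabled":  # report-only or disabled enforces nothing
        return False
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    users = policy.get("conditions", {}).get("users", {})
    included = users.get("includeUsers", [])
    in_scope = "All" in included or user_id in included
    return "mfa" in controls and in_scope and user_id not in users.get("excludeUsers", [])

def mfa_status(snapshot):
    """Map each UPN to (registered, enforcement source or None)."""
    status = {}
    for u in snapshot["users"]:
        if u.get("perUserMfaState") in ("enabled", "enforced"):
            source = "per-user"
        elif snapshot.get("securityDefaultsEnabled"):
            source = "security-defaults"
        elif any(ca_requires_mfa(p, u["id"]) for p in snapshot.get("caPolicies", [])):
            source = "conditional-access"
        else:
            source = None
        status[u["userPrincipalName"]] = (bool(u.get("isMfaRegistered")), source)
    return status

def alerts(previous, current):
    """Users lacking registration or enforcement now; regression = was fine before."""
    before, now = mfa_status(previous), mfa_status(current)
    return [{"user": upn, "registered": reg, "enforcement": src,
             "regression": all(before.get(upn, (False, None)))}
            for upn, (reg, src) in sorted(now.items()) if not (reg and src)]

def user(uid, upn, registered, per_user="disabled"):
    return {"id": uid, "userPrincipalName": upn,
            "isMfaRegistered": registered, "perUserMfaState": per_user}

CA = {"state": "enabled", "grantControls": {"builtInControls": ["mfa"]},
      "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["u1"]}}}
LAST_MONTH = {"securityDefaultsEnabled": False, "caPolicies": [CA], "users": [
    user("u1", "larry@example.com", True, "enforced"),
    user("u2", "dana@example.com", True)]}
TODAY = {"securityDefaultsEnabled": False, "caPolicies": [CA], "users": [
    user("u1", "larry@example.com", False),     # MFA removed before travelling
    user("u2", "dana@example.com", True),
    user("u3", "newhire@example.com", False)]}  # in policy scope, never registered

if __name__ == "__main__":
    print(*alerts(LAST_MONTH, TODAY), sep="\n")
```

The `regression` flag separates an account that passed the previous check and has since lost MFA from one that never had it, which is the case a one-off manual review misses.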

Prevention

What are the main questions you should consider when working out how to manage this risk?

  • Do you have a system or solution in place to detect user accounts that do not have Multi Factor Authentication set up and enforced?
  • If MFA were removed from a user account, would you find out?
  • How long do you think it would take you to discover that you don’t have 100% MFA coverage?
  • Have you ever checked for accounts missing MFA?
  • What would the impact be on your organisation if a user account was compromised for an extended period of time without detection (due to lack of MFA enforcement)?