You need more than a good password to protect your data these days. There are few things worse, from an IT security perspective, than having to tell my customers they have been compromised. No matter how many times we send out reminders or warnings, someone always ends up falling for the email that absolutely came from Microsoft asking them to log in because they’d exceeded their storage limit and their files were going to be deleted.
See our article on How to Spot a Scam Email for some great tips. Even then, the conclusion is that it isn’t enough just to be vigilant. If you want to protect your business, you have to use some form of Multi-Factor Authentication (MFA).
So what is MFA?
Multi-Factor Authentication is pretty much what it says. A password on its own is single-factor authentication. You have a password. If anyone else has that password – they have access to everything you have access to.
MFA adds layers of protection. I’d be surprised if anyone hadn’t run into MFA somewhere in their life. The most common form of MFA is the text message or phone call you get to confirm it is you logging in. Microsoft offer this level of service with all Microsoft 365 Business Professional (and above) subscriptions.
There are also tokens you can get that keep generating new codes on a timer. That token is linked to your login information so when you log in, if you don’t enter the same number that currently appears on your security token, you can’t get in – even with the correct username and password.
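How a timer-based token and the login server stay in step, as an added example that is not code from this article: both sides hold the same secret, each derives a six-digit code from the current 30-second time step (the TOTP scheme used by most code-generating tokens and authenticator apps), and the server only accepts a login when the submitted code matches its own calculation for the current step or an adjacent one. The secret and timestamps here are constructed for the demonstration.

```python
# Added example (not from the original article): time-based one-time codes
# as generated by a security token and checked by the server (RFC 6238 TOTP,
# built on RFC 4226 HOTP). Secret and timestamps are constructed test values.
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # how long each code stays valid
DIGITS = 6          # length of the code shown on the token


def hotp(secret: bytes, counter: int) -> str:
    """HMAC-SHA1 over the counter, then the standard dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret: bytes, at: Optional[float] = None) -> str:
    """What the token displays: HOTP with the counter = current time step."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // STEP_SECONDS))


def verify(secret: bytes, submitted: str, at: Optional[float] = None,
           window: int = 1) -> bool:
    """Server side: accept the code for this step or +/- `window` steps,
    which tolerates small clock drift between token and server. Uses a
    constant-time comparison so timing does not leak the expected code."""
    now = time.time() if at is None else at
    step = int(now // STEP_SECONDS)
    return any(
        hmac.compare_digest(hotp(secret, step + d), submitted)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    shared_secret = b"12345678901234567890"   # constructed shared secret
    print("token shows:", totp(shared_secret))
    print("login ok:", verify(shared_secret, totp(shared_secret)))
```

A code copied from a token a few minutes ago fails the check because the time step has moved on, which is what makes the "same number that currently appears" requirement enforceable.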
And this is why MFA can save me having to call you and give you bad news. If one of your staff accidentally gives up their password, it’s still not enough to compromise their account because the person who has cleverly stolen their credentials will get stopped by the MFA check.
You’ll also hear about Two-Factor Authentication (2FA), which is a subset of MFA. Generally, two factors of authentication are considered enough for day-to-day protection. This could be either of the above examples, where a password is the first factor and a code, either generated by a security token or sent to a mobile device, is the second factor.
But there are other options available as well. Microsoft allows you to limit logging in by geographic region. If all of your staff are in Melbourne, Australia – don’t allow sign-ins from anywhere else! (Be aware that if you do that, your staff have the perfect excuse for not checking their email on holiday or while travelling!)
Windows 10 offers a service called “Windows Hello” that can use a number of options to identify and authenticate a user. Many devices use biometrics like face or fingerprint unlocking. Combine any of these options to find the best way to secure access to your data without making your staff jump through hoops.
How Do I Enable MFA?
Aside from speaking to your Managed IT Service provider, we have a number of articles coming up that will step you through turning on some of the easier options like geographical restrictions or using mobile devices as an extra layer of security.