Cybercrime, Data Protection, and Multi-Factor Authentication (MFA)

Most people are familiar with the concept of an arms race. In the world of cybersecurity, this phrase is also in use. A cybersecurity “arms race” typically refers to escalating responses when one party creates a threat, and then a counter-measure is created to meet the new threat head on, resulting in a new baseline which then requires ever more sophisticated attacks in order to be successful. For better or worse many of the significant technological advancements that shape our modern world have been developed, yet we must also live in a world of constant vigilance. Those technologies that are successful often begin with a focus on functionality, then adoption, and eventually they move on to a maturity phase that commonly includes dealing with unexpected issues that arise from the choices made in previous stages.

As evidenced in past Microsoft cybersecurity reports, one of the most common ways in which a system is compromised by cybercriminal activity results from weak passwords. We’ve published a number of  resources that can help guide employees on how to develop strong passwords with resources such as our recent “Security Tips & Talk blog” series: 5 passwords you should never use, and Create stronger passwords and protect them. While creating strong passwords is essential, organized crime is now driving a cyber “arms race” and it’s clear that counter measures organizations have implemented to better protect them are frequently playing catch up.  Now more than ever is the time to adopt new counter measures that have become available including multi-factor authentication.

Multi-Factor Authentication (MFA) is a counter-measure that provides an added layer of protection by requiring a person to supply multiple forms of identify making it harder for cybercriminals to successfully gain access to the system. Self-identification is commonly broken down into these three factors:

  • Something you know (a password or a Personally Identifiable Number  [PIN])
  • Something you have (a smartcard or device)
  • Something you are (a fingerprint or other biometric scan)

When an organization requires its employees to provide more than one factor in order to grant access to their data, it gets more difficult for a criminal to impersonate that employee. A stolen password on its own is no longer enough to gain access, and without the additional required physical element, a cybercriminal will be further challenged.

There are many MFA implementations available, but they have been relatively expensive to roll out and were often only seen in high security environments. Two-Factor Authentication (2FA) is a common MFA scenario in the business world where smartcards are used in conjunction with a PIN when logging into a system.  MFA is in no way a new technology; however, there have been many advances in modern device hardware that have greatly simplified its rollout and administration. 2FA has been made available in Microsoft’s products and services for some time now and can often be adopted at little or no cost. (List below)

For those of you looking for an added layer of security to help protect your organization’s data, I encourage you start by adding Two-step verification to you own personal Microsoft accounts and then evangelize it within your organizations. Enabling two-step verification is a fairly straightforward process and can turned on quickly. From here check out the following resources which can help you add 2FA to Microsoft’s Windows, Office, and Online Services to better protect corporate identities: Windows Virtual Smartcards, Azure Multi-Factor Authentication, Windows Azure Multi-Factor Authentication Overview, and Multi-Factor Authentication for Office 365.

About the Author
Adrienne Hall

General Manager, Trustworthy Computing

Adrienne Hall is a General Manager in the Microsoft Trustworthy Computing group, where she leads a team of information technology (IT) professionals who are focused on the security, privacy, reliability, and accessibility of devices and services built on Microsoft technology. Read more »