Why engage GreenLoop to assist with your Multi-Factor Authentication (MFA) implementation project, instead of doing it yourself? It’s true that these days, implementing basic MFA in Office 365 isn’t that difficult, and many companies have a power user or two who feel able to enable it for the organization at a much lower cost than GreenLoop’s implementation fee.
Ultimately, having basic MFA is absolutely better than none at all, so if that’s what you can afford, great! However, most SMB leaders would benefit from considering these questions before attempting to self-implement 365 MFA in their organization:
- Are you sure you’re getting everything Microsoft has to offer? The latest Microsoft MFA functionality to defend against the latest threats and make the process as simple as possible for end-users is not generally enabled or enforced by default.
- Are you securing your ongoing investment? Many implementations leave gaping security holes: for instance, by failing to ensure MFA is enforced on an ongoing basis, which can mean security lapses down the road as staff turn over, or as MFA gets turned off and never turned back on. Likewise, disabling the legacy protocols that circumvent MFA requires an advanced understanding of the factors in play in order to avoid service disruptions.
- Are you confident the implementation will go smoothly? Users with legacy applications or who have never used MFA before often have a steep learning curve getting these to work correctly, and may need individualized attention from an experienced technician. In addition, many organizations struggle to balance the disruption of enforcing MFA for all users at once vs. the hassle and delay of coordinating with each individual user or waiting on them to self-complete the instructions.
GreenLoop is glad to set up a time to discuss your MFA requirements and how we can leverage our years of experience over thousands of 365 user enablements to best secure your organization.
Below is an overview of additional enhancements GreenLoop offers as part of our standard Multi-Factor Authentication (MFA) enforcement project. Except where noted, these are included by default with every 365 MFA Implementation Project.
Enforcement
It’s not enough to simply enable MFA for all of your current users. You’ll want to make sure that this is enforced going forward, not just for your existing employees but also for any future new hires. You don’t want to find out after a new hire is compromised that they were never onboarded with MFA. GreenLoop will create a Conditional Access Policy following Microsoft recommendations to enforce MFA for all your users, forever.
Phased-in Implementation
Optionally, GreenLoop can phase in enforcement of MFA for 365, so that not all users have to register and be enforced at once. This can be done individually or in batches of 5-10 users at a time.
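The Conditional Access policy described in the two sections above, as an added example using the Microsoft Graph PowerShell SDK (this is illustrative code, not GreenLoop's own tooling). It assumes a pilot group for the current batch and a break-glass group to exclude; both object ids are placeholders.

```powershell
# Added example: a Conditional Access policy that requires MFA for all cloud apps,
# scoped to one onboarding batch and created in report-only mode first.
# Placeholders: $PilotGroupId (group currently being onboarded),
#               $BreakGlassGroupId (emergency-access accounts, always excluded).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$PilotGroupId      = "<pilot-group-object-id>"        # placeholder
$BreakGlassGroupId = "<break-glass-group-object-id>"  # placeholder

$policy = @{
    displayName = "CA001 - Require MFA (phase 1 pilot)"
    # Report-only: sign-ins are evaluated and logged but never blocked, so the
    # sign-in logs show exactly who would be affected before enforcement is switched on.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeGroups = @($PilotGroupId)       # final phase: includeUsers = @("All")
            excludeGroups = @($BreakGlassGroupId)  # never lock out emergency-access accounts
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# For each later batch, add that batch's group to includeGroups (or switch to
# includeUsers = @("All") for the final phase) with Update-MgIdentityConditionalAccessPolicy,
# and only then change state to "enabled". New hires are covered automatically because
# the policy targets the tenant, not a list of individual accounts.
```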
White-Glove Assistance
Optionally, GreenLoop can work with each of your users individually to ensure they have a seamless experience getting started with Multi-Factor Authentication. We’ll work with them to get the Authenticator app installed and registered, enforce MFA for them individually, and then make sure all their Microsoft apps work on their PC and mobile device. We can send you a list of users who haven’t responded to our request to work with them and then make a plan to get everyone in the organization set up on the timeline you need.
Disablement of Legacy Authentication methods
Even with MFA enforced, “legacy” authentication methods that allow authentication with only a username and password are still enabled by default for backwards-compatibility reasons—for instance, if you have scan-to-email set up, there’s an excellent chance it requires a legacy protocol. These legacy protocols are an attractive target to hackers and a common way an account can still be hacked even with MFA enabled (it’s not unusual to see hundreds of attempts per day to compromise accounts using legacy authentication). GreenLoop confirms whether any legacy protocols are in use, applies the minimum exception required in order to maintain operations, and then disables everything else.
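The confirm-then-disable step for legacy protocols, as an added example (illustrative code, not GreenLoop's own tooling): it inventories legacy sign-ins from the Entra sign-in logs, then creates a blocking Conditional Access policy that exempts one group holding the unavoidable exceptions. The exception group id is a placeholder.

```powershell
# Added example: find which accounts still authenticate with legacy (password-only)
# protocols, then block legacy authentication with a minimal exception.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Inventory. The sign-in log records the protocol in clientAppUsed; modern clients
#    report "Browser" or "Mobile Apps and Desktop clients", anything else is legacy.
$modern = @("Browser", "Mobile Apps and Desktop clients")
$since  = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$legacy = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin $modern }

# Successful legacy sign-ins are the ones a block would break (e.g. a scan-to-email
# device); the failures are largely password-spray attempts and need no exception.
$legacy | Group-Object UserPrincipalName, ClientAppUsed | ForEach-Object {
    $ok = ($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
    [pscustomobject]@{
        User      = $_.Values[0]
        Protocol  = $_.Values[1]
        Successes = $ok
        Failures  = $_.Count - $ok
    }
} | Sort-Object Successes -Descending | Format-Table -AutoSize

# 2. Block. Legacy clients match the exchangeActiveSync and "other" client app types.
#    Put only the accounts that genuinely need a legacy protocol in the exception group.
$LegacyExceptionGroupId = "<legacy-exception-group-object-id>"   # placeholder
$policy = @{
    displayName   = "CA002 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"   # "enabled" once the inventory is clean
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($LegacyExceptionGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Re-run the inventory while the policy is in report-only mode; once no successful legacy sign-ins remain outside the exception group, switch the state to enabled.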
Self-Service Password Reset Setup with “Combined Registration Experience”
Self-Service Password Reset allows you to reset your Office 365 password (and often your computer login as well) using your details registered with Microsoft. As part of our implementation, GreenLoop not only enables this from end-to-end, but also makes sure that you only have to register once, so that your MFA app can also be used to quickly and easily reset your password.
Passwordless Authentication
As part of your deployment, GreenLoop enables this feature so that your users can enable their accounts for Passwordless authentication once they’ve registered for MFA using the Microsoft Authenticator app. This turns login to Microsoft services into a challenge-response using the Authenticator app rather than a remembered password. For more on why this enhances your security, and to get a look at the experience, see here [microsoft.com].
Number Matching Enforcement
When push notifications are enabled through Microsoft Authenticator, a hacker who has acquired a valid password can generate an approval prompt. A common method hackers use to try to circumvent MFA is called “MFA prompt bombing”: they use the valid username and password to generate an approval prompt (or sometimes many of them) and hope the end-user mindlessly approves one. To reduce this risk, we recommend enabling Number Matching enforcement, which requires a user to match a number shown at sign-in by typing it in, rather than simply clicking Approve. For further information on the user experience and why this is important, see here [linkedin.com].
Additional Context Notifications
As part of your deployment, GreenLoop will enable the additional context notifications feature, which adds the app name and a map of the location of the device that triggered the MFA notification. This gives users maximum context to know whether an approval prompt was generated by their own actions from their own location, or may be suspicious. This equips users to thwart MFA Prompt Bombing and other Man-in-the-Middle (MitM) MFA attacks. For more information and screenshots, see here [microsoft.com].
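The additional-context settings from this section, turned on for all users through the authentication methods policy in Microsoft Graph, as an added example (illustrative code, not GreenLoop's own tooling). It assumes an account with rights to edit the authentication methods policy.

```powershell
# Added example: enable application-name and sign-in-location context in Microsoft
# Authenticator push prompts for everyone enrolled in the Authenticator method.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$uri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator"

# Each feature is a state plus a target; "all_users" is the built-in group id that
# targets every user covered by the method. Use a specific group id to pilot first.
$allUsers = @{ targetType = "group"; id = "all_users" }
$body = @{
    "@odata.type"   = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
    featureSettings = @{
        displayAppInformationRequiredState      = @{ state = "enabled"; includeTarget = $allUsers }
        displayLocationInformationRequiredState = @{ state = "enabled"; includeTarget = $allUsers }
    }
}
Invoke-MgGraphRequest -Method PATCH -Uri $uri -ContentType "application/json" `
    -Body ($body | ConvertTo-Json -Depth 6)

# Read the configuration back and confirm both features now report "enabled".
$cfg = Invoke-MgGraphRequest -Method GET -Uri $uri
"App information: "  + $cfg.featureSettings.displayAppInformationRequiredState.state
"Location context: " + $cfg.featureSettings.displayLocationInformationRequiredState.state
```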
Office 365 “Best Practices”
GreenLoop has developed our own set of “best practice” security and operational settings for Office 365, based on Microsoft recommendations and our own proprietary experience. As part of every 365 MFA implementation, we apply these settings (even if they’ve been applied before) to make sure your Office 365 tenant is up to date with the latest settings and security.