Knowledge base
December 22, 2023
Microsoft Entra MFA: Security Over Passwords
In today’s digital world, securing accounts and data is more important than ever. Multifactor authentication (MFA) provides an additional layer of security by asking users for more than one form of identification during the login process. This means that even if a password is compromised, the chances of an unauthorized person gaining access to the account are low.
How Does Microsoft Entra MFA Work?
Microsoft Entra MFA strengthens security by requiring two or more of the following authentication methods:
- Something you know 🧠 – Typically a password.🔐
- Something you have 📱- Like a trusted device that is not easily duplicated, such as a phone or hardware key.🔑
- Something you are 👤- Biometrics, such as a fingerprint 👆 or facial scan🤳.
This layered approach helps secure accounts even if one factor is compromised.
Available Verification Methods
When logging into an application or service with Microsoft Entra MFA, users can choose from several registered authentication methods:
- Microsoft Authenticator
- Authenticator Lite (in Outlook)
- Windows Hello for Business
- FIDO2 security key
- OATH hardware token (preview)
- OATH software token
- SMS
- Voice call
1. Microsoft Authenticator
- An app that generates a security code or sends a push notification for approval. It is convenient and provides strong security by using something the user always has with them – their cell phone.
2. Authenticator Lite (in Outlook).
- A lightweight version of the Authenticator app integrated into Outlook. It offers similar features but can be accessed directly from the e-mail application, making it easier for users who often use Outlook.
3. Windows Hello for Business
- Uses biometrics, such as facial recognition or a fingerprint, to log in. This method is very secure because biometric data is unique to each user and difficult to fake.
4. FIDO2 security key
- A FIDO2 security key, such as a YubiKey, used for authentication. This key can be connected to a USB-A, USB-C, or NFC interface, or connected via Bluetooth, depending on the model. It offers a high level of security because it is a physical device that the user must own and cannot be easily compromised remotely.
5. OATH hardware token (preview).
- A physical token that generates a unique code used for authentication. This is especially useful for users who do not have smartphones or in environments where mobile devices are not allowed.
6. OATH software token
- A software version of the OATH token. It generates a temporary code that is displayed through an app or software. It is a flexible and accessible option for many users.
7. SMS
- A text message with a one-time code is sent to the user’s cell phone. This is a simple and widely accepted method, although it is less secure than other options because of the possibility of SIM swap fraud.
8. Voice Call
- A phone call that reads out a one-time code. This is useful for users who do not have access to smartphones or the Internet, but still need some form of two-step verification.
Implementation of Microsoft Entra MFA
For quick implementation, organizations can use the “security defaults” in Microsoft Entra. For more detailed control, Conditional Access policies can be used to define specific events or applications that require MFA.
Transition to Safer Authentication Methods in Microsoft Entra
When migrating to the new authentication policies in Microsoft Entra, it is important to review which authentication methods should be disabled, especially if they are part of the old MFA and SSPR policies. Methods such as SMS and voice calls may be considered less secure because of vulnerabilities such as SIM swapping and phishing. These methods are still available, but it is recommended to consider more secure options, such as Microsoft Authenticator or FIDO2 security keys.
Professional Support for Microsoft Entra MFA Implementation
Implementing Microsoft Entra MFA is a crucial step for companies and individuals to protect their digital assets. It is not only an additional layer of security, but also provides flexibility and convenience for users. For expert assistance in migrating to the new Microsoft Entra authentication policy, contact ALTA-ICT. Our experienced team will guide you through the entire process. Schedule your appointment at alta-ict.co.uk/AppointmentMaking for professional support.