Instead of assuming that everything inside the corporate firewall is safe, the Zero Trust model assumes breach and applies a ‘never trust, always verify’ approach to access. All users and devices, whether inside or outside the enterprise perimeter, are verified in real time. Every access request is authenticated and authorized based on the available data points, including user identity, location, device information, data classification and detected anomalies.
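To make the evaluation described above concrete, here is an added example (not code from Microsoft or from the original post) of a minimal policy engine that combines the listed signals into a decision. The request fields, the risk-signal names and the rule ordering are assumptions chosen for illustration; the point it demonstrates is that a Zero Trust decision starts from deny, blocks on high-risk signals before considering anything else, and steps up to MFA whenever any signal is not fully trusted.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    BLOCK = "block"
    REQUIRE_MFA = "require_mfa"
    ALLOW = "allow"


@dataclass(frozen=True)
class AccessRequest:
    """One access request with the signals a Zero Trust policy evaluates.
    Field names are hypothetical; they model the data points named in the text."""
    user: str
    mfa_satisfied: bool              # user already completed a second factor this session
    device_compliant: bool           # device meets the tenant's compliance policy
    trusted_location: bool           # source IP is inside a named trusted network
    data_classification: str         # "public" | "internal" | "confidential"
    anomalies: frozenset = frozenset()  # constructed signal names, e.g. "impossible_travel"


# Constructed set of signals that should block outright rather than step up.
HIGH_RISK = frozenset({"leaked_credentials", "malware_linked_ip"})


def evaluate(req: AccessRequest) -> tuple:
    """Return (Decision, reason). Assume breach: nothing is trusted by default."""
    if req.anomalies & HIGH_RISK:
        # A high-risk signal wins over every other factor, even a completed MFA.
        return Decision.BLOCK, "high-risk signal present"

    if req.data_classification == "confidential" and not req.device_compliant:
        # Sensitive data never reaches a device the organization cannot vouch for.
        return Decision.BLOCK, "confidential data requires a compliant device"

    # Any untrusted signal means the session must prove possession of a second factor.
    needs_mfa = (
        not req.trusted_location
        or not req.device_compliant
        or bool(req.anomalies)
        or req.data_classification != "public"
    )
    if needs_mfa and not req.mfa_satisfied:
        return Decision.REQUIRE_MFA, "untrusted signal without a second factor"

    return Decision.ALLOW, "all signals verified"


if __name__ == "__main__":
    # Constructed sample requests, not real sign-in data.
    samples = [
        AccessRequest("alice", False, True, True, "public"),
        AccessRequest("bob", False, False, False, "internal"),
        AccessRequest("carol", True, True, True, "confidential",
                      frozenset({"leaked_credentials"})),
    ]
    for s in samples:
        print(s.user, *evaluate(s))
```

Because the ordering is explicit, a reviewer can see why a completed MFA does not rescue a request carrying a leaked-credential signal: the block rule is evaluated first, which is the behaviour a "assume breach" posture expects.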
Identity is one of the six foundational pillars of a Zero Trust framework, along with devices, applications, data, infrastructure and network. Each of these pillars is a source of signal, a control plane for enforcement and a critical resource to be defended. Microsoft recommends four steps for implementing strong identity for a Zero Trust security model:
- Multi-factor authentication (MFA)
- Policy-based access
- Identity protection
- Secure access to SaaS and on-premises apps
In this blog post we will review Multi-factor authentication (MFA), the foundation of strong identity. Password-only authentication is no longer sufficient to protect user accounts, because employees and external collaborators connect to enterprise resources from inside and outside the corporate network using a variety of devices, including unmanaged employee-owned smartphones and tablets. MFA adds an additional layer of defense by requiring users to provide two or more forms of authentication to access an account. The forms of authentication can include something the user knows (such as a password), something they have (such as a phone or other trusted device) or something they are (such as a fingerprint or other biometric).
The second-factor authentication methods supported in Azure AD MFA include the following:
- Microsoft Authenticator App
- Windows Hello for Business
- FIDO2 security keys
- Hardware tokens
- SMS messages
- Automated voice calls
- Security questions
“Condition-based access and controls such as MFA are important to prevent unauthorized access to corporate applications, services and data. MFA spamming has become more prevalent with increasing adoption of strong authentication. Azure AD offers a broad range of flexible authentication methods to meet the unique needs of your organization and helps keep your users protected. Build up your organization’s strong identity by enabling stronger MFA features in Microsoft Authenticator. You can choose to approve sign-ins from a mobile app using push notifications, biometrics, or one-time passcodes, or replace passwords and boost the security of your accounts from your mobile device.” – Balazs Maar, Microsoft Solutions Sales Manager.
All Microsoft customers can enable MFA for free with the Microsoft Authenticator app, and MFA is now enabled by default for all new Azure AD tenants for Microsoft 365, Office 365, Dynamics and Azure. Reach out to us to consult on improving your security posture with seamless MFA enablement.