
The MSP’s Guide to Enhancing Client Security with Multi-Factor Authentication (MFA)

In the managed IT services industry, keeping clients’ data secure is paramount. One of the most effective and easiest-to-implement security measures is Multi-Factor Authentication (MFA). A 2023 study by Microsoft researchers, published on Cornell’s arXiv preprint server, found that simply using MFA reduces the risk of account compromise by roughly 99.2%. Despite its effectiveness, Microsoft has reported that only about 22% of its customers use it. This gap is primarily due to a lack of end-user awareness rather than neglect. Here is a guide for MSPs on how to implement MFA effectively and educate clients on its importance. 

A Brief History of MFA Adoption 

When Microsoft first introduced multi-factor authentication, it was only available through premium licenses. Customers asked for it to be made free to boost adoption, and after Microsoft did so, worldwide adoption rose only from about 1% to 2% of accounts. Although Microsoft has since offered more flexible options and tried to enforce MFA, many users still resist the additional sign-in step. The key to overcoming this resistance is education, and this is where MSPs play a crucial role. 

Methods for Enabling MFA 

Good: Per-User MFA in Entra ID (formerly Azure AD) 

Entra ID, formerly known as Azure AD, is the backbone of Microsoft identity management. While some businesses still run on-premises Active Directory, the current standard for cloud sign-in is Entra ID. Per-user MFA lets administrators and MSPs switch MFA on for individual accounts, but because every account has to be configured by hand it saw limited adoption, and verifying that every account is covered is difficult. Exemptions may be necessary for legacy applications or emergency access (break-glass) accounts, but these should be rare, documented, and monitored. Microsoft is phasing out per-user MFA in favor of Conditional Access, so treat it as a legacy method rather than a target state. 

Better: Security Defaults 

Security defaults are a tenant-wide setting introduced in October 2019 and turned on automatically for tenants created after that date. With security defaults on, every user must register for MFA (using the Microsoft Authenticator app) and is prompted for it when Microsoft judges the sign-in risky, administrators are always challenged, and legacy authentication protocols are blocked. If your client’s M365 tenant was created after October 2019, this is most likely already in place. It is a real improvement, but security defaults have limitations. The most significant is the block on legacy authentication: older clients that cannot complete an MFA prompt, such as mail clients using basic authentication over IMAP, POP3 or SMTP, simply stop working. Security defaults also cannot be combined with Conditional Access policies; you must turn them off to use Conditional Access. This forces a choice between keeping the defaults on or disabling them to accommodate such apps, which is why you should find out who still uses legacy authentication before flipping the switch. 
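The pre-flight check described above, as an added example that is not code from the original article or from Augmentt: it pulls recent Entra sign-in logs, lists the users and clients still relying on legacy authentication (the ones that will break), and only enables security defaults if none are found. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in administrator can read sign-in logs and write the security defaults policy; the look-back window and the list of legacy client names are this example’s own choices.

```powershell
# Added example (not from the original article or Augmentt's tooling).
# Assumes: Microsoft.Graph PowerShell SDK; an admin account with rights to read
# sign-in logs and update the security defaults policy.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Client app names that Entra sign-in logs report for legacy (basic) authentication.
# These clients cannot complete an MFA prompt and are blocked once security defaults are on.
$legacyClientApps = @(
    'Authenticated SMTP', 'Autodiscover', 'Exchange ActiveSync', 'Exchange Online PowerShell',
    'Exchange Web Services', 'IMAP4', 'MAPI Over HTTP', 'Offline Address Book',
    'Other clients', 'Outlook Anywhere (RPC over HTTP)', 'Outlook Service', 'POP3',
    'Reporting Web Services'
)

function Find-LegacyAuthSignIns {
    # Summarise legacy-auth sign-ins per user and client so you can see exactly who would break.
    param([Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $SignIns)
    $SignIns |
        Where-Object { $legacyClientApps -contains $_.ClientAppUsed } |
        Group-Object UserPrincipalName, ClientAppUsed |
        ForEach-Object {
            [pscustomobject]@{
                User      = $_.Group[0].UserPrincipalName
                ClientApp = $_.Group[0].ClientAppUsed
                SignIns   = $_.Count
                LastSeen  = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
            }
        }
}

# Sign-in log retention is 7 days on free tenants and 30 days with Entra ID P1/P2;
# widen the window if the tenant is licensed for it.
$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

$current = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security defaults currently enabled: $($current.IsEnabled)"

$blockers = @(Find-LegacyAuthSignIns -SignIns @($signIns))
if ($blockers.Count -gt 0) {
    Write-Warning "Legacy authentication is still in use; these clients will stop working under security defaults:"
    $blockers | Sort-Object User, ClientApp | Format-Table -AutoSize
}
elseif (-not $current.IsEnabled) {
    Write-Host "No legacy-auth sign-ins in the window; enabling security defaults."
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
}
```

Run it once per tenant before the change and keep the output: the list of affected users is exactly what you need for the client conversation about retiring those clients, and if the list is empty you have evidence that enabling the defaults is safe.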

Best: Conditional Access Policies 

Conditional Access policies offer granular control, the flexibility to use third-party MFA providers, and a way to keep older applications working while the rest of the tenant is protected. A policy names the users, applications, and conditions it applies to (group or role, named location, device platform or compliance state, client app type, sign-in risk) and the control to enforce when a sign-in matches: require MFA, require a compliant or hybrid-joined device, or block outright. Conditional Access requires an Entra ID P1 license, which is included in Microsoft 365 Business Premium and the E3/E5 plans. 

Most businesses already organize users into groups by department, location, or role. Implementing Conditional Access can be as simple as targeting policies at those existing groups, and policies can be layered: for example, access to a finance application could require both membership in the finance group and a compliant device. Start each new policy in report-only mode, review its effect in the sign-in log, and only then enforce it; always exclude at least one emergency access (break-glass) account so a misconfigured policy cannot lock the tenant out. Conditional Access offers the ideal balance between flexibility and ease of management. Once the policies are in place, new users need only be added to the appropriate groups during onboarding, and the right policies apply to them automatically without further configuration. 
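A group-based Conditional Access policy of the kind described above, as an added example that is not code from the original article or from Augmentt. It creates a policy in report-only mode that requires MFA for every member of an "MFA - All Users" group, excludes a break-glass account, scopes itself to modern clients so legacy-auth clients are not silently failed, and then checks for enabled member accounts that are not yet in the group. It assumes the Microsoft.Graph PowerShell SDK and an Entra ID P1 license; the two object IDs are placeholders to replace with the real group and account.

```powershell
# Added example (not from the original article or Augmentt's tooling).
# Assumes: Microsoft.Graph PowerShell SDK, Entra ID P1, and that the IDs below are
# replaced with the tenant's real group and break-glass account object IDs.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All",
                        "User.Read.All", "GroupMember.Read.All"

$mfaGroupId   = '00000000-0000-0000-0000-000000000001'   # placeholder: group every onboarded user is added to
$breakGlassId = '00000000-0000-0000-0000-000000000002'   # placeholder: emergency access account, excluded by design

$policy = @{
    displayName = 'CA001 - Require MFA for MFA - All Users'
    # Report-only first: the policy is evaluated against real sign-ins and the result is
    # recorded in the sign-in log, but nobody is blocked. Switch to 'enabled' after review.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        # Scope to modern clients only. Legacy-auth clients cannot complete an MFA prompt,
        # so they are handled by a separate block policy once migrated, not failed here.
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeGroups = @($mfaGroupId)
            excludeUsers  = @($breakGlassId)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"

# Coverage check: every enabled member account should be in the MFA group, or be the break-glass account.
$covered   = @((Get-MgGroupMember -GroupId $mfaGroupId -All).Id)
$uncovered = Get-MgUser -Filter "accountEnabled eq true and userType eq 'Member'" -All |
    Where-Object { $_.Id -ne $breakGlassId -and $covered -notcontains $_.Id }

if ($uncovered) {
    Write-Warning "Enabled member accounts not covered by the MFA policy:"
    $uncovered | Select-Object DisplayName, UserPrincipalName | Format-Table -AutoSize
}
else {
    Write-Host "All enabled member accounts are in the MFA group."
}
```

The coverage check at the end is the part that closes the gap per-user MFA left open: run it as part of the onboarding checklist and the policy stays complete as the client’s headcount changes.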

MFA Authentication Methods 

Good: SMS, Voice, and Email 

These are the most common authentication methods but also the easiest to defeat. Most people have a phone and an email account, which makes them easy to roll out. However, phone numbers can be taken over through SIM-swap fraud, SMS can be intercepted, email inboxes can be breached if they lack strong protection of their own, and a code delivered by any of these channels can be phished in real time by a fake login page that relays it to the real service. Despite these weaknesses, any form of MFA is far better than none. Treat these methods as a starting point and move users to stronger options as soon as practical. 

Better: Authenticator Apps 

Authenticator apps generate a time-based one-time passcode (OTP) on the user’s phone, or receive a push notification the user approves. The secret never travels over the phone network, so SIM swapping and SMS interception no longer apply, and the phone’s own lock screen and app protections add a further layer. Two caveats remain: an OTP can still be relayed by a real-time phishing page, and push approvals can be worn down by repeated prompts (so-called MFA fatigue), which is why Microsoft Authenticator’s number matching should be left enabled. 

Best: Biometrics, U2F Tokens, and FIDO2/WebAuthn 

The goal of MFA is to ensure that the person authenticating is the right person. Biometrics such as fingerprints and facial recognition are much harder to steal than passwords, and in these schemes they are used locally to unlock a credential on the device rather than being sent to the service. Universal 2nd Factor (U2F) tokens are physical security keys that prove possession when tapped, while FIDO2, which combines the W3C WebAuthn standard with the CTAP protocol, lets websites use either a roaming key or a platform authenticator built into a smartphone or laptop (Windows Hello, Touch ID) to verify identity. What makes these methods the strongest is that the private key never leaves the device and the credential is bound to the site’s origin, so a phishing page cannot obtain a usable assertion. Device theft is the residual risk, and it is mitigated by the PIN or biometric that unlocks the authenticator. 
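An audit that ties the three tiers above back to real accounts, and answers the coverage question raised in the per-user MFA section, as an added example that is not code from the original article or from Augmentt. It reads the Entra authentication methods registration report, flags users (and especially admins) with no MFA registered, and buckets everyone else by their default MFA method into the article’s Good/Better/Best tiers. It assumes the Microsoft.Graph PowerShell SDK and a reader role for the report; the mapping from Graph’s defaultMfaMethod values to the tiers is this example’s own.

```powershell
# Added example (not from the original article or Augmentt's tooling).
# Assumes: Microsoft.Graph PowerShell SDK and an account allowed to read the
# authentication methods registration report.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# Graph's defaultMfaMethod values mapped to the article's tiers (the mapping is this example's own).
$tierByDefaultMethod = @{
    'mobilePhone'          = '1-Good   (SMS/voice to mobile)'
    'alternateMobilePhone' = '1-Good   (SMS/voice to alternate mobile)'
    'officePhone'          = '1-Good   (voice to office phone)'
    'appCode'              = '2-Better (authenticator app OTP)'
    'appNotification'      = '2-Better (authenticator app push)'
    'fido2'                = '3-Best   (FIDO2 security key / passkey)'
}

function Get-MfaPosture {
    # Turn registration report rows into one status line per user, gaps first.
    param([Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Rows)
    foreach ($r in $Rows) {
        $default = [string]$r.DefaultMfaMethod
        $status =
            if ($r.IsAdmin -and -not $r.IsMfaRegistered)      { '0-GAP    admin with no MFA registered' }
            elseif (-not $r.IsMfaRegistered)                  { '0-GAP    no MFA registered' }
            elseif ($tierByDefaultMethod.ContainsKey($default)) { $tierByDefaultMethod[$default] }
            else                                              { "?-Other  default method '$default'" }
        [pscustomobject]@{
            User    = $r.UserPrincipalName
            IsAdmin = $r.IsAdmin
            Default = $default
            Methods = ($r.MethodsRegistered -join ', ')
            Status  = $status
        }
    }
}

$rows    = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$posture = @(Get-MfaPosture -Rows @($rows))

# Per-user detail, worst first: unregistered admins, then unregistered users, then by tier.
$posture | Sort-Object Status, User | Format-Table User, IsAdmin, Default, Status -AutoSize

# Summary for the client report: how many accounts sit in each tier.
$posture | Group-Object Status | Sort-Object Name |
    Select-Object @{ n = 'Tier'; e = { $_.Name } }, Count | Format-Table -AutoSize
```

The status prefixes (0, 1, 2, 3) exist only so that a plain sort puts the gaps at the top; an account with no registered method is the first thing to fix, an admin in that state is an incident waiting to happen, and the tier counts give the client a concrete target for moving users off SMS.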

The Role of MSPs in Promoting MFA 

Even with MFA in place, phishing remains a risk: a convincing fake login page can relay an SMS or app-generated code in real time, and only phishing-resistant methods such as FIDO2 close that gap. As an MSP, your client is unlikely to blame you for this kind of human error, provided you have implemented solid, documented security measures. Implementing MFA also lowers your liability exposure: cyber insurers increasingly require it as a condition of coverage, and a documented MFA rollout is strong evidence of due care if a client or insurer ever disputes a claim. 

Final Thoughts 

For MSPs, the implementation of MFA is a critical component of a comprehensive security strategy. By understanding the best practices and educating clients on the importance of MFA, MSPs can significantly reduce the risk of cyberattacks. Embrace these practices to enhance your security offerings and protect your clients’ data from evolving threats. 

Levi Rose
