Why MSPs Should not Apply MFA Solutions Blindly

We know Multi-Factor Authentication is great, but!  

Microsoft engineers shared that 99.9% of compromised accounts forgot to turn on MFA. Despite so many warnings and proof of the efficacy of MFA, an M365 security report by Coreview reveals that 78% of M365 administrators do not have MFA activated. Isn't that crazy?    

It's not always perfect (phishing, social engineering and password brute-force attacks, device theft etc.); nevertheless, it is clearly better than not having it. However, if not implemented with care, it can create headaches for MSPs.  

Some Not So Obvious Benefits of Multi-factor Authentication  

1. MFA helps MSPs protect their clients by protecting the confidential customer information shared with them.    

2. MFA also gives MSPs more operational productivity by preventing security incidents that can cost them technical resources. It saves them the losses incurred in remediation.  

3. The insights gained during MFA implementation can help fix the gaps by putting in place the right automation. This helps improve the value delivered to the clients.  

The REAL Multi Factor Authentication Implementation Challenges for MSPs

So why can't MSPs roll out MFA for ALL accounts at once and save themselves from the administrative hassles and from burning precious hours?  

According to the Next-Gen Managed Service Provider Research Report 2022, about 84% of MSPs in the UK had experienced an average of 16 outages in a year. Among these, 41% suffered productivity losses as a result. MSPs also admitted they were "not very confident" in their ability to address a cyberattack for their customers successfully.  

This does not come as a surprise, analysing some of the realistic yet inevitable headaches that MSPs experience with clients every day, dealing with:

• Users who cannot figure it out,  
• Users who are lazy,  
• Users who lose devices  
• Service accounts that cannot use MFA,  
• Ensuring that new users automatically have the chosen policy applied  
• Ensuring that if MFA gets turned off for a user that it does not remain off

Do not underestimate these seemingly straightforward issues. For example, about 20-50% of IT help desk tickets are reset passwords.   Recovering a compromised client account takes away one hour that could have been put into strategic business growth.

So, some of the pragmatic multi-factor authentication recommendations include  

• Planning things given the above and making sure you can monitor and maintain it perpetually is not a one-time task. Will the perpetual rollout scale?  
• Consider that clients may not understand MFA. Educate them. This will sugar the pill and ensure less future friction  
• Consider the support desk operations when the inevitable rollout or normal usage friction comes to bear. The use of automation to monitor and roll out can help save MSPs' costs and resources

How to Choose Best Office 365 MFA Vendors

For multi factor authentication vendor comparison, take a two-step approach of identifying the requirements and the parameters.  

Multi factor Authentication Requirements

Requirements of MFA solution can depend on your needs and focus. It can range from:  

1. Platforms supported by the MFA solution for both self and clients

2. MFA solution usability in desired countries  

3. Compatibility with Microsoft AD, Azure AD or any other required solutions  

4. Ability to support desired security policies, certifications or regulations etc.  

5. Ease of Use. Office 365 MFA isn't the best; it lacks some features, but it's built-in and relatively easy to roll out.  

Once MSPs document their requirements and have shortlisted a couple of security vendors that seem to fit their description, it is time to finalise the winner.  

Just because a potential vendor claims they offer comprehensive security services doesn't always mean they may be good at MFA. Before making the final choice, ask the following questions:

Parameters to Select the MFA Vendors  

Select the desired parameters by asking the following questions:

1. Does it offer flexible, risk-based authentication?  

2. Is it scalable with passive contextual authentication?  

3. Is it easy-to-use for your clients and employees to use and roll out?  

4. Does it allow you to mitigate the risks of a user opting out?  

5. Does the vendor own the MFA components or work with another vendor to provide that service?  

6. Are their prices competitive without jeopardising security?  

7. Do they provide proof of concept to support their claims?

Conclusion  

We all know that MFA is better than not using it regardless of its few flaws; however, the practical implementation can lead to challenges, headaches, costs and resource consumption on an ongoing basis as you scale. Make a plan and make it perpetually realistic. Automation to monitor and roll out can help a lot.  

Find MFA vendors who can implement it and strengthen the components that increase its attack surface.    

At Octiga, we ensure multi-factor authentication is applied as a part of comprehensive automated security best practices for Office 365. Our expert security professionals have worked with MSPs for years and understand the security nuances. So, if you are looking for a robust MFA solution along with tightening your overall client security for Office 365, book a quick session.