[{"data":1,"prerenderedAt":1970},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":108,"navbar-resource-highlight":182,"blog/how-to-set-up-multi-factor-authentication-for-microsoft-365":226},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"ga0kpxjhh76",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":97,"lastUpdated":98,"firstPublished":99,"testRatio":23,"createdBy":100,"lastUpdatedBy":101,"folders":102,"meta":103,"rev":107},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":93},"ewrererw","testrfesssssssssss",[46,73,81],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":47,"@version":48,"id":74,"component":75,"responsiveStyles":79},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":76,"options":77,"isRSC":62},"Custom Code",{"code":78,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":80},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":82,"@type":47,"tagName":83,"properties":84,"responsiveStyles":88},"builder-pixel-o503s4fpvk","img",{"src":85,"aria-hidden":86,"alt":29,"role":87,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":89},{"height":68,"width":68,"display":90,"opacity":68,"overflow":91,"pointerEvents":92},"block","hidden","none",{"deviceSize":94,"location":95},"large",{"path":29,"query":96},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":104,"lastPreviewUrl":105,"hasLinks":6,"breakpoints":106,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"kyujw1aptq",[109,145],{"createdDate":110,"id":111,"name":112,"modelId":113,"published":13,"stageModifiedSincePublish":6,"query":114,"data":115,"variations":138,"lastUpdated":139,"firstPublished":140,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":141,"meta":142,"rev":144},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":116,"type":117,"testimonialLink":118,"testimonial":119},{},"testimonial","/customer-stories/inductive-automation",{"@type":120,"id":121,"model":117,"value":122},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":123,"folders":124,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":128,"variations":132,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":135,"rev":137},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":129,"jobTitle":130,"quote":126,"image":131},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":136,"hasAutosaves":34},{"small":32,"medium":33},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":143,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"g9lqcuxphw7",{"createdDate":146,"id":147,"name":148,"modelId":113,"published":13,"meta":149,"stageModifiedSincePublish":6,"query":151,"data":152,"variations":178,"lastUpdated":179,"firstPublished":180,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":181,"rev":144},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":150,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":153,"link":172,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":155},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":156,"folders":157,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":160,"variations":166,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":169,"rev":171},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":170,"hasAutosaves":34},{"small":32,"medium":33},"ulhc0im1hfo",{"text":173,"url":174},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[183,205],{"createdDate":184,"id":185,"name":148,"modelId":186,"published":13,"meta":187,"stageModifiedSincePublish":6,"query":189,"data":190,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":203,"rev":204},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":188,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":191,"link":199,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":192},{"query":193,"folders":194,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":195,"variations":196,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":197,"rev":171},[],[],{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":198,"hasAutosaves":34},{"small":32,"medium":33},{"text":173,"url":174},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":206,"id":207,"name":208,"modelId":186,"published":13,"stageModifiedSincePublish":6,"query":209,"data":210,"variations":220,"lastUpdated":221,"firstPublished":222,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":223,"meta":224,"rev":204},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":211,"type":117,"testimonial":212,"testimonialLink":118},{},{"@type":120,"id":121,"model":117,"value":213},{"query":214,"folders":215,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":216,"variations":217,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":218,"rev":137},[],[],{"author":129,"jobTitle":130,"quote":126,"image":131},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":219,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":225,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":227,"title":228,"authorsCollection":229,"content":237,"extension":740,"faqItemsCollection":741,"faqTitle":62,"featured":6,"hashTags":743,"meta":746,"metaTitle":747,"ogImage":62,"publishedDate":748,"relatedBlogPostsCollection":749,"slug":1946,"stem":1947,"subtitle":62,"summary":1948,"synopsis":1959,"sys":1960,"tagsCollection":1963,"__hash__":1969},"blog/blog/how-to-set-up-multi-factor-authentication-for-microsoft-365.json","How to set up Multi-Factor Authentication for Microsoft 365",{"items":230},[231],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":235},"Andy Waugh","Andy","VP Product",{"url":236},"https://images.ctfassets.net/y1cdw1ablpvd/3Rf76rJn6S9inMb4dUnAIJ/0a787f8141d05b95300e2fe77c4493fa/DSC_6868.jpg",{"json":238,"links":735},{"nodeType":239,"data":240,"content":241},"document",{},[242,251,258,293,301,309,316,323,330,337,344,351,371,378,385,392,398,405,480,487,510,528,534,540,583,589,624,641,648,654,718],{"nodeType":243,"data":244,"content":245},"paragraph",{},[246],{"nodeType":247,"value":248,"marks":249,"data":250},"text","Microsoft often has lots of flexibility but it can be hard or time-consuming to figure out all the options and make an informed decision. This post summarises your options for using MFA in Microsoft 365, helps you quickly eliminate some, and gives you the information you need to consider what’s left.",[],{},{"nodeType":243,"data":252,"content":253},{},[254],{"nodeType":247,"value":255,"marks":256,"data":257},"At a high level, you’ve got three choices:",[],{},{"nodeType":259,"data":260,"content":261},"unordered-list",{},[262,273,283],{"nodeType":263,"data":264,"content":265},"list-item",{},[266],{"nodeType":243,"data":267,"content":268},{},[269],{"nodeType":247,"value":270,"marks":271,"data":272},"Security Defaults",[],{},{"nodeType":263,"data":274,"content":275},{},[276],{"nodeType":243,"data":277,"content":278},{},[279],{"nodeType":247,"value":280,"marks":281,"data":282},"Conditional Access",[],{},{"nodeType":263,"data":284,"content":285},{},[286],{"nodeType":243,"data":287,"content":288},{},[289],{"nodeType":247,"value":290,"marks":291,"data":292},"Legacy MFA (also referred to as “per-user MFA”)",[],{},{"nodeType":294,"data":295,"content":296},"heading-1",{},[297],{"nodeType":247,"value":298,"marks":299,"data":300},"Some quick decisions",[],{},{"nodeType":302,"data":303,"content":304},"heading-2",{},[305],{"nodeType":247,"value":306,"marks":307,"data":308},"Do you have Azure AD Premium licenses?",[],{},{"nodeType":243,"data":310,"content":311},{},[312],{"nodeType":247,"value":313,"marks":314,"data":315},"If everyone has Azure AD Premium P1 or higher licenses, you should use Conditional Access. Conditional Access allows you to deploy MFA with full flexibility, from simply mandating it in all situations, to convenience features like exceptions for things like certain IP ranges, apps, or break-glass accounts. A simple setup doesn’t take long but if you’re really looking for quick and easy, you can still use Security Defaults.",[],{},{"nodeType":302,"data":317,"content":318},{},[319],{"nodeType":247,"value":320,"marks":321,"data":322},"Can you deploy to everyone?",[],{},{"nodeType":243,"data":324,"content":325},{},[326],{"nodeType":247,"value":327,"marks":328,"data":329},"If you don’t have Azure AD Premium P1 licenses, but you are comfortable deploying MFA to everyone, you should use Security Defaults. Security Defaults is intended to be the easy-to-deploy MFA option, available to all, regardless of license. Configuration is simply an on/off switch and some very sensible and useful defaults are configured for you but they can’t be changed and no one can be excluded.",[],{},{"nodeType":302,"data":331,"content":332},{},[333],{"nodeType":247,"value":334,"marks":335,"data":336},"Neither applicable?",[],{},{"nodeType":243,"data":338,"content":339},{},[340],{"nodeType":247,"value":341,"marks":342,"data":343},"If you’ve answered no to both questions, your only remaining option is to use Legacy MFA. As the name suggests, this is not an option Microsoft is endorsing or actively developing - their tools and new features are focused purely on Conditional Access or Security Defaults. However, if neither are an option for you, you should at least ensure MFA is configured on your sensitive accounts, like administrators, and per-user MFA can be used to achieve that, regardless of license.",[],{},{"nodeType":302,"data":345,"content":346},{},[347],{"nodeType":247,"value":348,"marks":349,"data":350},"Can I do this if I'm using on-premise AD?",[],{},{"nodeType":243,"data":352,"content":353},{},[354,358,367],{"nodeType":247,"value":355,"marks":356,"data":357},"These options will turn on MFA for users that exist in Azure AD, for logins to Azure AD. If you have on-premise AD and you want to start using Azure AD, you need to first look at something like ",[],{},{"nodeType":359,"data":360,"content":362},"hyperlink",{"uri":361},"https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect",[363],{"nodeType":247,"value":364,"marks":365,"data":366},"Azure AD Connect",[],{},{"nodeType":247,"value":368,"marks":369,"data":370}," to sync your users and start your journey in “hybrid” AD.",[],{},{"nodeType":302,"data":372,"content":373},{},[374],{"nodeType":247,"value":375,"marks":376,"data":377},"One last thing…",[],{},{"nodeType":243,"data":379,"content":380},{},[381],{"nodeType":247,"value":382,"marks":383,"data":384},"Regardless of which option you choose, you need to look into disabling “Legacy authentication”. Unrelated to “Legacy MFA”, legacy authentication is just the original way apps authenticated to Azure AD. However, it doesn’t support MFA so leaving it on makes turning on MFA a bit redundant since there will still be a single-factor route into your tenant.",[],{},{"nodeType":243,"data":386,"content":387},{},[388],{"nodeType":247,"value":389,"marks":390,"data":391},"Now that you know which options are available to you let’s explore them in some more detail taking a look at the key features and things you need to think about.",[],{},{"nodeType":294,"data":393,"content":394},{},[395],{"nodeType":247,"value":270,"marks":396,"data":397},[],{},{"nodeType":243,"data":399,"content":400},{},[401],{"nodeType":247,"value":402,"marks":403,"data":404},"Key points:",[],{},{"nodeType":259,"data":406,"content":407},{},[408,418,428,450,460,470],{"nodeType":263,"data":409,"content":410},{},[411],{"nodeType":243,"data":412,"content":413},{},[414],{"nodeType":247,"value":415,"marks":416,"data":417},"Requires no license - available to all.",[],{},{"nodeType":263,"data":419,"content":420},{},[421],{"nodeType":243,"data":422,"content":423},{},[424],{"nodeType":247,"value":425,"marks":426,"data":427},"Once enabled, all users will have to register within 14 days of their next login.",[],{},{"nodeType":263,"data":429,"content":430},{},[431],{"nodeType":243,"data":432,"content":433},{},[434,438,446],{"nodeType":247,"value":435,"marks":436,"data":437},"Users must register using an “Authenticator” app (",[],{},{"nodeType":359,"data":439,"content":441},{"uri":440},"/blog/which-mfa-methods-should-you-use/",[442],{"nodeType":247,"value":443,"marks":444,"data":445},"learn more about MFA methods here",[],{},{"nodeType":247,"value":447,"marks":448,"data":449},")",[],{},{"nodeType":263,"data":451,"content":452},{},[453],{"nodeType":243,"data":454,"content":455},{},[456],{"nodeType":247,"value":457,"marks":458,"data":459},"Once registered, users will be prompted for MFA “as necessary” (i.e. not every time).",[],{},{"nodeType":263,"data":461,"content":462},{},[463],{"nodeType":243,"data":464,"content":465},{},[466],{"nodeType":247,"value":467,"marks":468,"data":469},"Admins will be prompted every time.",[],{},{"nodeType":263,"data":471,"content":472},{},[473],{"nodeType":243,"data":474,"content":475},{},[476],{"nodeType":247,"value":477,"marks":478,"data":479},"Legacy authentication is turned off",[],{},{"nodeType":243,"data":481,"content":482},{},[483],{"nodeType":247,"value":484,"marks":485,"data":486},"Key questions:",[],{},{"nodeType":259,"data":488,"content":489},{},[490,500],{"nodeType":263,"data":491,"content":492},{},[493],{"nodeType":243,"data":494,"content":495},{},[496],{"nodeType":247,"value":497,"marks":498,"data":499},"Can you enable it for all accounts? Remember, Security Defaults is applied to all accounts that use Azure AD.",[],{},{"nodeType":263,"data":501,"content":502},{},[503],{"nodeType":243,"data":504,"content":505},{},[506],{"nodeType":247,"value":507,"marks":508,"data":509},"Do all users have access to a mobile device? Users will be required to register for the authenticator MFA method, which requires a mobile device. ",[],{},{"nodeType":243,"data":511,"content":512},{},[513,517,525],{"nodeType":247,"value":514,"marks":515,"data":516},"Read more here: ",[],{},{"nodeType":359,"data":518,"content":520},{"uri":519},"https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults",[521],{"nodeType":247,"value":522,"marks":523,"data":524},"What is Security Defaults?",[],{},{"nodeType":247,"value":29,"marks":526,"data":527},[],{},{"nodeType":294,"data":529,"content":530},{},[531],{"nodeType":247,"value":280,"marks":532,"data":533},[],{},{"nodeType":243,"data":535,"content":536},{},[537],{"nodeType":247,"value":402,"marks":538,"data":539},[],{},{"nodeType":259,"data":541,"content":542},{},[543,553,563,573],{"nodeType":263,"data":544,"content":545},{},[546],{"nodeType":243,"data":547,"content":548},{},[549],{"nodeType":247,"value":550,"marks":551,"data":552},"Requires Azure AD Premium P1 licenses",[],{},{"nodeType":263,"data":554,"content":555},{},[556],{"nodeType":243,"data":557,"content":558},{},[559],{"nodeType":247,"value":560,"marks":561,"data":562},"Allows you to create a set of conditions under which users should be allowed access. For example, you can control which users a policy applies to, which apps they are trying to access, how often they should be prompted, where they are logging in from, and which type of device they are permitted to use.",[],{},{"nodeType":263,"data":564,"content":565},{},[566],{"nodeType":243,"data":567,"content":568},{},[569],{"nodeType":247,"value":570,"marks":571,"data":572},"Policies can be put into audit mode first to allow you to ensure they won’t be disruptive.",[],{},{"nodeType":263,"data":574,"content":575},{},[576],{"nodeType":243,"data":577,"content":578},{},[579],{"nodeType":247,"value":580,"marks":581,"data":582},"Legacy authentication should be disabled, but you must do this yourself.",[],{},{"nodeType":243,"data":584,"content":585},{},[586],{"nodeType":247,"value":484,"marks":587,"data":588},[],{},{"nodeType":259,"data":590,"content":591},{},[592,602],{"nodeType":263,"data":593,"content":594},{},[595],{"nodeType":243,"data":596,"content":597},{},[598],{"nodeType":247,"value":599,"marks":600,"data":601},"Does everyone have the requisite license?",[],{},{"nodeType":263,"data":603,"content":604},{},[605],{"nodeType":243,"data":606,"content":607},{},[608,612,620],{"nodeType":247,"value":609,"marks":610,"data":611},"What should your policies look like? Microsoft has a ",[],{},{"nodeType":359,"data":613,"content":615},{"uri":614},"https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common",[616],{"nodeType":247,"value":617,"marks":618,"data":619},"sensible set of base policies",[],{},{"nodeType":247,"value":621,"marks":622,"data":623},"; implementing the first four policies listed would replicate Security Defaults.",[],{},{"nodeType":243,"data":625,"content":626},{},[627,630,638],{"nodeType":247,"value":514,"marks":628,"data":629},[],{},{"nodeType":359,"data":631,"content":633},{"uri":632},"https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview",[634],{"nodeType":247,"value":635,"marks":636,"data":637},"What is Conditional Access?",[],{},{"nodeType":247,"value":29,"marks":639,"data":640},[],{},{"nodeType":294,"data":642,"content":643},{},[644],{"nodeType":247,"value":645,"marks":646,"data":647},"Legacy MFA",[],{},{"nodeType":243,"data":649,"content":650},{},[651],{"nodeType":247,"value":402,"marks":652,"data":653},[],{},{"nodeType":259,"data":655,"content":656},{},[657,666,676,686,708],{"nodeType":263,"data":658,"content":659},{},[660],{"nodeType":243,"data":661,"content":662},{},[663],{"nodeType":247,"value":415,"marks":664,"data":665},[],{},{"nodeType":263,"data":667,"content":668},{},[669],{"nodeType":243,"data":670,"content":671},{},[672],{"nodeType":247,"value":673,"marks":674,"data":675},"You can configure MFA enforcement per user, and you can specify which methods can be used.",[],{},{"nodeType":263,"data":677,"content":678},{},[679],{"nodeType":243,"data":680,"content":681},{},[682],{"nodeType":247,"value":683,"marks":684,"data":685},"Users are prompted for MFA on every login.",[],{},{"nodeType":263,"data":687,"content":688},{},[689],{"nodeType":243,"data":690,"content":691},{},[692,696,704],{"nodeType":247,"value":693,"marks":694,"data":695},"Management tooling is well...legacy. Only available via a legacy portal that is quite clunky. You can still configure ",[],{},{"nodeType":359,"data":697,"content":699},{"uri":698},"https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#change-state-using-powershell",[700],{"nodeType":247,"value":701,"marks":702,"data":703},"via PowerShell",[],{},{"nodeType":247,"value":705,"marks":706,"data":707}," though.",[],{},{"nodeType":263,"data":709,"content":710},{},[711],{"nodeType":243,"data":712,"content":713},{},[714],{"nodeType":247,"value":715,"marks":716,"data":717},"Not recommended by Microsoft or being actively developed.",[],{},{"nodeType":243,"data":719,"content":720},{},[721,724,732],{"nodeType":247,"value":514,"marks":722,"data":723},[],{},{"nodeType":359,"data":725,"content":727},{"uri":726},"https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates",[728],{"nodeType":247,"value":729,"marks":730,"data":731},"How to enable per-user MFA",[],{},{"nodeType":247,"value":29,"marks":733,"data":734},[],{},{"entries":736},{"hyperlink":737,"block":738,"inline":739},[],[],[],"json",{"items":742},[],[744,745],"MFA","Microsoft365",{},"How to set up MFA for Microsoft O365","2021-03-15T00:00:00.000+01:00",{"items":750},[751,1194],{"__typename":752,"sys":753,"content":755,"title":1171,"synopsis":1172,"hashTags":1173,"publishedDate":748,"slug":1175,"tagsCollection":1176,"authorsCollection":1186},"BlogPosts",{"id":754},"5Zy1Kj162pY69NT6001gAa",{"json":756},{"data":757,"content":758,"nodeType":239},{},[759,766,772,781,787,794,801,938,944,950,957,964,971,978,985,992,999,1006,1013,1033,1040,1047,1152],{"data":760,"content":761,"nodeType":243},{},[762],{"data":763,"marks":764,"value":765,"nodeType":247},{},[],"Multi-Factor Authentication (MFA) - also known as 2 Step Verification (2SV), or 2 Factor Authentication (2FA) - is an additional step when users login to a service in addition to their username and password. Common implementations are things like SMS security codes, or login confirmations on smartphones.",{"data":767,"content":768,"nodeType":243},{},[769],{"data":770,"marks":771,"value":29,"nodeType":247},{},[],{"data":773,"content":779,"nodeType":780},{"target":774},{"sys":775},{"id":776,"type":777,"linkType":778},"3VqrRPLsLo8yynXCUeigZA","Link","Entry",[],"embedded-entry-block",{"data":782,"content":783,"nodeType":243},{},[784],{"data":785,"marks":786,"value":29,"nodeType":247},{},[],{"data":788,"content":789,"nodeType":294},{},[790],{"data":791,"marks":792,"value":793,"nodeType":247},{},[],"MFA is a security control everyone can agree on",{"data":795,"content":796,"nodeType":243},{},[797],{"data":798,"marks":799,"value":800,"nodeType":247},{},[],"Security people find it notoriously difficult to agree on what the most important security controls are, but there is broad agreement on the value of MFA. This has been accepted and adopted by some big names who are pushing MFA hard because they know it works:",{"data":802,"content":803,"nodeType":259},{},[804,834,861,889,916],{"data":805,"content":806,"nodeType":263},{},[807],{"data":808,"content":809,"nodeType":243},{},[810,816,820,830],{"data":811,"marks":812,"value":815,"nodeType":247},{},[813],{"type":814},"bold","Microsoft",{"data":817,"marks":818,"value":819,"nodeType":247},{},[],": “",{"data":821,"content":823,"nodeType":359},{"uri":822},"https://www.microsoft.com/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/",[824],{"data":825,"marks":826,"value":829,"nodeType":247},{},[827],{"type":828},"underline","One simple action you can take to prevent 99.9 percent of attacks on your accounts",{"data":831,"marks":832,"value":833,"nodeType":247},{},[],"”",{"data":835,"content":836,"nodeType":263},{},[837],{"data":838,"content":839,"nodeType":243},{},[840,845,849,858],{"data":841,"marks":842,"value":844,"nodeType":247},{},[843],{"type":814},"AWS",{"data":846,"marks":847,"value":848,"nodeType":247},{},[],": “MFA is the best way to protect accounts from inappropriate access” - ",{"data":850,"content":852,"nodeType":359},{"uri":851},"https://aws.amazon.com/blogs/security/top-10-security-items-to-improve-in-your-aws-account/",[853],{"data":854,"marks":855,"value":857,"nodeType":247},{},[856],{"type":828},"Top 10 security items to improve in your AWS account",{"data":859,"marks":860,"value":29,"nodeType":247},{},[],{"data":862,"content":863,"nodeType":263},{},[864],{"data":865,"content":866,"nodeType":243},{},[867,872,876,885],{"data":868,"marks":869,"value":871,"nodeType":247},{},[870],{"type":814},"Google",{"data":873,"marks":874,"value":875,"nodeType":247},{},[],": “On-device prompts helped prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks.\" - ",{"data":877,"content":879,"nodeType":359},{"uri":878},"https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html",[880],{"data":881,"marks":882,"value":884,"nodeType":247},{},[883],{"type":828},"New research: How effective is basic account hygiene at preventing hijacking",{"data":886,"marks":887,"value":888,"nodeType":247},{},[]," ",{"data":890,"content":891,"nodeType":263},{},[892],{"data":893,"content":894,"nodeType":243},{},[895,900,904,913],{"data":896,"marks":897,"value":899,"nodeType":247},{},[898],{"type":814},"UK National Cyber Security Centre",{"data":901,"marks":902,"value":903,"nodeType":247},{},[]," (NCSC): “One of the most effective ways of providing additional protection to a password protected account is to use MFA.” - ",{"data":905,"content":907,"nodeType":359},{"uri":906},"https://www.ncsc.gov.uk/collection/passwords/updating-your-approach",[908],{"data":909,"marks":910,"value":912,"nodeType":247},{},[911],{"type":828},"Password policy: updating your approach",{"data":914,"marks":915,"value":888,"nodeType":247},{},[],{"data":917,"content":918,"nodeType":263},{},[919],{"data":920,"content":921,"nodeType":243},{},[922,926,935],{"data":923,"marks":924,"value":925,"nodeType":247},{},[],"and even Obama: “The President is calling on Americans to move beyond just the password to leverage multiple factors of authentication when logging-in to online accounts.” - ",{"data":927,"content":929,"nodeType":359},{"uri":928},"https://obamawhitehouse.archives.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan",[930],{"data":931,"marks":932,"value":934,"nodeType":247},{},[933],{"type":828},"FACT SHEET: Cybersecurity National Action Plan | whitehouse.gov",{"data":936,"marks":937,"value":888,"nodeType":247},{},[],{"data":939,"content":943,"nodeType":780},{"target":940},{"sys":941},{"id":942,"type":777,"linkType":778},"2P5lUU0cEsFy424iV8sNJD",[],{"data":945,"content":946,"nodeType":243},{},[947],{"data":948,"marks":949,"value":29,"nodeType":247},{},[],{"data":951,"content":952,"nodeType":294},{},[953],{"data":954,"marks":955,"value":956,"nodeType":247},{},[],"MFA prevents the most common attacks against SMEs",{"data":958,"content":959,"nodeType":243},{},[960],{"data":961,"marks":962,"value":963,"nodeType":247},{},[],"To understand why MFA is a good idea, it helps to understand what you are defending your business against. A number of the most common attacks SMEs will face, including business email compromise and ransomware attacks typically start with the compromise of a single employee’s password. This can happen in many ways - but most often because an employee has used the same password on another website (which got compromised) or because they have been tricked by a phishing attack.",{"data":965,"content":966,"nodeType":243},{},[967],{"data":968,"marks":969,"value":970,"nodeType":247},{},[],"It’s easy to blame employees, or imagine that employee training is the answer. This is probably a mistake because if the last few decades have taught us anything it is that 1) humans are bad at passwords, and 2) they have near boundless creativity when it comes to tricking people.",{"data":972,"content":973,"nodeType":243},{},[974],{"data":975,"marks":976,"value":977,"nodeType":247},{},[],"Instead the data shows you should not rely on passwords for your security. This takes users off the hook, and closes the door on the most common starting point for the most common attacks.",{"data":979,"content":980,"nodeType":294},{},[981],{"data":982,"marks":983,"value":984,"nodeType":247},{},[],"MFA isn’t perfect (but it’s very good)",{"data":986,"content":987,"nodeType":243},{},[988],{"data":989,"marks":990,"value":991,"nodeType":247},{},[],"You might come across nay-sayers that will point out reasons MFA could be bypassed, or why it won’t stop certain attacks - and it’s true, MFA isn't a silver bullet and doesn’t protect against everything, but don’t let this dissuade you! As you can see from all the references at the top of this page, MFA is really good at stopping some of the most common, and consequential attacks out there today. Arguing that it isn’t worth doing because it isn’t perfect is like arguing that there is no point putting a lock on your front door because someone might drive a tank through it - it’s not wrong, it just misses the point.",{"data":993,"content":994,"nodeType":294},{},[995],{"data":996,"marks":997,"value":998,"nodeType":247},{},[],"Start with cloud services",{"data":1000,"content":1001,"nodeType":243},{},[1002],{"data":1003,"marks":1004,"value":1005,"nodeType":247},{},[],"It’s possible to protect almost any type of system using MFA, but the cost and effort might differ wildly. We recommend that you start with cloud services because they are accessible from anywhere in the world, making password compromise a one-step affair for attackers. ",{"data":1007,"content":1008,"nodeType":243},{},[1009],{"data":1010,"marks":1011,"value":1012,"nodeType":247},{},[],"Also, most cloud services make it easy to adopt MFA without buying any third-party software or devices - it’s a bit of a no-brainer. This is where you will get the greatest bang-for-buck (although MFA is often free or already included in your license - so the buck here is your time). ",{"data":1014,"content":1015,"nodeType":243},{},[1016,1020,1029],{"data":1017,"marks":1018,"value":1019,"nodeType":247},{},[],"You can check out ",{"data":1021,"content":1023,"nodeType":359},{"uri":1022},"https://2fa.directory/",[1024],{"data":1025,"marks":1026,"value":1028,"nodeType":247},{},[1027],{"type":828},"Two Factor Auth (2FA)",{"data":1030,"marks":1031,"value":1032,"nodeType":247},{},[]," to see which services support MFA.",{"data":1034,"content":1035,"nodeType":294},{},[1036],{"data":1037,"marks":1038,"value":1039,"nodeType":247},{},[],"Success is all about user experience - and users might even thank you for it (no, really)",{"data":1041,"content":1042,"nodeType":243},{},[1043],{"data":1044,"marks":1045,"value":1046,"nodeType":247},{},[],"Being mindful that MFA has a direct impact on the user experience is key to making it a success. Thankfully, the MFA user experience on cloud services is better today than it’s ever been, and with most users already using MFA somewhere in their personal lives it's less of an ask than it used to be. That said, here are some things you can do to make it a success:",{"data":1048,"content":1049,"nodeType":259},{},[1050,1077,1092,1122,1137],{"data":1051,"content":1052,"nodeType":263},{},[1053],{"data":1054,"content":1055,"nodeType":243},{},[1056,1061,1065,1073],{"data":1057,"marks":1058,"value":1060,"nodeType":247},{},[1059],{"type":814},"Sweeten the pot for users",{"data":1062,"marks":1063,"value":1064,"nodeType":247},{},[]," - once you have MFA in place you might disable some of the most hated password policies like regular password expiry. This is actually recommended by modern password policies anyway. (Don't believe us? ",{"data":1066,"content":1068,"nodeType":359},{"uri":1067},"https://www.ncsc.gov.uk/collection/passwords/updating-your-approach#PasswordGuidance:UpdatingYourApproach-Don'tenforceregularpasswordexpiry",[1069],{"data":1070,"marks":1071,"value":1072,"nodeType":247},{},[],"Read this password guidance",{"data":1074,"marks":1075,"value":1076,"nodeType":247},{},[]," from NCSC).",{"data":1078,"content":1079,"nodeType":263},{},[1080],{"data":1081,"content":1082,"nodeType":243},{},[1083,1088],{"data":1084,"marks":1085,"value":1087,"nodeType":247},{},[1086],{"type":814},"Minimise MFA prompts",{"data":1089,"marks":1090,"value":1091,"nodeType":247},{},[]," - these days most platforms allow you to ask for MFA prompts only when users login from new systems or browsers. This provides a much better user experience and has almost no impact on security.",{"data":1093,"content":1094,"nodeType":263},{},[1095],{"data":1096,"content":1097,"nodeType":243},{},[1098,1103,1107,1118],{"data":1099,"marks":1100,"value":1102,"nodeType":247},{},[1101],{"type":814},"Choose an easy to use MFA method",{"data":1104,"marks":1105,"value":1106,"nodeType":247},{},[]," - getting MFA codes from a phone call isn’t very easy to use, where clicking a button on your mobile, or pressing the fingerprint reader on your laptop is far less irritating. A bit of thought here goes a long way. ",{"data":1108,"content":1112,"nodeType":1117},{"target":1109},{"sys":1110},{"id":1111,"type":777,"linkType":778},"73JjdrO5GKRzYum97MqJ9q",[1113],{"data":1114,"marks":1115,"value":1116,"nodeType":247},{},[],"See our blog post","entry-hyperlink",{"data":1119,"marks":1120,"value":1121,"nodeType":247},{},[]," on which MFA methods you should use.",{"data":1123,"content":1124,"nodeType":263},{},[1125],{"data":1126,"content":1127,"nodeType":243},{},[1128,1133],{"data":1129,"marks":1130,"value":1132,"nodeType":247},{},[1131],{"type":814},"Make sure your IT support team is ready for all scenarios",{"data":1134,"marks":1135,"value":1136,"nodeType":247},{},[]," - ensuring that IT support knows exactly what to do in emergencies or when users are locked out is critical to a good user experience. This is not hard to do, but you definitely don’t want to do it for the first time when the user in question is the CEO, and it’s 20 minutes before his big presentation in a country half way across the world - this is how good security dies!",{"data":1138,"content":1139,"nodeType":263},{},[1140],{"data":1141,"content":1142,"nodeType":243},{},[1143,1148],{"data":1144,"marks":1145,"value":1147,"nodeType":247},{},[1146],{"type":814},"Nothing wrong with taking it slow",{"data":1149,"marks":1150,"value":1151,"nodeType":247},{},[]," - too much change too fast tends to ruffle feathers, and rolling out MFA over months rather than weeks can give your IT support team time to scale up their experience and iron out issues before you roll-out to everyone. You might even choose to enable it only for critical most-attacked users such as administrators or finance teams at first. Make sure your security team doesn’t lose focus and never quite gets it finished!",{"data":1153,"content":1154,"nodeType":243},{},[1155,1159,1167],{"data":1156,"marks":1157,"value":1158,"nodeType":247},{},[],"If you found this useful and are thinking about rolling out MFA, you might consider taking a look at ",{"data":1160,"content":1162,"nodeType":359},{"uri":1161},"https://pushsecurity.com",[1163],{"data":1164,"marks":1165,"value":1166,"nodeType":247},{},[],"Push Security",{"data":1168,"marks":1169,"value":1170,"nodeType":247},{},[]," - our entire reason for being is to take the grunt work out of doing this kind of thing.","Multi-Factor Authentication is the top security control for most small and medium-sized businesses","Why Multi-Factor Authentication (MFA aka 2FA) is so useful for small and medium-sized businesses, and how to deploy it successfully.",[744,1174],"Guidance","multi-factor-authentication-is-the-top-security-control-for-most-small-and",{"items":1177},[1178,1182],{"sys":1179,"name":1181},{"id":1180},"1gZi8NrRy2v9OqPV7C4dwD","Risk management",{"sys":1183,"name":1185},{"id":1184},"3pjES4THCIfSAwhGdNwBcy","Browser security",{"items":1187},[1188],{"fullName":1189,"firstName":1190,"jobTitle":1191,"profilePicture":1192},"Jacques Louw","Jacques","Co-founder / CRO",{"url":1193},"https://images.ctfassets.net/y1cdw1ablpvd/39m8bektV23lnCRcEq0G8h/2a08f6276a50744f1a4b499b273f6bb2/Push_Founders_at_Cahoots_October_28_2022_by_Doug_Coombe-21.jpg",{"__typename":752,"sys":1195,"content":1196,"title":1932,"synopsis":1933,"hashTags":1934,"publishedDate":748,"slug":1935,"tagsCollection":1936,"authorsCollection":1942},{"id":1111},{"json":1197},{"data":1198,"content":1199,"nodeType":239},{},[1200,1216,1223,1266,1273,1318,1325,1688,1694,1700,1707,1714,1721,1727,1734,1741,1748,1755,1762,1769,1776,1783,1802,1809,1816,1823,1830,1837,1867,1874,1881,1888,1895,1902,1909,1913,1920,1926],{"data":1201,"content":1202,"nodeType":243},{},[1203,1207,1212],{"data":1204,"marks":1205,"value":1206,"nodeType":247},{},[],"Before we start, ",{"data":1208,"marks":1209,"value":1211,"nodeType":247},{},[1210],{"type":814},"MFA with any method is better than no MFA at all",{"data":1213,"marks":1214,"value":1215,"nodeType":247},{},[],". Although some methods are better than others, they're all leagues ahead of passwords alone. If, for whatever reason, you can only implement MFA using a weaker second factor, you should still do it. You can always improve later and you'll have made a significant improvement even with the weaker second factor.",{"data":1217,"content":1218,"nodeType":243},{},[1219],{"data":1220,"marks":1221,"value":1222,"nodeType":247},{},[],"So, how can one factor be better than others? Here's how we think about it:",{"data":1224,"content":1225,"nodeType":259},{},[1226,1236,1246,1256],{"data":1227,"content":1228,"nodeType":263},{},[1229],{"data":1230,"content":1231,"nodeType":243},{},[1232],{"data":1233,"marks":1234,"value":1235,"nodeType":247},{},[],"User experience: how easy is it to use?",{"data":1237,"content":1238,"nodeType":263},{},[1239],{"data":1240,"content":1241,"nodeType":243},{},[1242],{"data":1243,"marks":1244,"value":1245,"nodeType":247},{},[],"Security: how easy is it for someone to compromise?",{"data":1247,"content":1248,"nodeType":263},{},[1249],{"data":1250,"content":1251,"nodeType":243},{},[1252],{"data":1253,"marks":1254,"value":1255,"nodeType":247},{},[],"Cost: do you need to upgrade your SaaS license, or buy physical bits?",{"data":1257,"content":1258,"nodeType":263},{},[1259],{"data":1260,"content":1261,"nodeType":243},{},[1262],{"data":1263,"marks":1264,"value":1265,"nodeType":247},{},[],"Support: how widely can it be used?",{"data":1267,"content":1268,"nodeType":302},{},[1269],{"data":1270,"marks":1271,"value":1272,"nodeType":247},{},[],"Just want the answers? ",{"data":1274,"content":1275,"nodeType":259},{},[1276,1286,1308],{"data":1277,"content":1278,"nodeType":263},{},[1279],{"data":1280,"content":1281,"nodeType":243},{},[1282],{"data":1283,"marks":1284,"value":1285,"nodeType":247},{},[],"Using an app on your phone, like Microsoft or Google Authenticator, to receive notifications or use a one-time password are the top all-round options today - they're free, intuitive for users, relatively easy to set up, and widely supported. ",{"data":1287,"content":1288,"nodeType":263},{},[1289],{"data":1290,"content":1291,"nodeType":243},{},[1292,1296,1304],{"data":1293,"marks":1294,"value":1295,"nodeType":247},{},[],"The gold standard is a FIDO2-capable security key, like the ",{"data":1297,"content":1299,"nodeType":359},{"uri":1298},"https://www.yubico.com/products/yubikey-5-overview/",[1300],{"data":1301,"marks":1302,"value":1303,"nodeType":247},{},[],"YubiKey 5 series",{"data":1305,"marks":1306,"value":1307,"nodeType":247},{},[],", or a security key built-in to your device, like Touch ID  - it's the most secure, provides the best user experience, but has an upfront cost as each user will need a key or a compatible device. The main drawback today is they aren't supported on all platforms yet so might not be an option everywhere.",{"data":1309,"content":1310,"nodeType":263},{},[1311],{"data":1312,"content":1313,"nodeType":243},{},[1314],{"data":1315,"marks":1316,"value":1317,"nodeType":247},{},[],"Factors that rely on your phone number, such as SMS and phone calls should be avoided if possible as they are the least secure and provide the worst user experience.",{"data":1319,"content":1320,"nodeType":243},{},[1321],{"data":1322,"marks":1323,"value":1324,"nodeType":247},{},[],"Here's a summary:",{"data":1326,"content":1327,"nodeType":1687},{},[1328,1383,1436,1486,1538,1587,1638],{"data":1329,"content":1330,"nodeType":1382},{},[1331,1342,1352,1362,1372],{"data":1332,"content":1333,"nodeType":1341},{},[1334],{"data":1335,"content":1336,"nodeType":243},{},[1337],{"data":1338,"marks":1339,"value":1340,"nodeType":247},{},[],"Method","table-header-cell",{"data":1343,"content":1344,"nodeType":1341},{},[1345],{"data":1346,"content":1347,"nodeType":243},{},[1348],{"data":1349,"marks":1350,"value":1351,"nodeType":247},{},[],"User experience",{"data":1353,"content":1354,"nodeType":1341},{},[1355],{"data":1356,"content":1357,"nodeType":243},{},[1358],{"data":1359,"marks":1360,"value":1361,"nodeType":247},{},[],"Security",{"data":1363,"content":1364,"nodeType":1341},{},[1365],{"data":1366,"content":1367,"nodeType":243},{},[1368],{"data":1369,"marks":1370,"value":1371,"nodeType":247},{},[],"Cost",{"data":1373,"content":1374,"nodeType":1341},{},[1375],{"data":1376,"content":1377,"nodeType":243},{},[1378],{"data":1379,"marks":1380,"value":1381,"nodeType":247},{},[],"Support","table-row",{"data":1384,"content":1385,"nodeType":1382},{},[1386,1397,1407,1416,1426],{"data":1387,"content":1388,"nodeType":1396},{},[1389],{"data":1390,"content":1391,"nodeType":243},{},[1392],{"data":1393,"marks":1394,"value":1395,"nodeType":247},{},[],"App Notification","table-cell",{"data":1398,"content":1399,"nodeType":1396},{},[1400],{"data":1401,"content":1402,"nodeType":243},{},[1403],{"data":1404,"marks":1405,"value":1406,"nodeType":247},{},[],"Good",{"data":1408,"content":1409,"nodeType":1396},{},[1410],{"data":1411,"content":1412,"nodeType":243},{},[1413],{"data":1414,"marks":1415,"value":1406,"nodeType":247},{},[],{"data":1417,"content":1418,"nodeType":1396},{},[1419],{"data":1420,"content":1421,"nodeType":243},{},[1422],{"data":1423,"marks":1424,"value":1425,"nodeType":247},{},[],"Free",{"data":1427,"content":1428,"nodeType":1396},{},[1429],{"data":1430,"content":1431,"nodeType":243},{},[1432],{"data":1433,"marks":1434,"value":1435,"nodeType":247},{},[],"Widely supported",{"data":1437,"content":1438,"nodeType":1382},{},[1439,1449,1459,1468,1477],{"data":1440,"content":1441,"nodeType":1396},{},[1442],{"data":1443,"content":1444,"nodeType":243},{},[1445],{"data":1446,"marks":1447,"value":1448,"nodeType":247},{},[],"App code",{"data":1450,"content":1451,"nodeType":1396},{},[1452],{"data":1453,"content":1454,"nodeType":243},{},[1455],{"data":1456,"marks":1457,"value":1458,"nodeType":247},{},[],"Moderate",{"data":1460,"content":1461,"nodeType":1396},{},[1462],{"data":1463,"content":1464,"nodeType":243},{},[1465],{"data":1466,"marks":1467,"value":1406,"nodeType":247},{},[],{"data":1469,"content":1470,"nodeType":1396},{},[1471],{"data":1472,"content":1473,"nodeType":243},{},[1474],{"data":1475,"marks":1476,"value":1425,"nodeType":247},{},[],{"data":1478,"content":1479,"nodeType":1396},{},[1480],{"data":1481,"content":1482,"nodeType":243},{},[1483],{"data":1484,"marks":1485,"value":1435,"nodeType":247},{},[],{"data":1487,"content":1488,"nodeType":1382},{},[1489,1499,1509,1518,1528],{"data":1490,"content":1491,"nodeType":1396},{},[1492],{"data":1493,"content":1494,"nodeType":243},{},[1495],{"data":1496,"marks":1497,"value":1498,"nodeType":247},{},[],"Security key (external)",{"data":1500,"content":1501,"nodeType":1396},{},[1502],{"data":1503,"content":1504,"nodeType":243},{},[1505],{"data":1506,"marks":1507,"value":1508,"nodeType":247},{},[],"Best",{"data":1510,"content":1511,"nodeType":1396},{},[1512],{"data":1513,"content":1514,"nodeType":243},{},[1515],{"data":1516,"marks":1517,"value":1508,"nodeType":247},{},[],{"data":1519,"content":1520,"nodeType":1396},{},[1521],{"data":1522,"content":1523,"nodeType":243},{},[1524],{"data":1525,"marks":1526,"value":1527,"nodeType":247},{},[],"Expensive",{"data":1529,"content":1530,"nodeType":1396},{},[1531],{"data":1532,"content":1533,"nodeType":243},{},[1534],{"data":1535,"marks":1536,"value":1537,"nodeType":247},{},[],"Some platforms",{"data":1539,"content":1540,"nodeType":1382},{},[1541,1551,1560,1569,1578],{"data":1542,"content":1543,"nodeType":1396},{},[1544],{"data":1545,"content":1546,"nodeType":243},{},[1547],{"data":1548,"marks":1549,"value":1550,"nodeType":247},{},[],"Security key (internal)",{"data":1552,"content":1553,"nodeType":1396},{},[1554],{"data":1555,"content":1556,"nodeType":243},{},[1557],{"data":1558,"marks":1559,"value":1508,"nodeType":247},{},[],{"data":1561,"content":1562,"nodeType":1396},{},[1563],{"data":1564,"content":1565,"nodeType":243},{},[1566],{"data":1567,"marks":1568,"value":1508,"nodeType":247},{},[],{"data":1570,"content":1571,"nodeType":1396},{},[1572],{"data":1573,"content":1574,"nodeType":243},{},[1575],{"data":1576,"marks":1577,"value":1425,"nodeType":247},{},[],{"data":1579,"content":1580,"nodeType":1396},{},[1581],{"data":1582,"content":1583,"nodeType":243},{},[1584],{"data":1585,"marks":1586,"value":1537,"nodeType":247},{},[],{"data":1588,"content":1589,"nodeType":1382},{},[1590,1600,1610,1619,1629],{"data":1591,"content":1592,"nodeType":1396},{},[1593],{"data":1594,"content":1595,"nodeType":243},{},[1596],{"data":1597,"marks":1598,"value":1599,"nodeType":247},{},[],"SMS",{"data":1601,"content":1602,"nodeType":1396},{},[1603],{"data":1604,"content":1605,"nodeType":243},{},[1606],{"data":1607,"marks":1608,"value":1609,"nodeType":247},{},[],"Poor",{"data":1611,"content":1612,"nodeType":1396},{},[1613],{"data":1614,"content":1615,"nodeType":243},{},[1616],{"data":1617,"marks":1618,"value":1609,"nodeType":247},{},[],{"data":1620,"content":1621,"nodeType":1396},{},[1622],{"data":1623,"content":1624,"nodeType":243},{},[1625],{"data":1626,"marks":1627,"value":1628,"nodeType":247},{},[],"Cheap",{"data":1630,"content":1631,"nodeType":1396},{},[1632],{"data":1633,"content":1634,"nodeType":243},{},[1635],{"data":1636,"marks":1637,"value":1435,"nodeType":247},{},[],{"data":1639,"content":1640,"nodeType":1382},{},[1641,1651,1660,1669,1678],{"data":1642,"content":1643,"nodeType":1396},{},[1644],{"data":1645,"content":1646,"nodeType":243},{},[1647],{"data":1648,"marks":1649,"value":1650,"nodeType":247},{},[],"Phone call",{"data":1652,"content":1653,"nodeType":1396},{},[1654],{"data":1655,"content":1656,"nodeType":243},{},[1657],{"data":1658,"marks":1659,"value":1609,"nodeType":247},{},[],{"data":1661,"content":1662,"nodeType":1396},{},[1663],{"data":1664,"content":1665,"nodeType":243},{},[1666],{"data":1667,"marks":1668,"value":1609,"nodeType":247},{},[],{"data":1670,"content":1671,"nodeType":1396},{},[1672],{"data":1673,"content":1674,"nodeType":243},{},[1675],{"data":1676,"marks":1677,"value":1628,"nodeType":247},{},[],{"data":1679,"content":1680,"nodeType":1396},{},[1681],{"data":1682,"content":1683,"nodeType":243},{},[1684],{"data":1685,"marks":1686,"value":1435,"nodeType":247},{},[],"table",{"data":1689,"content":1693,"nodeType":780},{"target":1690},{"sys":1691},{"id":1692,"type":777,"linkType":778},"7rgrP5FFAKG63lscwhAsW1",[],{"data":1695,"content":1696,"nodeType":302},{},[1697],{"data":1698,"marks":1699,"value":1395,"nodeType":247},{},[],{"data":1701,"content":1702,"nodeType":243},{},[1703],{"data":1704,"marks":1705,"value":1706,"nodeType":247},{},[],"One of the most common methods today is the app notification. Using an app on your phone, like Microsoft Authenticator, to receive a push notification when you login.",{"data":1708,"content":1709,"nodeType":243},{},[1710],{"data":1711,"marks":1712,"value":1713,"nodeType":247},{},[],"Free, easy to use, and secure - this is a good choice if your users all have devices to install the app on and will reliably have a network connection to receive the notification.",{"data":1715,"content":1716,"nodeType":243},{},[1717],{"data":1718,"marks":1719,"value":1720,"nodeType":247},{},[],"Your challenges with using this method will be getting the app setup on everyone's device, getting everyone enrolled, and making sure users understand to only hit approve when they actually performed a login (seriously).",{"data":1722,"content":1726,"nodeType":780},{"target":1723},{"sys":1724},{"id":1725,"type":777,"linkType":778},"4ybLnYAdHltdWCluLbr4di",[],{"data":1728,"content":1729,"nodeType":302},{},[1730],{"data":1731,"marks":1732,"value":1733,"nodeType":247},{},[],"App Code",{"data":1735,"content":1736,"nodeType":243},{},[1737],{"data":1738,"marks":1739,"value":1740,"nodeType":247},{},[],"The early days of MFA looked like RSA tokens; those devices you used to have to carry on a key chain with a code that changed every minute. Those devices worked by having a \"seed\" value that both the device and the server knew which changed predictably. So long as that seed value stayed safe, this provided a convenient second factor for users that was difficult to compromise.",{"data":1742,"content":1743,"nodeType":243},{},[1744],{"data":1745,"marks":1746,"value":1747,"nodeType":247},{},[],"Today, this approach is more common via an app, where the app provides a code that changes every minute, but the concept is exactly the same.",{"data":1749,"content":1750,"nodeType":243},{},[1751],{"data":1752,"marks":1753,"value":1754,"nodeType":247},{},[],"This approach uses what is officially called One Time Passwords (OTP) but is often just referred to as an app code. It has some advantages, such as not needing signal after setup which can be handy if that's a concern. ",{"data":1756,"content":1757,"nodeType":243},{},[1758],{"data":1759,"marks":1760,"value":1761,"nodeType":247},{},[],"However, as was true of the RSA tokens of the past, if the seed value is compromised all future values can be predicted. The odds of this happening in practice are exceptionally low so this remains a good choice.",{"data":1763,"content":1764,"nodeType":243},{},[1765],{"data":1766,"marks":1767,"value":1768,"nodeType":247},{},[],"Your challenges with using this method will again be mostly in rolling it out to all users and getting everyone setup.",{"data":1770,"content":1771,"nodeType":302},{},[1772],{"data":1773,"marks":1774,"value":1775,"nodeType":247},{},[],"Text message / phone call",{"data":1777,"content":1778,"nodeType":243},{},[1779],{"data":1780,"marks":1781,"value":1782,"nodeType":247},{},[],"As MFA gained popularity, receiving a code via text message (SMS), or sometimes a phone call, quickly became the de-facto method. Before everyone had smartphones and therefore the ability to install apps, using text messages or phone calls was the only way to implement MFA without having to provision RSA tokens for everyone in the team.",{"data":1784,"content":1785,"nodeType":243},{},[1786,1790,1798],{"data":1787,"marks":1788,"value":1789,"nodeType":247},{},[],"The major downside to using these methods is their reliance on the security of the phone number. If attackers really want to target an account, and they know the phone number used for MFA, they can try something called ",{"data":1791,"content":1793,"nodeType":359},{"uri":1792},"https://en.wikipedia.org/wiki/SIM_swap_scam",[1794],{"data":1795,"marks":1796,"value":1797,"nodeType":247},{},[],"SIM-swapping",{"data":1799,"marks":1800,"value":1801,"nodeType":247},{},[]," to hijack the phone number, and hence nullify the MFA.",{"data":1803,"content":1804,"nodeType":243},{},[1805],{"data":1806,"marks":1807,"value":1808,"nodeType":247},{},[],"The most important thing to note in that scenario is how targeted it is. With no MFA, any attacker on the Internet can simply guess passwords on an account - the cost is extremely low. To bypass SMS or phone call MFA using SIM swapping has a significantly higher cost. The attack is definitely practical, but would only happen when you're specifically targeted.",{"data":1810,"content":1811,"nodeType":243},{},[1812],{"data":1813,"marks":1814,"value":1815,"nodeType":247},{},[],"Additionally, the user experience isn't as good. Firstly, the user must have mobile signal to receive the SMS or call. Secondly, there can often be a delay in delivery, due to the less-reliable mobile network. Finally, there is almost always a usage cost associated with these methods, since it costs money to send SMSs or make phone calls.",{"data":1817,"content":1818,"nodeType":243},{},[1819],{"data":1820,"marks":1821,"value":1822,"nodeType":247},{},[],"Because of this, SMS or phone calls are often considered least desirable MFA methods today.",{"data":1824,"content":1825,"nodeType":302},{},[1826],{"data":1827,"marks":1828,"value":1829,"nodeType":247},{},[],"Security keys",{"data":1831,"content":1832,"nodeType":243},{},[1833],{"data":1834,"marks":1835,"value":1836,"nodeType":247},{},[],"FIDO2 is the name for a set of authentication protocols and standards developed by a consortium of tech companies to be the future of authentication. FIDO2 solves a lot of the problems we've dealt with in the past: it's secure, usable, impossible to spoof.",{"data":1838,"content":1839,"nodeType":243},{},[1840,1844,1852,1856,1863],{"data":1841,"marks":1842,"value":1843,"nodeType":247},{},[],"Without digging into the weeds of how that works (",{"data":1845,"content":1847,"nodeType":359},{"uri":1846},"https://fidoalliance.org/fido2/",[1848],{"data":1849,"marks":1850,"value":1851,"nodeType":247},{},[],"the official page from the FIDO alliance is worth a read if you're interested",{"data":1853,"marks":1854,"value":1855,"nodeType":247},{},[],"), you will need what's commonly referred to as a \"security key\" to make use of it. This is a small physical device, often plugged into your USB port - modern devices that understand FIDO2, like the ",{"data":1857,"content":1858,"nodeType":359},{"uri":1298},[1859],{"data":1860,"marks":1861,"value":1862,"nodeType":247},{},[],"YubiKey 5 Series",{"data":1864,"marks":1865,"value":1866,"nodeType":247},{},[],", are preferable. Once setup, you simply touch the key on login and the magic of cryptography ensures a high degree of security.",{"data":1868,"content":1869,"nodeType":243},{},[1870],{"data":1871,"marks":1872,"value":1873,"nodeType":247},{},[],"In fact, this approach is so secure, it is the basis of a \"passwordless\" revolution, where this strong factor of authentication can feasibly be used as a single-factor of authentication, and users don't even need to remember passwords anymore. Though in its infancy at the moment, expect to hear more about that in the coming years.",{"data":1875,"content":1876,"nodeType":243},{},[1877],{"data":1878,"marks":1879,"value":1880,"nodeType":247},{},[],"The primary drawback of this method is the cost, with devices typically costing around $50 each. Also, although you can expect them to be supported on major platforms, they aren't supported as widely as other methods just yet.",{"data":1882,"content":1883,"nodeType":243},{},[1884],{"data":1885,"marks":1886,"value":1887,"nodeType":247},{},[],"If you are unable to justify their cost for all users, a common implementation is to use security keys for high privilege accounts.",{"data":1889,"content":1890,"nodeType":302},{},[1891],{"data":1892,"marks":1893,"value":1894,"nodeType":247},{},[],"Built-in security keys",{"data":1896,"content":1897,"nodeType":243},{},[1898],{"data":1899,"marks":1900,"value":1901,"nodeType":247},{},[],"Many modern mobile devices like laptops, tablets and phones have built-in security keys (e.g. Apple TouchId,  Android phones, and Windows Hello). These have many of the advantages of stand-alone security keys, but without the cost!",{"data":1903,"content":1904,"nodeType":243},{},[1905],{"data":1906,"marks":1907,"value":1908,"nodeType":247},{},[],"Support for these keys is a fairly recent development and is still ongoing but opens up an exciting future where users will increasingly be able to very easily add a second factor, or even go passwordless, in a secure way, without much effort or thought.",{"data":1910,"content":1911,"nodeType":1912},{},[],"hr",{"data":1914,"content":1915,"nodeType":243},{},[1916],{"data":1917,"marks":1918,"value":1919,"nodeType":247},{},[],"In conclusion there are multiple options you can choose from to fit almost any scenario you have. While some options are better than others, even the worst option is still a massive improvement on passwords alone. In the end, the best MFA method is the one you can start rolling out today, you can always improve down the line.",{"data":1921,"content":1925,"nodeType":780},{"target":1922},{"sys":1923},{"id":1924,"type":777,"linkType":778},"2y0INxqAi594O7rCAVKhTI",[],{"data":1927,"content":1928,"nodeType":243},{},[1929],{"data":1930,"marks":1931,"value":29,"nodeType":247},{},[],"Which MFA methods should you use?","SMS, Authenticator apps, Security Keys, and more! We compare them from a user experience, security, cost, and security aspect.",[744],"which-mfa-methods-should-you-use",{"items":1937},[1938,1940],{"sys":1939,"name":1181},{"id":1180},{"sys":1941,"name":1185},{"id":1184},{"items":1943},[1944],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":1945},{"url":236},"how-to-set-up-multi-factor-authentication-for-microsoft-365","blog/how-to-set-up-multi-factor-authentication-for-microsoft-365",{"json":1949},{"data":1950,"content":1951,"nodeType":239},{},[1952],{"data":1953,"content":1954,"nodeType":243},{},[1955],{"data":1956,"marks":1957,"value":1958,"nodeType":247},{},[],"Understand which MFA solutions are available for Microsoft 365 and which is the right choice for your tenant.","Conditional Access, Security Defaults, or Legacy? Figuring out how to deploy MFA in Microsoft 365 can be complex. This post summarises your options.",{"id":1961,"publishedAt":1962},"4mmRSzpyYVed9NMTjePYm6","2025-02-06T20:40:06.132Z",{"items":1964},[1965,1967],{"sys":1966,"name":1181},{"id":1180},{"sys":1968,"name":1185},{"id":1184},"ZFOFH5GjNMF20Wb3AS2tlGRBwBymSKsVLNX8PW5GRLA",1784196725115]