Our IT teams work hard to keep us and our data secure. While it would be easy if we could leave data security up to our friends in IT, it is everyone’s responsibility to protect the security of our online systems. With the ever-present threat of viruses, malware, and phishing attacks it is a challenge that is hard to keep up with, but there are things we can do to help reduce the risk.

One of the biggest threats is a compromised user account, where a nefarious actor gains access to the system using a user’s credentials. This could come from phishing/social engineering attacks, stolen/reused passwords, a compromised system logging keystrokes, or numerous other methods. It is hard to keep the data secure behind locked doors when someone has stolen the keys.

One of the most effective means to prevent this is to implement multi-factor authentication (MFA). According to some sources up to 99.9% of data breaches happen on accounts that do not have multi-factor authentication enabled.

MFA adds a step to the login process where you must provide an additional piece of information to verify that it is you. If someone has your username and password, they still won’t be able to log in because they won’t have that additional authentication requirement.

Typically, MFA systems rely on one or more of the following “somethings”:

  1. Something You Know
    • PINs
    • Mother’s maiden name
    • Favorite superhero
  2. Something You Have
    • Registered Cell Phone number
    • Registered Authentication Application
    • Hardware key
  3. Something You Are
    • Face ID
    • Fingerprint
    • Iris Scan

The challenge with the first form is that if I know it, anyone can know it. Social engineering and phishing attacks all target the “something you know”. If you look at my social media posts and see a lot of Batman memes, you can guess who my favorite superhero is.

The “something you have” category is much better, but it requires that you have something that is yours and easy to secure. Cell phones are common. Here text messages and authenticator apps are the main tools.

A common attack is to get someone’s bank password, call and pretend to be an agent of the bank, and ask the user to read a confirmation number from their texts or press the authenticate button on their phone. What they are doing is asking you to complete your MFA for them! Once you read them that code or press that button, they have access to all your banking information.

The “something you are” is great, if you have the hardware to support it. Many cell phones and computers have facial recognition or fingerprint recognition. This requires special hardware and not all systems can utilize these forms of identification.

Two of the most popular MFA methods, text message and authenticator app, both rely on registering a user’s cell phone. This adds a device, and a distraction, to a user’s workday. The distractions can be compounded by poor cellular or Wi-Fi network coverage, dead batteries, or unscheduled phone or app updates, all of which hamper your ability to complete an MFA challenge.

To make IT’s life more difficult, my unscientific research (a few surveys posted online) indicates that nearly 75% of MFA systems are using personal phones for authentication. This means that our IT teams must support authenticator apps across several different hardware and software platforms.

Another “something you have” option is using Fast IDentity Online 2 (FIDO2) keys. This is a hardware device that plugs into a USB port or communicates through Near-Field Communication (NFC).

Hardware keys are very fast and can reduce the friction of logging into our SaaS environments. The users don’t have to enter a username and password, then wait for a “ding” on a phone, or type in another code; they just press a button.
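The difference between the relayed bank code in the attack described above and a FIDO2 key, as an added example that is not part of the original post: a toy model in Python where the one-time code is accepted from whoever types it, while the FIDO2-style assertion is rejected because the browser bound it to the look-alike origin the victim was actually on. The origins are constructed, and HMAC with a shared per-site secret is assumed as a stand-in for the token’s per-site key pair.

```python
# Added example (not from the original post): a toy model of why a relayed one-time
# code is accepted but a relayed FIDO2 assertion is not. HMAC-SHA256 with a per-site
# secret stands in for the token's per-site key pair; the origin binding is the point.
import hashlib, hmac, json, os, struct

LEGIT_ORIGIN = "https://bank.example"       # constructed sample origin
PHISH_ORIGIN = "https://bank-example.help"  # constructed look-alike origin

def totp_code(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    """The server only sees six digits; it cannot tell who typed them or from where."""
    return hmac.compare_digest(submitted, totp_code(secret, unix_time))

def _signed_bytes(origin: str, client_data: bytes) -> bytes:
    # WebAuthn signs authenticatorData || SHA-256(clientDataJSON), and authenticatorData
    # begins with SHA-256(rpId); flags and the signature counter are omitted in this model.
    rp_id = origin.split("://", 1)[1]
    return hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()

def authenticator_assert(site_key: bytes, origin: str, challenge: bytes) -> dict:
    """The browser fills in the origin it is really on; the user cannot alter it."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}, sort_keys=True).encode()
    sig = hmac.new(site_key, _signed_bytes(origin, client_data), hashlib.sha256).digest()
    return {"client_data": client_data, "signature": sig}

def rp_verify(site_key: bytes, expected_origin: str, challenge: bytes, assertion: dict) -> bool:
    """Relying party: origin and challenge must match before the signature is even checked."""
    cd = json.loads(assertion["client_data"])
    if cd.get("origin") != expected_origin or cd.get("challenge") != challenge.hex():
        return False
    expected = hmac.new(site_key, _signed_bytes(expected_origin, assertion["client_data"]),
                        hashlib.sha256).digest()
    return hmac.compare_digest(assertion["signature"], expected)

def relay_demo(now: int = 1_700_000_000) -> dict:
    """Constructed scenario from the post: a fake 'bank agent' relays whatever the victim provides."""
    otp_secret, site_key, challenge = os.urandom(20), os.urandom(32), os.urandom(32)
    relayed_code = totp_code(otp_secret, now)  # victim reads the code out loud
    phished = authenticator_assert(site_key, PHISH_ORIGIN, challenge)  # victim is on the look-alike site
    genuine = authenticator_assert(site_key, LEGIT_ORIGIN, challenge)
    return {"otp_relay_accepted": verify_totp(otp_secret, relayed_code, now),
            "fido2_relay_accepted": rp_verify(site_key, LEGIT_ORIGIN, challenge, phished),
            "fido2_genuine_accepted": rp_verify(site_key, LEGIT_ORIGIN, challenge, genuine)}
```

The TOTP half matches the RFC 6238 test vectors, so the same code can be checked against a real authenticator app.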

I have been using a FIDO2 key for a while now and it has been an improvement to my workday. A single key works for my Microsoft Entra ID, GitHub, Password Vault, and many other resources. Logging into my resources is much faster and doesn’t require fiddling with my phone.

There are several manufacturers of FIDO2 keys; I currently use Yubico (not a sponsor). FIDO2 is a standard, and many different brands support that standard. There are keys in all different shapes, sizes and price ranges.

Our Dynamics systems contain some of the most important data for our businesses and customers. Securing that data is of the utmost importance. Implementing a system at the cost of productivity is an uphill battle that may end up making our systems less secure as users push back. I encourage you to take a look at all of your MFA options and choose one or more that best suit your users’ needs and secure your systems.

Configure the MFA registration policy – Microsoft Entra ID Protection | Microsoft Learn
