As we’ve mentioned before, we strongly encourage all users to enable MFA/2FA on every service that offers it, especially Microsoft 365.  It’s a fantastic way to make sure a guessed, leaked or brute-forced password alone is no longer enough to get into your email account!

Microsoft has always accepted SMS and voice calls as valid MFA factors, but that changes as of 9/15.  Starting today, Microsoft will begin slowly rolling out enforcement of the Microsoft Authenticator app for Microsoft 365 tenants.  Users currently relying on SMS or voice calls will be able to skip setting up Microsoft Authenticator up to 3 times, after which they will have to configure Microsoft Authenticator to continue using their accounts.

This is a strong move and is actually good for 90% of users, because SMS is a fairly weak MFA factor compared to Microsoft Authenticator: text messages can be redirected by SIM swapping, intercepted in transit, or simply read back to a convincing caller.  But it’s also going to be a headache for the other 10% of users.

The good news is that your organization can opt out of this completely. So really your options are: 1) allow the rollout to hit your org, and have us help the 10% of users who run into problems, or 2) have us disable this rollout for your tenant completely.

One of you replied to this update with a great question that I’d like to share with everyone: 

“Mike, 

Good points about these authenticators. I have a question for you. I see many folks pushing their own authenticators, such as Google, Zoho, Quickbooks, now MSoft, etc. It gets crazy with all these MFA apps :-). Isn’t there a standard one that could be used for all apps?”

That’s a great question! Most authenticator apps produce a simple 6 digit code: Google Authenticator, LastPass Authenticator, etc. Those simple 6 digit code generators are all interchangeable, because they all implement the same open standard (time-based one-time passwords, TOTP, RFC 6238): whichever app scans the enrollment QR code ends up with the same secret and computes the same codes. Even Microsoft Authenticator can produce simple 6 digit codes, so all accounts of that type can be consolidated into a single generator app. But some authenticators (including Microsoft Authenticator) also support considerably more secure forms of MFA.
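To make the “interchangeable” point concrete, here is the computation every one of those 6 digit apps performs, as an added example that is not code from this post or from any of the vendors named above. It parses the otpauth:// URI that an enrollment QR code encodes, generates RFC 6238 codes from the shared secret, and shows the check a well-built service does on the other side (a small clock-skew window, constant-time comparison, and no reuse of a code, so a code phished out of a user is worthless a minute later). The secret and expected codes are the published RFC 4226/6238 test vectors; the account label, issuer and URI are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

# Published RFC 4226 / RFC 6238 test secret ("12345678901234567890") in base32.
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Constructed example of what an enrollment QR code encodes (label/issuer are made up).
EXAMPLE_URI = ("otpauth://totp/Example%20Mail:alice@example.com"
               "?secret=" + TEST_SECRET + "&issuer=Example%20Mail&digits=6&period=30")


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth:// TOTP URI. Any authenticator that understands this
    format (all the 6 digit ones do) derives identical codes from it."""
    parts = urllib.parse.urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = dict(urllib.parse.parse_qsl(parts.query))
    return {
        "label": urllib.parse.unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": params["secret"],
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def decode_secret(base32_secret: str) -> bytes:
    """Base32-decode the shared secret, tolerating the missing '=' padding
    that QR codes usually omit."""
    s = base32_secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(base32_secret: str, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    This is what the app on the phone displays."""
    return hotp(decode_secret(base32_secret), unix_time // step, digits)


def verify_totp(base32_secret: str, submitted: str, unix_time: int,
                last_used_counter: int, digits: int = 6, step: int = 30,
                window: int = 1):
    """Server-side check. Accepts the current time step plus `window` steps on
    either side (phone clock skew), compares in constant time, and refuses any
    counter at or below the last one already accepted, so a code that was
    phished and used once cannot be replayed. Returns the accepted counter
    (to be stored as the new last_used_counter) or None."""
    secret = decode_secret(base32_secret)
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_used_counter:
            continue  # already consumed (or older than the last accepted code)
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    account = parse_otpauth(EXAMPLE_URI)
    now = int(time.time())
    print(account["issuer"], account["label"],
          totp(account["secret"], now, account["digits"], account["period"]))
```

Because `totp()` is deterministic in (secret, time), scanning the same QR code into Google Authenticator, Microsoft Authenticator or any other TOTP app yields the same code at the same moment; that is the whole reason these accounts can be consolidated. The replay check in `verify_totp()` is also why a phisher has to relay a captured code immediately, which is the weakness the push-and-number-matching approach below is designed to remove.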

The issue is that people are starting to get what’s been called “MFA fatigue”: they are inundated with 6 digit codes, SMS messages and approval prompts, and attackers take advantage of that, either by social-engineering a code out of them (a caller or a fake login page asks for the code and relays it to the real login), or by spamming push prompts until the user taps Approve just to make them stop. Microsoft Authenticator (used with Microsoft 365 MFA) will not ask you for a code. Instead, the web page displays a two digit number, and the Microsoft Authenticator app on your phone pops up and says, “someone is trying to log in from location xxx; is this you?” You confirm, and it then asks for the two digit number displayed on the web page. Type the number into the phone app and it completes the sign-in on the web page on your computer. Pretty cool, and the security point is that a prompt you didn’t start gives you no number to type, so you can’t approve an attacker’s login by accident or out of annoyance.

Yubico offers a similar app that can, of course, do 6 digit codes, but keeps the secrets on a YubiKey hardware token instead of on the phone, and the YubiKey itself supports phishing-resistant FIDO2/WebAuthn sign-in, so other MFA vendors are definitely evolving beyond simple 6 digit codes. So I think it would be best to choose the authenticator app that offers a “sophisticated” option (like Microsoft’s push-to-app with number matching, or YubiKey hardware) that works best for whatever technology stack you use, and then also use that same app for your simple 6 digit codes.

Your security is one of our top concerns, so if you’d like further information, please reach out to our team and we’d be happy to help figure out what works best for you and your business. Please feel free to give us a call at (858) 880-0355 x 2 or submit a support ticket here.