Is your O365 protected by MFA, really?

Microsoft recommends MFA (Multi-Factor Authentication) as an important part of security. In the article O365 MFA vs Azure AD MFA | David McWee says “We, Microsoft, find that by enabling MFA on your accounts your organization will reduce account compromise by OVER 99%!” Seems like a no-brainer: just turn it on.

Unfortunately, Microsoft doesn’t make it easy for your IT staff or VAR (Value Added Reseller) to tell whether every user account is ACTUALLY using MFA. They provide so many different ways to set up, deploy and require MFA that confirming it is enforced for every user is harder than it should be. To complicate matters further, there are additional rules covering an attacker who logs in from a PC they have stolen from you. The more immediate risk is not that your PC could be stolen, but that attackers in other countries can guess your password. Fortunately, there is an easy way for users to test it themselves.
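For the admin side of this question, the following PowerShell is an added example written for this page, not a script from the original post or from Microsoft. It assumes the Microsoft.Graph PowerShell modules are installed and that the signed-in account is allowed to read the authentication-method registration report and the sign-in logs (the scope names below are the Graph permissions those reports require). It answers two separate questions that are easy to confuse: which users have no MFA method registered at all, and which successful sign-ins in the last week were completed with only a password, which is the tenant-wide version of the “new device, no prompt” test the post describes.

```powershell
# Added example (not from the original post): admin-side check of whether users are
# registered for MFA and whether their recent sign-ins were actually challenged for it.
# Assumes the Microsoft.Graph modules are installed and the account has the scopes below.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All", "Directory.Read.All"

# 1. Registration: who has no MFA method on file at all?
$registration  = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$notRegistered = $registration | Where-Object { -not $_.IsMfaRegistered }
"Users with no MFA method registered: $($notRegistered.Count)"
$notRegistered |
    Select-Object UserPrincipalName, IsAdmin, MethodsRegistered |
    Format-Table -AutoSize

# 2. Enforcement: registration says nothing about whether a policy actually required MFA,
#    so look at what happened at sign-in. Successful sign-ins in the last 7 days whose
#    AuthenticationRequirement is singleFactorAuthentication were let in on a password alone.
$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since"
$singleFactor = $signIns | Where-Object {
    $_.Status.ErrorCode -eq 0 -and
    $_.AuthenticationRequirement -eq "singleFactorAuthentication"
}
"Successful sign-ins completed without MFA (last 7 days): $($singleFactor.Count)"
$singleFactor |
    Group-Object UserPrincipalName |
    Sort-Object Count -Descending |
    Select-Object @{ N = 'User'; E = { $_.Name } }, Count |
    Format-Table -AutoSize
```

The second list is the one that matters for the post’s argument: a user can be fully registered for MFA and still appear there if no Conditional Access policy, Security Defaults setting or per-user MFA state actually requires the second factor for that sign-in. How far back the sign-in query can look depends on your tenant’s log retention, and sign-ins that reused an existing session rather than entering a password are expected to show as multi-factor, so the new-device or incognito test from the post remains the quickest way to confirm what a fresh login actually asks for.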

MFA protects user accounts by requiring something the user knows (a password) along with something they have (a cell phone). If you can access your account from a browser or device you’ve never used before without needing the text message to your cell phone or the Authenticator app, then an attacker anywhere in the world who guesses your password will have the same access to your account. This is to be avoided if at all possible.

Sure, your password is hard to guess, but attackers can program bots to guess it for them. The default O365 settings allow several attempts between brief pauses. Attackers also phish for passwords with pages that look like Office.com but exist only to record your credentials. If your account really is protected by MFA, the chance of it being hacked is reduced by 99%. That’s a small cost for peace of mind.

So if your account lets you log into a new device or an incognito browser tab without prompting you for the 6 digits from your phone, self-report to your Admin. If they say, “Oh, it’s on,” show them that it isn’t requiring MFA from a new device or browser. Evidence is, well, self-evident.