Hi Guys,

So recently we have had some accounts compromised, and as a result I'd like to use MFA to further secure it.

HOWEVER

I think this is going to cause a real upset with users for a few reasons.

* When logging into the O365 portal it will request a code, a call or the use of the authenticator app each time.

* People are not happy about having to use their mobiles etc.

Outlook on their machine is fine, as I can use an app password, and it won't ask them for this once set up unless there is an issue etc.

So my question is: do you guys use this, how do you use this, is there a better way, or should I say a less frustrating way...

BTW, our users log in to the portal to access SharePoint stuff / intranet bla bla bla, so this requirement will always be there. I will admit it does my head in too, but as a techie I'm just used to it.

Any help / Advice greatly appreciated.

6 Spice ups

I haven’t had many people upset with using their phones, most are happy you’re not forcing more hardware on them. Just have a backup option for those that really want or need (some people still don’t have phones that support apps).

1 Spice up

How did the accounts get compromised? What do you mean "compromised"? Hacked? Someone besides the actual user sending and receiving email? Were they accessed internally or externally? Were the passwords guessed or otherwise too weak? Why not just improve passwords and skip the rest of the rigmarole?

MFA will send a text with a code that is needed after a user enters their password via the portal.

Applications will require the use of an 'App Password' (Outlook, Skype, OneDrive).

This app password is auto-generated through the O365 portal, and you get one look at it and that's it. If you forget it you need to create another one.

If they use email on a cell phone, this will need to use the app password as well.

It can be a pain. Most users I've done this for hated it.

We get them to download the Authenticator app.

An alternative is to use something like a YubiKey, which we may use for our more challenged users.

Every time I try to push this my clients come back with “Why can’t it be simple like my bank - use a new device, they text me at the number they have on file and I get a code and done.”

I don’t have an answer for them.

I feel your pain; however, if you want security you just have to explain that the alternative is the possibility of rapidly spreading malware within their domain. I have seen companies that have had repeated attacks over a one-year period bringing down their domains time and again until they stepped up their security. One of the ways they did it was to implement MFA. The users, even after a year, still say "I didn't have to do this before." You just have to take a breath and explain again why it needs to be this way.

Good Luck

2 Spice ups

We had the same issue this year.

The execs asked for MFA to be rolled out across the 900-1000 users.

It was a nightmare to roll out because our users can't read instructions and forgot to save their "app" password during setup.

We found a setting that allows computers to be remembered for 30 days before prompting for another code or phone call, which might help you.

Our CFO had his PC compromised. It was a huge eye opener.
I have eight different departments spread across two locations. I took it one department at a time. I explained to them that I needed their help to secure our network.
I visited each department with my laptop and showed them how painless it was to log in. I explained briefly why it was important to have a second form of authentication.
I only have a few users that don’t receive their code by text and they are content to have their desk phone ring.
In short, explain the reasons behind it and demonstrate the ease.

Hope this helps

2 Spice ups

We thought about it but it just wouldn’t fly here. Most of our users don’t have a company cell phone. Some of them don’t have personal cell phones or direct dial numbers. None of them know how to follow instructions.

We do have KnowBe4 as our security awareness training provider to help with at least educating them on not giving up their passwords AND even though the new trend is to believe that changing passwords regularly is counter-productive we have them do that because I think it’s a load of crap. Sure a few of them write down their passwords but then you need physical access to that paper AND those people would still write it down even if they never had to change it.

MFA is just too much for the average computer illiterate user.

I just started to explore this feature as well. One problem I have is managing app passwords. I have not done a full deployment yet; I'm just in the testing stage right now. I do not like the idea that users have to use app passwords on their Outlook clients. So I was thinking... would it be cool if two-factor authentication could be disabled inside the network, and if anyone wants to retrieve their emails through internet browsers or mobile devices outside of our network, then 2FA would be enabled? Well... you can! Use "Trusted IP Address". I entered my external IP address in my Azure Office 365 account, and now I'm able to use my regular corporate password to sign in to my Outlook client and go to portal.office.com without being prompted for 2FA within my network. I'm still testing at the moment because I have not enabled "Modern Authentication" yet. I will plan this over the weekend and see how it goes. My worry is it might require users to re-sign in to their Outlook clients and their mobile devices. You can learn more about "Trusted IP Address" from the link below.

@damjo
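The thread describes three admin-side pieces by hand: turning on per-user MFA, the app passwords that legacy clients then need, and "Modern Authentication" as the way to stop needing them. The script below is an added example (not posted by anyone in this thread) showing how those steps were typically scripted against Office 365 at the time. It assumes the legacy MSOnline module (since retired by Microsoft in favour of Graph/Entra tooling) for the per-user MFA state and the ExchangeOnlineManagement module for the Exchange Online setting; the CSV file names and the UPN column header are placeholders.

```powershell
# Added example, not from the original thread.
# Assumes: MSOnline module (legacy) and ExchangeOnlineManagement module are installed,
# and the account running this is a global/Exchange admin. File names are placeholders.

Connect-MsolService

# 1. Audit: which licensed users still have no per-user MFA requirement at all?
#    StrongAuthenticationRequirements is empty for users who are neither Enabled nor Enforced.
$noMfa = Get-MsolUser -All |
    Where-Object { $_.IsLicensed -and $_.StrongAuthenticationRequirements.Count -eq 0 }
$noMfa | Select-Object UserPrincipalName, DisplayName |
    Export-Csv -Path .\users-without-mfa.csv -NoTypeInformation

# 2. Enable per-user MFA for one pilot department at a time, as the thread suggests.
#    'Enabled' lets the user register a method on next sign-in; switch to 'Enforced'
#    once registration is done so legacy clients start requiring app passwords.
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = '*'
$req.State = 'Enabled'

# pilot-department.csv is a placeholder with a single UserPrincipalName column.
Import-Csv -Path .\pilot-department.csv | ForEach-Object {
    Set-MsolUser -UserPrincipalName $_.UserPrincipalName -StrongAuthenticationRequirements @($req)
}

# 3. Turn on modern authentication (OAuth) in Exchange Online so Outlook 2016+ and the
#    Outlook mobile app can prompt for the second factor themselves instead of needing
#    a per-device app password.
Connect-ExchangeOnline
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
Get-OrganizationConfig | Select-Object OAuth2ClientProfileEnabled
```

Run step 1 before and after the rollout to confirm nobody was missed. Step 3 is the one that removes the app-password pain most posts complain about, but only for clients that support modern authentication; older Outlook versions and basic-auth mobile mail clients will still need an app password or a newer client. The "remember devices for 30 days" and "Trusted IPs" options mentioned above are tenant-wide MFA service settings configured in the portal rather than through these cmdlets.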