Presented by Specops Software

Office 365 has the highest adoption rate of any SaaS application, making it a prime target for attacks. Unfortunately, its multi-factor authentication (MFA) is not being utilized at the same pace as the application’s adoption.

Microsoft does offer phone-based MFA as part of an Office 365 license or through a premium Azure AD plan. However, the reality is that only 20 percent of organizations use MFA for admins and users.

Sensitive information is stored in Microsoft Office 365 documents such as business plans, financial forecasts, personnel data, and even passwords. Microsoft explains that 10 million attacks to Office 365 accounts happen daily.

How many of these accounts rely on a single point of vulnerability — the password? Attackers take advantage of low-hanging fruit, such as users’ limited IT security awareness and accounts with single factor authentication. In Microsoft’s most recent Security Intelligence report, they found that phishing attacks were being used as the primary attack method for Office 365.

Earlier this year, millions of Office 365 accounts were targeted with passwords stolen through a phishing email attack leveraging Microsoft Office files. Once passwords are accessed, attackers can leverage multiple methods to worm their way into other accounts across the organization. For example, it was reported that a brute force login method was used to attack a number of high level employee accounts across multiple Office 365 enterprise customers. The attackers were able to get into many of these accounts simply by trying iterations of usernames and passwords obtained from leaked lists and phishing attacks.

The MFA resistance

With such a high risk factor, the low uptake of Office 365 MFA is surprising. To get to the bottom of this, we implemented a global survey to gauge IT administrators’ experience with Office 365 implementations using tools and components provided by Microsoft.

Essentially, two-factor authentication (2fa) requires the use of something you know (for example, a password or pin) as the first factor, plus one additional factor which can fall into the something you have or something you are category. Most authentication vendors offer the something you have as a second factor for Office 365.

Microsoft offers two-factor authentication (2fa) for free with an Office 365 license or through a premium Azure AD plan, or through a pay-as-you-use type of model. When we asked respondents why they were not using MFA to protect the Office 365 login, the majority of respondents pointed to the potential negative impact on the user experience as the primary reason. Other reasons included set up complexity, separate billing/pricing/ licensing, and a lack of MFA options which can also have a negative impact on the user experience.

Adding additional factors to the authentication process will inherently impact the user login experience by adding time and potential disruption if the authentication factor fails. The survey looked at which MFA options were being offered to end users. The majority of respondents stated that they were using SMS verification as the second factor. This is not surprising as this method is very accessible and familiar to users.

The problem with SMS verification is that text messages can be intercepted. In fact, Reddit was breached back in June due to their employees’ use of two-factor authentication with SMS verification, as the second factor. The use of phone-based factors to protect Office 365 resources — such as SMSs — do not add much protection.

Balancing security and usability

Just a username and password during authentication will leave your organization vulnerable. First, this is because the Office 365 username is pretty simple to crack — it typically consists of a first and last name followed by the organization’s email domain. Second, users reuse passwords or simply use very weak passwords.

Implementing MFA for Office 365 really should be a priority but finding the right balance between security and usability is key. Security does not have to be compromised to minimize impact on the user experience if utilizing an MFA platform that can ensure choice. Solutions that only offer phone-based options as the second factor can result in users being locked out in the event that they do not have their device on hand and of course phone-based options such as voice calls or SMS verification do very little to boost security. If the user’s password is compromised or generally weak/guessable, a hacker can easily get into the account by employing call or SMS interception methods.

This means it’s important to explore options beyond what Microsoft provides and look for solutions that can:

  • Provide users with failover alternatives
  • Support more than just phone-based options as the second factor
  • Replace passwords as the first factor with stronger forms of authentication

Specops Authentication for Office 365, and its dynamic multi-factor authentication engine, provides the ability to pick from more than 15 forms of authentication to ensure that users are accessing Office 365 resources with the most secure and accessible set of authentication factors. This choice, including the ability to provide users with failover options, enables IT departments to not only secure Office 365 login but also ensure that users can authenticate successfully if one factor fails. Additionally the solution can replace passwords with stronger forms of authentication if desired.

Marcus Kaber is CEO at Specops Software.

Sponsored posts are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. Content produced by our editorial team is never influenced by advertisers or sponsors in any way. For more information, contact