How multi-factor authentication empowers secure hybrid working

Side view close-up of a man typing on his phone while standing behind a Microsoft Surface Studio.As we increasingly work outside the office and across different devices, organisations are looking at cloud modernisation and resilient security strategies. To adapt to a complex modern environment, organisations need a strategy that embraces the mobile workforce and empowers productivity, all while protecting people, devices and data no matter where they’re located. Enabling identity-based security is key to adapting to the hybrid workplace. And multi-factor authentication (MFA) is one of the baseline components of any identity infrastructure.

Multi-factor authentication adds another layer of protection to the sign-in process. After all, if you only use a password to authenticate users, it leaves an insecure vector for attack. What if the password was weak? Or if it was exposed elsewhere? Are you sure that person signing in is really the user? When you require a second form of authentication that isn’t easy to obtain, you are building another layer of security.

Therefore, ensuring you use the right type of MFA service is of critical importance. Different MFA solutions can have a dramatic impact on cost, user experience and your resilience to service outages and attacks. In this post we’re going to look at some of these factors and make some recommendations to ensure your MFA solution enables your organisation, and your people, to be productive safely.

1.      Optimise security processes to bring down costs

Man in a collared shirt working on a server station inside a secure room. Coworkers and large monitors are in the background.A vulnerable entry point for cyber attackers is to use credential-based attacks to access networks and steal data or spread ransomware. However, multi-factor authentication stops 99.9 percent of credential-based attacks. That’s why MFA really is one of the most fundamental security measures. At Microsoft, we deploy MFA to protect our customers, our data, systems, and our business. Azure AD MFA is used across our consumer platforms like and Xbox, as well as thousands of other online services. In fact, its foundational to our five steps to secure your identity infrastructure.

Online retailer Asos uses Azure AD (including MFA) to protect identity as the new perimeter. By automating, provisioning and deprovisioning user accounts across its SaaS landscape, they have reduced costs and errors, all while improving productivity.

“Our service desk spends much less time setting up users and creating or deleting accounts, which gets our costs down,” says Mark Lewis, Infrastructure Architect at ASOS. “We made our lives easier by adopting Azure Active Directory—we’ve saved time and money, improved the employee experience, and enhanced the security of our entire SaaS ecosystem.”

Where cost may be a blocking factor, in Azure AD the options to use SMS and phone-based MFA are free. In the case where certain users might be specifically targeted, you can selectively upgrade people to P1 or P2 licensing models and nudge people towards using the Microsoft Authenticator app with a one-time-password or notification-based MFA.

These days, it’s easy to enable MFA for all with one click. However, you don’t have to take a single, big-bang approach. You can onboard users into MFA in batches that are digestible by your service desk. Typically, 10 percent of any given batch will need support, so the ability to onboard in batches has a dramatic impact on the cost of deploying MFA. For employees, using multi-factor authentication when paired with single sign-on can increase productivity as they can access everything they need without re-entering passwords.

And if there is still resistance, this is one of those measures which business leaders should by now expect. We’ve seen the reports of the cost and reputational damages that security breaches can have on organisations. Leaders should be challenging IT to ensure the safety of their customers, employees, systems and data. And MFA is one of the critical elements to delivering that.

2.      Balance security and productivity with multi-factor authentication

A woman working from home on a Teams callPre-cloud, security was ring-fenced around the data centre and the physical office, with the network perimeter as the main defence. Often, these featured early methods of MFA – such as one-time passcode fobs or smart cards. However, on-premise environments can be open to attack through misconfigured web and VPN services, lack of patching, as well as credential hygiene issues.

As organisations move to hybrid cloud-based environments, they can take advantage of existing Zero Trust capabilities with the knowledge that we will be investing a further $20 billion in our security solutions over the next five years to help defend against ransomware and other threats. With MFA in Azure AD you are consolidating your identity services into a strong and highly trusted environment. You’re not only increasing your resilience to ransomware and supply chain attacks, but also other outages that can occur on-premises.

For Durham University, they used MFA and Azure AD to ensure their staff and students could keep learning remotely. They use single sign-on to access everything they need whilst keeping their intellectual property secure. “By migrating to Azure AD, we’ve moved the responsibility of high availability to Microsoft, who, let’s face it, are scaled to do a better job than we could. Our services are much more resilient.” Says Craig Churchward, Technical Specialist for Windows Platform.

You can also maximise your ability to take advantage of new features as they are delivered, without any concerns for integration and support across vendors. Additionally, older platforms often involve backend server infrastructure, physical tokens and the man-hours needed to issue, replace and troubleshoot those tokens. With Azure AD MFA, users no longer need physical tokens. Additionally, there’s no server infrastructure to maintain. Your IT and security teams can focus on high-value tasks.

3.      Multi-factor authentication empowers secure hybrid working

An employee experience empowers workers. A man works from home on a Teams call.A core tenant of Zero Trust is to never trust – always verify. Regardless of where the request originates or what resource it accesses, it is always fully authenticated, authorised, and encrypted before granting access. This helps build secure hybrid working. It makes it easier for employees to connect from anywhere, on different devices while protecting organisational data.

MFA and Conditional Access are key to Rabobank’s mobility strategy. “We require multi-factor authentication for mobile access today and have Conditional Access policies set up to require new device enrollments to happen on the corporate network. Most importantly, people can enroll and get access quickly—which is good, because we didn’t want to create this digital workplace and slow people down with security,” says Abe Boersma, Global Head of Workplace Services.

Identity is now recognised as one of the core services we use to secure the enterprise. Your identity stack, including your MFA service, is a key component of Microsoft’s security control plane. You can discover more in the guidance found in the Microsoft Cybersecurity Reference Architectures (MCRA) and Enterprise Admin Model.

4.      Build a strong security culture

A human-first security culture will help employees stay productive and secure in the hybrid workplace. One factor of this to have a strong password policy. At Microsoft, we see over 10 million username/password pair attacks every day. Build your strategy on updated password policy guidance from NIST, NCSC and Microsoft. Using technology such as Windows Hello for Business, the Microsoft Authenticator app and FIDO2 tokens alongside MFA will help to reduce successful credential attacks You can find out more about passwordless tech from Microsoft Security Team member, Alex Weinert in his blog; Your Pa$$word doesn’t matter.

If passwords are going to be with you for the foreseeable future, Azure AD Password Protection helps users select passwords that are not commonly known and Azure AD Self-Service Password reset will minimise the operational cost of passwords.

5.      Close the door on insecure legacies

From our research, we’ve seen most opportunistic attacks target legacy authentication protocols that bypass MFA. But there is an effective control to prevent this. Disabling legacy authentication and enabling MFA is one of the most impactful things you can do to prevent credentials from being compromised. Microsoft provides the tools to you accomplish this. In new Azure tenants, legacy authentication protocols are disabled by default, but many existing tenants still have this enabled.

Building a secure hybrid workforce

Multi Factor Authentication is becoming increasing important for an organisation’s cybersecurity. To stay resilient, organisations need to ensure employees can securely and easily access their work across devices, no matter where they are. MFA helps achieve this. Also, by modernising MFA organisations can increase resilience to attacks and service outages. They can also improve agility in adopting new features while supporting legacy systems.

Find out more

Build a modern security strategy

Security and mobility

Discover MFA

Resources to empower your development team

Secure Azure Active Directory users with Multi Factor Authentication

Manage identity and access in Azure Active Directory 

How Multi Factor Authentication provides secure access to resources

About the author

Gavin works within the Customer Success team at Microsoft. His aim is to make customers more productive, more secure, and ultimately more successful through features like Azure AD. Having seen what modern ransomware attacks can do up close, Gavin is passionate about helping keep an organisation’s customers, staff, systems and data safe. He is also a keen cyclist (on and off road), husband and father to three young children. You can catch him on Twitter @gvnshtn and on LinkedIn.