Part III – Where to set up your MFA: in the cloud or on an on-premises server
In part 1, we discussed the applications or websites that you are trying to secure with MFA. In part 2, we discussed the location of your users. Here we will discuss the MFA features available in each option.
- What are you trying to secure?
- Where are your users?
- What are the features that you require?
The choice of MFA option also depends on the features you require for security. There are several ways to secure your authentication: the methods include phone call, SMS verification, mobile app notification and many others, and you can choose the verification method that suits you. Though most MFA features exist in both the cloud and the Server, there are a few exceptions that we will discuss.
The table below lists the features compared in this part.
|Feature|
|---|
|Mobile app notification as a second factor|
|Mobile app verification code as a second factor|
|Phone call as second factor|
|One-way SMS as second factor|
|Two-way SMS as second factor|
|Hardware tokens as second factor|
|App passwords for Office 365 clients that don't support MFA|
|Admin control over authentication method|
|Custom greetings for phone calls|
|Customizable caller ID for phone calls|
|Remember MFA for trusted devices|
Mobile app notification
For the notification and verification-code methods you will need to install the Azure MFA app on your mobile device. When you log in, you receive either a notification to approve or a verification code in the app. This feature is available in both MFA in the cloud and MFA Server.
Phone call
Phone call as a second factor is available in both MFA in the cloud and MFA Server. You receive a call on your registered number, whether landline or cellular, and authentication succeeds only when you enter the code spoken during the call. You only need to make sure that the phone numbers in your user account settings are correct.
One-way and two-way SMS
With the one-way SMS method, you receive a verification code by text message. This feature is available in both MFA in the cloud and MFA Server. The two-way SMS method, where you reply to the code by text message, is not available in MFA in the cloud and will soon be discontinued in MFA Server as well.
Hardware tokens
There is no verification via hardware tokens for MFA in the cloud, but hardware tokens are available for MFA Server. OATH TOTP (time-based) tokens are supported by the Azure MFA Server. A few examples of hardware tokens for MFA Server are Gemalto IDProve, SafeNet OATH tokens, and Deepnet Security SafeID.
Office 365 clients that don’t support MFA
A few clients (for example, Mozilla Thunderbird) do not support MFA in Office 365. The best option for securing them is application passwords. App passwords for Office 365 clients that do not support MFA are available with MFA in the cloud, but not with MFA Server.
Admin controls over authentication methods
Admins can manage, edit, and control the authentication methods for each user. Admin controls are available in both options.
PIN mode
Each user has a unique PIN that they must enter during phone verification (if selected). PIN mode is not yet available with cloud-based MFA; it is currently only available in MFA Server.
Fraud alert
If suspicious activity is detected, the system alerts your IT team and can even block the suspicious user. Fraud Alert is an important security feature that is available in both MFA in the cloud and MFA Server.
MFA reports
MFA Reports include blocked user history, usage and fraud alerts, usage of on-premises components, bypassed user history, and server components. Reports are available in both MFA in the cloud and MFA Server.
One-time bypass
When you allow a one-time bypass, no verification is required for a set time-out period, so the user can bypass MFA during that time. This balances security and productivity, because going through the verification process every time can become irritating. One-time bypass is available only in MFA Server, not in MFA in the cloud.
Remember MFA for trusted devices
One of the configurable features of Azure Multi-Factor Authentication is giving your users the option to mark their devices as trusted. Users can opt out of two-step verification for a configurable number of days on the devices marked as trusted.
Caching
After a successful Multi-Factor Authentication, further attempts by the same user within the configured cache period (in seconds) succeed directly, without another verification via call, text or push notification. Caching can be configured for all applications, for specific applications, or for specific applications from the same IP address. The cache feature is available only in MFA Server.
We hope this clarifies the basics of setting up Azure MFA according to your requirements. Make a checklist of the points that matter to you, compare the scenarios for each question, and check whether MFA can be implemented in the cloud or in the Server. There can be more complex scenarios than the few mentioned above. If you need to discuss your situation and find solutions, you can talk to our expert. We will guide you in selecting the right MFA solution for you.
If you are thinking of implementing MFA to secure your applications or websites, feel free to chat with our expert. Contact Apps4Rent now.