In a recent survey conducted by Talker Research for Forbes Advisor, 46 percent of Americans admitted to having a password stolen in the past year. More than two-thirds (68 percent) had to change their password across more than one account after it was compromised. In other words, Americans are not only using weak passwords but are reusing them across multiple accounts.
Sadly, poor password habits aren’t limited to American consumers. Users in organizations large and small — including those in the IT department — often fail to follow password best practices.
Various studies have shown that IT pros are among the worst offenders when it comes to using weak passwords. It’s also common for IT departments to share administrator-level passwords and neglect to change default passwords.
Because of these practices and escalating cyber threats, Microsoft will require multifactor authentication (MFA) for all Azure users starting in October 2024. The company is rolling out the requirement in phases to give customers time to prepare.
Why MFA Is Essential
MFA can help reduce the risk that a compromised password will lead to a security breach. MFA is a security mechanism that requires at least two authentication factors before allowing a user to log in to a system.
The four general categories of authentication factors are:
- Knowledge factors, such as passwords or PINs
- Possession factors, such as hardware fobs or mobile authenticator apps
- Inherence factors, such as fingerprints or facial recognition
- Behavioral factors, such as keystroke patterns or mouse movements
MFA adds a second barrier that an attacker must defeat even after obtaining the password, which makes it far harder to break into an account than a password alone. This is especially critical for privileged accounts, where a single compromised credential could give an attacker administrator-level access to systems and data.
Phased Approach, Multiple Options
Phase 1 of the MFA rollout will cover the Azure portal, the Microsoft Entra admin center and the Intune admin center. Enforcement will be implemented gradually across all tenants worldwide. Phase 2, which will likely begin in January 2025, will extend the requirement to the Azure Command Line Interface, Azure PowerShell, the Azure mobile app and Infrastructure as Code tools. Organizations that need extra time because of technical barriers or the complexity of their environments should contact Microsoft to discuss a possible extension.
Organizations have multiple options for setting up MFA through Microsoft Entra ID (formerly Azure Active Directory). They can use the Microsoft Authenticator app, FIDO2 security keys or certificate-based authentication. However, legacy MFA tools might not meet Microsoft's requirements, so existing deployments should be checked against the supported methods before the enforcement date.
Creating a Sense of Urgency
Ultimately, organizations will gain several benefits from MFA. In addition to protecting their Azure accounts, they will satisfy a key control required by industry standards and regulations such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).
Microsoft research shows that MFA can prevent more than 99 percent of account compromise attacks. Cerium can help you prepare for the new Microsoft requirement and develop a plan for implementing MFA across all systems, applications and services in your IT environment.