One challenge that Managed Service Providers (MSPs) have faced over the years is the reluctance of their small business clients to implement Multi-Factor Authentication (MFA), because in the view of many SMB leaders the perceived inconvenience outweighs the perceived risk of attack. While security and technology professionals understand this is not the case, we continue to emphasize the risk conversation by highlighting the prevalence and negative effects of business email compromise (BEC), in the hope of encouraging the adoption of MFA solutions and thereby raising the bar for protection.
With providers like Microsoft enforcing the use of MFA, we have gained traction with many of the MFA detractors, but there is still plenty of room to grow in this area. Like most technology, MFA has had to improve continually over the years to keep up with bad actors finding ways around it. With basic MFA methods such as text-based SMS codes or Time-based One-Time Passwords (TOTP), which typically provide a 6-digit code to type in for access, attackers can use techniques like man-in-the-middle (MitM) phishing proxies, keyloggers, and SIM swapping to capture the code and bypass the second factor.
But there is hope, and it's called Fast Identity Online 2 (FIDO2). Instead of relying on just a password or a code, FIDO2 creates a cryptographic key pair that is unique to each site you use. The private key stays safely on your device, such as your phone or a small physical security key, and proves your identity without you typing in any codes, which makes it much harder for attackers to steal your credentials, even if they trick you into clicking a phishing link.
A few benefits of FIDO2 over traditional SMS:
Phishing Resistance: FIDO2 uses cryptographic key pairs to ensure authentication only with the legitimate service, eliminating the risk of phishing attacks present in SMS MFA where codes can be intercepted.
Stronger Security: Unlike SMS, which is vulnerable to interception and SIM swapping, FIDO2 utilizes hardware-backed security or biometric authentication for significantly higher protection against various attack vectors.
Enhanced Privacy: FIDO2 authentication enhances user privacy by not transmitting sensitive information like passwords or one-time codes over the network, unlike SMS, which sends codes in plain text and can be intercepted.
Moving from traditional SMS or TOTP secondary authentication to FIDO2 requires planning and potentially implementing solutions like Microsoft Authenticator, or even purchasing and distributing physical security keys that support FIDO2. But the work is worth the security improvement for our MSP clients!
For clients using M365, an additional planning step is configuring Conditional Access to enforce FIDO2 as the required MFA method. One challenge during a rollout is ensuring that every user has been configured in every tenant that requires FIDO2. The good news is that MSPs who use SkyKick Security Manager can seamlessly roll out the FIDO2 configuration to individuals, groups, companies, or the complete client base, and at the same time monitor enforcement and see any gaps in MFA coverage.
The adoption of FIDO2 offers a more secure and convenient alternative to traditional SMS-based authentication methods. By leveraging cryptographic key pairs and hardware-backed security, FIDO2 enhances privacy, strengthens security, and provides resistance against phishing attacks. Managed Service Providers can play a crucial role in promoting the adoption of FIDO2 to improve the overall security posture of their clients and SkyKick can help. For more information on managing Conditional Access inside M365 through SkyKick SaaS Security, please check out our web page or book a live demo.