Security standards vary widely between businesses, admins, and end-users. For many, whose businesses possess highly sensitive data, strong authentication (commonly referred to as strong auth) methods are critical to secure valuable assets.  

Strong auth provides a powerful level of security many find necessary in a tumultuous digital landscape. Metaphorically speaking, leveraging strong authentication is the equivalent to securing your resources behind a bank vault as opposed to securing them with a padlock, as with legacy authentication methods.

But what exactly is strong auth, and how can your business take advantage of the benefits? In the article below, we aim to answer these questions.

 

What is Strong Auth?

Strong authentication is a strategy made available to Microsoft 365 users in Azure AD. It provides distinct levels of authentication security within conditional access grant access options.

There are three main components that provide options for strong authentication to your environment.

  1. MFA (Multi-Factor Authentication) – this is a security augmentation strategy that uses a layered approach in the authentication process. The idea of Multi-Factor Authentication is that a user must verify their identity by using two or more methods before they are granted access into an environment.

  2. Passwordless AuthenticationPasswordless authentication can take a variety of forms. Whether it be a FIDO2 key used to authenticate, biometrics, or single sign-on, each is dictated by conditional access policies and provides a modern method of securing users and identities. Passwordless technology eliminates one of the most primary attack vectors, vulnerable passwords, and positions groups for a higher security posture.

  3. Phish Resistant MFA – this particular method uses the above two components of strong auth to prevent attacks via social engineering like man-in-the-middle attacks. Phishing continues to be one of the most common methods of attack as it targets the most vulnerable security liabilities in most organizations- human errors.

These three components work collectively to make strong auth effective. For example, if a bad actor makes an attempt on your environment from a location that is across the world from your business and employees, these strong auth features provide the checks and balances to prevent their entrance to an environment by requiring more than a simple user ID and password to gain access. Think of them as extra layers tiers of security a bad actor would have to overcome in order to get what they want – your data.

 

Who needs Strong Auth?

Although strong auth provides advanced security measures to access resources, in many cases, it may not be necessary for everyone in your business. If you’ve already established role-based access controls, many identities will already not have access to the most sensitive data in your business in the first place. Strong auth becomes especially necessary for privileged access users, like your global administrators. These individuals hold the key to what makes your environment tick and therefore must be safeguarded with force. Additionally, many groups require their global admins to log in from a distinct IP or Windows 365 devices as the jumpbox to access critical infrastructure.

 

Authentication Strengths

If you’re pursuing strong authentication for your business, you’ll want to evaluate authentication strengths for your users.  Authentication strengths use a varietal combination of methods to determine steps a user or identity must bypass to receive access to resources.

Determining the authentication strength your admins and users will need is a critical component of strong auth. As you can imagine, this can vary significantly based on an individual’s need to access sensitive resources. For example, an end-user in your marketing department will have very different needs from those of a global admin or IT team member. Therefore, their authentication strength should reflect the disparity.

Authentication strength is established in (you guessed it)  the conditional access policies of Azure AD. They allow your IT leads to select the exact composite of authentication methods each group of users will need to access specific corners of your environment.

Built-in authentication strengths and combinations provided in Azure AD include the following:

MFA Strength:

Here we can select one or more of the below authentication methods:

  • FIDO2 Key

  • Windows Hello for Business

  • Cert-based authentication

  • The Microsoft authentication smartphone sign-in app

  • Temporary access passes

  • SMS. Voice, Software OATH tokens or Hardware OATH tokens

  • Federated Single Factor + Something you Have

  • Federated Multi-Factor

Passwordless MFA strength

  • FIDO2 security keys

  • Windows Hello for Business

  • Cert-based authentication

  • The Microsoft authentication smartphone sign-in app

Phish-resistant MFA strength

  • FIDO2 Key

  • Windows Hello for Business

  • Cert-based authentication

For a deeper dive into the complexities and combinations of authentication strength, I’d recommend checking out this guide provided by Microsoft.

 

Are you ready for strong auth?

Many components of strong auth are determined largely on your business’ position in the modern endpoint management journey. If your business still relies on on-prem infrastructure you may run into some roadblocks. Simply put, the best way to position your group to leverage strong auth is to embrace a cloud-first environment. A cloud-first environment comes with benefits far beyond simply strong auth. Feel free to check out the other benefits here: How to Achieve Success with Modern Endpoint Management — Mobile Mentor (mobile-mentor.com)

 

Conclusion:

If your business is looking to secure identities in the most effective manner possible, you should start considering the adoption of strong auth. The benefits of implementing it are substantial and will add the layer of security your team needs to operate confidently without concerns of compromised authentication.


 

Hugo Salazar

Hugo is our Modern Work & Security Engineer in the US, based out of Southern California. Starting his IT career for MSPs Hugo developed his skills working for an array of clients ranging from non-profits and financial organizations. Hugo honed his MDM skills during his tenure at a global REIT.