Ray Alner

78% of Admins and 98% of O365 Users Enable 2 Factor Authentication

I want to discuss what I heard when I was listening to Daniel Miessler’s podcast, where he mentioned the research of CoreView who found that 78% of Microsoft admins & 98% of Microsoft 365 users don’t use 2 factor authentication.


At work, I brought up the fact that I would be enabling 2FA on everyone’s account. The “ohh but whyyy” really made me realize I made the right decision. While I think some admins don’t enable 2FA out of a level of laziness, there is also the complexity behind the scenes of enabling 2FA. Here I want to talk briefly about the admin decision-making process, why they might not enable it, and why this is such a bad idea.

I don’t think this will be a particularly organized blog as there are so many vectors, so just bear with me as I splurge my ideas. Here we go:


Lots of Words

Microsoft knows how to write words. Not documentation. If you look at any technical documentation, they will go through how they made that product and the technical ideas behind how it’s set up, but a 1, 2, 3 setup document is rare to come by, and many just give up and try to set it up themselves by trial and error.


Hard to Access

Getting to the 2FA setting as an admin is hard. It’s not well placed, and unless you know what you’re looking for it’s very confusing. It’s not required when you create an account and isn’t prominently placed like the best security feature you could enable. It’s at the bottom of the users panel and takes you to another confusing set of pages with multiple actions you can take on all user accounts, so you have to find the user and enable it. Also, each new account created needs these additional steps done each time, and if you forget, you might as well not have 2FA on any account, because it is most beneficial when you enable it on all accounts in the tenant. If you were a business owner with limited technical skills, this is a huge turn-off. It just wouldn’t happen.


Difficult to Deploy

If you have to deploy it, you should follow their deployment guide, which is about as interesting and easy to read as tea leaves. This goes back to the “Lots of Words” with no meaning or action to take. Someone technically savvy might be able to figure it out, but again, it is a complete turn-off for small business owners who know enough to be dangerous but aren’t going to spend the time to read and decipher the tea leaves.

Walking the User Through It

Whether you are an MSP or a business owner, now you have to walk the user through getting it set up. That’s a lot of time you now have to take out of your day to help them set it up. The best way is to enable it and hope the end user knows enough to follow the steps and do what it says. The easiest way is to leave it off (as 78% of admins do). As an admin or even a small business owner, since you decided to turn it on, now you have to walk the less tech-savvy through how to set it up. It’s not user friendly. Again there are lots of words, and not the next, next, next, finish people want. Also, their recommended walk-through uses the least secure and least easy method to sign in. Since they use the text message/phone call method, it will take a lot more steps to sign in each time instead of the simpler push notification setup, which is multiple steps deeper in the 2FA system.


Accessing After the Fact

For a user to access it after the fact, to maybe change it or set up other options, it’s buried so deep in the system no one would find it unless they are looking for it. I swear I spent more time than most trying to look for it for this blog (about 1 minute) and couldn’t find it. I gave up. Most people would spend 30 seconds looking for it.


Setting Up More Secure Method

As I said, the more secure method is using a rolling code or push notification through an app on your phone; these aren’t as susceptible to mobile phone phishing or SIM swapping attacks. This method is hard to set up and takes several minutes to set up successfully. Most people don’t care about it that much.
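Two of the points above, that one forgotten account undermines 2FA for the whole tenant and that text message/phone call is the weakest method, can be checked in bulk rather than by clicking through each user. The script below is an added example and is not from the original post or from Microsoft; it uses the Microsoft Graph PowerShell SDK (`Connect-MgGraph`, `Get-MgUser`, `Get-MgUserAuthenticationMethod`) to list every enabled user, the authentication methods they have registered, and a rough strength rating. The rating scale and the output file name are my own choices, not anything the post or Microsoft defines.

```powershell
# Added example (not from the post): audit 2FA registration across a Microsoft 365 tenant.
# Requires the Microsoft Graph PowerShell SDK: Install-Module Microsoft.Graph -Scope CurrentUser
# Assumes the signed-in account holds a role permitted to read users' authentication methods.
Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All"

# Strength ranking is this example's own, following the post's reasoning:
# password only < SMS/voice < authenticator app (rolling code or push) < phishing-resistant key.
$strength = @{
    '#microsoft.graph.passwordAuthenticationMethod'                = 0
    '#microsoft.graph.phoneAuthenticationMethod'                   = 1   # text message or phone call
    '#microsoft.graph.emailAuthenticationMethod'                   = 0   # self-service password reset only, not a sign-in factor
    '#microsoft.graph.softwareOathAuthenticationMethod'            = 2   # rolling code (TOTP)
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'  = 2   # push notification
    '#microsoft.graph.fido2AuthenticationMethod'                   = 3   # security key
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' = 3
}
$label = @{ 0 = 'NO 2FA'; 1 = 'SMS/voice only'; 2 = 'Authenticator app'; 3 = 'Phishing-resistant' }

$report = foreach ($u in Get-MgUser -All -Filter "accountEnabled eq true" -Property Id, UserPrincipalName) {
    $types = Get-MgUserAuthenticationMethod -UserId $u.Id |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] }

    # Rate the user by the strongest method registered; unknown method types are rated 1 so they
    # stand out for manual review rather than silently counting as strong.
    $best = ($types | ForEach-Object { if ($strength.ContainsKey($_)) { $strength[$_] } else { 1 } } |
        Measure-Object -Maximum).Maximum

    [pscustomobject]@{
        User    = $u.UserPrincipalName
        Methods = ($types -replace '#microsoft.graph.', '' -replace 'AuthenticationMethod', '') -join ', '
        Status  = $label[[int]$best]
    }
}

# Weakest accounts first: these are the "forgot to enable it" cases the post warns about.
$report | Sort-Object Status | Format-Table -AutoSize

# Keep the list of accounts with nothing beyond a password for follow-up (file name is this example's choice).
$report | Where-Object Status -eq 'NO 2FA' | Export-Csv .\users-without-2fa.csv -NoTypeInformation
```

Registration is not enforcement: a user who has an authenticator app registered can still sign in with password alone unless Security Defaults or a Conditional Access policy actually requires a second factor, so read this report alongside whatever policy is supposed to be requiring 2FA in the tenant. Re-running it after each batch of new accounts is the cheap way to catch the one that was missed.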


Conclusion

As I said, it wasn’t a particularly organized blog, and I’ll post a follow up later to help flesh out these ideas. This is one reason why 2FA isn’t very popular and why we will continue to get hacked. Passwords are only so good, and unfortunately the further we get without enabling 2FA the more accounts will be breached. The tsunami is coming. Are you prepared?


