Microsoft Advocates for Safest Login Method, Eliminating SMS

No more SMS: Microsoft wants to prescribe the most secure login method

Microsoft Offers Better Security with System-Preferred Multi-Factor Authentication

To increase security, Microsoft has launched an authentication feature called system-preferred multi-factor authentication. It lets the backend of Microsoft services such as Microsoft 365 or Azure choose the best login method, including the second factor, instead of leaving the choice to the end user. The feature is not enabled by default, however: administrators have to activate it by rolling it out to their users via the Azure portal or the Graph API.

MFA Is Not Always Safe

According to Microsoft, MFA is not always as secure as users think. In most cases, users put convenience before safety. For instance, they prefer to receive an SMS message on their phone even though authenticator apps are safer. SMS messages and voice calls are not safe because they are easily intercepted, leaving user accounts vulnerable to cyber-attacks.

Microsoft’s Recommended Multi-Factor Authentication Methods

If the administrator enables system-preferred MFA, users are automatically prompted with the most reliable authentication method available. Microsoft recommends a temporary access pass as the best, followed by certificate-based authentication and FIDO2 security keys, with push notifications through Microsoft Authenticator coming fourth. Time-based one-time passwords (TOTP) are better than SMS and voice calls, which are the most insecure. Administrators can also restrict some authentication methods for their users.
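The selection rule described above can be modelled offline to see which users would still sign in with SMS or voice once the feature is on. This is an added example, not Microsoft's code; the method labels, function names and sample users are assumptions made for illustration.

```python
# Ranking as listed in the article, strongest first. The short labels are
# this example's own names, not Microsoft Graph identifiers. The article
# ranks SMS and voice together as weakest; their relative order is arbitrary.
PREFERENCE = [
    "temporary_access_pass",
    "certificate",
    "fido2",
    "authenticator_push",
    "totp",
    "sms",
    "voice",
]
WEAK = {"sms", "voice"}


def system_preferred(registered, disabled=frozenset()):
    """Return the strongest usable method, or None if nothing usable is registered."""
    usable = {m.lower() for m in registered} - set(disabled)
    unknown = usable - set(PREFERENCE)
    if unknown:
        raise ValueError(f"unranked method(s): {sorted(unknown)}")
    return next((m for m in PREFERENCE if m in usable), None)


def audit(users, disabled=frozenset()):
    """Map each user to (selected method, finding) so weak sign-ins stand out."""
    report = {}
    for name, registered in users.items():
        chosen = system_preferred(registered, disabled)
        if chosen is None:
            finding = "no usable method: user must register one"
        elif chosen in WEAK:
            finding = "still on SMS/voice: register a stronger method"
        else:
            finding = "ok"
        report[name] = (chosen, finding)
    return report


# Constructed sample data, not taken from any real tenant.
SAMPLE_USERS = {
    "alice": ["sms", "totp", "authenticator_push"],
    "bob": ["voice", "sms"],
    "carol": ["fido2", "sms"],
    "dave": [],
}

if __name__ == "__main__":
    for user, (method, finding) in audit(SAMPLE_USERS, disabled={"voice"}).items():
        print(f"{user:6} {method or '-':22} {finding}")
```

Passing a method in `disabled` models the administrator restricting it, which shows who would be left without any usable method before the restriction is applied.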

What’s Next for Microsoft?

Microsoft is expected to activate system-preferred MFA for all tenants soon, although a specific timetable has not been announced. Users of AD FS or the Network Policy Server (NPS) extension are exempt from system-preferred MFA. In the long term, Microsoft plans to deactivate these passcodes, meaning administrators will have to disable them themselves to ensure that their users are safe.
