Like cleaning out your garage, the death of passwords is lots of talk and little action. The stakes are higher than ever, with more than 4 out of 5 data breaches leveraging stolen or weak credentials. Multi-factor authentication (MFA) can reduce the effectiveness of stolen credentials, but as long as the password is still in play, MFA will only have a band-aid effect on the overall security problem. Removing the password altogether, even with MFA, is a better alternative for high-risk cloud applications like Office 365 (O365).
For its 120 million active users, O365 is the home of business-critical data. Almost a fifth of this data resides in OneDrive and SharePoint. It includes everything from financial records to social security numbers and protected health information. To protect O365, you need to understand all of its various attack vectors. Fortunately, the most common attacks share a strategy – exploit the weakest link! For many organizations, this happens to be their employees, specifically those with vulnerable credentials.
There are almost 2 billion usernames and passwords traded on black-market forums, all of which can be tested against O365 in different variations. While there are security measures against brute-force attacks, attackers can circumvent them with some creativity. Senior employees at Fortune 2000 companies were the recent target of attacks originating from instances hosted on cloud service platforms. Attackers concealed their username guesses with a slow and low strategy – pacing the attempts over a few months, and spreading them across multiple IPs, to avoid lockouts or detection. With the username confirmed, they attempted authentication with one shot at the password – they likely had a good idea of what it was.
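The slow and low pattern described above is hard to catch with per-IP or per-burst lockout counters, because each source stays under the threshold. As an added example (not from the original article or from Specops), the following Python looks for the pattern instead: failures against one account spread over weeks and across many IPs, followed by a success from one of those IPs. The sign-in events, field layout and thresholds are constructed assumptions, not real tenant telemetry or tuned values.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events, not real tenant telemetry:
# (ISO timestamp, user, source IP, outcome). The cfo@ rows mimic the pattern the
# article describes: a few failures, weeks apart, each from a different IP.
SAMPLE_EVENTS = [
    ("2018-01-03T02:14:00", "cfo@example.com", "198.51.100.10", "failure"),
    ("2018-01-19T03:41:00", "cfo@example.com", "203.0.113.22", "failure"),
    ("2018-02-26T04:30:00", "cfo@example.com", "203.0.113.9", "failure"),
    ("2018-03-15T02:50:00", "cfo@example.com", "192.0.2.45", "failure"),
    ("2018-03-16T08:00:00", "cfo@example.com", "192.0.2.45", "success"),
    # Benign: a user mistypes twice from the usual office address, then signs in.
    ("2018-03-15T09:00:00", "alice@example.com", "192.0.2.200", "failure"),
    ("2018-03-15T09:01:00", "alice@example.com", "192.0.2.200", "failure"),
    ("2018-03-15T09:02:00", "alice@example.com", "192.0.2.200", "success"),
]

def low_and_slow_suspects(events, min_span_days=30, min_ips=3, max_per_ip=2):
    """Accounts whose failures are spread over a long period and many IPs, with so
    few tries per IP that a per-IP or per-burst lockout never fires.
    The threshold defaults are assumed starting points, not tuned values."""
    failures = defaultdict(list)  # user -> [(time, ip), ...]
    for ts, user, ip, outcome in events:
        if outcome == "failure":
            failures[user].append((datetime.fromisoformat(ts), ip))
    suspects = {}
    for user, rows in failures.items():
        times = [t for t, _ in rows]
        span_days = (max(times) - min(times)).days
        per_ip = defaultdict(int)
        for _, ip in rows:
            per_ip[ip] += 1
        wide = len(per_ip) >= min_ips and max(per_ip.values()) <= max_per_ip
        if span_days >= min_span_days and wide:
            suspects[user] = {"failures": len(rows), "distinct_ips": len(per_ip),
                              "span_days": span_days}
    return suspects

def success_from_spraying_ip(events, suspects):
    """Suspects for which a later success came from an IP that had already failed
    against the account: the 'one shot at the password' step."""
    failed_ips, hits = defaultdict(set), {}
    # ISO timestamps sort in time order, so a plain sort replays events in sequence.
    for ts, user, ip, outcome in sorted(e for e in events if e[1] in suspects):
        if outcome == "failure":
            failed_ips[user].add(ip)
        elif ip in failed_ips[user]:
            hits[user] = ip
    return hits
```

Run against a real sign-in export, the same two passes give a shortlist of accounts to review and to prioritize for password-less MFA enrolment.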
Not all attacks need that level of sophistication to succeed. The classic phishing email can take the form of an automated email alert from Microsoft, or a document to review from a colleague. Typically, it tricks the user into entering their credentials on a malicious web page made to look like the O365 login page. Despite security measures such as Microsoft’s reputation-based filtering, malicious emails are slipping through. In fact, a recent analysis of 10.7 million inbound emails found that the O365 email service allowed 34,077 phishing emails and 3,900 malware attachments. These may represent a small percentage of the total emails delivered, but that does not take away from the risk, or inconvenience, they pose. After all, it only takes a single email to compromise security. Password phishing and malware keyloggers are designed specifically to steal credentials, so taking away the password is an effective barrier.
Whether the foothold comes from brute force or the more common phishing attempt, getting access to just one account can lead to more advanced attacks. Compromised accounts are the best way to launch these attacks, since little emphasis is placed on monitoring internal emails. A recent study revealed that more than two-thirds of organizations have at least one compromised account each month.
Credential-based attacks are preventable with MFA. That is not to say there will not be other vulnerabilities to exploit. Take the combination of passwords and SMS codes for MFA. The first factor is inherently vulnerable. As for SMS codes, with some determination hackers can bypass wireless carriers and intercept or redirect the codes. At one point, the National Institute of Standards and Technology (NIST) called for the deprecation of SMS, but later softened the recommendation in its Digital Authentication Guidelines.
You do not need a password, or SMS codes, to achieve MFA in O365. Specops Authentication for O365 brings us a little bit closer to the password-less reality. Designed to increase security, the solution replaces the password with high trust identity providers (Duo Security and Symantec VIP), authenticator apps (Google and Microsoft Authenticator), and even a biometric option using the fingerprint reader feature embedded in most smartphones.
Naturally, with any third-party solution, one has to consider where their data is going. Going password-less sounds great, but not if it creates a bigger attack surface. Specops Authentication is installed inside your Active Directory, and keeps user data on-premises. Group Policy drives permissions, removing the need to duplicate or map your directory to additional systems.
If you are a security conscious O365 administrator, you may have already considered MFA as a means to secure the authentication process. Now you can do so without requiring the password as the first authentication factor. Replacing the O365 password with high trust identity providers improves authentication security.