It happened again: Microsoft Azure Multi-Factor Authentication (MFA) went down. About a week ago, an MFA outage affected thousands of Azure and Office 365 users, who were unable to access their accounts once their mobile devices could no longer deliver the required second factor to log in. People complained for hours about how their services had become inaccessible and how they couldn’t perform their normal day-to-day operations because the outage kept them from doing their jobs. I say shame on you, Microsoft, for putting your customers in this situation.
But also shame on you, Microsoft customers (and by extension IT service providers), for not being smarter about your reliance on MFA. Technology downtime should never impact the business in such a major way.
I can hear the outrage already:
“Wait, what? Some nerve you have, blaming US for an outage of a cloud service. We pay good money for something that is supposed to have 99.9% uptime!”
To be honest, I am not blaming MFA customers for the outage. I am blaming them for being completely put out of work by something as simple as two-factor authentication downtime. Too many times I see people using MFA as an on/off switch, without a clear plan or design for when MFA is actually needed. Mike Tyson once said, “Everyone has a plan until they get punched in the face.” Well, consider this outage your proverbial punch in the face. If you were unable to work because a second security layer failed, you clearly have not done your due diligence on two things:
- What is the plan when MFA goes offline? Although we expect constant uptime, it’s a fact of life and technology that things always fail at some point. So what’s the plan for when that happens? While reputable service providers should have their own plan in place for downtime, customers should always have a backup for the backup plan. Working with cloud services is not an excuse to be lazy or to leave crucial things like outage plans out of your service design.
- How important is it for us to require MFA to ALWAYS be enabled? Is MFA indeed an on/off switch, or can we just deploy MFA where it is really necessary?
The reality is that MFA is not always needed. Simply put, too many people look at MFA as an on/off switch because they don’t know how to configure MFA properly or maybe are (dare I say it?) too lazy to deploy it thoughtfully.
When you already work in a controlled environment, such as your office, on a laptop or desktop with the necessary security measures in place (a device management suite, for example), what is the added value of MFA? Security measures need to be in place to protect your end users and devices in unsafe environments, where the risk of users and devices being compromised is highest. If you consider your own office an unsafe place, you probably have bigger problems than MFA. As with overly complex passwords and frequent forced password changes, unbalanced security measures lead end users to actively circumvent your efforts. When that happens, your security plan (even if you have one) goes out the door anyway.
Microsoft Azure has a service for exactly these cases. It is the same service you have been using for your MFA: Azure Active Directory, which includes a feature called “Conditional Access.” It lets you define the scenarios in which you actually require MFA and those in which you don’t. It helps you be selective in your use of MFA and lets people work ‘normally’ in a safe environment. It gives your end users confidence that they are being taken care of, and when the MFA prompt does come up, they also get the mental note that they are currently in an unsafe environment and should behave more carefully than they normally would in the office.
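As an added example (not code from the original post), here is how such a policy can be built with the Microsoft Graph PowerShell SDK: the office egress range becomes a trusted named location, one policy requires MFA for all users on all cloud apps except from trusted locations, and an emergency-access (“break-glass”) account is excluded so administrators can still sign in if the MFA service itself is down. The SDK, the `Microsoft.Graph.Identity.SignIns` module, the `Policy.ReadWrite.ConditionalAccess` permission, the 203.0.113.0/24 range and the break-glass user principal name are assumptions for illustration; substitute your own values.

```powershell
# Added example, not from the original post. Assumes the Microsoft Graph
# PowerShell SDK (module Microsoft.Graph.Identity.SignIns) and an admin with
# Policy.ReadWrite.ConditionalAccess, Policy.Read.All and User.Read.All.
# The IP range and the account name below are placeholders.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All'

# 1. Register the office egress range as a *trusted* named location.
#    Policies can then exclude "AllTrusted" instead of listing addresses.
$officeLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'HQ office egress'
    isTrusted     = $true
    ipRanges      = @(
        # Placeholder range (TEST-NET-3); use your real public egress CIDR(s).
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' }
    )
}

# 2. Look up the emergency-access account. It is excluded from the policy so a
#    second-factor outage never locks every administrator out of the tenant.
#    Protect this account by other means (long random password, alerting on use).
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.onmicrosoft.com'"  # placeholder UPN

# 3. Require MFA for all users on all cloud apps, except from trusted locations.
#    Report-only mode logs what the policy *would* do without enforcing it, so
#    you can see exactly who would be prompted before turning it on.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Require MFA outside trusted locations'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlass.Id)
        }
        applications = @{ includeApplications = @('All') }
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')   # the office location created above
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

# 4. After reviewing the report-only results in the sign-in logs, enforce it.
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{ state = 'enabled' }
```

Two caveats a practitioner should keep in mind: Conditional Access is a licensed Azure AD Premium feature, and a trusted-location exclusion exempts everyone who reaches the cloud from that network, so it only makes sense alongside the device-management controls the post assumes are already in place in the office. Run the policy in report-only mode first and read the sign-in logs before switching it to enforced.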
So, back to the original statement: would this have protected you 100% against the MFA outage? No, but people working in a secure environment wouldn’t have been affected by it, because no MFA prompt would have been issued to them. Like I said, consider this outage your wake-up call. Having a security plan is one thing; having a balanced security plan, with attention to end-user convenience as well as to the possibility that certain services can and will go offline, might be an even better approach.