Applying MFA to access cloud services

A guide to using multi-factor authentication (MFA) to secure your cloud services.

Organisations access their data and services hosted in the cloud over an internet connection. If access control to that information is not secure, it is under threat from online criminals all over the world. In recent years there has been an increasing number of attacks on cloud services that use techniques to steal users' passwords and access their accounts. Microsoft reports that there are over 300 million fraudulent sign-in attempts to its cloud services every day. Most data breaches involve weak, default or stolen passwords. The average person needs to remember 70-130 passwords, so it is hardly surprising that a 2019 Google survey found that 65% of people reuse the same password for multiple or all accounts. When people reuse the same password across numerous accounts and just one of those accounts is breached, the username and password fall into the hands of cyber criminals and every other account that shares that password becomes vulnerable.

Organisations are increasingly using cloud services as a way to remotely share access to their company files, and this frequently includes the personal data of customers. Although the security in many cloud services is far superior to anything a small organisation could put in place for itself, if access to those services is protected by a password alone, this introduces a significant vulnerability to the confidentiality, integrity and availability of the organisation's data.

It is now considered essential to configure access to all cloud services with the extra step of multi-factor authentication (MFA). MFA means that, in addition to a password, account holders are asked to prove their identity in one or more other ways. This could be a code sent to another device, such as a text message to a mobile phone, or a single-use code generated by an authenticator app or physical token.

All cloud services are in scope for Cyber Essentials and multi-factor authentication is required for access to all cloud services.

What type of MFA is acceptable?

Multi-factor authentication requires the user to present two or more types of credential before being able to access an account.

There are four types of additional factor that may be considered for businesses:

A trusted device: MFA techniques that use a trusted device rely on the knowledge that a user possesses a specific device (e.g. a company computer) to prove they are who they say they are. Organisations can configure cloud services to only accept authentication attempts from within their trusted enterprise networks. This ensures that users can only authenticate if they are either directly connected to that trusted network or have remote access to it over a virtual private network (VPN). In addition to, or as an alternative to, using a VPN, remote workers can be restricted to accessing online services only from trusted devices that are managed by the organisation. (See guidance about VPNs.)

An application: An authenticator app generates a single-use password that changes every minute. Alternatively, an app can receive push notifications that prompt the user to confirm or deny that they are currently trying to log in to a named service.

A physically separate token: These techniques use the knowledge that a user has a *physical security token, which proves they are who they say they are. Some types require the user to unlock them before use; others just require proof of possession.
*Examples of physically separate tokens are FIDO Universal 2nd Factor (U2F) authenticators such as YubiKey, smartcards that are unlocked by a PIN code, and devices such as RSA tokens and chip-and-PIN card readers which generate a single-use code each time a user logs in.

A known trusted account: These techniques send codes to a registered email address or phone number.
The service sends an SMS message containing a single-use code, or makes a voice call in which a single-use code is read out, to the phone number registered for that user. An SMS message is not the most secure type of MFA, but it still offers a huge advantage over not using any MFA. Alternatively, the service emails a single-use code to an email address registered for that user. A code for the user to type in is preferable to a clickable link, as it is difficult for a user to distinguish between a legitimate email and a phishing email.

MFA will not be necessary every time a user connects to a cloud service; however, there will be crucial occasions when the extra factor must be checked to fully authenticate a user. These might include:
* Logging on to a service using a device that they have not used before. It may be necessary to opt in to the service remembering the device by selecting a ‘remember my device’ option.
* Logging on to a service that has a higher impact if it’s compromised, such as an email account or online banking.
* When performing high risk actions – such as changing a password or transferring money.
* When the authentication has been determined as high risk, such as the connection coming from a different part of the world than is normal for that user.
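As an added example that is not part of this guide, the following Python encodes the four step-up conditions above as a policy decision: it reports why a given sign-in needs the second factor, and implements the ‘remember my device’ opt-in with an expiry so a remembered device does not stay trusted forever. The service names, action names and 30-day lifetime are this example's own assumptions, not values from any product.

```python
from dataclasses import dataclass, field

# Constructed policy tables for the example (assumed, not from any product).
HIGH_IMPACT_SERVICES = {"email", "online-banking"}
HIGH_RISK_ACTIONS = {"change_password", "transfer_money"}
REMEMBER_DEVICE_SECONDS = 30 * 24 * 3600  # how long 'remember my device' lasts


@dataclass
class UserProfile:
    username: str
    usual_countries: set = field(default_factory=set)
    # device_id -> expiry time; filled only after a successful MFA with opt-in
    remembered_devices: dict = field(default_factory=dict)


@dataclass
class SignInAttempt:
    device_id: str
    service: str
    country: str
    action: str = "read"
    at_time: int = 0


def mfa_reasons(profile: UserProfile, attempt: SignInAttempt) -> list:
    """Return why this sign-in needs the extra factor; an empty list means the
    password alone is enough under this policy."""
    reasons = []
    expiry = profile.remembered_devices.get(attempt.device_id)
    if expiry is None or attempt.at_time >= expiry:
        reasons.append("device not remembered")
    if attempt.service in HIGH_IMPACT_SERVICES:
        reasons.append("high-impact service")
    if attempt.action in HIGH_RISK_ACTIONS:
        reasons.append("high-risk action")
    if profile.usual_countries and attempt.country not in profile.usual_countries:
        reasons.append("unusual location")
    return reasons


def complete_mfa(profile: UserProfile, attempt: SignInAttempt, remember_me: bool) -> None:
    """Call only after the second factor has been verified; honour the opt-in."""
    if remember_me:
        profile.remembered_devices[attempt.device_id] = attempt.at_time + REMEMBER_DEVICE_SECONDS
```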

MFA is an extra barrier that creates a layer of security which is very difficult for attackers to get past. When MFA is enabled, knowing or cracking the password won’t be enough. It is estimated that 99.9% of attacks can be blocked with MFA.