Applying MFA to access cloud services
A guide to using multi-factor authentication (MFA) to secure your cloud services.
Organisations access their data and services hosted in the cloud over an internet connection. If access control to that information is not secure, it is under threat from online criminals all over the world. In recent years there has been an increasing number of attacks on cloud services, using techniques to steal users’ passwords in order to access their accounts. Microsoft reports that there are over 300 million fraudulent sign-in attempts to their cloud services every day. Most data breaches involve weak, default or stolen passwords.
The average person needs to remember 70-130 passwords, so it is hardly surprising that a 2019 Google survey found that 65% of people reuse the same password for multiple or all accounts. When people reuse the same password across numerous accounts, a breach of just one of those accounts puts the username and password into the hands of cyber criminals, and every other account that shares that password becomes vulnerable.
Organisations are increasingly using cloud services as a way to remotely share access to their company files, and this frequently includes the personal data of customers. Although the security in many cloud services is far superior to anything a small organisation can arrange for itself, if access to those services is protected by a password alone, this introduces a significant vulnerability to the confidentiality, integrity and availability of the organisation’s data.
It is now considered essential to add the extra step of multi-factor authentication (MFA) when configuring access to all cloud services. MFA means that, in addition to a password, account holders are asked to prove their identity in one or more other ways. This could be a code sent to another device, such as a text message to a mobile phone, or a single-use code generated by an authenticator app or physical token.
All cloud services are in scope for Cyber Essentials and multi-factor authentication is required for access to all cloud services.
What type of MFA is acceptable?
Multi-factor authentication requires the user to have two or more types of credentials before being able to access an account.
The NCSC recommends the following forms of MFA, in order of effectiveness:
Using a physically separate extra factor - such as a FIDO2 key
Using an authenticator app on a trusted device as an extra factor - such as Google Authenticator or Microsoft Authenticator
Using an app-based code generator - an app is used to generate a one-time code
Using a hardware-based code generator - a physical token is used to generate a code
Using a message-based method - an email, SMS message or voice call
See the page at https://www.ncsc.gov.uk/collection/mfa-for-your-corporate-online-services/recommended-types-of-mfa for details.
MFA will not necessarily be requested every time a user connects to a cloud service; however, there will be crucial occasions when the extra factor must be checked to fully authenticate a user. These might include:
Logging on to a service using a device that they have not used before. It may be necessary to opt in to the service remembering the device by selecting a ‘remember my device’ option.
Logging on to a service that has a higher impact if it is compromised, such as an email account or online banking.
When performing high risk actions – such as changing a password or transferring money.
When the authentication has been determined as high risk, such as the connection coming from a different part of the world than is normal for that user.
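The four triggers listed above are what a service’s sign-in policy evaluates on every attempt. The following added example (not from the original page or any particular cloud provider) shows one way to express that policy: a `mfa_reasons` function returns why an attempt must present the extra factor, and a “remember my device” opt-in is honoured by trusting the device for a limited period. The service names, action names, the 30-day trust period and the sample sign-ins are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Policy tables (assumed for this example; a real deployment tunes them).
HIGH_IMPACT_SERVICES = {"email", "online-banking"}
HIGH_RISK_ACTIONS = {"change_password", "transfer_money", "enrol_mfa_device"}
DEVICE_TRUST_DAYS = 30  # how long a "remember my device" opt-in lasts


@dataclass
class SignIn:
    user: str
    service: str
    device_id: str
    country: str
    at: datetime
    action: str = "login"
    remember_device: bool = False


@dataclass
class UserProfile:
    usual_countries: set
    trusted_devices: dict = field(default_factory=dict)  # device_id -> trust expiry


def mfa_reasons(signin: SignIn, profile: UserProfile) -> list:
    """Return the reasons this sign-in must check the extra factor (empty = password suffices)."""
    reasons = []
    expiry = profile.trusted_devices.get(signin.device_id)
    if expiry is None or expiry <= signin.at:
        reasons.append("device not previously used (or trust expired)")
    if signin.service in HIGH_IMPACT_SERVICES:
        reasons.append(f"{signin.service} is a high-impact service")
    if signin.action in HIGH_RISK_ACTIONS:
        reasons.append(f"high-risk action: {signin.action}")
    if signin.country not in profile.usual_countries:
        reasons.append(f"sign-in from unusual location: {signin.country}")
    return reasons


def record_mfa_success(signin: SignIn, profile: UserProfile) -> None:
    """Called once the extra factor has been verified: honour the remember-my-device opt-in."""
    if signin.remember_device:
        profile.trusted_devices[signin.device_id] = signin.at + timedelta(days=DEVICE_TRUST_DAYS)


def evaluate(attempts, profiles):
    """Run the policy over a sequence of attempts, assuming each challenged user passes MFA.
    Returns a list of (user, service, reasons) in attempt order."""
    results = []
    for attempt in attempts:
        profile = profiles[attempt.user]
        reasons = mfa_reasons(attempt, profile)
        results.append((attempt.user, attempt.service, reasons))
        if reasons:
            record_mfa_success(attempt, profile)
    return results


# Constructed sample data: one user whose normal location is GB.
NOW = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
ATTEMPTS = [
    SignIn("alice", "file-share", "laptop-1", "GB", NOW, remember_device=True),  # new device
    SignIn("alice", "file-share", "laptop-1", "GB", NOW + timedelta(days=1)),    # now trusted
    SignIn("alice", "email", "laptop-1", "GB", NOW + timedelta(days=1)),         # high impact
    SignIn("alice", "file-share", "laptop-1", "GB", NOW + timedelta(days=2), action="change_password"),
    SignIn("alice", "file-share", "laptop-1", "BR", NOW + timedelta(days=3)),    # unusual country
    SignIn("alice", "file-share", "laptop-1", "GB", NOW + timedelta(days=40)),   # trust expired
]

if __name__ == "__main__":
    for user, service, reasons in evaluate(ATTEMPTS, {"alice": UserProfile(usual_countries={"GB"})}):
        print(user, service, "MFA required: " + "; ".join(reasons) if reasons else "password only")
```

Note that device trust is time-limited rather than permanent, and that a trusted device does not bypass the service-impact, action or location triggers: each condition is evaluated independently and any one of them is enough to demand the extra factor.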
MFA is an extra barrier that creates a layer of security which is incredibly difficult for attackers to get past. When MFA is enabled, knowing or cracking the password alone is not enough. It is estimated that 99.9% of attacks can be blocked with MFA.