Multi factor authentication is probably the single most vital thing a SysAdmin can enable to improve the security of accounts under their control. Adding that extra layer of security is often enough to protect accounts even when the password is compromised.
But it’s not infallible.
By default, Microsoft configures users to use the authentication prompt from the app, which lets users approve or deny a login with a single click. Easy. But what if they’re not paying attention? Users are busy people, they don’t have time for this cyber security stuff. After a while they get so used to clicking approve that it becomes second nature. Prompt comes up, approve, prompt gone. Move on.
All well and good, until it’s not.
So what can you do to improve this? I suggest moving high value users to one-time passcodes instead. It’s slightly less convenient, they have to open the app and type in the code, but it means that even if someone has their password and is trying to login, they can’t accidently approve the login.
- Once logged into Microsoft 365, click your profile picture (top right), click view account, then click Security Info.
- It will say ‘Default sign-in method: Microsoft Authenticator – notification’. Click change.
- Select ‘Authenticator app or hardware token – code’ from the dropdown list and click confirm.
From now on, if multi-factor authentication is required, you will be asked to input the code.
Don’t get me wrong, one-time passcodes are not 100% secure either. But they make the user have to do something that requires thought, and takes away the potential for someone to approve a malicious login without thinking.
SysAdmin Tales 
Leave a Reply