Microsoft has confirmed that it will introduce mandatory Multi-Factor Authentication (MFA) for its Cloud Solution Provider (CSP) programme and other partners.
A Microsoft spokesperson told Computer Business Review that: “We are introducing new mandatory security requirements for the partners participating in the Cloud Solution Provider (CSP) program, Control Panel Vendors, and Advisor partners.”
“This includes enforcing multi-factor authentication for all users in the partner tenants and adopting the secure application model for their API integration with Microsoft.”
Microsoft expects the policy change to be rolled out over the coming months. It says it has informed partners of the changes and will begin enforcement soon.
CSPs are licence partners and resellers who help organisations set up and operate their Office365 and Azure accounts, among other Microsoft services.
Typically, when companies buy licences from partners who resell Microsoft products, those partners are granted administrative privileges, as these are required to set up the company’s administrator accounts.
The resulting risk: if the account of an admin at the CSP is compromised, a threat actor may gain full access to all of the customer’s data, files and communications, because security layers such as MFA are absent.
Microsoft Multi-Factor Authentication Follows Others
Multi-factor authentication (MFA) and two-factor authentication (2FA) are increasingly being made mandatory by organisations as they try to counter the prevalence of phishing attacks and automated bot networks orchestrating credential stuffing attacks.
The use of MFA is highly recommended by organisations including the National Cyber Security Centre (NCSC), which notes: “The bad guys have got really good at compromising passwords and they have a lot of tools at their disposal.”
“Using a separate password for every service protects you against some of these, but not all, and it’s impossible for someone to do this across all their passwords without help of some kind. Multi-factor authentication (MFA), on the other hand, buys a lot of additional security for relatively little pain, and this is always going to be a good thing.”
In 2017 Google required all of its employees to use 2FA and issued nearly all of them with USB-based 2FA security keys. These keys replaced one-time codes and passwords alone as the norm at Google. The measures appear to have been highly successful: Google stated last year that none of its employees, numbering above 85,000 at the time, had fallen victim to a phishing attack.
Arnar Birgisson, Software Engineer, and Christiaan Brand, Product Manager, wrote in a Google security blog post: “At Google, we automatically block the overwhelming majority of malicious sign-in attempts (even if an attacker has your username or password), but an additional layer of protection can be helpful.”
“While any form of 2SV, like SMS text message codes and push notifications, improves the security of your account, sophisticated attackers can skirt around them by targeting you with a fake sign-in page to steal your credentials.”