Microsoft Details Causes & Prevention of Recent Office 365 Multi-Factor Failure
Multi-factor authentication is meant to lock out cyber attackers. What happened instead last November 19 was that legitimate users of Microsoft Office 365 were locked out for hours from their accounts.
For 14 hours, between 4:39 UTC and 18:38 UTC last November 19, users of Microsoft Azure AD Multi-Factor Authentication (MFA) services were locked out from their accounts. These include users of Office 365, Azure, Dynamics and other services which use Azure Active Directory for authentication. The outage affected users in Europe, Asia and the Americas regions, including the U.S. Government and the U.K. Parliament.
According to Microsoft, the following 4 reasons contributed to the Azure AD Multi-Factor Authentication (MFA) service outage:
The first cause of the outage identified by Microsoft was the latency issue in the MFA frontend’s communication to its cache services. This issue started under high load once a particular traffic threshold was reached. This first cause, according to Microsoft, more likely triggered the second cause.
The second cause of the outage identified by Microsoft was a race condition in processing responses from the MFA backend server, leading to the recycles of the MFA frontend server processes, which then triggered additional latency and triggered the third cause of the outage.
The first two causes, according to Microsoft, were the result of an update introduced in some datacenters on 13 November 2018 and completed on 16 November 2018.
The third cause of the outage identified by Microsoft was the accumulation of processes on the MFA backend which resulted in resource exhaustion on the backend making it unable to process any further requests from the MFA frontend.
The fourth cause of the outage identified by Microsoft involved the “gaps” in telemetry and monitoring for the MFA services which resulted in the delay of the identification and understanding of the first three causes and caused delay in mitigating the problem.
Microsoft added that incident communications about the outage weren’t promptly sent to the Service Health blade in the management portal for all impacted customers.
Microsoft extended its apology to its customers and vowed to implement the following preventive measures to ensure that the outage won’t happen again:
. Review update deployment procedures to better identify similar issues during development and testing cycles (completion by Dec 2018)
. Review monitoring services to identify ways to reduce detection time and quickly restore service (completion by Dec 2018)
. Review containment process to avoid propagating an issue to other datacenters (completion by Jan 2019)
. Update communications process to the Service Health Dashboard and monitoring tools to detect publishing issues immediately during incidents (completion by Dec 2018)
Importance of Microsoft Azure AD Multi-Factor Authentication (MFA)
Multi-Factor Authentication, also known as MFA, is an added security measure to the username and password combination, preventing attackers to access an account despite knowing the username and password combination as an additional authentication method is required. Only after this additional authentication method is satisfied that a user can sign in.
Even a very complex username and password combination is no longer sufficient to ensure security. Users have the habit of reusing passwords in different accounts. Sophisticated phishing attacks and other social engineering attacks could expose these username and password combinations. Many of these stolen username and password combinations are sold online and some are even leaked online for free.
This additional authentication method on top of a username and password combination is essential in today’s connected business environment. Today’s corporate network is accessed using smartphones, tablets, personal computers and laptops.
Microsoft Office 365 uses multi-factor authentication to help provide an extra layer of security. Office 365 is Microsoft’s subscription service that offers desktop apps that people are familiar with, including Word, PowerPoint and Excel. It also has an extra online storage and cloud-connected features that allows collaboration on files in real time. You can also add your organization’s domain name to Office 365 to create domain-based email addresses.
Additional authentication method or second authentication factor in Microsoft Office 365includes call to phone, verification code from mobile app, notification through mobile app and text message to phone.
Call to Phone
In call to phone, an automated voice call is placed. To authenticate, the user answers the call and by pressing # in the phone keypad.
Verification Code from Mobile App
In verification code from mobile app, Microsoft Authenticator app generates a new verification code every 30 seconds. To authenticate, the user enters the verification code into the sign-in interface.
Notification through Mobile App
In notification through mobile app, a notification is sent to a registered phone or device. To authenticate, the user views the notification and selects “Approve”.
Text Message to Phone
In text message to phone, a text message containing a verification code is sent to a registered phone or device. To authenticate, the user is prompted to enter the verification code into the sign-in interface. This process is called “one-way SMS”. In a “two-way SMS”, the user must text back a particular code.
Aside from the additional layer of security, the following are the additional benefits of using a Microsoft Azure AD Multi-Factor Authentication (MFA):
It’s easy to use.
This MFA is easy for administrators to set up, use and monitor. On the part of the users, this MFA is easy to activate and use.
It’s scalable.
This MFA can be implemented for any number of users.
It’s reliable.
Even with the recent outage, Microsoft guarantees 99.9% availability of this multi-factor authentication.
When you have Microsoft Office 365, general IT and cybersecurity questions, our certified experts are a phone call away. Call GenX today at (416) 920-3000