Forum Discussion
ABaerst
Feb 01, 2018 | Brass Contributor
O365 MFA Mobile App Security Concern
We have implemented MFA in a broad section of test users. MFA was on the deployment plan, but it's getting fast tracked to mitigate an all out barrage of phishing attacks recently that specifically t...
Feb 02, 2018
I agree that if a user is tricked into giving away their password, it is likely that the same user could also be duped into happily pressing a button on their phone, especially if the memo from IT says "you will soon receive a pop-up box on your phone, don't worry, that's just us, please authorize that." Sigh.
Here are some things that may help you:
1) In the MFA service settings page, uncheck the option for "Notification through mobile app", leaving only "Text message to phone" or "Verification code from mobile app":
https://account.activedirectory.windowsazure.com/UserManagement/MfaSettings.aspx
2) Consider investing in an Azure AD Premium P1 license, as this provides an additional conditional access feature where you can block users who are not domain joined or are not enrolled in Intune... You can also implement IP fencing rules to block countries that you don't do business with. For example, a lot of phishing is originating from IP addresses associated with Nigeria, so you could block all IPs from logging in from that country.
3) Simulate phishing attacks, then follow up with user training.
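The service-settings checkbox in point 1 is tenant-wide, but users who already enrolled keep a per-user default method, so it helps to know who is still set to approve sign-ins with a single tap. The script below is an added example, not code from the thread or from Microsoft; it assumes the legacy MSOnline PowerShell module (Connect-MsolService / Get-MsolUser / Set-MsolUser) and the StrongAuthenticationMethods property those cmdlets expose. It reports users whose default is PhoneAppNotification and, for users who also registered the app's one-time code, moves the default to PhoneAppOTP.

```powershell
# Added example (not part of the original thread). Assumes the MSOnline module.
# Audit: which MFA-enrolled users still default to push notification approval?
Connect-MsolService

$report = Get-MsolUser -All |
    Where-Object { $_.StrongAuthenticationMethods.Count -gt 0 } |
    ForEach-Object {
        $default = $_.StrongAuthenticationMethods | Where-Object { $_.IsDefault }
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            DefaultMethod     = $default.MethodType
            AllMethods        = ($_.StrongAuthenticationMethods.MethodType -join ', ')
        }
    }

# PhoneAppNotification = the one-tap approval prompt discussed above.
$pushDefault = $report | Where-Object { $_.DefaultMethod -eq 'PhoneAppNotification' }
$pushDefault | Format-Table -AutoSize
$pushDefault | Export-Csv -Path .\mfa-push-default.csv -NoTypeInformation

# Remediation: switch the default to the app's verification code (PhoneAppOTP)
# only for users who already have that method registered, so nobody is locked out.
foreach ($u in $pushDefault) {
    $methods = (Get-MsolUser -UserPrincipalName $u.UserPrincipalName).StrongAuthenticationMethods
    if ($methods.MethodType -contains 'PhoneAppOTP') {
        foreach ($m in $methods) { $m.IsDefault = ($m.MethodType -eq 'PhoneAppOTP') }
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongAuthenticationMethods $methods
        Write-Output "Default method for $($u.UserPrincipalName) set to PhoneAppOTP"
    }
    else {
        Write-Warning "$($u.UserPrincipalName) has no PhoneAppOTP registered; left unchanged"
    }
}
```

Run the audit portion first and review the CSV before enabling the remediation loop; users who only registered push will need to re-register the app (or text message) before their default can be moved away from push.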
VasilMichev
Feb 02, 2018 | MVP
Well, there is no protection against oblivious users. But you definitely have a point here, and it's more and more relevant nowadays with the shift towards passwordless auth. Personally, I don't think that using MFA as primary auth is in any way more secure than a password. Sure, it's convenient, no doubt about it. But without proper user education and additional controls, it's right there in the same boat as Password123.