What is single-factor authentication (SFA), two-factor authentication (2FA), and multi-factor authentication (MFA), and why is more than one factor of authentication vital to security? First, here are the definitions:

What is Single-factor Authentication (SFA)?
Single-factor authentication is the simplest form of authentication method. With SFA, a person matches one credential to verify himself or herself online. The most common example is a password (credential) paired with a username. Most verification today uses this type of authentication method.

What is Two-factor Authentication (2FA)?
Two-factor authentication uses the same password/username combination, but adds a check that the person possesses something only he or she owns, such as a mobile device. Put simply: it uses two factors to confirm an identity.

What is Multi-factor Authentication (MFA)?
Multi-factor authentication uses a combination of the following factors: something you know, something you have, and something you are. 2FA is a subset of MFA, and you can read more on the difference between the two in Chris Webber's blog, Two-Factor vs. Multi-Factor Authentication. For more definitions, check out our cybersecurity glossary.

What are the Risks of Single-factor Authentication?
Online sites can have users' passwords leaked by a cyber criminal. Although it doesn't happen often, it can happen! Without an additional factor beyond your password to confirm your identity, all a malicious user needs is your password to gain access. Hopefully, it's not a website that stores additional personal information, such as your credit card details, home address, or other information used to identify you. Oftentimes, a user's password is simple so that it is easy to remember. Is there something wrong with that? Well, the simpler the password, the easier it is to crack or guess.
A malicious user may guess your password because they know you personally or because they were able to find out certain things about you, such as your birthdate, favorite actor/actress, or pet's name. A malicious user may also crack your password by using a bot to generate the right combination of letters/numbers to match your simple, secret identification method. In either case, it's going to be a hassle to recover your account(s). Hopefully, your simple password is not being reused with other online entities.

SFA is quickly becoming the CDs of security measures. It was great for the time, but it's outdated. There is a growing number of products, websites, and apps that offer two-factor and multi-factor authentication. Whether it's just two factors, or three or more, MFA in general is the way to make our accounts much, much harder for attackers to break into, so the time to get familiar with these new security measures is now.
To customize the end-user experience for Azure AD Multi-Factor Authentication, you can configure options for settings like account lockout thresholds or fraud alerts and notifications. Some settings are available directly in the Azure portal for Azure Active Directory (Azure AD), and some are in a separate Azure AD Multi-Factor Authentication portal. The following Azure AD Multi-Factor Authentication settings are available in the Azure portal:
Account lockout
To prevent repeated MFA attempts as part of an attack, the account lockout settings let you specify how many failed attempts to allow before the account becomes locked out for a period of time. The account lockout settings are applied only when a PIN code is entered for the MFA prompt. The following settings are available:
To configure account lockout settings, complete these steps:
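The following is an added example (not Microsoft's code) that models the account-lockout behaviour described above: failed PIN attempts are counted, the counter expires after a reset window, and reaching the threshold locks the account for a fixed period during which even a correct PIN is refused. The three policy values (maximum failures, counter reset window, lockout duration) and the sample attempt sequence are assumptions constructed for the example; the page does not list the actual setting names.

```python
"""Model of MFA account lockout: threshold, counter reset window, lockout period.
Added example, not Microsoft's code. Policy values below are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    # Assumed knobs modelled on the page's description of the feature.
    max_failures: int = 3                              # failures before lockout
    counter_reset: timedelta = timedelta(minutes=15)   # failure counter lifetime
    lockout_duration: timedelta = timedelta(minutes=30)


@dataclass
class AccountState:
    failures: int = 0
    first_failure_at: Optional[datetime] = None
    locked_until: Optional[datetime] = None


class LockoutTracker:
    """Tracks PIN-entry failures per UPN and enforces the lockout policy."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, upn: str) -> AccountState:
        return self.accounts.setdefault(upn, AccountState())

    def is_locked(self, upn: str, now: datetime) -> bool:
        st = self._state(upn)
        return st.locked_until is not None and now < st.locked_until

    def record_attempt(self, upn: str, pin_ok: bool, now: datetime) -> str:
        """Return 'locked', 'denied' or 'allowed' for one PIN attempt."""
        st = self._state(upn)
        if self.is_locked(upn, now):
            return "locked"          # PIN is not evaluated while locked
        # Forget stale failures once the reset window has elapsed.
        if st.first_failure_at and now - st.first_failure_at >= self.policy.counter_reset:
            st.failures, st.first_failure_at = 0, None
        if pin_ok:
            st.failures, st.first_failure_at = 0, None
            return "allowed"
        st.failures += 1
        st.first_failure_at = st.first_failure_at or now
        if st.failures >= self.policy.max_failures:
            st.locked_until = now + self.policy.lockout_duration
            st.failures, st.first_failure_at = 0, None   # fresh count after lockout
            return "locked"
        return "denied"


def simulate(events: List[Tuple[str, bool, int]], policy: LockoutPolicy = LockoutPolicy()) -> List[str]:
    """Replay (upn, pin_ok, minutes_after_start) events and return each outcome."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    tracker = LockoutTracker(policy)
    return [tracker.record_attempt(upn, ok, t0 + timedelta(minutes=m)) for upn, ok, m in events]


# Constructed sample sequence (not real sign-in data).
SAMPLE_EVENTS = [
    ("alice@example.com", False, 0),
    ("alice@example.com", False, 1),
    ("alice@example.com", False, 2),    # third failure: locked for 30 minutes
    ("alice@example.com", True, 5),     # correct PIN, but still inside lockout
    ("alice@example.com", True, 40),    # lockout expired: allowed
    ("bob@example.com", False, 0),
    ("bob@example.com", False, 20),     # counter reset after 15 min, so this counts as failure 1
    ("bob@example.com", False, 21),     # failure 2, still under the threshold
]

if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(event, "->", outcome)
```

Refusing to evaluate the PIN at all while the account is locked (rather than checking it and then reporting the lock) is what keeps the lockout from leaking whether a guess was correct.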
Block and unblock users
If a user's device is lost or stolen, you can block Azure AD Multi-Factor Authentication attempts for the associated account. Any Azure AD Multi-Factor Authentication attempts for blocked users are automatically denied. Users remain blocked for 90 days from the time that they're blocked. For a video that explains how to do this, see how to block and unblock users in your tenant.

Block a user
To block a user, complete the following steps. Watch a short video that describes this process.
Unblock a user
To unblock a user, complete the following steps:
Fraud alert
The fraud alert feature lets users report fraudulent attempts to access their resources. When an unknown and suspicious MFA prompt is received, users can report the fraud attempt by using the Microsoft Authenticator app or through their phone. The following fraud alert configuration options are available:
To enable and configure fraud alerts, complete the following steps:
View fraud reports
When a user reports fraud, the event shows up in the Sign-ins report (as a sign-in that was rejected by the user) and in the Audit logs.
Notifications
You can configure Azure AD to send email notifications when users report fraud alerts. These notifications are typically sent to identity administrators, because the user's account credentials are likely compromised. The following example shows what a fraud alert notification email looks like:

To configure fraud alert notifications:
OATH tokens
Azure AD supports the use of OATH TOTP SHA-1 tokens that refresh codes every 30 or 60 seconds. You can purchase these tokens from the vendor of your choice. OATH TOTP hardware tokens typically come with a secret key, or seed, pre-programmed in the token. You need to input these keys into Azure AD as described in the following steps. Secret keys are limited to 128 characters, which might not be compatible with all tokens. The secret key can contain only the characters a-z or A-Z and digits 1-7. It must be encoded in Base32. Programmable OATH TOTP hardware tokens that can be reseeded can also be set up with Azure AD in the software token setup flow.

OATH hardware tokens are supported as part of a public preview. For more information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.

After you acquire tokens, you need to upload them in a comma-separated values (CSV) file format. Include the UPN, serial number, secret key, time interval, manufacturer, and model, as shown in this example:
Note Be sure to include the header row in your CSV file. An administrator can sign in to the Azure portal, go to Azure Active Directory > Security > Multifactor authentication > OATH tokens, and upload the CSV file. Depending on the size of the CSV file, it might take a few minutes to process. Select Refresh to get the status. If there are any errors in the file, you can download a CSV file that lists them. The field names in the downloaded CSV file are different from those in the uploaded version. After any errors are addressed, the administrator can activate each key by selecting Activate for the token and entering the OTP displayed in the token. Users can have a combination of up to five OATH hardware tokens or authenticator applications, such as the Microsoft Authenticator app, configured for use at any time.

Phone call settings
If users receive phone calls for MFA prompts, you can configure their experience, such as caller ID or the voice greeting they hear. In the United States, if you haven't configured MFA caller ID, voice calls from Microsoft come from the following number. Users with spam filters should exclude this number.
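As an added example (not Microsoft's code or the portal's actual validator), the script below checks a token CSV before upload against the constraints stated above (header row present, secret at most 128 characters and decodable as standard RFC 4648 Base32, interval 30 or 60 seconds) and then reproduces the activation step: computing the SHA-1 TOTP for a seed and comparing it with the OTP read off the token, allowing one step of clock drift. The column names in the header and the three CSV rows are constructed assumptions; the page lists the fields but does not show the actual header. The seed in the first row is the RFC 6238 reference secret, so the expected codes are the published test-vector values.

```python
"""Pre-upload validation of an OATH TOTP token CSV plus activation-OTP check.
Added example, not Microsoft's code. HEADER names and sample rows are assumed."""
import base64
import binascii
import csv
import hashlib
import hmac
import io
import struct
from typing import Dict, List

# Assumed header; the page names the fields but not the exact column labels.
HEADER = ["upn", "serial number", "secret key", "time interval", "manufacturer", "model"]

# Constructed sample file. Row 1 uses the RFC 6238 reference seed ("12345678901234567890" in Base32).
SAMPLE_CSV = """upn,serial number,secret key,time interval,manufacturer,model
alice@example.com,1000001,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,30,ExampleVendor,HT-1
bob@example.com,1000002,NOTBASE32!,30,ExampleVendor,HT-1
carol@example.com,1000003,GEZDGNBVGY3TQOJQ,45,ExampleVendor,HT-1
"""


def _b32(secret: str) -> bytes:
    """Decode Base32, tolerating vendors that omit '=' padding."""
    padded = secret.upper() + "=" * (-len(secret) % 8)
    return base64.b32decode(padded, casefold=True)


def validate_row(row: Dict[str, str]) -> List[str]:
    """Return the list of problems for one CSV row; an empty list means it is acceptable."""
    problems = []
    secret = row["secret key"].strip()
    if len(secret) > 128:
        problems.append("secret key longer than 128 characters")
    try:
        _b32(secret)
    except binascii.Error:
        problems.append("secret key is not valid Base32")
    if row["time interval"].strip() not in ("30", "60"):
        problems.append("time interval must be 30 or 60")
    if "@" not in row["upn"]:
        problems.append("upn does not look like a user principal name")
    return problems


def check_csv(csv_text: str) -> Dict[str, List[str]]:
    """Map each UPN in the file to its validation problems. Raises if the header row is missing."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames is None or [f.strip().lower() for f in reader.fieldnames] != HEADER:
        raise ValueError("missing or unexpected header row")
    return {row["upn"]: validate_row(row) for row in reader}


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the algorithm the page says these tokens use."""
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(_b32(secret_b32), counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def activation_ok(secret_b32: str, otp: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the typed OTP if it matches the current step or up to `skew` steps either side."""
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + d * step, step), otp)
        for d in range(-skew, skew + 1)
    )


if __name__ == "__main__":
    for upn, problems in check_csv(SAMPLE_CSV).items():
        print(upn, "OK" if not problems else problems)
    print("code at T=59:", totp("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", 59))
```

Running the validator locally before uploading avoids the round trip through the portal's error CSV, whose field names differ from the upload format; the drift window in activation_ok is what lets a token whose clock is a few seconds off still activate, while a code from several minutes ago is rejected.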
Note When Azure AD Multi-Factor Authentication calls are placed through the public telephone network, sometimes the calls are routed through a carrier that doesn't support caller ID. Because of this, caller ID isn't guaranteed, even though Azure AD Multi-Factor Authentication always sends it. This applies both to phone calls and text messages provided by Azure AD Multi-Factor Authentication. If you need to validate that a text message is from Azure AD Multi-Factor Authentication, see What SMS short codes are used for sending messages?. To configure your own caller ID number, complete the following steps:
Custom voice messages
You can use your own recordings or greetings for Azure AD Multi-Factor Authentication. These messages can be used in addition to the default Microsoft recordings or to replace them. Before you begin, be aware of the following restrictions:
Custom message language behavior
When a custom voice message is played to the user, the language of the message depends on the following factors:
For example, if there's only one custom message, and it's in German:
Custom voice message defaults
You can use the following sample scripts to create your own custom messages. These phrases are the defaults if you don't configure your own custom messages.
Set up a custom message
To use your own custom messages, complete the following steps:
MFA service settings
Settings for app passwords, trusted IPs, verification options, and remembering multi-factor authentication on trusted devices are available in the service settings. This is a legacy portal. It isn't part of the regular Azure AD portal. You can access service settings from the Azure portal by going to Azure Active Directory > Security > Multifactor authentication > Getting started > Configure > Additional cloud-based MFA settings. A window or tab opens with additional service settings options.

Trusted IPs
The trusted IPs feature of Azure AD Multi-Factor Authentication bypasses multi-factor authentication prompts for users who sign in from a defined IP address range. You can set trusted IP ranges for your on-premises environments. When users are in one of these locations, there's no Azure AD Multi-Factor Authentication prompt. The trusted IPs feature requires Azure AD Premium P1 edition.

Note The trusted IPs can include private IP ranges only when you use MFA Server. For cloud-based Azure AD Multi-Factor Authentication, you can use only public IP address ranges. IPv6 ranges are supported only in the Named locations (preview) interface. If your organization uses the NPS extension to provide MFA to on-premises applications, the source IP address will always appear to be the NPS server that the authentication attempt flows through.
Trusted IP bypass works only from inside the company intranet. If you select the All Federated Users option and a user signs in from outside the company intranet, the user has to authenticate by using multi-factor authentication. The process is the same even if the user presents an AD FS claim.

User experience inside the corporate network
When the trusted IPs feature is disabled, multi-factor authentication is required for browser flows. App passwords are required for older rich-client applications. When trusted IPs are used, multi-factor authentication isn't required for browser flows. App passwords aren't required for older rich-client applications if the user hasn't created an app password. After an app password is in use, the password is required.

User experience outside the corporate network
Regardless of whether trusted IPs are defined, multi-factor authentication is required for browser flows. App passwords are required for older rich-client applications.

Enable named locations by using Conditional Access
You can use Conditional Access rules to define named locations by using the following steps:
Enable the trusted IPs feature by using Conditional Access
To enable trusted IPs by using Conditional Access policies, complete the following steps:
Enable the trusted IPs feature by using service settings
If you don't want to use Conditional Access policies to enable trusted IPs, you can configure the service settings for Azure AD Multi-Factor Authentication by using the following steps:
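The following added example (not Microsoft's code, and not how the service evaluates the setting internally) shows the trusted-IPs rules from the note above as a small policy checker: ranges are parsed from CIDR strings, private (RFC 1918) ranges are rejected unless MFA Server is in use, IPv6 ranges are rejected because they are only available through Named locations, and a sign-in that arrives through the NPS extension is evaluated on the NPS server's address rather than the client's. The mode names, function names and sample addresses are assumptions constructed for the example; the 203.0.113.0/24 and 198.51.100.0/24 ranges are documentation addresses standing in for an organisation's public egress range.

```python
"""Trusted-IP range validation and bypass evaluation for MFA prompts.
Added example, not Microsoft's code. Mode names and sample ranges are assumed."""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# "Private" here means RFC 1918, the ranges the page says only MFA Server may use.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _is_rfc1918(net: Network) -> bool:
    return any(net.subnet_of(p) for p in RFC1918)


def load_ranges(cidrs: List[str], mode: str = "cloud") -> Tuple[List[Network], Dict[str, str]]:
    """Parse CIDR strings into accepted networks plus a map of rejected entries and reasons.
    mode is 'cloud' (cloud-based Azure AD MFA) or 'mfa_server' (on-premises MFA Server); assumed labels."""
    accepted: List[Network] = []
    rejected: Dict[str, str] = {}
    for cidr in cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            rejected[cidr] = "not a valid CIDR"
            continue
        if net.version == 6:
            rejected[cidr] = "IPv6 ranges are supported only in Named locations"
        elif mode == "cloud" and _is_rfc1918(net):
            rejected[cidr] = "private ranges are allowed only with MFA Server"
        else:
            accepted.append(net)
    return accepted, rejected


def mfa_required(client_ip: str, trusted: List[Network], nps_server_ip: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether an MFA prompt is required for a sign-in.
    When the request flows through the NPS extension, the address the service sees is the
    NPS server's, so that is the address the trusted-range check is applied to."""
    observed = ipaddress.ip_address(nps_server_ip or client_ip)
    via = " (observed via NPS server)" if nps_server_ip else ""
    for net in trusted:
        if observed in net:
            return False, f"{observed}{via} is inside trusted range {net}; prompt bypassed"
    return True, f"{observed}{via} is outside all trusted ranges; prompt required"


if __name__ == "__main__":
    # Constructed configuration: one public range, one private range, one IPv6 range, one typo.
    trusted, rejected = load_ranges(["203.0.113.0/24", "10.0.0.0/8", "2001:db8::/32", "not-a-cidr"])
    print("accepted:", [str(n) for n in trusted])
    print("rejected:", rejected)
    print(mfa_required("203.0.113.7", trusted))
    print(mfa_required("198.51.100.9", trusted))
    print(mfa_required("198.51.100.9", trusted, nps_server_ip="203.0.113.20"))
```

The last call is the caveat worth noticing: the client is outside every trusted range, yet because the authentication flows through an NPS server inside one, the trusted-IP check sees the server's address and bypasses the prompt. Trusted IPs therefore say nothing about where an NPS-fronted user actually is.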
Verification methods
You can choose the verification methods that are available for your users in the service settings portal. When your users enroll their accounts for Azure AD Multi-Factor Authentication, they choose their preferred verification method from the options that you've enabled. Guidance for the user enrollment process is provided in Set up my account for multi-factor authentication. The following verification methods are available:
For more information, see What authentication and verification methods are available in Azure AD?.

Enable and disable verification methods
To enable or disable verification methods, complete the following steps:
Remember multi-factor authentication
The remember multi-factor authentication feature lets users bypass subsequent verifications for a specified number of days, after they've successfully signed in to a device by using MFA. To enhance usability and minimize the number of times a user has to perform MFA on a given device, select a duration of 90 days or more.

Important If an account or device is compromised, remembering MFA for trusted devices can affect security. If a corporate account becomes compromised or a trusted device is lost or stolen, you should Revoke MFA Sessions. The revoke action revokes the trusted status from all devices, and the user is required to perform multi-factor authentication again. You can also instruct your users to restore the original MFA status on their own devices as noted in Manage your settings for multi-factor authentication.

How the feature works
The remember multi-factor authentication feature sets a persistent cookie on the browser when a user selects the Don't ask again for X days option at sign-in. The user isn't prompted again for MFA from that browser until the cookie expires. If the user opens a different browser on the same device or clears the cookies, they're prompted again to verify. The Don't ask again for X days option isn't shown on non-browser applications, regardless of whether the app supports modern authentication. These apps use refresh tokens that provide new access tokens every hour. When a refresh token is validated, Azure AD checks that the last multi-factor authentication occurred within the specified number of days. The feature reduces the number of authentications on web apps, which normally prompt every time. The feature can increase the number of authentications for modern authentication clients that normally prompt every 180 days, if a lower duration is configured. It might also increase the number of authentications when combined with Conditional Access policies.
Important The remember multi-factor authentication feature isn't compatible with the keep me signed in feature of AD FS, when users perform multi-factor authentication for AD FS through MFA Server or a third-party multi-factor authentication solution. If your users select keep me signed in on AD FS and also mark their device as trusted for MFA, the user isn't automatically verified after the remember multi-factor authentication number of days expires. Azure AD requests a fresh multi-factor authentication, but AD FS returns a token with the original MFA claim and date, rather than performing multi-factor authentication again. This reaction sets off a verification loop between Azure AD and AD FS. The remember multi-factor authentication feature isn't compatible with B2B users and won't be visible for B2B users when they sign in to the invited tenants.

Enable remember multi-factor authentication
To enable and configure the option to allow users to remember their MFA status and bypass prompts, complete the following steps:
Mark a device as trusted
After you enable the remember multi-factor authentication feature, users can mark a device as trusted when they sign in by selecting Don't ask again.

Next steps
To learn more, see What authentication and verification methods are available in Azure Active Directory?

What is 2 way authentication method?
Two-factor authentication methods rely on a user providing a password as the first factor and a second, different factor, usually either a security token or a biometric factor, such as a fingerprint or facial scan.
What is second level authentication?
Two-factor authentication (2FA) is a security system that requires two separate, distinct forms of identification in order to access something. The first factor is a password and the second commonly includes a text with a code sent to your smartphone, or biometrics using your fingerprint, face, or retina.
Which is a two step authentication that uses a device in addition to the password used to authenticate a user?
SMS 2FA. SMS two-factor authentication validates the identity of a user by texting a security code to their mobile device. The user then enters the code into the website or application to which they're authenticating.
What is two
Two-factor authentication (2FA) is an identity and access management security method that requires two forms of identification to access resources and data. 2FA gives businesses the ability to monitor and help safeguard their most vulnerable information and networks.