Friday, May 29, 2015

Microsoft Azure MFA authentication options

Microsoft Azure MFA, and its equivalent for on-premises installation, comes with 3 options for user verification:

- MFA service calls the user's phone
- MFA service sends a text message (aka SMS)
- Use of an MFA app on your mobile phone

So which option should we allow users to use and why?

Thought #1: The most generic and reliable option, and the one which can even be used with a landline phone, is to give the user a call.

Thought #2: Sending a text is quieter than option 1, and typically all cellphones can receive text messages while landline phones can't. If you are a global organisation with users in different countries on different wireless providers, you may find that text messages sometimes take a long time to arrive and sometimes just silently disappear. So that needs to be considered.

Thought #3: The only solution which does not require a wireless signal to receive a call or text is the MFA app. But it requires a smart phone. I am very often in data centers and the cell phone reception is usually bad there, not just because of the noise. So I prefer using the app.

In general, users should not be trained like Pavlov's dogs to just accept phone calls without listening because they get 500 calls per day. So use MFA wisely.

In conclusion, all methods have pros and cons: for end users phone call verification might be the best, while for admins it can be the smartphone app.
