Note: The entire cloud area, especially security, is constantly evolving and changing. The information is valid at the time of writing the article. It also updates information from some older articles on this website.
A practical description of the registration of authentication methods and their use for account sign-in can be found in the article Multi-Factor Authentication (MFA) authentication method registration and login.
Introduction to Multifactor Authentication (MFA)
Microsoft Documentation
- Authentication Methods
- Authentication Strength
- Passwordless Authentication
- Multifactor Authentication
- Passwordless strategy
Directory Services (Identity and Access Management Services)
- Active Directory Domain Services (AD DS) - internal/on-premises directory service for companies, uses Forest and Domain
- Microsoft Entra ID (formerly Azure AD) - Microsoft's cloud directory service for companies, uses Tenant
We can use a hybrid solution, where local domain accounts are replicated to the cloud directory. It is essentially the same account. However, depending on where we authenticate, we have different authentication options available. Even for services within the local network, authentication in Microsoft Entra ID is possible (under certain conditions).
In the cloud, Microsoft Entra Multifactor Authentication (MFA) and Conditional Access Policies are supported, allowing the definition of parameters for various accesses (sign-ins).
User Authentication
- Authentication - verifying identity, confirming that the person is who they claim to be
- Authorization - permissions, verifying that the person has the right to perform the action they are attempting
Modern Authentication
Modern Authentication is an identity management method that offers more secure user authentication and authorization. The term modern authentication encompasses a combination of authentication and authorization methods between the client and server. It includes authentication methods (such as multifactor authentication, smart card authentication), authorization (Open Authorization (OAuth)), and conditional access policies (Conditional Access Policies, Mobile Application Management).
Legacy Authentication refers to long-used protocols like Kerberos, NTLM, CHAP, etc., which generally do not work well over the internet. Basic Authentication is often used, which is very simple (uses plaintext username and password, only encoded with base64, so it must be combined with SSL), but has many vulnerabilities.
Modern authentication is a group of protocols designed to increase the security of cloud resources. For example, Security Assertion Markup Language (SAML), WS-Federation, OAuth. Their goal is to move away from the username/password method and instead use token-based claims. During authentication, a token is generated for access, specifying what accesses the requester has. Tokens are time-limited and can be revoked.
In Microsoft services, we can identify the type of authentication by the appearance of the sign-in dialog. The first image is Basic Authentication, the second is Modern Authentication.
Note: Sign-in using MFA is only available with modern authentication.
What is MFA?
Multifactor Authentication (MFA) is an authentication method where two or more different (independent) factors are used. In practice, two-factor authentication (2FA) is most commonly used, but in recent years the term MFA has been predominantly used.
User authentication factors are:
- Knowledge factor - something the user knows, such as a username and password, PIN
- Possession factor - something the user has, such as a mobile phone, security key, smart card, certificate, TPM chip
- Inherent factor - something the user is, such as biometric data (fingerprint, iris or retina scan, facial recognition, etc.)
Why use MFA?
According to many security studies (Verizon, Forrester, and others), the majority (over 80%) of data breaches or organization intrusions are related to compromised privileged login credentials. If only a password is used for sign-in, its theft or cracking allows the attacker access to the victim's systems.
Therefore, it is now a global standard to use multifactor authentication. We use it for banking access and for many private accounts (such as Google, Apple, Microsoft).
Authentication Methods
Authentication methods are various ways a user can authenticate. The list of MFA authentication methods is continuously developed and changed by Microsoft. Some methods are phased out and new ones are created according to security trends.
Currently, the following MFA methods are available (from strongest to weakest):
FIDO2 security key
- A hardware security key that uses an asymmetric key pair; the data is protected by a PIN or biometrics; recommended by CISA; more in the article Sign-in with FIDO2 security key
Windows Hello for Business
- Uses an asymmetric key pair tied to a specific computer (ideally in the TPM) and protected by a local PIN or biometrics; more in the article Windows Hello for Business - introduction
Certificate-based authentication (CBA)
- A new option to use an X.509 certificate for sign-in, for example on a smart card (protected by a PIN); certificates also work with an asymmetric key pair
Microsoft Authenticator (Phone Sign-in)
- The Microsoft Authenticator app supports passwordless sign-in using an asymmetric key pair protected by a PIN or biometrics; a message appears asking the user to enter a number shown in the sign-in dialog; this method is labeled Phone Sign-in
Microsoft Authenticator (Push Notification)
- Another option using Microsoft Authenticator: a notification (message) appears on the phone, which the user approves by number matching (entering the two digits shown in the sign-in dialog)
OATH Token
- HW tokens are still in preview; SW tokens are used, generating an OATH verification code (works offline); mobile apps such as Microsoft Authenticator and Authenticator Lite, Google Authenticator, and others are used
Mobile Phone
- Register a phone number and use SMS to receive a verification code, or a voice call (Voice), which is answered and confirmed (key #)
Microsoft Authenticator Enhancing Notification Security
Microsoft continuously enhances security within its Microsoft Authenticator app. The Push Notification method previously involved just clicking the Approve button.
To prevent accidental approvals and MFA Fatigue attacks, it was changed to number matching at the beginning of 2023. The sign-in dialog displays two digits that need to be entered in the Microsoft Authenticator app. This is similar to the approval method in Phone Sign-in. This solution is also recommended by the CISA (Cybersecurity & Infrastructure Security Agency).
Additionally, the option to display more context to users in the request in the Microsoft Authenticator app was added. This includes the application name the user is signing into and the geographical location based on the IP address of the device they are signing in from.
Using Phone - SMS and Voice
Security experts have long considered authentication using SMS or voice to be insufficient. At the end of 2023, Microsoft adjusted the registration campaign to encourage (force) users to use a more secure method (currently the Microsoft Authenticator app).
SMS and voice use the public telephone network (PSTN), where there are attacks on SIM swapping and eavesdropping over public networks. We cannot be sure that the SMS reached the intended recipient due to redirection or interception of SMS messages. Messages are limited, unencrypted, not 100% reliable, regulated, and susceptible to social engineering. Therefore, it is recommended to switch to a more secure method using an app on a mobile phone.
Categories of Authentication Methods
Authentication methods are divided into several categories based on authentication strength and security:
Single-Factor Authentication
- If we do not use MFA and have only one authentication factor, mainly username and password or, for example, a certificate alone (without PIN protection)
MFA with password
- Traditional MFA: username and password plus another factor, including SMS, voice call, SW or HW OATH token, Authenticator with Push Notification, and the somewhat special case of a Temporary Access Pass
Passwordless MFA
- No password is entered, only the username, and then a private key (asymmetric cryptography) is used, which is unlocked with a local PIN or biometrics. This includes Microsoft Authenticator Phone Sign-in and all Phishing-resistant MFA
Phishing-resistant MFA
- Passwordless authentication requiring interaction between the authentication method and the sign-in interface (the key is used on the device where we are signing in). This includes FIDO2 security key, Windows Hello for Business, and certificate-based authentication
Note: Categories are listed from weakest to strongest in terms of security. Methods from a higher category meet the conditions of lower ones.
Multifactor Authentication (MFA) with Password
Standard MFA sign-in means identifying your account by its username (email, domain determines Tenant) and entering a password. Then, something we have is used. Most commonly, a verification code is used, but it can also be approval of the sign-in on a specific device.
Microsoft supports the standard Open Authentication (OATH) Time-based One Time Password (TOTP), which generates a 6 to 8 digit code every 30 seconds. SW or HW OATH tokens can be used for generation. Typically, various mobile apps like Microsoft Authenticator are used as Software OATH Tokens. For registering an authentication app, a Secret Key (or Seed) is generated in Microsoft Entra ID, which is entered into the app (usually by scanning a QR code). This is then used to generate OTP. The app does not need an internet connection.
Multifactor Authentication (MFA) without Password
Passwordless MFA does not use a password for sign-in (it is neither entered nor sent over the internet). Instead, an asymmetric key pair is generated (on the device) during method registration. The public key is stored (registered) to the user's account in Microsoft Entra ID. The private key is stored on the device, ideally using a cryptographic chip. On computers, the Trusted Platform Module (TPM) is used, a standalone device is the FIDO2 security key, and for certificates, a smart card. Alternatively, it is stored in a mobile device in the Microsoft Authenticator app.
Sign-in credentials are thus tied to a specific device (computer, phone, FIDO2 key, smart card). That is, something we have. Access to them must be protected by a PIN or biometrics. That is, something we know or are.
During MFA sign-in, a specific device is used, where access to the private cryptographic key is unlocked (PIN, biometrics). This key signs data received from Microsoft Entra ID (a nonce). Microsoft Entra ID verifies the signature using the public key, then verifies the returned nonce and signs in the user (who obtains a Primary Refresh Token (PRT) with an MFA claim).
No form of password or private key is sent over the network. PIN or biometric data are used only locally and are tied to a single specific device. For these reasons, a PIN is more secure than a password, which is transmitted over the network and stored on the server. The requirements for a PIN can be lower.
Phishing-resistant Multifactor Authentication (MFA)
Some MFA methods are labeled as phishing-resistant. These methods are designed to prevent the disclosure of authentication secrets to a website or application posing as a legitimate system.
Such a method must meet several conditions. Elimination of shared secrets (password), instead using asymmetric cryptography and a strong trust relationship through cryptographic registration. Responding only to valid requests from known and trusted parties. User intent is required, involving the user both to initiate and authorize the sign-in action.
In practice, these are passwordless MFA methods, where we sign in on a device where we physically have the private key connected. This includes Windows Hello for Business, which works only on a specific computer, FIDO2 security key, which must be connected to the device and touched during sign-in, or a smart card with a certificate. This does not include methods where we can approve a sign-in happening elsewhere, such as all options using the Microsoft Authenticator app.
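The following is an added illustration in Go (written for this page, not code from the original article or from Microsoft) of the two points made above: the passwordless registration and nonce challenge-response flow, and why the phishing-resistant methods also bind the signature to the origin the device is actually talking to. Device, Directory, the `nonce|origin` message layout and the names alice, login.example.com and login.example.net are constructed assumptions for the model, not Entra ID's real wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
)

// Device stands in for the TPM, FIDO2 key or smart card: the private key never leaves it.
type Device struct{ priv ed25519.PrivateKey }

// Directory stands in for Microsoft Entra ID: it holds only public keys and the nonces it issued.
type Directory struct {
	registered map[string]ed25519.PublicKey
	nonces     map[string]bool
}

func NewDirectory() *Directory {
	return &Directory{map[string]ed25519.PublicKey{}, map[string]bool{}}
}

// Register stores the public key against the account (the method registration step).
func (d *Directory) Register(user string, pub ed25519.PublicKey) { d.registered[user] = pub }

// Challenge issues a fresh random nonce for one sign-in attempt.
func (d *Directory) Challenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	n := hex.EncodeToString(b)
	d.nonces[n] = true
	return n
}

// Sign releases the key only after the local unlock (PIN/biometric, simulated by pinOK)
// and signs the nonce bound to the origin the device is actually talking to.
func (dev *Device) Sign(nonce, origin string, pinOK bool) []byte {
	if !pinOK {
		return nil // locked: nothing is sent and no secret is revealed
	}
	return ed25519.Sign(dev.priv, []byte(nonce+"|"+origin))
}

// Verify checks the signature with the registered public key over the nonce and the
// legitimate origin, then consumes the nonce so it cannot be replayed.
func (d *Directory) Verify(user, nonce, origin string, sig []byte) bool {
	pub, ok := d.registered[user]
	if !ok || !d.nonces[nonce] || !ed25519.Verify(pub, []byte(nonce+"|"+origin), sig) {
		return false
	}
	delete(d.nonces, nonce)
	return true
}
```

A signature produced while the device was talking to a look-alike origin fails verification against the legitimate one, which is the property that a relayed OTP or push approval lacks.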
Attacks on MFA
Phishing attack on MFA typically occurs when an attacker sends a fraudulent email. The victim clicks on a link that leads to a fake system posing as legitimate. Here, a copy of the MS sign-in dialog is presented, but the entered credentials are received by the attacker. At that moment, the attacker signs in to the legitimate service. The victim receives, for example, an SMS, approves the sign-in, or uses OTP. The correct credentials are handed over to the attacker, who signs in instead of the victim. This is a Man-in-the-middle (MITM) attack.
Another attack is called MFA Fatigue and involves flooding the victim with verification requests (Push Notification). These requests frustrate the user to the point where they might ignore standard security measures and eventually approve any verification requests. The defense against this is using number matching.
Authentication Frequency and Session Lifetime
Securing a user account with MFA is not intended to constantly prompt the user for sign-in, requiring authentication each time. This would be inconvenient, and users might enter their credentials without thinking, even on malicious sites. User authentication on a specific device or in a particular application has a defined session lifetime. For example, for Office applications, the default is 90 days. Browsers do not have persistent cookies. Only after the session expires (or a password change, session revocation, etc.) is a new authentication required. Behavior can be influenced by configuration and special properties.
On managed devices that are registered or joined to Microsoft Entra ID, SSO (Single Sign-On) or Seamless SSO can be used. Devices that are Microsoft Entra Joined or Microsoft Entra Hybrid Joined obtain Primary Refresh Tokens (PRT), allowing SSO between applications. Thus, signing in to one application works as signing in to others.
On mobile devices, the Microsoft Authenticator app is used as an intermediary for other Microsoft Entra ID applications. On devices that do not have an identity in Microsoft Entra ID (are not registered), each application has its own OAuth Refresh Token, so it authenticates separately.
Using Conditional Access Policies, we can enforce re-authentication after a shorter period. We set the sign-in frequency within session controls.