Topics

• Chris has some thoughts about MFA usage and deployment,
• Koos recently ran into some issues with Passkeys and wants to share a couple of do’s and don’t’s and also discuss future roadmap features.
  
  

MFA

Its almost 2025 - Is MFA still relevant today? Is MfA an unachievable utopia? The answers are definitely and no!

Seriously though, we’ve been talking about this for over a decade now - but it dawned on me recently that we always say “go enable MFA” and maybe we really should be saying “here’s how you enable MFA”. Believe it or not, I still see organizations that don’t have ANY MFA deployed - this happens for many reasons:

• Legal/political reasons
• Device restrictions

Its important to think of this as a process of continuous improvement and not ‘set and forget’ Where should you be? What does a MFA MVP look like? At a bare minimum, MFA should be enabled for all accounts in the tenant. In my opinion, I would go a little further than this - At a bare minimum, MFA should be enabled for all accounts in the tenant and all admin roles should be using phish-resistant MFA.

What do we mean by phish-resistant MFA?

• FIDO / WebAuth authentication
• Public key infrastructure (PKI)-based

These are things like FIDO2 tokens (Yubikey/Token2), Windows HfB, Passkeys, etc.

How should you configure MFA? Use Conditional Access - this requires at least Entra ID P1. If you don’t have at least P1, you can still deploy MFA via the ‘security defaults’ in M365, but you will lack granular control. Conditional Access is an important security tool so I’d encourage you to consider this during your next license cycle/true up.

You want to create at least 2 CA policies for MFA:

• One policy to apply MFA for all users in administrative roles. Scope this policy to the roles, not to users/groups
• One policy to MFA for all users. Scope this policy to ‘All users’

Once we you have these in place - your next step is to require phish-resistant MFA on the Admin roles. These align with the latest CIS benchmarks. If you’re not using Microsoft Authenticator - I’d strongly recommend moving toward that for as many users as possible. Avoid SMS where possible.

What about break glass accounts? For years we’ve been saying you should break glass accounts from MFA - this guidance in outdated. The recommendation now is to use FIDO2 tokens or similar for these. This also means that you need to consider your processes for using, storing and testing these.

Takeaways

• If you don’t have MFA deployed - don’t let perfect be the enemy of good. Start now and deploy where you can.
• Limit exclusions - look are service principals etc
• It is not all or nothing
• Security is not ‘set and forget’

MFA - Links

CISA - Implementing Phishing-Resistant MFA

Conditional Access authentication strength

Passkeys

AiTM

As more organizations embrace multi-factor authentication (MFA) to block most password-based attacks, threat actors are moving up the cyberattack-chain by bypassing MFA authentication altogether.

Adversary-in-the-middle (AiTM) attacks

• Involves attackers tricking users into clicking a link and completing MFA on the attacker’s behalf.
• Token theft is when an attacker steals tokens and makes a copy to get to the users’ resources without needing a username, password, or a successful MFA challenge.

What are passkeys?

A passkey is a strong, phishing-resistant authentication method based on World Wide Web Consortium’s (W3C) WebAuthN standard.

Passkeys solve the issue with phishing attacks because AiTM phishing is done by using a proxy server, which phishes the password and session cookie right after the user performs MFA. Which allows the attacker to use the session cookie for as long as the cookie is valid.

Evilginx is a demonstration of what adept attackers can do. It is the defender’s responsibility to take such attacks into consideration and find ways to protect their users against this type of phishing attacks.

Passkeys are a pair of cryptography keys generated by your device. And without the private key, the attacker cannot login on the users behalf, because accessing the private key is protected by using a PIN or biometric methods.

Passkeys provide passwordless logon, where each passkey is a unique digital key which cannot be reused. Therefore they cannot be abused in AiTM attacks.

Two types of passkeys

Two types of Passkeys; device-bound and syncable passkeys. Device-bound is more secure because the key is stored and bound to a physical device.

Passkeys popup on Github, Paypal and 1Password. These are examples of syncable passkeys.

Microsoft currently only offers device-bound passkeys. This can be a FIDO2 key, or recently with their Authenticator app on Mobile. At first I thought this was quite odd, because during the process of the latter you need to scan a QR code and open it with the Authenticator app. So how does this prevent an attacker to provide a phishing QR code through a proxy? Well, the authentication device you scan the QR with needs to be in close proximity of the device that generates the QR code. This is also why you need to have Bluetooth enabled on your smartphone for this to work. And since this is still a Passkey authentication where the private key is needed for the authentication, phishing the session cookie has no use for the attacker.

The challenges

The downside to all of this is support. And that’s why I wanted to bring this topic to today’s Podcast.

• Logging in from a desktop can be a bit awkward due to the QR code scanning process.
• Bluetooth restrictions may apply in your company?
• Break-the-Glass Storing physical keys in a safe require additional thoughts about the logistics of it
  • Take a look at OTP based MFA perhaps, but be aware of the additional dependency of “Entra ID MFA services”
• iOS 17 - only one password manager. –> iOS 18 solves this!
• Remote Desktop limitations
  • Especially on a Mac! :-( (no WebAuthN redirection)
  • Be careful with RDP from the Windows Store as well!

If you really need tight security where you want to check device compliance and risk status as well, you probably have a Virtual Desktop or equivalent solution setup of for externals. And there’s effectively no way to satisfy a Phishing-resistant MFA strength if they access this from a Mac…

Passkeys - Links

Enable Passkeys for your organization

Build resilience with credential management

Simulate your own AitM attack with Evilginx

Enable passkeys in Microsoft Authenticator (preview)

Microsoft Entra ID FIDO2 provisioning APIs (preview)

Community Project - Maester

What is Maester?

Maester is a PowerShell based test automation framework to help you stay in control of your Microsoft security configuration.

Maester is built on the Pester framework - the team has put in a lot of work to provide an ‘easy button’, but allows you to create your own tests. Maester helps you monitor your Microsoft 365 tenant by running a set of tests to ensure your configuration is in compliance with your security policies.

Currently provides built-in tests:

• Secure Cloud Business Applications (SCuBA) Security Configuration Baseline - CISA
• Entra ID Security Config Analyzer (EIDSCA) - mapped to the MITRE ATT&CK framework.
• Maester community tests (36)

Maester - Links

Maester

Introducing Maester

Follow us on your favorite podcast platform or check us out on YouTube