This is a public service announcement: PASSWORDS ARE EVIL, THEY MUST BE STOPPED!
For years, passwords have been a prime vulnerability used by hackers to compromise organisations, and the stats demonstrating the significance of this land weekly. Today it’s news that 99.9% of compromised accounts in Azure AD don’t have MFA. Last week it was another organisation getting wiped out because – well, passwords. There are websites that document a sorry list of tales of how passwords have exposed some of the largest, most trusted organisations on Earth, at a cost of untold millions. I used to work at one of them.
Hello, my name is Gavin, and I have too many passwords.
And I’ll put good money on the same being true for you. It’s fine, we all have the same problem; you’re amongst friends here. Our brains simply aren’t designed to handle them. A small minority of us might use password managers, which are a way of patching over (but not solving) the problem. But it’s far more common to find people who simply use the same password (or some variation) across all their sites and services, which makes them terribly susceptible to credential stuffing. I’ll even include a link to https://haveibeenpwned.com/ right here so you can see at a glance how many times your credentials have been compromised. And no matter how many times security pros might evangelise passphrases or some other form of complexity, the average user will never use them.
Passwords are a lot like alcohol; as a society, we know they’re bad. We know if they were released as a ‘new thing’ today they wouldn’t be adopted. Yet here we all are, still using them. It’s a curious situation.
Microsoft, NCSC and NIST are now universally backing an approach to completely scale back old-school, ineffective and in some cases totally counter-productive password policies. Instead the guidance is to focus on MFA and other measures like those found in Conditional Access and Azure AD Identity Protection. Those frameworks also mention hardware-backed certificates, but more on those and passwordless authentication another time.
We need to make secure sign-in a seamless and obvious experience. So before I get to passwordless (soon) we need to have a chat about MFA first. You see, not all MFA options were created equal. On a sliding scale, some MFA options are more prone to attack, some represent a sweet spot of great usability and excellent security, while others go a little step further for those that need it. And of course, if you’re not using MFA today – well, now is the time:
- Enable MFA with Identity Protection: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-mfa-policy
- Enable MFA without Identity Protection: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted#registration-without-identity-protection
None of these options cost the Earth, which is what passwords are more than likely to do if you carry on with nothing – it’s that simple. More advanced licenses open up additional features but at a minimum even the free plan includes MFA using the mobile app. More details here.
MFA – The Options
Phone & SMS: Worst.
Phone and SMS options are the most common form of MFA because they’re the default, and people frequently simply aren’t aware better options exist. And hey, some MFA is always going to be better than no MFA. Just beware: I could likely phone your mobile provider right now, having done a modicum of research about you, and have a replacement SIM sent to me. If I really want your identity, I’ll get your phone calls and SMS messages. Maybe best not to have Phone and SMS enabled for privileged or high-value users.
OTP: Not much better.
One-Time Passcodes (OTP). These are better than Phone or SMS in that they’re not susceptible to a relatively simple SIM swap. But they’re not perfect. You’re typing that code on the same device that you just typed your username and password into. This is called in-line MFA, and it’s susceptible to two kinds of attack:
- You could have a keylogger tied into something sophisticated enough to swipe your identity while the OTP is valid.
- Phishing or social engineering. People give that code out. And people are very open to suggestion given the right set of circumstances. Security-minded people might think they’re not so fallible, but that’s not the majority of us.
So maybe OTPs were good back in the on-premises days, but in the connected world, where your credential is likely used to sign in to public services your attacker may have access to, maybe not so much. Still, some MFA is better than no MFA.
Hardware-backed certificates: FTW!
These come in various flavours. You’ll probably be very familiar with using your face or finger to unlock your phone? This is the same tech. A certificate in your device is unlocked through some gesture (PIN or biometric), and with the cert you’re able to seamlessly authenticate.
– Microsoft Authenticator App
If you don’t have this installed, stop reading and go get it!
The app uses mobile hardware and software to provide a very strong form of MFA through app notifications. Yes, it also supports OTP for integration with other identity platforms – but that’s more for backwards compatibility, and we’ve discussed the pitfalls of OTP. The best feature is that you need to have physical ownership of the device and the ability to unlock it in order to approve a notification of an authentication attempt for Azure AD. A particularly nifty feature is where you can complete a sign-in to Azure AD by selecting a number on your phone that’s presented by the sign-in interface on your PC. Literally passwordless. 🔥 HOT OFF THE PRESS: As we posted, news arrived that you can now also view your account’s activity and update your security info, including updating your password, from within the app. So it’s just getting better and better.
But beyond the app is…
– Windows Hello
This is awesome. No mucking around, seamless, self-service, no shared secrets getting in the way. You look at your PC, you access your stuff. Don’t have a Windows Hello compatible biometric device? Fine, use a PIN if you have to. Your secret isn’t shared when you sign in to access resources. The PIN or biometric is only ever used to unlock a certificate on your device, stored within something super secure called a Trusted Platform Module or ‘TPM’, which is a separate piece of silicon from the CPU or other typical PC components. This represents the pinnacle of ease of use and security for the vast majority of users. But you may want to consider FIDO2 tokens in addition to Windows Hello…
– FIDO2 – down, boy!
- You may be someone who roams between many different devices. In these cases a FIDO2 token removes the need to register against each device, the cred roams with the key. Simple.
- The device may be used by more than ten people. The >10:1 scenario or ‘promiscuous devices’! TPM chips, the hardware which enables Windows Hello, have a storage limit. If the device falls into the >10:1 scenario you’ll want to give users of that device a FIDO2 token. Those users can also roam with those keys, so it’s not a wasted expense; those people will have an additional layer of security. So start dishing out FIDO2 tokens and the >10:1 scenario is managed. But don’t make this an enterprise-wide decision. Make it selective.
- You have super secret things you want to add that little bit extra assurance to. With a FIDO2 token there’s an additional element of ‘something you have’ in addition to the device sat in front of you. Windows Hello is already strong (the Windows Hello cred is tied to the endpoint device), but FIDO2 is that little bit stronger by virtue of being stored on a physically separate device.
- Need to go super-ultra-mega strength? For an extra few dollars, some FIDO2 tokens have a fingerprint reader built in. So now you’ve thrown the kitchen sink at the problem and the only way of getting more secure is by going full secret agent with lasers mounted to sharks.
The really cool thing about FIDO2 tokens is, they’re commodity off-the-shelf items. You don’t have to buy them in trays, with an expensive back-end infrastructure, software agents and endless engineer hours with face-to-face enrollment and troubleshooting. They’re supported in Windows 10 out of the box. Fully self-service. They come in a huge range of form-factors with different interfaces and features. You pick the one that suits. You might need a small software agent for the biometric keys but only while you get the fingerprint set up – you don’t even need to do that on the device you’ll use day-to-day necessarily.
And the really awesome thing: many attacks against high-value individuals (think C-suite) start with social accounts. FIDO2 keys support multiple protocols including FIDO U2F, which to the average person means Facebook, Google, Twitter and the like. You can safeguard both personal and work accounts from the same key. You could also have another backup key tucked away somewhere for safe keeping. They’re not expensive.
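To make the sliding scale above actionable, here is an added example (my own, not from the post or from Microsoft) that triages users by their strongest registered method and flags privileged accounts that still have Phone/SMS registered. The records are constructed to look like the Microsoft Graph `authentication/methods` response; the `@odata.type` names are assumed to match Graph’s method types and the account names are made up.

```python
# Strength ranking taken from the post's sliding scale: higher is stronger.
# Type names assumed to match Microsoft Graph authenticationMethod subtypes.
METHOD_RANK = {
    "#microsoft.graph.phoneAuthenticationMethod": 1,                   # Phone & SMS: worst
    "#microsoft.graph.softwareOathAuthenticationMethod": 2,            # in-line OTP
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod": 3,  # app notifications
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod": 4, # TPM-backed cert
    "#microsoft.graph.fido2AuthenticationMethod": 5,                   # roaming hardware key
}
RANK_NAME = {0: "none", 1: "phone/sms", 2: "otp", 3: "authenticator",
             4: "windows-hello", 5: "fido2"}
PHONE = "#microsoft.graph.phoneAuthenticationMethod"
PASSWORD = "#microsoft.graph.passwordAuthenticationMethod"

# Constructed sample shaped like GET /users/{id}/authentication/methods; not real tenant data.
SAMPLE = {
    "ceo@contoso.example": [{"@odata.type": PASSWORD},
                            {"@odata.type": PHONE, "phoneType": "mobile"}],
    "admin@contoso.example": [{"@odata.type": PASSWORD},
                              {"@odata.type": "#microsoft.graph.fido2AuthenticationMethod"},
                              {"@odata.type": PHONE, "phoneType": "mobile"}],
    "dev@contoso.example": [{"@odata.type": PASSWORD},
                            {"@odata.type": "#microsoft.graph.softwareOathAuthenticationMethod"}],
    "engineer@contoso.example": [{"@odata.type": PASSWORD},
                                 {"@odata.type": "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod"}],
}
PRIVILEGED = {"ceo@contoso.example", "admin@contoso.example"}  # constructed high-value set


def strongest_method(methods):
    """Return (rank, name) of the strongest registered MFA method; password-only scores 0."""
    best = max((METHOD_RANK.get(m.get("@odata.type"), 0) for m in methods), default=0)
    return best, RANK_NAME[best]


def triage(users, privileged, minimum_rank=3):
    """Flag privileged users with Phone/SMS registered at all (SIM-swap exposure), and any
    user whose strongest method is below minimum_rank (default: Authenticator app)."""
    findings = []
    for upn, methods in users.items():
        rank, name = strongest_method(methods)
        if upn in privileged and any(m.get("@odata.type") == PHONE for m in methods):
            findings.append((upn, "privileged user has phone/SMS registered; remove it"))
        if rank < minimum_rank:
            findings.append((upn, f"strongest method is {name}; register Authenticator, "
                                  "Windows Hello or FIDO2"))
    return findings


if __name__ == "__main__":
    for upn, issue in triage(SAMPLE, PRIVILEGED):
        print(f"{upn}: {issue}")
```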
Quality of life
Some secret sauce: when you sign in to a device using Windows Hello (with or without a FIDO2 token), you actually receive a security token that includes an MFA claim. So these methods of sign-in are technically classed as MFA. Which makes sense! There’s the thing you have (the computer’s TPM chip or FIDO2 token) and something you know (PIN) or are (biometric). So when you sign in to resources, you are already signalling that you have performed MFA and you won’t get notified so much. The only instances where you may still need one of the other options above is where you come across some Conditional Access policy with sign-in persistence disabled (so it requires a fresh sign-in), e.g. self-service forms for updating security info or resetting your password. But for daily use and interacting with common business applications, Windows Hello and optionally FIDO2 tokens make life much easier. And if you get all your apps integrated into Azure AD, completely passwordless!
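As an added example of the MFA claim described above (my own code, not the post’s), this inspects the `amr` claim of a token and applies the “fresh sign-in” caveat: the `amr` values (`pwd`, `mfa`, `ngcmfa` for a Windows Hello for Business key sign-in) and the optional `auth_time` claim are assumed from Azure AD’s token reference, and the tokens are constructed with a placeholder signature purely so the example runs offline.

```python
import base64
import json
import time

# amr values assumed from Azure AD's token claim reference (not from the post):
# "pwd" password, "mfa" an MFA challenge was satisfied, "ngcmfa" Windows Hello for
# Business key-based sign-in. Either of the last two signals that MFA was performed.
MFA_AMR = {"mfa", "ngcmfa"}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(token):
    """Decode the claims segment of a compact JWT. The signature is NOT checked here;
    a relying party must validate it (issuer, audience, key) before acting on claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def satisfies_mfa(claims, max_age=None, now=None):
    """True if the token carries an MFA claim. If max_age (seconds) is given, model a
    Conditional Access policy with sign-in persistence disabled: the authentication
    (auth_time, assumed optional claim) must be fresher than max_age."""
    amr = set(claims.get("amr", []))
    if not amr & MFA_AMR:
        return False
    if max_age is not None:
        now = time.time() if now is None else now
        auth_time = claims.get("auth_time")
        if auth_time is None or now - auth_time > max_age:
            return False
    return True


def constructed_token(claims):
    """Build a constructed sample token (header.payload.placeholder); never a real token."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = enc(b'{"alg":"RS256","typ":"JWT"}')
    return f"{header}.{enc(json.dumps(claims).encode())}.placeholdersignature"


if __name__ == "__main__":
    hello = constructed_token({"amr": ["ngcmfa"], "auth_time": 1000})
    print("Windows Hello sign-in counts as MFA:", satisfies_mfa(decode_payload(hello)))
    print("...but not for a fresh-sign-in policy after 15 min:",
          satisfies_mfa(decode_payload(hello), max_age=600, now=1900))
```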
So that’s my round up of what’s out there for MFA today. There’s more on the periphery – MFA plumbs into Conditional Access and ‘Passwordless’ in particular which we’ll go into more another time. But hopefully that’s a nice overview of the options open to you, and how you might be more selective about what types of MFA you could open or shut based upon classifications of work persona – more on those in the Passwordless series to come.