Unphishable mobile MFA through hardware keys
Passwords are a mess, MFA can be more of a stopgap than a solution to phishing and running your own public key infrastructure for certificates is a lot of work. The long-term goal is to move to passwordless credentials that can’t be phished.
“Passwords are a huge problem: A huge usability problem, and a huge management problem,” Alex Weinert, vice president of identity security at Microsoft, told TechRepublic. “There are different ways to get around the use of passwords, and the old fashioned way is to have a password anyway, but then back it up with something else.”
Unfortunately, due to social engineering, such a method is still insecure.
“Increasingly, we’re moving to phishing resistant credentials, because the problem with backing up a password with something else is that if someone guesses your password, they can trick you into approving the other part,” Weinert said.
SEE: Mobile device security policy (TechRepublic Premium)
The two multi-factor authentication options that count as phishing resistant are FIDO security keys, which includes built-in biometric options like Windows Hello, and personal identity verification and common access cards.
Jump to:
Updating certificates via ADFS is complicated and costly
Ironically, if you’re a security-aware organization in a regulated industry that already did the hard work of adopting the previous gold standard — smartcards that hold a security certificate and validate it against a certificate authority on your infrastructure — you might find yourself stuck running ADFS as you try to move to the new FIDO keys. This is especially true for companies with a BYOD policy.
Until recently, the only way to use PIV and CAC with Azure AD was to be running ADFS on your own infrastructure, federated with your certificate authority. Using ADFS as a server to sign SAML tokens means managing signing certificates.
“Managing certificates is hard, managing certificates securely is very hard and on-premises infrastructure is insanely hard to defend,” Weinert said. “If you’re going to do it, you want to be able to put a lot of resources into it.”
On-prem infrastructure is prone to attack
Not every organization has those resources available, and much of the push to move identity infrastructure to the cloud is because of how hard it is to keep it secure on your own servers. Weinert pointed to recent data breaches as an example.
“The breach is almost always coming from on-prem infrastructure,” he said. “In most environments, punching into the VPN is not that hard, because all I need is one user in that environment to click a bad link and get malware, and now I have command and control inside the VPN. From there, it’s relatively short work to do lateral movement into a server that is doing something important like validating certs or signing things.”
One recent attack put system level malware onto an ADFS server, allowing the attackers to wrap the process and intercept signatures, even though the organization was using an HSM. That was done by what Weinert calls a fairly sophisticated attacker.
“Now that they’ve done it, everybody will try,” he warned.
Mobile certificates and Azure AD
Windows Hello, FIDO tokens and passkeys give you the same strong authentication as server-based authentication without having to run a certificate infrastructure. Some organizations can’t make that move yet though.
“The long term goal is that we don’t have people managing their PKI at all, because it’s so much easier for them and it’s so much more secure” to have them managed in the cloud, Weinert said. “Running your own PKI is something that probably everyone wants to get away from, but nobody can get away from it instantly.”
Certificate-based authentication in Azure AD adds smartcard support to Azure AD, and now you can set a policy that requires phishing-resistant MFA for signing in to native and web-based apps on iOS and Android using FIDO security keys. This also works for the Microsoft Authenticator app on iOS and Android with a YubiKey for signing in to apps that aren’t using the latest version of the Microsoft Authentication Library.
Using hardware keys lets teams provision certificates to remote workers, BYOD and other unmanaged devices — without having to move away from your existing infrastructure until you’re ready. You also get more confidence that the certificate is protected, because it never leaves the hardware protection of the security key: If you provision certificates directly on devices, you have to trust the PIN on the device, and setting a stricter PIN policy can be a big hit to user productivity.
Good security improves productivity
As well as organizations getting better security, employees get a better experience because they don’t have to make sure their mobile device connects often enough to have an up-to-date certificate or deal with so many authentication prompts that they get MFA fatigue and just click yes on what might be a phishing attack. Using a certificate — on the phone or through a security key — means you don’t need to prompt the user at all.
Too many organizations think prompting users to sign in with MFA repeatedly every hour or two improves security. It does the opposite, Weinert warned.
“It’s counterproductive, and not just because it’s frustrating for the user,” he said. “Now you can’t use an interactive prompt as a security measure, because they’re going to say yes to it.”
He compared it to enforced password changes.
“At first glance it sounds like a good idea, but it’s actually the worst idea ever,” Weinert said. “Changing your password does nothing other than make it easier for an attacker to guess the next password or to guess the password you have now, because people are predictable.”
A hardware key is also more portable: If someone gets a new phone — or a first line worker signs on to a shared kiosk or gets issued a different device every day — they can use the token straight away.
Mobile Azure AD Certificate-Based Access is in public preview and initially it only works with YubiKey security keys that plug in to a USB port: Microsoft is planning to add NFC support, as well as more hardware providers.
It also fits in with other improvements in Azure AD you might find useful. If you already use a YubiKey to secure access to Active Directory and ADFS, the same certificate on the security key will now let you authenticate to resources protected by Azure AD like Azure Virtual Desktop.
Couple this with the new granular conditional access policies in Azure AD to choose which level of MFA is required for different apps. Now you can allow access to legacy applications that might not support FIDO with options like TOTP without having to allow that for all applications.
These are options that don’t force a false choice between productivity and security, Weinert notes.
“If you inhibit somebody’s productivity, as an organization or as a user, they will always choose productivity over security,” he said. “If you want people to have better security practices, what you need to do is actually make the secure way of doing things the productive way to do it.”