Microsoft’s multifactor authentication ranking – the good, the bad and the passwordless

Microsoft’s multifactor authentication ranking – the good, the bad and the passwordless

As organisations handle more data, accessible from ever more locations and endpoints, it’s imperative that you secure your assets. Microsoft‘s multifactor authentication ranking can help you understand which types of protection are most effective. In this blog, Daniel Seal, Technical Architect, talks through your business multifactor authentication options, from bad to best.  

For organisations and business, multifactor authentication (MFA) has massively increased security for organisations needing to secure the identities that exist within their organisation; this in turn has led to more methods of circumventing these protections.

As passwords are easy to compromise, Microsoft has been looking into providing secure authentication options to move towards more passwordless access and in future entirely eliminate passwords.

The message from Microsoft is that not all MFA is created equal. There are many different vulnerabilities and types of attacks which can compromise identities. Microsoft has listed the methods of authentication out, ranking them from what is considered bad to the best:

Microsoft’s multifactor authentication methods ranking (source: Plan an Azure Active Directory Multi-Factor Authentication deployment)

Microsoft’s multifactor authentication methods ranking (source: Plan an Azure Active Directory Multi-Factor Authentication deployment)

 

Bad – passwords only 

Passwords on their own are an incredibly weak form of authentication. Currently across all organisations it’s typical for passwords to be the only factor of authentication. The trouble with passwords is that people use the same one for multiple services, work and personal, meaning that just one compromised account or password could lead to that users’ credentials being hacked across these. Users may have a compromised account and may not even know it, meaning they still use these passwords for new services. 

Some organisations ask users to change their passwords frequently. In a perfect world, this would mean that each time a password changed, it’d be unique, but users are human and want to make their lives easier. As such, they use simple and predictable variations on passwords they have used before. They also use the same core words across their work and personal lives. Users may also write down or insecurely store passwords as it becomes troublesome to remember the new password after a few iterations.  

The need to type in a password frequently across different services also means that attackers have more opportunity to compromise the password for use in an attack later or intercept this request on the device.  

To prevent against the vulnerabilities of using just a password, another factor of authentication must be introduced. 

 

Good – password and SMS/voice 

Only 22% to 27% of Azure Active Directory accounts have enabled Azure MFA at all, and it is estimated that only 10% of enterprise customers are using it.  

All security guidance agrees that regardless of the method, any MFA is better than passwords on their own. In fact, once multifactor is in place the rate of compromise of accounts using any type of MFA is less than 0.1%. 

However, both SMS and voice do not use encryption to transmit the request, meaning any interception will expose the credential. There is also a performance impact of relying on the telecoms providers to process the request.  

SMS and voice can only carry a limited amount of information for a user. This doesn’t show the full context of why the code has been sent to a user and can be the subject of ‘hammering’ attacks. This is improved upon with the Microsoft Authenticator app.  

SMS also has a vulnerability of SIM swapping, where an attacker can gain access to a replacement SIM and intercept the messages.  

 

Better – password and token/push notifications 

A better approach is to use Microsoft Authenticator, Software Tokens and soon, Hardware Tokens. Authenticator is the most popular of these options and has a few key benefits over SMS/phone. 

Authenticators are tied to the device registered, rather than the SIM, which means they are not susceptible to SIM swap attacks. However, the simple approve/deny prompt instead of SMS introduces a new threat: MFA fatigue. 

Recently identified as an attack path, MFA fatigue is where a compromised account (Password/User) keeps being prompted for approval till the user hits approve. 

Microsoft is introduced measures to combat MFA fatigue, while giving more context to users in the Authenticator app, such as number and location/application matching. 

Meta description: screenshot of number matching feature in Microsoft authenticator

 

Instead of the typical approve/deny message, users are prompted to match the number presented at login, meaning anyone trying to compromise an account would need to contact the user to type the number in. This feature will be enabled by default on 27th February 2023, so users should be aware that this will be changing if they currently use Authenticator.  

Location/application 

Along with number matching, Microsoft are also introducing location/application matching.

Screenshot of location/application matching feature on mobile

This tells the user the application, and where the request is coming from.   

Best – passwordless 

There are two main methods for compromising MFA; real-time phishing attacks and channel jacking. 

Real-time phishing involves a machine in the middle approach, by bringing a user to an attacker-controlled (or compromised) machine and relaying that request to again access.  

Channel jacking involves taking over the communication channel used by the authentication method, being email, text, push notifications or voice calls.  

The best methods of authentication are designed to protect against both real-time phishing and channel jacking, and to even eliminate the worst part of security: passwords.  

With passwordless options, the major vulnerability for is ’shoulder surfing’, and this usually involves losing a device that the user will notice is missing. 

The three main passwordless phish-resistant options are Windows Hello for Business, smart cards and FIDO2 keys. These methods use a mutually validated process to exchange keys at registration. The identity provider remembers a public key (no secret stored) which it uses to validate that it’s seeing the same token that was registered. Importantly, both registration and use are bound to the hardware that the login is being attempted from. 

This generally means that the attacker needs to steal the PC, the FIDO2 Key, the smart card or a combination of all of them, depending on how conditional access is configured. They must also know the associated unlock code or biometric associated with these methods. 

Even though it’s called passwordless, all the technologies listed include multiple factors to authenticate users. They all include the components of something you have, being the hardware, and either something you are (biometrics) or know (PIN).  

Microsoft can now restrict access based on the authentication method used. his gives organisations the option to restrict access to their most critical apps with more secure authentication and to move users fully to phishing-resistant authentication, enhancing the organisation’s security position. 

These options are not limited to internal users, you can require a base level of security for guest accounts to ensure they are using strong multifactor options. 

There are also Azure MFA developments in adopting passwordless technology with Azure Virtual Desktop, enabling Windows Hello for Business and FIDO2 keys, that are currently in public preview. 

MFA Passwordless MFA Phishing-resistant MFA
Combinations of methods that satisfy strong authentication, such as password + SMS Passwordless methods that satisfy strong authentication, such as Microsoft Authenticator Phishing-resistant passwordless methods for the strongest authentication, such as FIDO2 security key

 

 

Need help securing your user identities?

Content+Cloud has several offerings and subject matter expertise aimed at improving your identity security, through stronger authentication options like enabling MFA, starting the journey into passwordless authentication, and even a full security review to build your cloud security roadmap.

 

Further reading  

All your creds are belong to us! Microsoft Community Hub  

Plan an Azure Active Directory Multi-Factor Authentication deployment. Microsoft Learn  

How to use number matching in multifactor authentication (MFA) notifications – Authentication methods policy. Microsoft Learn  

Supported identities and authentication methods. Microsoft Learn 

Related Content