Unphishable mobile MFA through hardware keys

Image: weerapat1003/Adobe Stock (phishing attack on smartphone, tablet, and laptop computer)

Passwords are a mess, MFA can be more of a stopgap than a solution to phishing, and running your own public key infrastructure for certificates is a lot of work. The long-term goal is to move to passwordless credentials that can’t be phished.

“Passwords are a huge problem: A huge usability problem, and a huge management problem,” Alex Weinert, vice president of identity security at Microsoft, told TechRepublic. “There are different ways to get around the use of passwords, and the old fashioned way is to have a password anyway, but then back it up with something else.”

Unfortunately, due to social engineering, such a method is still insecure.

“Increasingly, we’re moving to phishing resistant credentials, because the problem with backing up a password with something else is that if someone guesses your password, they can trick you into approving the other part,” Weinert said.


The two multi-factor authentication options that count as phishing resistant are FIDO security keys, which include built-in biometric options like Windows Hello, and personal identity verification (PIV) and common access cards (CAC).

Updating certificates via ADFS is complicated and costly

Ironically, if you’re a security-aware organization in a regulated industry that already did the hard work of adopting the previous gold standard (smartcards that hold a security certificate and validate it against a certificate authority on your infrastructure), you might find yourself stuck running ADFS as you try to move to the new FIDO keys. This is especially true for companies with a BYOD policy.

Until recently, the only way to use PIV and CAC with Azure AD was to be running ADFS on your own infrastructure, federated with your certificate authority. Using ADFS as a server to sign SAML tokens means managing signing certificates.

“Managing certificates is hard, managing certificates securely is very hard and on-premises infrastructure is insanely hard to defend,” Weinert said. “If you’re going to do it, you want to be able to put a lot of resources into it.”

On-prem infrastructure is prone to attack

Not every organization has those resources available, and much of the push to move identity infrastructure to the cloud is because of how hard it is to keep it secure on your own servers. Weinert pointed to recent data breaches as an example.

“The breach is almost always coming from on-prem infrastructure,” he said. “In most environments, punching into the VPN is not that hard, because all I need is one user in that environment to click a bad link and get malware, and now I have command and control inside the VPN. From there, it’s relatively short work to do lateral movement into a server that is doing something important like validating certs or signing things.”

One recent attack put system level malware onto an ADFS server, allowing the attackers to wrap the process and intercept signatures, even though the organization was using an HSM. That was done by what Weinert calls a fairly sophisticated attacker.

“Now that they’ve done it, everybody will try,” he warned.

Mobile certificates and Azure AD

Windows Hello, FIDO tokens and passkeys give you the same strong authentication as server-based authentication without having to run a certificate infrastructure. Some organizations can’t make that move yet though.

“The long term goal is that we don’t have people managing their PKI at all, because it’s so much easier for them and it’s so much more secure” to have them managed in the cloud, Weinert said. “Running your own PKI is something that probably everyone wants to get away from, but nobody can get away from it instantly.”

Certificate-based authentication adds smartcard support to Azure AD, and now you can set a policy that requires phishing-resistant MFA for signing in to native and web-based apps on iOS and Android using FIDO security keys. This also works for the Microsoft Authenticator app on iOS and Android with a YubiKey, for signing in to apps that aren’t using the latest version of the Microsoft Authentication Library.

Using hardware keys lets teams provision certificates to remote workers, BYOD and other unmanaged devices, without having to move away from your existing infrastructure until you’re ready. You also get more confidence that the certificate is protected, because it never leaves the hardware protection of the security key: If you provision certificates directly on devices, you have to trust the PIN on the device, and setting a stricter PIN policy can be a big hit to user productivity.

Good security improves productivity

As well as organizations getting better security, employees get a better experience because they don’t have to make sure their mobile device connects often enough to have an up-to-date certificate, or deal with so many authentication prompts that they get MFA fatigue and just click yes on what might be a phishing attack. Using a certificate, on the phone or through a security key, means you don’t need to prompt the user at all.

Too many organizations think prompting users to sign in with MFA repeatedly every hour or two improves security. It does the opposite, Weinert warned.

“It’s counterproductive, and not just because it’s frustrating for the user,” he said. “Now you can’t use an interactive prompt as a security measure, because they’re going to say yes to it.”

He compared it to enforced password changes.

“At first glance it sounds like a good idea, but it’s actually the worst idea ever,” Weinert said. “Changing your password does nothing other than make it easier for an attacker to guess the next password or to guess the password you have now, because people are predictable.”

A hardware key is also more portable: If someone gets a new phone, or a first line worker signs on to a shared kiosk or gets issued a different device every day, they can use the token straight away.

Mobile Azure AD Certificate-Based Access is in public preview and initially it only works with YubiKey security keys that plug in to a USB port: Microsoft is planning to add NFC support, as well as more hardware providers.

It also fits in with other improvements in Azure AD you might find useful. If you already use a YubiKey to secure access to Active Directory and ADFS, the same certificate on the security key will now let you authenticate to resources protected by Azure AD like Azure Virtual Desktop.

Couple this with the new granular conditional access policies in Azure AD to choose which level of MFA is required for different apps. Now you can allow access to legacy applications that might not support FIDO with options like TOTP, without having to allow that for all applications.

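The per-app policy split described above (phishing-resistant MFA for sensitive apps, a weaker MFA level for a legacy app that can't use FIDO), written as an added example using the Microsoft Graph PowerShell SDK; it is not from the article or from Microsoft. The application and break-glass account IDs are placeholders, and the built-in authentication strength IDs are assumed from Microsoft's documented defaults, so the block lists them first so you can verify before use. Both policies are created in report-only mode so sign-in logs show the effect before anyone is blocked.

```powershell
# Added example (not the article's own content). Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Confirm the built-in authentication strength IDs before relying on them.
Get-MgPolicyAuthenticationStrengthPolicy | Select-Object DisplayName, Id, PolicyType

# Assumed built-in IDs: verify against the listing above.
$PhishingResistantMfa = "00000000-0000-0000-0000-000000000004"  # "Phishing-resistant MFA"
$AnyMfa               = "00000000-0000-0000-0000-000000000002"  # "Multifactor authentication" (allows TOTP)

# Placeholders: replace with your own object IDs.
$SensitiveApps   = @("<APP-ID-SENSITIVE-1>", "<APP-ID-SENSITIVE-2>")
$LegacyApps      = @("<APP-ID-LEGACY-NO-FIDO>")
$BreakGlassUsers = @("<BREAK-GLASS-ACCOUNT-OBJECT-ID>")

function New-StrengthPolicy {
    param([string]$Name, [string[]]$Apps, [string]$StrengthId)
    $body = @{
        displayName = $Name
        # Report-only first: evaluate impact in sign-in logs, then switch to "enabled".
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            users          = @{ includeUsers = @("All"); excludeUsers = $BreakGlassUsers }
            applications   = @{ includeApplications = $Apps }
            clientAppTypes = @("all")
        }
        grantControls = @{
            operator               = "OR"
            authenticationStrength = @{ id = $StrengthId }
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Sensitive apps: only FIDO2 keys, Windows Hello for Business or certificate-based auth satisfy this.
New-StrengthPolicy -Name "CA-Sensitive-PhishingResistantMFA" -Apps $SensitiveApps -StrengthId $PhishingResistantMfa

# Legacy app: any MFA method (including TOTP) is acceptable, scoped to this app only.
New-StrengthPolicy -Name "CA-Legacy-AnyMFA" -Apps $LegacyApps -StrengthId $AnyMfa
```

Keep at least one excluded break-glass account so a misconfigured strength cannot lock administrators out of the tenant.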
These are options that don’t force a false choice between productivity and security, Weinert notes.

“If you inhibit somebody’s productivity, as an organization or as a user, they will always choose productivity over security,” he said. “If you want people to have better security practices, what you need to do is actually make the secure way of doing things the productive way to do it.”
