FIDO2 for Microsoft Online Accounts / Azure AD

vulnerability

Nowadays a secure password doesn’t necessarily mean your account is safe.

 

Data breaches happen almost on a daily basis and often (insecure) password hashes or even blank passwords are exposed to the public or can be purchased on the dark web. And even secure passwords are still a problem in 2020.

Fido2 English Words Patchwork main pic - SEC Consult

Essentially identity protection by password is a failing concept as passwords get re-used very often as more and more services require user identification – even for newspapers! FIDO2 is a project by the FIDO Alliance and the World Wide Web Consortium (W3C) to substantially enhance the security of web application authentication. FIDO2 offers a comprehensive solution to this problem as it is

  1. more convenient: a single push of a button or a fingerprint read
  2. more secure: identity theft becomes a relic of the past and
  3. there is no need for a central identity provider (like Google, Facebook, etc) that the world has to trust.

Especially in times, where the need for working from home becomes essential for businesses around the globe more companies are using cloud-based services like Google Docs or Microsoft Office 365. In this case, Identity protection is highly relevant as there is no networking border (like firewalls or physical networks) that serves as an additional layer for data theft/manipulation in case of identity theft.

2-Factor Authentication (2FA) can help to keep companies to stay secure, with 2FA it is harder for an attacker to steal accounts, even if the attacker knows the password. Still, some 2FA solutions like the typical mobile Authenticator apps (or Tokens) which usually implement TOTP are still vulnerable to phishing.

In contrast to that FIDO2 gives companies and users a highly secure option for a passwordless login or 2FA – both have very few realistic attack vectors. One would be stealing a physical device or compromising the security of the client – but as a decent security advisor, we would also like to mention other attack options. FIDO2 is also a quite cost-effective solution as most mobile phones (all Android 7 and Apple mobiles) as well as all modern Windows PCs (TPM ready) or OSX PCs come already with integrated FIDO2 capabilities; USB FIDO2 keys are on the market for as little as €10.

The following guide gives administrators and users the required settings to enable FIDO2 protection – but is by far no complete FIDO2 Explanation.

1.1. Microsoft/Ad Account Protection

FIDO2 Security Key screen - SEC Consult

With the public preview of Azure AD, FIDO2 security keys can now be used to enhance the security of AD accounts. FIDO2 Keys can be used for passwordless login or in combination with 2FA (called Multi-Factor Authentication – MFA – in this context) it brings user authentication into Microsoft services to new heights. Meanwhile, it is easy to configure for admins as well as the end-user.

The FIDO2 and MFA are easy to configure and supports Azure AD as well as Hybrid-joined AD accounts.

To enable FIDO2 Keys support and enhance the security with MFA the following steps are needed.

1. Open https://portal.azure.com/ and sign in as a global administrator.

2. Browse to Azure Active Directory > Security > Authentication methods.

3. Select “FIDO2 Security Key”

Saving change screen - SEC Consult

4. Set Enable to “Yes” in the “FIDO2 Security Key settings” panel at the bottom of the page.

5. Save the changes by clicking on the “Save” Button.

Enhanced registration preview screen - SEC Consult

6. Click on the blue banner with the text: Click here to enable users for the enhanced registration preview.

Saving enhanced registration setting screen - SEC Consult

7. Set “Users can use preview features for registering and managing security info – enhanced” to “All” and click on the save Button

Login options screen - SEC Consult

Now users can register their security token.

  1. Open https://aka.ms/MFASetup and login with your Microsoft account.
  2. If no alternative method besides “Security Key” is configured we need to first add one.
    a. Click on “Add method” and select “Authenticator App” or “Phone”. (Microsoft requires to first set up an authenticator app only then adding a FIDO token is possible)
    b. Follow the setup.
  3. Now that an alternative method is configured. We can add the Security Key.
  4. Click on “Add method” and select “Security Key”.
  5. Select “Next” and confirm your first 2FA method.
  6. Choose your Security Key type and connect it with your PC.
  7. Setup a pin.
  8. Finish.

Demo login using passwordless authentication:

1. Use different login options

2. Choose security key

Choosing security key screen - SEC Consult

3. Enter PIN of key (or use fingerprint/camera for other tokens) – this is called “user verification” in the FIDO domain

Enter pin screen - SEC Consult

4. Touch your Key (user presence verification)

Security Key Verification screen - SEC Consult

5. You are logged in – Please note you never entered a password or even a username!

Successful Login screen - SEC Consult

6. You can add further authenticators or keys.

Adding authentificators screen - SEC Consult
Managing Security Defaults screen - SEC Consult

To enforce Multi-Factor Authentication (=2FA) in the free version of Azure AD you need to enable the Security defaults.

Attention, enabling Security defaults blocks all authentication requests made by older protocols like Exchange Active Sync basic authentication.

1. Browse to Azure Active Directory > Properties

2. Click on “Manage Security Defaults”

3. Enable the Security defaults and save the changes

Enabling Security Defaults screen - SEC Consult
Selecting New policy screen - SEC Consult

After their re-login to the AD account, users have 14 days to register their MFA device.

To get a finer control about the Multi-Factor Settings you need Azure AD Premium P1 or above to create a conditional policy. In the policy, you can enable MFA for all users, only for specific user or groups. The following steps, from the Microsoft Docs (link below), show how to create the needed policy:

1. Browse to Azure Active Directory > Security > Conditional Access.

2. Select New policy.

3. Give your policy a meaningful name.

Naming wisely the policy screen - SEC Consult

a. Under Assignments, select Users and groups
b. Under Include, select All users

Successful User Exclusion screen - SEC Consult

b. Under Exclude, select Users and groups and choose your organization’s emergency access or break-glass accounts.
c. Select Done.

5. Under Cloud apps or actions > Include, select All cloud apps

Selecting Cloud Apps screen - SEC Consult

a. Under Exclude, select any applications that do not require multi-factor authentication.

Applications that do not require multi-factor authentication screen - SEC Consult

6. Under Access controls > Grant, select Grant access, Require multi-factor authentication, and choose Select

Selecting Grant Access screen - SEC Consult
Creating a new policy screen - SEC Consult

7. Confirm your settings and set Enable policy to On.
8. Select Create to create to enable your policy

Recommended Reading

MFA Licensing – https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-licensing

Security Defaults – https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

Conditional Access: Require MFA for all users – https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa

Setting up the required Microsoft Azure configuration options to get FIDO2 based two factor authentications (2FA) up and running is only one of many ways to increase your IT security. If you are interested in web application penetration testing in general, you might also like the this article about pen testing an its benefits: Pentesting: Benefits, Legal Compliance and Costs.

About the author

Andreas Kolbeck
SEC Consult Group
Associate Security Consultant

Andreas is a student majoring IT-Security and works at SEC Consult for over a year now. He is especially interested in second-factor authentication with security-tokens and actively uses them for years. As a Security Consultant, he has a lot of experience with the penetration testing of web applications and other systems. Currently, he is preparing for his OSCP.