On 17 Aug 2020
Nowadays a secure password doesn’t necessarily mean your account is safe.
Data breaches happen almost daily, and often (insecure) password hashes or even blank passwords are exposed to the public or can be purchased on the dark web. And even secure passwords are still a problem in 2020.
Essentially, identity protection by password is a failing concept, as passwords get re-used very often while more and more services require user identification – even newspapers! FIDO2 is a project by the FIDO Alliance and the World Wide Web Consortium (W3C) to substantially enhance the security of web application authentication. FIDO2 offers a comprehensive solution to this problem as it is
- more convenient: a single push of a button or a fingerprint read
- more secure: identity theft becomes a relic of the past and
- there is no need for a central identity provider (like Google, Facebook, etc) that the world has to trust.
Especially in times where working from home becomes essential for businesses around the globe, more companies are using cloud-based services like Google Docs or Microsoft Office 365. In this case, identity protection is highly relevant, as there is no network border (like firewalls or physical networks) that serves as an additional layer against data theft or manipulation in case of identity theft.
Two-factor authentication (2FA) helps companies stay secure: with 2FA it is harder for an attacker to take over accounts, even if the attacker knows the password. Still, some 2FA solutions, like the typical mobile authenticator apps (or tokens) that usually implement TOTP, are vulnerable to phishing.
In contrast to that, FIDO2 gives companies and users a highly secure option for passwordless login or 2FA – both have very few realistic attack vectors. One would be stealing a physical device or compromising the security of the client – but as a decent security advisor, we would also like to mention that other attack options exist. FIDO2 is also a quite cost-effective solution, as most mobile phones (all Android 7 and Apple mobiles) as well as all modern Windows PCs (TPM ready) or OSX PCs already come with integrated FIDO2 capabilities; USB FIDO2 keys are on the market for as little as €10.
The following guide gives administrators and users the required settings to enable FIDO2 protection – but it is by no means a complete explanation of FIDO2.
1.1. Microsoft/AD Account Protection
With the public preview of FIDO2 security key support in Azure AD, FIDO2 security keys can now be used to enhance the security of AD accounts. FIDO2 keys can be used for passwordless login, or in combination with 2FA (called Multi-Factor Authentication – MFA – in this context) they raise user authentication for Microsoft services to a new level. Meanwhile, it is easy to configure for admins as well as for the end user.
To enable FIDO2 key support and enhance the security with MFA, the following steps are needed.
1. Open https://portal.azure.com/ and sign in as a global administrator.
2. Browse to Azure Active Directory > Security > Authentication methods.
3. Select “FIDO2 Security Key”.
4. Set Enable to “Yes” in the “FIDO2 Security Key settings” panel at the bottom of the page.
5. Save the changes by clicking on the “Save” button.
6. Click on the blue banner with the text: Click here to enable users for the enhanced registration preview.
7. Set “Users can use preview features for registering and managing security info – enhanced” to “All” and click on the save button.
Now users can register their security token.
- Open https://aka.ms/MFASetup and log in with your Microsoft account.
- If no alternative method besides “Security Key” is configured, you first need to add one:
a. Click on “Add method” and select “Authenticator App” or “Phone”. (Microsoft requires an authenticator app to be set up first; only then can a FIDO token be added.)
b. Follow the setup.
- Now that an alternative method is configured, we can add the Security Key.
- Click on “Add method” and select “Security Key”.
- Select “Next” and confirm with your first 2FA method.
- Choose your Security Key type and connect it to your PC.
- Set up a PIN.
Demo login using passwordless authentication:
1. Use different login options
2. Choose security key
3. Enter PIN of key (or use fingerprint/camera for other tokens) – this is called “user verification” in the FIDO domain
4. Touch your Key (user presence verification)
5. You are logged in – Please note you never entered a password or even a username!
6. You can add further authenticators or keys.
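The two prompts in the demo login above (PIN for “user verification”, touch for “user presence”) end up as two flag bits in the authenticator data that the key signs, and the origin that the browser writes into the client data is what makes a FIDO2 login resistant to the phishing that TOTP codes fall to. The following Python script is an added example and not code from the article, Microsoft or the FIDO Alliance: it shows the checks a relying party performs on those two structures. The relying-party ID, origin, challenge and all authenticator data are constructed inline for the example; signature verification over the data is out of scope here.

```python
import base64
import hashlib
import json
from dataclasses import dataclass

# Constructed relying-party values for this example (not taken from the article).
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"

# Flag bits of the WebAuthn authenticator data "flags" byte.
FLAG_UP = 0x01  # user presence: the key was touched
FLAG_UV = 0x04  # user verification: PIN or biometric checked on the authenticator itself


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_authenticator_data(auth_data: bytes) -> AuthData:
    """Split the fixed prefix of WebAuthn authenticator data:
    rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | optional extensions."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    return AuthData(auth_data[:32], auth_data[32], int.from_bytes(auth_data[33:37], "big"))


def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: str,
                     require_uv: bool, last_sign_count: int) -> list:
    """Return the names of the failed checks; an empty list means the assertion passes.
    require_uv=True is what a passwordless login needs (PIN/biometric on the key);
    for a plain second factor, user presence (a touch) is enough."""
    problems = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        problems.append("type")
    if cd.get("challenge") != expected_challenge:
        problems.append("challenge")
    # Origin binding: the browser, not the user, fills in the origin, so a credential
    # used on a look-alike site never produces an assertion that the real site accepts.
    if cd.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin")
    ad = parse_authenticator_data(auth_data)
    if ad.rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("rpIdHash")
    if not ad.flags & FLAG_UP:
        problems.append("user-presence")
    if require_uv and not ad.flags & FLAG_UV:
        problems.append("user-verification")
    # A signature counter that did not increase can indicate a cloned authenticator.
    if ad.sign_count != 0 and ad.sign_count <= last_sign_count:
        problems.append("sign-count")
    return problems


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build constructed authenticator data for the samples below (not captured from a real key)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def make_client_data(origin: str, challenge: str) -> bytes:
    """Build constructed clientDataJSON as a browser would for navigator.credentials.get()."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


# Constructed server challenge (base64url without padding, as in clientDataJSON).
CHALLENGE = base64.urlsafe_b64encode(b"constructed-challenge-0001").rstrip(b"=").decode()

if __name__ == "__main__":
    # Genuine passwordless login: correct origin, PIN verified, key touched, counter advanced.
    print(verify_assertion(make_client_data(EXPECTED_ORIGIN, CHALLENGE),
                           make_auth_data(RP_ID, FLAG_UP | FLAG_UV, 42), CHALLENGE, True, 41))
    # Same key used on a look-alike domain: origin and rpIdHash no longer match.
    print(verify_assertion(make_client_data("https://login-example.com", CHALLENGE),
                           make_auth_data("login-example.com", FLAG_UP | FLAG_UV, 1), CHALLENGE, True, 0))
    # Touch only, but the relying party demanded user verification for passwordless login.
    print(verify_assertion(make_client_data(EXPECTED_ORIGIN, CHALLENGE),
                           make_auth_data(RP_ID, FLAG_UP, 5), CHALLENGE, True, 4))
```

The second case is the whole phishing argument in one check: the look-alike site can relay a TOTP code unchanged, but it cannot produce a client data origin or an rpIdHash for the real site, so the assertion is rejected without the user having to notice anything.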
To enforce Multi-Factor Authentication (=2FA) in the free version of Azure AD, you need to enable the Security defaults.
Attention: enabling Security defaults blocks all authentication requests made by older protocols like Exchange ActiveSync basic authentication.
1. Browse to Azure Active Directory > Properties
2. Click on “Manage Security Defaults”
3. Enable the Security defaults and save the changes
After their next login to the AD account, users have 14 days to register their MFA device.
To get finer control over the Multi-Factor settings, you need Azure AD Premium P1 or above to create a Conditional Access policy. In the policy, you can enable MFA for all users or only for specific users or groups. The following steps, from the Microsoft Docs (link below), show how to create the needed policy:
1. Browse to Azure Active Directory > Security > Conditional Access.
2. Select New policy.
3. Give your policy a meaningful name.
4. Under Assignments, select Users and groups.
a. Under Include, select All users.
b. Under Exclude, select Users and groups and choose your organization’s emergency access or break-glass accounts.
c. Select Done.
5. Under Cloud apps or actions > Include, select All cloud apps.
a. Under Exclude, select any applications that do not require multi-factor authentication.
6. Under Access controls > Grant, select Grant access, Require multi-factor authentication, and choose Select.
7. Confirm your settings and set Enable policy to On.
8. Select Create to enable your policy.
Conditional Access: Require MFA for all users – https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa
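Both portal procedures in this guide, enabling the FIDO2 authentication method and the all-users MFA Conditional Access policy, map onto Microsoft Graph API objects, which is the practical route once more than one tenant has to be configured the same way. The following Python script is an added example, not code from the article or from Microsoft's documentation: it builds the two request bodies and lints the Conditional Access policy for the one mistake that locks administrators out of a tenant, an all-users MFA policy with no break-glass exclusion. The endpoint paths, payload field names and permission names are what I know of the Graph v1.0 API and are assumptions; the break-glass account ID is a constructed placeholder, and nothing is sent unless `graph_request` is called with a real token.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed placeholder; in a real tenant this is the object ID of the emergency access account.
BREAK_GLASS_ACCOUNT_IDS = ["00000000-0000-0000-0000-000000000000"]


def fido2_method_config(enabled: bool = True) -> dict:
    """Body for PATCH /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2.
    Assumed Graph schema: the portal's "Enable: Yes" corresponds to state "enabled", and the
    all_users target makes the method available to everyone without forcing registration."""
    return {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "state": "enabled" if enabled else "disabled",
        "isSelfServiceRegistrationEnabled": True,
        "includeTargets": [
            {"targetType": "group", "id": "all_users", "isRegistrationRequired": False}
        ],
    }


def mfa_for_all_users_policy(break_glass_ids, excluded_app_ids=(), enforce: bool = True) -> dict:
    """Body for POST /identity/conditionalAccess/policies (assumed Graph schema), mirroring the
    portal steps: all users minus break-glass accounts, all cloud apps minus exclusions, grant
    access only with MFA. enforce=False creates it in report-only mode for a dry run."""
    return {
        "displayName": "Require MFA for all users",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {
                "includeApplications": ["All"],
                "excludeApplications": list(excluded_app_ids),
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def lint_policy(policy: dict) -> list:
    """Sanity checks to run before the POST; returns the names of the failed checks."""
    findings = []
    users = policy["conditions"]["users"]
    if users.get("includeUsers") != ["All"]:
        findings.append("scope-not-all-users")
    if not users.get("excludeUsers"):
        findings.append("no-break-glass-exclusion")
    if "mfa" not in policy["grantControls"].get("builtInControls", []):
        findings.append("mfa-not-required")
    if policy["state"] not in ("enabled", "enabledForReportingButNotEnforced"):
        findings.append("policy-not-active")
    return findings


def graph_request(method: str, path: str, body: dict, token: str) -> dict:
    """Send one Graph call. The token needs Policy.ReadWrite.AuthenticationMethod for the FIDO2
    method and Policy.ReadWrite.ConditionalAccess for the policy (assumed permission names).
    A 204 response (typical for PATCH) has no body, hence the fallback to an empty object."""
    req = urllib.request.Request(
        GRAPH + path,
        data=json.dumps(body).encode(),
        method=method,
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")


if __name__ == "__main__":
    policy = mfa_for_all_users_policy(BREAK_GLASS_ACCOUNT_IDS)
    print(lint_policy(policy))                          # []
    print(lint_policy(mfa_for_all_users_policy([])))    # ['no-break-glass-exclusion']
    print(json.dumps(fido2_method_config(), indent=2))
    # To apply, with an access token obtained out of band:
    # graph_request("PATCH", "/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2",
    #               fido2_method_config(), token)
    # graph_request("POST", "/identity/conditionalAccess/policies", policy, token)
```

Creating the policy first with `enforce=False` and reading the sign-in logs for a few days before switching it to `enabled` is the Graph equivalent of the portal's report-only mode and avoids surprising users of the legacy protocols mentioned under Security defaults.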
Setting up the required Microsoft Azure configuration options to get FIDO2-based two-factor authentication (2FA) up and running is only one of many ways to increase your IT security. If you are interested in web application penetration testing in general, you might also like this article about pen testing and its benefits: Pentesting: Benefits, Legal Compliance and Costs.
About the author
Andreas Kolbeck | Associate Security Consultant | SEC Consult Group