Introduction
In a cloud environment, simple "username and password" authentication can be breached easily by cyber criminals. Many logins can be compromised in minutes, and then private data, such as personal and financial details, is under threat.
This leads us to add more authentication methods, to make breaching your account much more difficult.
An identity in Azure Active Directory can be protected by the following tools:
- MFA: Multi-Factor Authentication
- Conditional Access based on device, location or even IP address
- PIM: Privileged Identity Management
- Azure AD Identity Protection
What is MFA?
Multi-Factor Authentication (MFA) is the use of two or more independent authentication methods to identify a user when they request access to an application or service.
Types of MFA methods
Something you know:
- Password
- Personal Identification Number (PIN)
- Security question
Something you have:
- Smartphone
- Token
- Smart card / ID badge
Something you are:
- Fingerprint
- Retinal scan
- Voice pattern
With MFA, even if your password is stolen or your phone is lost, the chance of someone else also having your second-factor information is very low.
Risks of MFA
The world is not perfect. While MFA provides an extra security layer, it is still most often exploited through social engineering.
An attacker doesn't need to crack MFA when they can simply call a support line, pretend to be you, and get your password reset.
Some MFA services that use SMS can be vulnerable if your phone is compromised: there are types of malware, distributed to a person's phone through a malicious link, that intercept SMS messages such as a one-time passcode and forward them directly to the attacker.
Anyhow: as mentioned above, MFA provides an extra layer to secure your account, but advanced scenarios still need more actions, which will be discussed in later networks pioneers articles.
Available authentication methods in MFA
When a user signs in to an application or service and receives an MFA prompt, they can choose one of their registered forms of additional verification.
- An administrator can require registration of these Azure AD Multi-Factor Authentication verification methods,
- or the user can open their own profile to edit or add verification methods.
The following additional forms of verification can be used with Azure AD Multi-Factor Authentication:
- Microsoft Authenticator app
- OATH hardware token
- SMS
- Voice call
In the next article we will discuss how to configure and use these authentication methods. Please stay tuned.
When we have to force the use of MFA
Conditional Access policies (which will be fully discussed in the next articles) can be configured to enforce MFA registration at first sign-in, in the following cases:
- Leaked credentials
- Sign-ins from anonymous IP addresses
- Impossible travel to atypical locations
- Sign-ins from unfamiliar locations
- Sign-ins from infected devices
- Sign-ins from IP addresses with suspicious activity
Some of the risk detections raised by Azure Active Directory Identity Protection occur in real time and some require offline processing.
Administrators can choose to:
- block users who exhibit risky behaviour and remediate manually,
- require a password change,
- or require multi-factor authentication as part of their Conditional Access policies.
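As an added example (not from the original article), here is how the risk-based choices above are expressed as Conditional Access policies with the Microsoft Graph PowerShell SDK: one policy requires MFA for medium/high sign-in risk, the other requires a password change (which Graph only accepts together with MFA, joined by AND) for high user risk. The break-glass account ID is a placeholder, and both policies are created in report-only mode so the sign-in log can be reviewed before enforcing them.

```powershell
# Requires the Microsoft.Graph.Identity.SignIns module (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of your emergency-access account, excluded from both policies.
$breakGlassId = "<break-glass-account-object-id>"

# Policy 1: risky sign-in (medium or high) -> require MFA.
$signInRiskPolicy = @{
    displayName   = "CA - Require MFA for medium/high sign-in risk"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions    = @{
        users            = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications     = @{ includeApplications = @("All") }
        clientAppTypes   = @("all")
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Policy 2: high user risk (for example leaked credentials) -> require password change.
# Graph rejects "passwordChange" unless it is combined with "mfa" using operator AND.
$userRiskPolicy = @{
    displayName   = "CA - Require password change for high user risk"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        userRiskLevels = @("high")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "passwordChange")
    }
}

foreach ($policy in @($signInRiskPolicy, $userRiskPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy -ErrorAction Stop
    "Created '{0}' (id {1}, state {2})" -f $created.DisplayName, $created.Id, $created.State
}
```

Sign-ins that would have been affected show up in the Azure AD sign-in log under the report-only tab, which is the place to check for unexpected matches before changing the state to "enabled".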
MFA recommendations
To give your users the right balance between security and ease of use, we recommend the following configurations:
If you have Azure AD Premium:
- Enable single sign-on (SSO) across applications using managed devices or Seamless SSO.
- If re-authentication is required, use a Conditional Access sign-in frequency policy.
- For users that sign in from non-managed devices or in mobile device scenarios, use Conditional Access to enable persistent browser sessions and sign-in frequency policies.
If you have Microsoft 365 licenses or the free Azure AD:
- Enable single sign-on (SSO) across applications using managed devices or Seamless SSO.
- Keep the "Remain signed in" option enabled and guide your users to accept it.
For mobile device scenarios:
- Make sure your users use the Microsoft Authenticator app. This app acts as a broker for other Azure AD federated apps and reduces authentication prompts on the device.
To optimize the frequency of authentication prompts for your users:
- You can configure Azure AD session lifetime options.
- Understand the needs of your business and users, and configure settings that provide the best balance for your environment.
Managed devices
- Devices joined to Azure AD using Azure AD Join or Hybrid Azure AD Join receive a Primary Refresh Token (PRT) to use single sign-on (SSO) across applications. The PRT lets a user sign in once on the device and allows IT staff to make sure that standards for security and compliance are met.
- If a user needs to be asked to sign in more frequently on a joined device for some apps or scenarios, this can be achieved using Conditional Access sign-in frequency.
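As an added example, not from the original article, the non-managed-device recommendation above as a Conditional Access policy created with the Microsoft Graph PowerShell SDK: browser sign-ins from devices that are neither compliant nor Hybrid Azure AD joined get a persistent browser session plus a one-day sign-in frequency, while managed devices keep their PRT-based SSO untouched. The device filter rule, the one-day value and the break-glass account ID are assumptions to adjust for your environment.

```powershell
# Requires the Microsoft.Graph.Identity.SignIns module (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of your emergency-access account.
$breakGlassId = "<break-glass-account-object-id>"

$unmanagedSessionPolicy = @{
    displayName     = "CA - Session controls for unmanaged browser sign-ins"
    state           = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions      = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }   # persistent browser needs all apps
        clientAppTypes = @("browser")
        # Assumed device filter: devices that are not compliant and not Hybrid Azure AD
        # joined (trustType "ServerAD"); negative operators also match unregistered devices.
        devices        = @{
            deviceFilter = @{
                mode = "include"
                rule = 'device.isCompliant -ne True -and device.trustType -ne "ServerAD"'
            }
        }
    }
    sessionControls = @{
        # Let the session survive a browser close so users are not prompted constantly...
        persistentBrowser = @{ isEnabled = $true; mode = "always" }
        # ...but force a fresh sign-in, including the second factor, at least once a day.
        signInFrequency   = @{
            isEnabled          = $true
            value              = 1
            type               = "days"
            frequencyInterval  = "timeBased"
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $unmanagedSessionPolicy -ErrorAction Stop
"Created '{0}' (id {1}, state {2})" -f $created.DisplayName, $created.Id, $created.State

# Read the stored policy back to confirm the session controls were accepted as written.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object -ExpandProperty SessionControls
```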
Conclusion
This article covered the theoretical side of MFA. In the next article we will see how to configure MFA in Azure AD and how users will use it. Please stay tuned.