Microsoft has closed an important security gap in its Azure Active Directory multi-factor authentication setup procedure that an attacker could use to register their own device when a user is registering for the first time.
Major authentication service providers like Microsoft and Google are encouraging users and enterprise to adopt two-factor or multi-factor authentication, with both firms arguing that it’s the best protection available against credential phishing attacks.
Microsoft’s own security team recently even urged large enterprise to enforce MFA and remove passwords altogether because of the difficulties people have remembering complex passwords and password reuse.
Due to user behavior, Microsoft is also considering removing forced password expiration from its Windows 10 version 1809 security baseline because people just pick slight variations on existing ones.
But while it has been encouraging enterprise to enforce MFA, the Azure AD controls it provided admins when rolling out MFA had a security gap in the setup process — one that customers have been demanding it close.
The key problem was that when rolling out MFA, users could setup MFA on an untrusted network and potentially from an untrusted device.
Security expert SwiftOnSecurity described the problem from the perspective of an admin:
You: “All users require MFA now.”
Microsoft: “You’re awesome at security!”
User: “I never registered MFA, what’s that?”
Attacker: “I’ll just register my overseas phone number. MFA enrolled!”
Microsoft: “You have successfully MFA’d and Access is granted.”
Attacker: “Hell Yeah.”
A new set of AzureAD “conditional access” policies available to admins mean that now, if a user is not on a trusted network and attempts to register MFA for the first, they’ll be blocked, Microsoft explains.
That requirement should prevent remote attackers from registering their phone during the initial registration.
The user on an untrusted network will see a message on their device along the lines of: "We are currently unable to collection additional security information. Your organization requires this to be set from specific locations or devices."
The new controls are available as part of the public preview of Azure AD conditional access that Microsoft announced today. There are also new controls available for the password reset experience