Phishing-resistant MFA basics
This blog explains the basics of phishing-resistant MFA (Multi-Factor Authentication) and whether each method works single-tenant and/or multi-tenant (a question I get a lot from MSSPs).
Username and password
We all know that a username and (complex) password is no longer safe on its own. Why?
- Reused passwords; around 65% of users reuse the same password across SaaS services (e.g. Facebook, Instagram, LinkedIn, Gmail, Outlook). If one service is breached (e.g. LinkedIn in 2012), the leaked credentials (searchable via services like DeHashed or sold on the dark web) give access to every other service where that password was reused.
- Password spray; one or a few commonly used passwords (e.g. Welcome01!) are tried against every known user account of an organization, slowly enough to stay under the lockout threshold.
- (Spear-)phishing; a (targeted) phishing site imitates, for example, the Microsoft 365 sign-in page to steal the user's credentials or session token (e.g. via EvilGinx).
Even complex passwords get stolen when they are phished or reused. Complexity only helps against offline cracking of leaked password hashes (brute force, dictionary and rainbow-table attacks); it does nothing against phishing or reuse.
Multi Factor Authentication
The solution is MFA (Multi-Factor Authentication): the identity is verified with at least two of the three factor types below:
- Something you know (e.g. a password)
- Something you have (e.g. security key)
- Something you are (e.g. biometrics)
MFA protects against abuse of a stolen username and password, but classic MFA methods (push approval, SMS, OTP) do not protect against token (session cookie) theft: an attacker who proxies the login can let the user complete the MFA prompt and then steal the resulting session cookie.
Passwordless
Passwordless authentication via the Microsoft Authenticator app (enable phone sign-in) lets a user access Microsoft 365 without typing a password. Because the password field cannot be disabled yet, set the account password to a very long random string so it cannot be brute-forced.
Only the username and an approval in the Microsoft Authenticator app (number matching) are then required to log on.
But … passwordless is not phishing-resistant. A test with EvilGinx shows that the proxy no longer sees a password value, but it still sees the token (session cookie), which can be replayed (AiTM attack) to access Microsoft 365 and bypass MFA.
Phishing-resistant MFA methods
Phishing-resistant MFA (all passwordless methods) protects against AiTM (Adversary in The Middle) attacks: the credential is cryptographically bound to the relying party's domain, so a proxy on a lookalike domain cannot obtain a usable response from the authenticator. At the time of writing there are four methods for phishing-resistant MFA in Entra ID:
- FIDO2 Security keys
- Windows Hello for Business
- Certificate-based Authentication (CBA)
- Microsoft Authenticator Passkey (Preview)
FIDO2 Security keys
FIDO2 (Fast IDentity Online) security keys are a multi-tenant solution for phishing-resistant MFA via a physical security device (e.g. a YubiKey); the private key is generated on the device and never leaves it.
The authentication process via Entra ID is shown below (credits Microsoft); see this link for more details.
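To make the "bound to the domain" property concrete, here is a toy model of the FIDO2/WebAuthn assertion exchange with and without an AiTM proxy. This is an added example, not Microsoft's code and not from the original post: HMAC over a per-credential secret stands in for the security key's ECDSA key pair so it runs on the Python standard library alone, the proxy hostname is constructed, and the origin, rpId and challenge checks are the actual steps of WebAuthn assertion verification. Windows Hello for Business and Authenticator passkeys rely on the same WebAuthn binding; certificate-based authentication achieves the same effect differently (the client certificate is presented to the real domain's TLS endpoint).

```python
"""Toy model of why a FIDO2/WebAuthn credential survives an AiTM proxy.

Constructed example, not Microsoft's or any library's code. HMAC over a
per-credential secret stands in for the authenticator's ECDSA key pair so
the script needs only the standard library; the origin, rpId, challenge and
signed-data checks are the real WebAuthn assertion verification steps.
"""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

RP_ID = "login.microsoftonline.com"            # relying party ID (domain)
RP_ORIGIN = "https://login.microsoftonline.com"
# Constructed AiTM proxy origin (EvilGinx-style lookalike), not a real host.
PHISH_ORIGIN = "https://login.microsoftonline.com.evilproxy.example"


class Authenticator:
    """Security key: every credential is scoped to the rpId it was created for."""

    def __init__(self):
        self._creds = {}  # credential id -> (rp_id, secret)

    def make_credential(self, rp_id):
        cred_id = secrets.token_bytes(16)
        secret = secrets.token_bytes(32)
        self._creds[cred_id] = (rp_id, secret)
        return cred_id, secret  # the RP stores the verification key at registration

    def get_assertion(self, rp_id, cred_id, client_data_hash):
        stored_rp, secret = self._creds[cred_id]
        if stored_rp != rp_id:
            raise LookupError("no credential for rpId %r" % rp_id)
        # authenticatorData = SHA-256(rpId) || flags (UP|UV) || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"
        sig = hmac.new(secret, auth_data + client_data_hash, "sha256").digest()
        return auth_data, sig


def browser_get_assertion(page_origin, rp_id, challenge, cred_id, authenticator):
    """What the browser does for navigator.credentials.get(): it refuses an rpId
    that is not the page's host or a registrable parent of it, and it (not the
    page's JavaScript) writes the real origin into clientDataJSON."""
    host = urlparse(page_origin).hostname
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("rpId %r does not match origin %r" % (rp_id, page_origin))
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    auth_data, sig = authenticator.get_assertion(rp_id, cred_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


def rp_verify(client_data, auth_data, sig, expected_challenge, secret):
    """Relying-party side checks from the WebAuthn assertion verification procedure."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != expected_challenge:      # replayed / foreign challenge
        return False
    if cd.get("origin") != RP_ORIGIN:                   # signed on another origin
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():  # wrong rpIdHash
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(sig, hmac.new(secret, signed, "sha256").digest())


def legitimate_login():
    auth = Authenticator()
    cred_id, secret = auth.make_credential(RP_ID)
    challenge = secrets.token_urlsafe(32)          # issued by the RP per login
    cd, ad, sig = browser_get_assertion(RP_ORIGIN, RP_ID, challenge, cred_id, auth)
    return rp_verify(cd, ad, sig, challenge, secret)


def aitm_login():
    """The proxy relays the RP's real challenge to the victim's browser, but the
    page lives on PHISH_ORIGIN. Returns the stage at which the attack fails."""
    auth = Authenticator()
    cred_id, secret = auth.make_credential(RP_ID)
    challenge = secrets.token_urlsafe(32)          # relayed unchanged by the proxy
    try:
        browser_get_assertion(PHISH_ORIGIN, RP_ID, challenge, cred_id, auth)
    except PermissionError:
        pass  # stage 1: the browser refuses, the key is never even asked
    else:
        return "browser allowed mismatched rpId (should not happen)"
    # Stage 2: even if a non-compliant client signed anyway, the origin inside the
    # signed clientDataJSON is the proxy's, so the RP rejects the assertion.
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": PHISH_ORIGIN},
        separators=(",", ":"),
    ).encode()
    ad, sig = auth.get_assertion(RP_ID, cred_id, hashlib.sha256(client_data).digest())
    if rp_verify(client_data, ad, sig, challenge, secret):
        return "RP accepted a phished assertion (should not happen)"
    return "rejected: browser blocked rpId, RP rejected origin"


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("AiTM:      ", aitm_login())
```

Contrast this with the passwordless push approval from the previous section: a number-matching approval carries no origin, so the proxy simply forwards the RP's session cookie once the user taps approve. With WebAuthn the proxy is stopped twice, first by the browser (rpId check) and, should a client skip that, by the RP (origin check inside the signed data).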
Windows Hello for Business
Windows Hello for Business is a single-tenant solution for phishing-resistant MFA via an Entra ID joined Windows 10/11 device using biometrics or a PIN; the private key is stored in the device's TPM.
The method is single-tenant because the key is bound to the Entra ID joined device, which belongs to one tenant (for both desktop and web access). A use case is to use the Entra ID joined device with Windows Hello for Business both for the user account accessing Microsoft 365 and for an admin account accessing the admin portals (although a PAW for admin accounts is advised).
The authentication process via Entra ID is shown below (credits Microsoft); see this link for more details.
Certificate-based Authentication (CBA)
Certificate-based authentication is a multi-tenant solution for phishing-resistant MFA via a trusted PKI (on-premises or cloud-based).
CBA uses client-authentication certificates; by default the certificate's PrincipalName (subject alternative name) must match the Entra ID userPrincipalName, and other username bindings (e.g. to the certificateUserIds attribute) can be configured.
The simplified authentication process via Entra ID is shown below (credits Microsoft); see this link for the more detailed version.
Microsoft Authenticator Passkey (Preview)
Microsoft Authenticator passkeys are a multi-tenant solution for phishing-resistant MFA via the Microsoft Authenticator app on iOS 17+ and Android 14+ (device-bound passkeys). At the time of writing this method is in Preview.
Authentication Strength
Authentication Strength is a Conditional Access grant control in Entra ID that restricts a sign-in to a chosen set of authentication methods; the built-in "Phishing-resistant MFA" strength allows only the methods listed above.
My personal advice is to create a Conditional Access policy that targets the named admin accounts (excluding the unnamed ones), scoped to the Microsoft admin portals, with the phishing-resistant MFA authentication strength as the grant control (see above).
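As an added example (not Microsoft's code and not from the original post), the Microsoft Graph payload for that policy, built and sanity-checked in Python before it is created. The Graph endpoint, the built-in "Phishing-resistant MFA" authentication strength ID and the "MicrosoftAdminPortals" application value are Microsoft's; the user object IDs are placeholders, the Global Administrator role template ID is the well-known one, and treating the excluded "unnamed" accounts as emergency-access (break-glass) accounts is my assumption.

```python
"""Build and (optionally) create the Conditional Access policy from this post:
named admin accounts and/or admin roles hitting the Microsoft admin portals
must satisfy the built-in 'Phishing-resistant MFA' authentication strength.

Added example, not Microsoft's code. Calls the Microsoft Graph v1.0 REST API
directly; the access token must carry Policy.ReadWrite.ConditionalAccess.
User object IDs passed in are placeholders supplied by the caller.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Built-in authentication strength (policies/authenticationStrengthPolicies)
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"
# Well-known Entra directory role template ID for Global Administrator
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"


def build_policy(named_admin_ids, excluded_ids=(), role_ids=(GLOBAL_ADMIN_ROLE,),
                 state="enabledForReportingButNotEnforced"):
    """Return the JSON body for POST /identity/conditionalAccess/policies.

    state defaults to report-only: check the sign-in logs first, then switch to
    'enabled'. A policy that locks every admin out of the admin portals is the
    classic self-inflicted outage.
    """
    if not named_admin_ids and not role_ids:
        raise ValueError("policy would apply to nobody")
    return {
        "displayName": "Admins - phishing-resistant MFA for Microsoft admin portals",
        "state": state,
        "conditions": {
            "users": {
                "includeUsers": list(named_admin_ids),   # the named admin accounts
                "includeRoles": list(role_ids),
                # the 'unnamed' accounts to exclude; assumed to be the
                # emergency-access (break-glass) accounts
                "excludeUsers": list(excluded_ids),
            },
            "applications": {"includeApplications": ["MicrosoftAdminPortals"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {
            "operator": "OR",
            # an authentication strength replaces builtInControls such as "mfa"
            "authenticationStrength": {"id": PHISHING_RESISTANT_MFA},
        },
    }


def check_policy(policy):
    """Pre-flight checks; returns a list of problems (empty means OK)."""
    problems = []
    grant = policy.get("grantControls", {})
    if grant.get("authenticationStrength", {}).get("id") != PHISHING_RESISTANT_MFA:
        problems.append("grant control is not the phishing-resistant MFA strength")
    if grant.get("builtInControls"):
        problems.append("builtInControls must be empty when an authentication strength is set")
    apps = policy["conditions"]["applications"]["includeApplications"]
    if "MicrosoftAdminPortals" not in apps:
        problems.append("policy is not scoped to the Microsoft admin portals")
    if not policy["conditions"]["users"]["excludeUsers"]:
        problems.append("no excluded emergency-access account")
    return problems


def create_policy(policy, access_token):
    """POST the policy to Graph and return the created object (needs network)."""
    problems = check_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        f"{GRAPH}/identity/conditionalAccess/policies",
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder object IDs; replace with the real named admin / break-glass accounts.
    policy = build_policy(["<named-admin-object-id>"], excluded_ids=["<break-glass-object-id>"])
    print(json.dumps(policy, indent=2))
    print("problems:", check_policy(policy))
```

Run it once to print the payload, review it, then call create_policy with a token from an app or user that holds Policy.ReadWrite.ConditionalAccess. Leave the policy in report-only for a few days and confirm in the sign-in logs that the admin accounts actually satisfy the strength (i.e. they have a FIDO2 key, Windows Hello for Business, a certificate or a passkey registered) before flipping state to "enabled".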