Microsoft Authenticator

Most people use a password manager to store their passwords, but have you thought about how you would recover those passwords after losing all your devices? How do you get into your password manager when Multi-Factor Authentication is enabled on it? If you use the Microsoft Authenticator app, you should take a close look at its recovery feature.

This blog post explains why I switched from the Microsoft Authenticator app to the Raivo OTP app by Tijme Gommers for all my verification codes.

Before I tell you why I switched to another authenticator app, I will go through some of the features missing from the Microsoft Authenticator app.

Microsoft Authenticator Missing Features

I am a long-time user of the Microsoft Authenticator app, but some features are missing for no obvious reason. Why can I not search for an entry, for example? With so many accounts, I miss a simple search box. Sure, I can order the entries manually, but I would rather have search. Why is there no auto-order option either? Manually ordering all entries is a pain, and a simple auto-sort would be welcome.

I also miss the option to view the token seed of an entry. If I could back up a token seed, I could recover a single entry without restoring the whole app. An encrypted export would be a desirable feature as well.

Simple features like icons are not a must, but they would be welcome. My biggest concern, though, is backup and recovery.

Microsoft Authenticator Backup and Recovery

On an iOS device, you need an iCloud account and a personal Microsoft account to back up the Microsoft Authenticator app. If I lose all my devices to theft or a natural disaster, I cannot access my iCloud account, because my iCloud account requires Multi-Factor Authentication, which is exactly what I am trying to restore. The same goes for my personal Microsoft account. So restoring the Authenticator backup is a challenge. I can write down the passwords for these accounts, but I still lack the second factor, and I do not want to fall back on weaker Multi-Factor Authentication methods like text messages.

Let us say I lose all my devices to theft or a natural disaster. The first thing I want is access to my password manager, so I can get to my passwords. Logging in to my current password manager requires three pieces of information: an account, a master password, and a recovery code.

I enabled Multi-Factor Authentication on that account, and that second factor is the thing I have not recovered yet. To restore the backup of the Microsoft Authenticator app, I need my iCloud and personal Microsoft accounts. The passwords for both accounts live in the password manager, which I cannot open because of Multi-Factor Authentication. It is a circular dependency.

A simple fix would be to back up the token seeds for those accounts, which I could write down and store in a safe place, but the Microsoft Authenticator app does not expose them.

Recovering an iCloud or personal Microsoft account with Multi-Factor Authentication enabled is not easy either; the process is strict, if recovery is possible at all.

I created an overview of what I need to recover my passwords when Multi-Factor Authentication is enabled:

Image 1: Overview recover methods

It may be worth creating the same overview for yourself, to check that you do not lock yourself out when recovering all your passwords.

Raivo OTP

All the features mentioned above are available in the Raivo OTP app, but most importantly, I can back up the token seed of a single entry. With the token seed for my iCloud account, I can recover that account, which holds the encrypted database for Raivo OTP. The only things I need to write down are:

  1. The recovery code for my password manager
  2. The iCloud token seed for Multi-Factor Authentication recovery

If I write down the recovery code for my password manager and the token seed for my iCloud account, I can recover all my passwords, even with Multi-Factor Authentication enabled. Keep in mind that a written-down seed is the second factor itself: anyone holding that piece of paper can generate the codes, so it belongs in a safe, stored separately from the master password and the recovery code.
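To make concrete what "backing up the token seed" means (both for the single-entry backup Microsoft Authenticator lacks and for the iCloud seed I write down), here is an added example in Python. It is my own illustration, not code from this post or from the Raivo OTP project: it implements the TOTP algorithm (RFC 6238) over a base32 seed and parses the otpauth URI that an authenticator app encodes in its QR code. The seed used is the RFC 6238 reference secret, not a real account; the function names are mine.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Any, Dict, Optional
from urllib.parse import parse_qs, unquote, urlparse


def totp(seed_b32: str, for_time: Optional[int] = None, digits: int = 6,
         period: int = 30, algorithm: str = "sha1") -> str:
    """Compute a TOTP code (RFC 6238) from a base32-encoded seed.

    The seed is the only secret. Whoever holds it (the phone app, or a
    paper copy in a safe) can regenerate every code, which is why a
    written-down seed is a complete backup of one authenticator entry.
    """
    if for_time is None:
        for_time = int(time.time())
    # Seeds are often displayed lowercase, with spaces and without padding.
    seed = seed_b32.replace(" ", "").upper()
    seed += "=" * (-len(seed) % 8)
    key = base64.b32decode(seed)
    counter = for_time // period
    digest = hmac.new(key, struct.pack(">Q", counter),
                      getattr(hashlib, algorithm)).digest()
    # Dynamic truncation (RFC 4226 section 5.3).
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(seed_b32: str, candidate: str, for_time: Optional[int] = None,
           window: int = 1, period: int = 30, **kwargs: Any) -> bool:
    """Check a code against the current step and +/- `window` steps of clock skew."""
    if for_time is None:
        for_time = int(time.time())
    return any(
        hmac.compare_digest(
            totp(seed_b32, for_time + k * period, period=period, **kwargs), candidate)
        for k in range(-window, window + 1)
    )


def parse_otpauth(uri: str) -> Dict[str, Any]:
    """Parse an otpauth://totp/... URI, the content of the QR code an app scans.

    Apps that expose the seed show either this URI or the bare base32
    secret; either form is enough to re-create the entry on a new device.
    """
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in query:
        raise ValueError("otpauth URI has no secret")
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": query.get("issuer"),
        "secret": query["secret"],
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
        "algorithm": query.get("algorithm", "SHA1").lower(),
    }


if __name__ == "__main__":
    # RFC 6238 reference seed (ASCII "12345678901234567890"), not a real account.
    seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(totp(seed))  # the same code the phone app would show right now
```

Run it twice 30 seconds apart and the code changes while the seed does not; that is the whole point of writing the seed down rather than a code.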

Because the Raivo OTP app gives insight into the token seeds, I switched from the Microsoft Authenticator app to the Raivo OTP app. It is easy to use, secure, and has many other excellent features.

Conclusion

I want to end on a positive note. Microsoft Authenticator does have excellent features, like push notifications, a notification when an authentication method is removed from my Microsoft account, and Apple Watch support. Even though these are fantastic features, I switched to the Raivo OTP app by Tijme Gommers for all my verification codes because of its backup and recovery feature.

Please rethink whether you can recover all your passwords from your password manager, and all accounts that have Multi-Factor Authentication enabled, after losing every device.

Microsoft Office 365 Multi-Factor Authentication

There are multiple ways to enable Multi-Factor Authentication (MFA) in Microsoft Office 365. This blog post describes the various technical implementations of Multi-Factor Authentication, including the best practice for implementing it.

Azure AD MFA Per User

Per-user Multi-Factor Authentication has three statuses in Microsoft Office 365: Enabled, Enforced, and Disabled. Enabled means that Multi-Factor Authentication is turned on for the user, but the user has not completed the Multi-Factor Authentication registration yet; the user is prompted to register at the next sign-in. Once the user completes the registration, the status changes to Enforced. Disabled means that Multi-Factor Authentication is not turned on, and the user signs in with a password only.

The risk of enabling Multi-Factor Authentication per user is misconfiguration, because Multi-Factor Authentication is not enabled by default when a new user account is created. An administrator can forget to enable it for a new user, and that account then remains exposed to password attacks. If you go this route, audit all accounts for the Disabled status on a regular basis.

Figure 1: MFA on user-level

Azure AD MFA via Conditional Access

Conditional Access policies are, at their simplest, if-then statements: if a user wants to access a resource, then they must complete an action. That action can be Multi-Factor Authentication. With Conditional Access, you can require every user to use Multi-Factor Authentication when signing in to Microsoft Office 365. The risk of misconfiguration is lower, because the policy applies at sign-in to every user in its scope, including accounts created after the policy was made, and this is the best practice for enabling Multi-Factor Authentication. Do exclude at least one emergency-access (break-glass) account from the policy, so a faulty policy cannot lock every administrator out.

Figure 2: Grant access

Note: Azure AD Conditional Access requires Azure AD Premium P1 (or higher) licensing, so additional costs apply.

Azure AD Named Locations

You can add trusted IP address ranges in Azure AD as Named Locations. A Conditional Access policy can then exclude those Named Locations, so an identity signing in from a trusted location is not challenged with Multi-Factor Authentication. Use this exclusion sparingly: it turns the trusted network into a single-factor zone, so the policy then only protects against attacks coming from outside it.

Figure 3: New named location
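To make the Conditional Access and Named Location discussion concrete, here is an added example of mine (not code from this post or from Microsoft) that builds the two policy bodies you would send to the Microsoft Graph endpoint POST /identity/conditionalAccess/policies, one requiring MFA for all users except from trusted locations and one blocking legacy client app types, and lints them for the usual lockout mistakes before they are enabled. The group ID and display names are placeholders; the field names follow the Graph conditionalAccessPolicy schema.

```python
import json
from typing import Any, Dict, List

# Constructed placeholder; replace with the object ID of your break-glass group.
BREAK_GLASS_GROUP_ID = "00000000-0000-0000-0000-000000000001"
# New policies should start in report-only mode and be reviewed in the sign-in log.
REPORT_ONLY = "enabledForReportingButNotEnforced"


def require_mfa_policy(break_glass_group_id: str, state: str = REPORT_ONLY) -> Dict[str, Any]:
    """Policy body: MFA for all users on all cloud apps, skipped from trusted locations."""
    return {
        "displayName": "CA001 - Require MFA for all users",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [break_glass_group_id]},
            "applications": {"includeApplications": ["All"]},
            # "AllTrusted" covers every Named Location marked as trusted.
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def block_legacy_auth_policy(break_glass_group_id: str, state: str = REPORT_ONLY) -> Dict[str, Any]:
    """Companion policy: block the client app types that cannot perform MFA."""
    return {
        "displayName": "CA002 - Block legacy authentication",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [break_glass_group_id]},
            "applications": {"includeApplications": ["All"]},
            # Exchange ActiveSync and "other clients" are the legacy categories.
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def lint_policy(policy: Dict[str, Any]) -> List[str]:
    """Findings that should stop you from enabling the policy as-is."""
    findings = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    if users.get("includeUsers") == ["All"] and not (
            users.get("excludeUsers") or users.get("excludeGroups")):
        findings.append("targets all users with no exclusion; exclude a break-glass account or group")
    if "block" in controls and cond.get("clientAppTypes", ["all"]) == ["all"]:
        findings.append("block applies to every client app type, not only the legacy ones")
    if policy.get("state") == "enabled":
        findings.append("state is enabled; deploy in report-only mode first and review the sign-in log")
    return findings


if __name__ == "__main__":
    for policy in (require_mfa_policy(BREAK_GLASS_GROUP_ID),
                   block_legacy_auth_policy(BREAK_GLASS_GROUP_ID)):
        print(json.dumps(policy, indent=2))
        print("findings:", lint_policy(policy) or "none")
```

The lint is deliberately small: the three checks cover the mistakes that most often cause a self-inflicted lockout (no break-glass exclusion, a blanket block, and enabling a brand-new policy without a report-only phase).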

Azure AD Identity Protection MFA Registration Policy

The advantage of the Multi-Factor Authentication registration policy in Azure AD Identity Protection is that users get 14 days to complete the registration. During those 14 days they can skip registration at sign-in, but at the end of the period they must register before the sign-in completes. The policy only forces users to register; once registered, they can still sign in without Multi-Factor Authentication unless another policy requires it. The Identity Protection registration policy is therefore unnecessary when Multi-Factor Authentication is enforced with Conditional Access, which prompts unregistered users to register at sign-in anyway.

Note: Azure AD Identity Protection requires Azure AD Premium P2 licensing, so additional costs apply.

Azure AD Security Defaults

If you do not have an Azure AD Premium license, or do not want to buy any additional license, Azure AD Security Defaults are a good alternative.

Enabling this option configures your organization with the following settings:

  • Requiring all users to register for Azure Multi-Factor Authentication within 14 days;
  • Requiring administrators to perform multi-factor authentication;
  • Blocking legacy authentication protocols;
  • Requiring users to perform multi-factor authentication when necessary;
  • Protecting privileged activities like access to the Azure portal.

Figure 4: Enable Security defaults

Note: Azure AD Security Defaults are not suitable for complex security requirements: they are either on or off for the whole tenant. If you want to make decisions based on conditions, Conditional Access is the way to go.

Legacy Authentication

Microsoft Azure Active Directory supports several authentication and authorization protocols, including legacy authentication. Legacy authentication means basic authentication (a username and password only) by clients such as Exchange ActiveSync, SMTP, Autodiscover, Exchange Web Services, POP3, IMAP4, and many more. Older Office clients, such as Office 2010 and Office 2013 without modern authentication enabled, fall into the same category.

The problem is that legacy authentication cannot perform Multi-Factor Authentication! A client that sends only a username and password has no way to complete a second factor, so an account whose password is known to an attacker is open through these protocols even when Multi-Factor Authentication is enforced for that user.

According to Microsoft, more than 99 percent of password spray attacks use legacy authentication protocols. It is crucial to disable legacy authentication, whether or not you have Multi-Factor Authentication in place.

You can use the Azure portal to identify the usage of legacy authentication within your environment before disabling it.

  1. Navigate to Azure portal > Azure Active Directory > Sign-ins.
  2. Add the Client App column if it is not shown by clicking Columns > Client App.
  3. Add filters > Client App > select all of the legacy authentication protocols. Click outside the filter dialog to apply your selection and close the dialog.

Figure 5: Filter legacy authentication

Note: A Conditional Access policy that blocks legacy authentication, deployed in Report-only mode, is another way to identify legacy authentication usage in your environment without blocking anyone yet.
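The portal filter above is fine for a first look, but the same question is usually answered from an export. The following is an added example of mine (not code from this post or from Microsoft) that runs the two checks this post raises, legacy authentication usage and per-user MFA left in a non-Enforced state, over a constructed sample of sign-in records shaped like Microsoft Graph signIn objects, and additionally flags a source IP that fails the bad-password check for several users over a legacy protocol, the signature of a password spray. The clientAppUsed values and the 50126 error code are Azure AD's; the users, addresses and MFA states are made up.

```python
from collections import Counter, defaultdict
from typing import Any, Dict, Iterable, List

# clientAppUsed values that Azure AD sign-in logs report for legacy (basic) authentication.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book", "Outlook Anywhere (RPC over HTTP)",
    "Outlook Service", "POP3", "Reporting Web Services", "Other clients",
}
BAD_PASSWORD = 50126  # Azure AD sign-in error code: invalid username or password


def _rec(ts: str, upn: str, app: str, ip: str, code: int) -> Dict[str, Any]:
    return {"createdDateTime": ts, "userPrincipalName": upn, "clientAppUsed": app,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample records in the shape of Graph signIn objects (not a real export).
SAMPLE_SIGNINS = [
    _rec("2021-03-01T08:00:12Z", "alice@contoso.example", "Browser", "203.0.113.10", 0),
    _rec("2021-03-01T08:05:40Z", "bob@contoso.example", "IMAP4", "198.51.100.7", 0),
    _rec("2021-03-01T08:06:02Z", "bob@contoso.example", "Exchange ActiveSync", "198.51.100.7", 0),
    _rec("2021-03-01T03:12:11Z", "carol@contoso.example", "Other clients", "192.0.2.55", BAD_PASSWORD),
    _rec("2021-03-01T03:12:13Z", "dave@contoso.example", "Other clients", "192.0.2.55", BAD_PASSWORD),
    _rec("2021-03-01T03:12:15Z", "erin@contoso.example", "Other clients", "192.0.2.55", BAD_PASSWORD),
    _rec("2021-03-01T09:30:00Z", "carol@contoso.example", "Mobile Apps and Desktop clients", "203.0.113.11", 0),
]

# Constructed per-user MFA status export (Enabled = turned on but not yet registered).
SAMPLE_MFA_STATE = {
    "alice@contoso.example": "Enforced", "bob@contoso.example": "Enabled",
    "carol@contoso.example": "Enforced", "dave@contoso.example": "Disabled",
    "erin@contoso.example": "Enforced",
}


def is_legacy(record: Dict[str, Any]) -> bool:
    return record.get("clientAppUsed") in LEGACY_CLIENT_APPS


def _risk(legacy_success: int, mfa: str) -> str:
    # A successful legacy sign-in bypasses MFA entirely; missing MFA makes it worse.
    if legacy_success and mfa != "Enforced":
        return "critical"
    if legacy_success:
        return "high"
    return "medium" if mfa != "Enforced" else "low"


def legacy_auth_report(signins: Iterable[Dict[str, Any]],
                       mfa_state: Dict[str, str]) -> List[Dict[str, Any]]:
    """One row per user seen over a legacy protocol, riskiest first."""
    per_user: Dict[str, Dict[str, Any]] = defaultdict(
        lambda: {"protocols": Counter(), "success": 0, "failure": 0})
    for rec in signins:
        if not is_legacy(rec):
            continue
        entry = per_user[rec["userPrincipalName"]]
        entry["protocols"][rec["clientAppUsed"]] += 1
        entry["success" if rec["status"]["errorCode"] == 0 else "failure"] += 1
    rows = []
    for upn, entry in per_user.items():
        mfa = mfa_state.get(upn, "Disabled")  # unknown user: treat as no MFA
        rows.append({"user": upn, "mfa": mfa, "legacy_success": entry["success"],
                     "legacy_failure": entry["failure"],
                     "protocols": sorted(entry["protocols"]),
                     "risk": _risk(entry["success"], mfa)})
    return sorted(rows, key=lambda r: (r["legacy_success"] == 0, r["mfa"] == "Enforced", r["user"]))


def spray_candidates(signins: Iterable[Dict[str, Any]], min_users: int = 3) -> Dict[str, List[str]]:
    """Source IPs with bad-password failures for several distinct users over legacy protocols."""
    users_by_ip: Dict[str, set] = defaultdict(set)
    for rec in signins:
        if is_legacy(rec) and rec["status"]["errorCode"] == BAD_PASSWORD:
            users_by_ip[rec["ipAddress"]].add(rec["userPrincipalName"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_users}


if __name__ == "__main__":
    for row in legacy_auth_report(SAMPLE_SIGNINS, SAMPLE_MFA_STATE):
        print(row)
    print("possible password spray sources:", spray_candidates(SAMPLE_SIGNINS))
```

In the sample, the user with successful IMAP4 and ActiveSync sign-ins and MFA still only Enabled comes out on top, which is the account to fix first; the three bad-password failures from one address against three different users over "Other clients" are reported as a spray source.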

Conclusion

According to Microsoft, Multi-Factor Authentication blocks more than 99.9 percent of account compromise attacks. Using Multi-Factor Authentication does not mean your company is safe from password attacks, though. It would not be the first time a user approves a Multi-Factor Authentication prompt on their device while an attacker signs in to Microsoft Office 365 with leaked credentials. So adoption and education of company users are critical. Enabling Multi-Factor Authentication and disabling legacy authentication are the minimum security measures every organization should take.