In this two-part blog series, I’ll explore emergency “break glass” account best practices, the importance of phishing resistant MFA (Multi Factor Authentication), how phishing resistant MFA stops the phishing attacks a bad actor uses to steal credentials and tokens, and finally I will go through a step by step demo on configuring a physical FIDO2 (Fast Identity Online) passkey, specifically a YubiKey. I purchased a YubiKey for 30 euros from Yubico. Please note that Yubico offers various types of YubiKeys, with different USB connectors and with physical keys certified against different compliance standards, so it’s essential to research your options before making a purchase. Additionally, since FIDO2 is an open standard, several other vendors offer physical keys, giving you multiple options to choose from.
IMPORTANT NOTE
Part 2 will provide a detailed, step by step demo on configuring a YubiKey. I recommend reading this post (Part 1) first to understand best practices and how FIDO2 works to secure your account. However, if you wish to skip to Part 2, click the following link: Part 2 – Configure a YubiKey For An Emergency Access Account In Entra ID | Cloud Build
Image of a Security Key NFC (Near Field Communication) by Yubico. This is the key I purchased.
Explanation of NFC:
Near Field Communication (NFC) is a wireless technology that enables devices to communicate when they are within a few centimetres of each other. It is the same technology you use when you touch a bank card or Apple Pay on your phone against a card reader to make a payment. If your device supports it, you can tap the key on the NFC reader built into your phone, or on an internal or external NFC reader attached to your laptop, instead of plugging it in over USB.
As mentioned above, Part 2 covers the step by step demo, so before diving into the steps for configuring my YubiKey as a phishing resistant MFA method, I’d like to go through some important points, starting with the best practices you should consider when setting up an emergency access account.
Emergency Access “Break Glass” Account Best Practices
Emergency access accounts, also known as break glass accounts, are accounts that provide access to critical systems during an emergency. Microsoft recommends that organisations have two cloud only emergency access accounts permanently assigned the Global Administrator role. These accounts are highly privileged and should not be assigned to specific individuals. They are for emergency scenarios only, where normal accounts can’t be used or all other administrators are locked out, for example after a Conditional Access misconfiguration or an outage of the MFA or federation provider. Here are a few points to note when creating your emergency break glass accounts:
- Assign Both Emergency Accounts Permanent Global Administrator:
- Assign the Global Administrator role permanently, not as a PIM eligible assignment, so that access does not depend on an activation step that may itself be broken during the emergency. Having two break glass accounts ensures that if one account becomes inaccessible, you have a fallback account.
- Use Non-Obvious Names:
- Avoid obvious names like emergency@.onmicrosoft.com or breakglass@.onmicrosoft.com. Instead, use random human names to make the accounts obscure, making it more challenging for attackers to target them during attacks like password spraying.
- Create Cloud Identities:
- Create your break glass accounts directly in Entra ID using the *.onmicrosoft.com domain. Do not synchronise them from on-premises Active Directory, so that a failure of the on-premises systems (or of the sync itself) cannot lock you out; the *.onmicrosoft.com domain is never federated, so there is no dependency on an external identity provider either.
- Configure Complex Passwords:
- Use a strong password. At the time of writing, Microsoft recommends a minimum of 16 characters; Entra ID accepts passwords up to 256 characters long, and 32 or more is common for these accounts. Increase the length as your requirements dictate. However, be aware that no matter how strong the password, a phished sign in or a stolen token is still a risk, which is why phishing resistant MFA such as a FIDO2 security key is recommended. More on this later.
- Secure Password Storage:
- Follow Microsoft’s recommendation to split the password into two or three parts, write each part on a separate piece of paper, and store the parts in secure, fireproof safes in different locations. Ensure only authorised individuals have access.
- Use Phishing Resistant MFA:
- For multi-factor authentication (MFA), use a phishing resistant method such as a FIDO2 security key. Register a separate key for each of the two accounts, so that they do not share a single point of failure. Again, store the physical keys in a safe location and allow access only to authorised individuals.
- Audit and Monitor Access:
- Configure alerting on the sign-in logs so that any sign in attempt by an emergency break glass account, successful or not, notifies the security team and allows for swift action. Outside of a planned validation, any use of these accounts should be treated as a security incident until proven otherwise.
- Diversify MFA Methods:
- Avoid using the same MFA method as your day-to-day admins. For instance, if admins use passkeys on their phones or certificate based authentication (CBA), use a physical security key for the emergency accounts, so that an issue affecting mobile devices, such as a wider mobile outage, does not take out both.
- Avoid Assigning to Individuals:
- Do not tie break glass accounts to an individual, for example by registering MFA on an engineer’s mobile phone. If that person is unavailable, say on holiday, the account is unusable, which is poor practice from both a convenience and a security point of view.
- Exclude from Conditional Access Policies:
- Ensure at least one emergency access/break glass account is excluded from all Conditional Access policies, so that a misconfigured or overly broad policy cannot lock it out.
- Regular Validation and Documentation:
- Validate your emergency accounts at least every 90 days, sooner if needed, and after any change to Conditional Access, MFA or role settings. Document a step by step process for IT staff to follow when they need the accounts in an emergency. Training and clear documentation are crucial; the last thing you want is to discover an issue during a real emergency.
Now that we have covered best practices for emergency break glass accounts, you may have read or heard that Microsoft has announced that multi factor authentication (MFA) will be mandatory for Azure sign ins, and that the requirement will gradually be rolled out to other portals such as admin.microsoft.com. So, what does this mean? Any user account signing in to the admin portals will be required to complete MFA before it can sign in.
Previously, it was possible to sign in to the Azure portal with an account that had no MFA enabled, but this will no longer be possible going forward. Why? Because multifactor authentication (MFA) is one of the most effective security measures available to organisations; research by Microsoft shows that MFA can block more than 99.2% of account compromise attacks. Emergency accounts are commonly used to sign in to admin portals, and they are not exempt from this new rule. An attacker who compromised a break glass account would hold Global Administrator privileges in your environment and could cause significant damage. Previously, a large number of organisations created emergency break glass accounts without MFA, and that was considered normal. With this announcement, no account, break glass accounts included, will be able to sign in to the admin portals with a password alone. MFA must be enabled; phishing resistant MFA is highly recommended, although other MFA methods are allowed. In my opinion, it makes sense to secure these highly privileged accounts.
Great, we’re nearly there. What’s next? I would like to give a quick overview of passkeys and of a popular attack method known as token theft or token replay. Why am I discussing this, you may ask? Because phishing resistant MFA, such as a passkey, stops the phishing attacks used to steal credentials and tokens at sign in. Let’s learn more about passkeys and token theft.
What are passkeys?
Unlike passwords, which can be compromised no matter how long or complex they are, FIDO2 security keys enable phishing resistant, passwordless authentication. They replace weak credentials with strong, hardware backed public/private key credentials that cannot be reused or replayed if your users are targeted by a phishing attack, where the hacker tries to steal the user’s password by tricking them into clicking a link and entering their credentials, or by deploying malware on the device. When you register a FIDO2 method such as a physical YubiKey, a key pair is generated:
- A private key, which is generated on the physical YubiKey and never leaves it. Other phishing resistant methods work the same way: with Windows Hello for Business, the private key stays on the device, such as the laptop, protected by its TPM (Trusted Platform Module).
- A public key is provided to the relying party. In my case, the relying party is Microsoft, because I’ll be using my FIDO2 supported physical passkey to log in to admin portals such as the Azure portal.
Because passkeys are phishing resistant, they are highly recommended. Apart from physical FIDO2 security keys, there are other phishing resistant MFA methods available, including Certificate Based Authentication (CBA), passkeys via the Microsoft Authenticator app and one I mentioned earlier, Windows Hello for Business.
Why are passkeys secure?
When a passkey is used, several properties of the protocol stop a hacker from misusing your credential. One of them is proximity: the authenticator must be physically present at the device that is signing in. For a FIDO2 security key that means plugged in over USB or tapped over NFC; for a passkey in the Authenticator app used from another device, the phone must be within Bluetooth range of the laptop. A bad actor running a phishing page from somewhere far away cannot satisfy that check. Be precise about what this does and does not cover: it defeats adversary in the middle (AiTM) phishing, where the attacker proxies the real sign in page to capture the credentials and the session issued at sign in, because the key never produces a valid sign in for the attacker’s page. It does not, on its own, protect a session token that malware copies from the device after a legitimate sign in; that token is a bearer credential, and protecting it needs the additional controls covered in the videos below. If you’re interested in how token theft works, I have embedded a video explaining the steps below. We’ll get to that shortly.
Another important property is that the credential is tied to a specific web address, the relying party ID. If a hacker tries to fool the user by redirecting them to a different URL, the authentication attempt fails: the browser only offers the credential to the site it was registered for, and the key’s signature covers the origin of the page that requested it, so the relying party can tell where the sign in really happened. So even if a hacker builds a convincing clone at login.micr0soft.com (substituting a zero for the letter o), the FIDO2 key won’t complete the authentication, because it was registered against login.microsoft.com and not the fake login.micr0soft.com.
Still confused? The diagram below shows the flow between the public and private key.
How does a hacker steal user login information?
The process is known as token theft or token replay. Once a user has signed in and completed MFA, a session token (a cookie or similar artefact) is issued that grants access to email, Teams, OneDrive data and more without signing in again. If a hacker obtains that token, they can replay it from their own computer and access the user’s data without ever entering the password or completing MFA. The methods used include, but are not limited to, malware on the user’s device that copies the token and sends it over the Internet to the hacker, and an adversary in the middle (AiTM) attack, where the user signs in through a proxy site that relays the real login page and captures the token as it is issued.
In the video below, Merill Fernando (Principal Product Manager, Microsoft Entra) demonstrates a couple of controls that can prevent token theft. He first shows how Evilginx can be used to steal and replay a token to access user data, and then demonstrates a number of security measures that help prevent it, including phishing resistant MFA.
DISCLAIMER:
Evilginx has the potential for malicious use. It’s crucial for defenders to account for such attacks and devise strategies to safeguard their users from these types of phishing threats. Evilginx should only be employed in lawful penetration testing engagements with explicit written consent from the targeted entities or for educational objectives.
Another good video by Alex Weinert (VP Identity Security at Microsoft) in which Alex provides several solutions to help prevent token theft.
Passkeys Available via Phone Using the Authenticator App
In the next post, I demonstrate how to set up a physical FIDO2 passkey from Yubico. However, passkeys are also available without purchasing a physical key. Modern smartphones have built in FIDO2 authentication capabilities, which provide phishing resistant protection and let you unlock the passkey with biometrics such as fingerprint or face recognition. With the Microsoft Authenticator app, you can register and use these passkeys on your iPhone or Android phone to sign in to your accounts securely. This is a convenient and cost effective way to improve your security without buying physical security keys.
I know what you’re thinking! “If passkeys are available for free using phones via the Authenticator App, why should I purchase a physical key?”
Great question! While passkeys on smartphones offer a great level of convenience and security, there are several reasons why an organisation might still opt for physical security keys. Here are a few benefits:
- Device Flexibility: Physical security keys can be used with any device, including shared workstations, without relying on employees’ personal mobile phones. If you don’t allow the use of personal mobile phones in your organisation, physical keys are the alternative.
- Enhanced Protection: The private key lives in dedicated hardware with no general purpose operating system, which gives an extra layer of protection against malware and other attacks that target vulnerabilities in mobile devices.
- Compliance Requirements: In some industries, compliance requirements may mandate the use of physical keys. Therefore, while smartphone based passkeys are excellent for many users, physical keys still play a crucial role depending on your organisational requirements.
- Emergency Break Glass Accounts: A physical FIDO2 key is a better option than a mobile phone for an emergency break glass account, because access does not depend on the availability or functionality of a specific mobile device. YubiKeys have no moving parts and are designed to be simple and robust, with a solid construction that contributes to their reliability. They don’t require batteries or an external power source, as they draw power from the USB or NFC connection when in use, which makes them ideal for offline storage in a safe and for offsite locations.
That’s it! I hope you enjoyed Part 1 and found it useful. In Part 2, I will go through the steps to configure my newly purchased YubiKey. Click the following link if you’re interested in learning more: Part 2 – Configure a YubiKey For An Emergency Access Account In Entra ID | Cloud Build