In this two-post blog series, I’ll explore emergency “break glass” account best practices, the importance of phishing-resistant MFA (Multi-Factor Authentication), how phishing-resistant MFA protects against credential and session token theft by a bad actor using a phishing attack, and finally I will walk through a step by step demo of configuring a physical FIDO2 (Fast Identity Online) passkey, specifically a YubiKey. I purchased a YubiKey for 30 euros from Yubico. Please note that Yubico offers various types of YubiKeys, with different USB connectors and models that meet different compliance standards, so it’s essential to research your options before making a purchase. Additionally, since FIDO2 is an open standard, several other vendors offer physical keys, giving you multiple options to choose from.
IMPORTANT NOTE
Part 2 will provide a detailed, step by step demo on configuring a YubiKey. I recommend reading this post (Part 1) first to understand best practices and how FIDO2 works to secure your account. However, if you wish to skip to Part 2, click the following link: Part 2 – Configure a YubiKey For An Emergency Access Account In Entra ID | Cloud Build
Image of a Security Key NFC (Near Field Communication) by Yubico. This is the key I purchased.
Explanation of NFC:
Near Field Communication (NFC) is a wireless technology that enables devices to communicate when they are in close proximity, typically within a few centimetres. Think of tapping your card, or your phone with Apple Pay, against a card reader to make a payment. If supported, you can use NFC to tap the key against the NFC reader built into your phone, or against an internal or external NFC reader on your laptop.
As mentioned above, Part 2 covers the step by step demo, so before diving into the steps for configuring my YubiKey as a phishing-resistant MFA method, I’d like to go through some important points, starting with the best practices you should consider when setting up an emergency access account.
Emergency Access “Break Glass” Account Best Practices
Emergency accounts, also known as break glass accounts, are crucial accounts that provide access to critical systems during an emergency. Microsoft recommends that organisations have two cloud-only emergency access accounts permanently assigned the Global Administrator role. These accounts are highly privileged and should not be assigned to specific individuals. They are reserved for emergency scenarios where normal accounts can’t be used or all other administrators are accidentally locked out. Here are a few points to note when creating your emergency break glass accounts:
- Assign Both Emergency Accounts Permanent Global Administrator:
- Having two break glass accounts ensures that if one account becomes inaccessible, you have a fallback account.
- Use Non-Obvious Names:
- Avoid obvious names like emergency@.onmicrosoft.com or breakglass@.onmicrosoft.com. Instead, use random human names to make the accounts obscure, making it more challenging for attackers to target them during attacks like password spraying.
- Create Cloud Identities:
- Create your break glass accounts using the *.onmicrosoft.com domain inside Entra ID. Avoid syncing accounts from on-premises to prevent access issues if on-premises systems fail.
- Configure Complex Passwords:
- Use strong passwords, ideally with a minimum of 16 characters, as recommended by Microsoft at the time of writing this post. Although it is possible to create passwords up to 256 characters long, a minimum of 32 characters is common. Feel free to increase the length of the password as your requirements dictate. However, be aware that no matter how strong the password, bad actors can still steal user credentials via a phishing attack, so a password alone remains a risk; this is why phishing-resistant MFA, such as a FIDO2 supported device, is recommended. More on this later.
- Secure Password Storage:
- If you’re using passwords, follow Microsoft’s recommendation to separate the password into two or three parts, write each part on separate pieces of paper, and store them in secure, fireproof safes in different locations. Ensure only authorised individuals have access.
- Use Phishing Resistant MFA:
- For multi-factor authentication (MFA), use a phishing resistant method like a FIDO2 Security Key. Again, ensure you store these physical keys in a safe location and only allow authorised individuals access.
- Audit and Monitor Access:
- Configure monitoring to notify you if the emergency break glass accounts are used, allowing for swift action.
- Diversify MFA Methods:
- Avoid using the same MFA method as your admins. For instance, if admins use passkeys via their phones or certificate based authentication (CBA), use a physical passkey for the emergency accounts so that problems affecting mobile devices, such as a wider mobile network outage, do not lock you out.
- Avoid Assigning to Individuals:
- Do not tie break glass accounts to an individual, for example by registering MFA on an engineer’s mobile phone, to avoid problems if that person is unavailable. Just imagine that individual being on holiday; it’s not good practice from either a convenience or a security point of view.
- Exclude from Conditional Access Policies:
- Ensure at least one emergency access/break glass account is excluded from all Conditional Access policies.
- Regular Validation and Documentation:
- Validate your emergency accounts every 90 days or sooner if needed. Document a step by step process to allow authorised IT staff access to the accounts in emergencies. Training and clear documentation are crucial. The last thing you want is to discover an issue during a real emergency which could have been prevented through testing and validation.
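As an added example that is not part of the original post, the two checks above that can be automated, alerting on any break glass sign-in and flagging accounts that have passed the 90-day validation window, run over a few constructed records shaped like Entra ID sign-in log entries (the tenant name, people, IP addresses and timestamps are all made up):

```python
import json
from datetime import datetime, timedelta

# Constructed sample records (not real tenants, people or IPs), shaped like Entra ID
# sign-in log entries: userPrincipalName, createdDateTime, ipAddress, appDisplayName, status.
SAMPLE_LOG = """
{"userPrincipalName": "alice@contoso.onmicrosoft.com", "createdDateTime": "2024-09-10T08:01:12Z", "ipAddress": "203.0.113.10", "appDisplayName": "Azure Portal", "status": {"errorCode": 0}}
{"userPrincipalName": "harriet.lane@contoso.onmicrosoft.com", "createdDateTime": "2024-09-10T09:15:44Z", "ipAddress": "198.51.100.7", "appDisplayName": "Azure Portal", "status": {"errorCode": 0}}
{"userPrincipalName": "harriet.lane@contoso.onmicrosoft.com", "createdDateTime": "2024-09-11T02:30:00Z", "ipAddress": "192.0.2.55", "appDisplayName": "Microsoft 365 Admin Center", "status": {"errorCode": 50126}}
"""

# The two break glass accounts, named like ordinary people rather than "breakglass@".
BREAK_GLASS = {"harriet.lane@contoso.onmicrosoft.com", "oliver.reed@contoso.onmicrosoft.com"}

def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_log(text: str) -> list:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def break_glass_alerts(records, break_glass=BREAK_GLASS) -> list:
    """Every sign-in attempt by a break glass account, successful or not, is an alert."""
    alerts = []
    for r in records:
        upn = r["userPrincipalName"].lower()
        if upn in break_glass:
            success = r.get("status", {}).get("errorCode", 0) == 0
            alerts.append({"upn": upn, "when": r["createdDateTime"], "ip": r["ipAddress"],
                           "app": r.get("appDisplayName", "?"), "success": success})
    return alerts

def validation_overdue(records, now, break_glass=BREAK_GLASS, max_days=90) -> list:
    """Accounts with no successful sign-in within max_days of `now` (an ISO timestamp)."""
    last_ok = {}
    for r in records:
        upn = r["userPrincipalName"].lower()
        if upn in break_glass and r.get("status", {}).get("errorCode", 0) == 0:
            ts = parse_ts(r["createdDateTime"])
            last_ok[upn] = max(last_ok.get(upn, ts), ts)
    cutoff = parse_ts(now) - timedelta(days=max_days)
    return sorted(u for u in break_glass if u not in last_ok or last_ok[u] < cutoff)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for a in break_glass_alerts(recs):
        print("ALERT break glass sign-in:", a)
    print("validation overdue on 2024-12-20:", validation_overdue(recs, "2024-12-20T00:00:00Z"))
```

Note that the failed attempt (error code 50126, an invalid credential) is alerted on as well, since a password spray against a break glass account is exactly what you want to see early.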
Now that we have covered best practices for emergency break glass accounts, you may have read or heard that Microsoft announced that mandatory multi-factor authentication (MFA) will be enforced for Azure sign-ins. This will gradually be rolled out to other portals, such as admin.microsoft.com, and more. So, what does this mean? Well, any user account logging into the admin portals will be required to have MFA enabled before it can log in.
Previously, it was possible to log into the Azure portal using an account without MFA enabled, but this will no longer be possible going forward. Why? Because MFA is one of the most effective security measures available to organisations: research by Microsoft shows that MFA can block more than 99.2% of account compromise attacks. Since emergency accounts are commonly used to log into admin portals, these accounts are not exempt from this new rule. Attackers could exploit emergency break glass accounts to access your environment with Global Administrator privileges and cause significant damage. Previously, many organisations created emergency break glass accounts without enabling MFA, and this was considered normal. Following this announcement from Microsoft, organisations will no longer be able to log in to admin portals with a password alone using any account, including emergency break glass accounts. MFA must be enabled; phishing-resistant MFA is highly recommended, although other MFA methods are allowed. In my opinion, it makes sense to secure these highly privileged accounts.
Great, we’re nearly there. What’s next? I would like to provide a quick overview of passkeys and how they can protect you against a bad actor stealing user credentials and session tokens via a phishing attack using tools such as Evilginx. Let’s learn more.
What are passkeys?
Passwords can be compromised through various methods, including phishing attacks, regardless of their complexity. FIDO2 supported passkeys enable phishing-resistant, passwordless authentication. They replace weak credentials with strong, hardware-backed public/private key credentials, reducing the chances of user credentials and session tokens being stolen.
A common attack method involves a bad actor attempting to steal user credentials by tricking them into clicking a malicious link. Adversary in the Middle (AiTM) attack tools, such as Evilginx, can intercept communication between the user and login providers like Microsoft, Facebook, or Google, capturing the information needed to access the user’s data. Evilginx is capable of capturing session cookies, which validate a user’s session after MFA is completed. Put simply, Evilginx can bypass MFA that is not phishing resistant, rendering it ineffective and allowing unauthorised access to the user’s data.
When configuring a FIDO2 supported method, such as a physical YubiKey, the process involves the generation of two keys:
- A private key, which is generated on the physical YubiKey and never leaves it. Other phishing-resistant methods, such as Windows Hello for Business, work the same way: with Windows Hello for Business, the private key stays on the device, such as the laptop, stored in its TPM (Trusted Platform Module).
- A public key is provided to the relying party. In my case, the relying party is Microsoft, because I’ll be using my FIDO2 supported physical passkey to log in to admin portals such as the Azure portal.
Because passkeys are phishing resistant, they are highly recommended. Apart from physical FIDO2 security keys, there are other phishing resistant MFA methods available, including Certificate Based Authentication (CBA), passkeys via the Microsoft Authenticator app and one I mentioned earlier, Windows Hello for Business.
Why are passkeys secure?
When you register a passkey, a number of security features prevent a hacker from misusing your credentials. One of the key security features is proximity: the authenticator must be physically close to the laptop, for example plugged in via USB or tapped via NFC. In this case, the authenticator could be a physical FIDO2 security key or a passkey on the Authenticator app. This prevents users from being tricked by a bad actor; for example, if the bad actor attempts to steal a user’s session token via a phishing attack, it would be of no use, because the hacker is most likely sitting somewhere far away from the laptop, so the proximity check fails and access is denied.
Another important security feature is that the FIDO2 supported device is tied to a specific website address, or relying party. This means that if a bad actor tries to fool the user by directing them to a fake URL via a phishing attack, the authentication attempt fails when the user tries to use their phishing-resistant device, such as a YubiKey. This is because the private key stored on the device will only respond to the specific website it was originally registered with. So, even if a hacker mimics the real website by creating a convincing clone at login.micr0soft.com (replacing the o with a zero), the FIDO2 supported key won’t complete the authentication process, because it was registered against login.microsoft.com and not the fake login.micr0soft.com.
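To make the relying party binding concrete, here is an added Python model (not from the original post, and not Microsoft’s or Yubico’s code) of the two checks that make the login.micr0soft.com clone fail: the browser only lets a page request an rpId that matches its own origin, and the key only answers for an rpId it holds a credential for. Signatures and attestation are left out, and the credential id is constructed.

```python
import hashlib
from urllib.parse import urlsplit

RP_ID = "login.microsoft.com"                    # relying party id the key was registered against
PHISHING_ORIGIN = "https://login.micr0soft.com"  # the look-alike clone from the text

def rp_id_hash(rp_id: str) -> bytes:
    """SHA-256 of the rpId, as carried in WebAuthn authenticator data."""
    return hashlib.sha256(rp_id.encode()).digest()

def client_allows_rp_id(origin: str, rp_id: str) -> bool:
    """Browser rule: a page may only request an rpId equal to, or a parent domain of, its host."""
    host = (urlsplit(origin).hostname or "").lower()
    return host == rp_id or host.endswith("." + rp_id)

class Authenticator:
    """Toy FIDO2 key: credentials are scoped by rpIdHash (no signing modelled)."""
    def __init__(self):
        self._creds = {}  # rpIdHash -> credential id

    def register(self, rp_id: str) -> str:
        cred_id = hashlib.sha256(b"constructed-cred:" + rp_id.encode()).hexdigest()[:16]
        self._creds[rp_id_hash(rp_id)] = cred_id
        return cred_id

    def get_assertion(self, rp_id: str):
        """Only answers for an rpId it holds a credential for."""
        h = rp_id_hash(rp_id)
        if h not in self._creds:
            return None
        return {"credential_id": self._creds[h], "rp_id_hash": h}

def attempt_login(auth: Authenticator, page_origin: str, requested_rp_id: str) -> str:
    """Walk a sign-in through the client, authenticator and relying party checks."""
    if not client_allows_rp_id(page_origin, requested_rp_id):
        return "client rejected: rpId not valid for page origin"
    assertion = auth.get_assertion(requested_rp_id)
    if assertion is None:
        return "authenticator has no credential for this rpId"
    if assertion["rp_id_hash"] != rp_id_hash(RP_ID):  # relying party verifies rpIdHash
        return "relying party rejected: rpIdHash mismatch"
    return "ok"

if __name__ == "__main__":
    key = Authenticator()
    key.register(RP_ID)
    print("genuine site:", attempt_login(key, "https://" + RP_ID, RP_ID))
    print("clone asking for the real rpId:", attempt_login(key, PHISHING_ORIGIN, RP_ID))
    print("clone asking for its own rpId:", attempt_login(key, PHISHING_ORIGIN, "login.micr0soft.com"))
```

Whichever rpId the clone requests, the sign-in stops before any signature is produced, so an AiTM proxy on the fake domain has nothing to relay.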
Still confused? I demonstrate the YubiKey registration process in the diagram below.
How does a hacker steal user credentials and session token?
One of the methods I am focusing on in this post is bad actors stealing user credentials via a phishing attack, by fooling users into clicking a link that directs them to a fake login page. The user assumes that they are accessing a genuine login page, and upon entering a username and password, and even completing non-phishing-resistant MFA, the bad actor captures the user’s session token and then replays it on their own device. Yes, tools such as Evilginx can bypass MFA in this way. This gives the hacker direct access to the user’s data, such as email and OneDrive files, without having to authenticate again.
In the video below, Merill Fernando (Principal Product Manager @ Microsoft Entra) demonstrates how Evilginx works and provides a couple of controls that can prevent such an attack when an Adversary in the Middle (AiTM) attack tool such as Evilginx is used.
DISCLAIMER:
Evilginx has the potential for malicious use. It’s crucial for defenders to account for such attacks and devise strategies to safeguard their users from these types of phishing threats. Evilginx should only be employed in lawful penetration testing engagements with explicit written consent from the targeted entities or for educational objectives.
Note
While phishing-resistant MFA provides strong protection against phishing attacks and greatly reduces the risk of credential theft, it does not completely prevent token theft, for example if a bad actor runs malware on a user’s device. This is why it’s essential to adopt a defence in depth strategy with multiple layers of security measures, including endpoint protection on your devices.
In the video below, Alex Weinert (VP Identity Security at Microsoft) provides several solutions to help protect against token theft.
Passkeys Available via Phone Using the Authenticator App
In the next post, I demonstrate how to set up a physical FIDO2 supported passkey from Yubico. However, I wanted to mention that passkeys are also available without needing to purchase a physical key. Modern smartphones come with built-in FIDO2 authentication capabilities, providing you with phishing-resistant protection and allowing you to use biometric features like fingerprint or face recognition as passkeys. With the Microsoft Authenticator app, you can register and use these passkeys on your iPhone or Android phone to securely log into your accounts. This provides a convenient and cost-effective way to enhance your online security without having to purchase physical security keys.
I know what you’re thinking! “If passkeys are available for free using phones via the Authenticator App, why should I purchase a physical key?”
Great question! While passkeys on smartphones offer a great level of convenience and security, there are several reasons why an organisation might still opt for physical security keys. Here are a few benefits:
- Device Flexibility: Physical passkeys can be used with any device, including shared workstations, without relying on employees’ personal mobile phones. If you don’t allow the use of personal mobile phones in your organisation, you could purchase physical passkeys.
- Enhanced Protection: Physical keys can offer an extra layer of protection against malware and other attacks that might target vulnerabilities in mobile devices.
- Compliance Requirements: In some industries, compliance requirements may mandate the use of physical keys. Therefore, while smartphone based passkeys are excellent for many users, physical keys still play a crucial role depending on your organisational requirements.
- Emergency Break Glass Accounts: A physical FIDO2 key would be a better option than a mobile phone for an emergency break glass account. It ensures that access is not dependent on the availability or functionality of a specific mobile device. YubiKeys don’t contain moving parts and are designed to be simple and robust, with a solid construction that contributes to their reliability. They don’t require batteries or an external power source, as they draw power directly from the USB or NFC connection when in use, making them ideal for offline storage and offsite locations.
That’s it! I hope you enjoyed and found Part 1 useful. In Part 2, I will go through the steps to configure my newly purchased YubiKey. Click the following link if you’re interested in learning more. Part 2 – Configure a YubiKey For An Emergency Access Account In Entra ID | Cloud Build