
Why phishing-resistant MFA is important in Microsoft Entra

Posted : 19 February 2025

Posted In : Blogs

Written by: Adriaan Bekker, Chief Information Security Officer

The threat of phishing attacks is more prevalent than ever, and the advice everywhere is to use Multi-Factor Authentication (MFA) to protect yourself. However, cybercriminals are becoming increasingly sophisticated, and traditional methods of authentication, such as passwords, are no longer sufficient to protect sensitive information. This is where phishing-resistant MFA comes into its own: it provides an additional layer of security by requiring multiple forms of verification, making it significantly harder for attackers to gain unauthorised access to accounts and systems.

Phishing-resistant MFA is crucial because it removes passwords from the login workflow and ensures that the public/private key exchange can only take place between the registered device and the registered provider. A login attempt on a fake or phishing website therefore cannot complete, which reduces the risk of credential theft. Microsoft Entra supports 3 types of phishing-resistant MFA.

1. FIDO2 Keys

FIDO2 keys are physical security keys that provide strong authentication by using public key cryptography. When a user registers a FIDO2 key with a service, a unique key pair is generated. The private key is stored on the security key, while the public key is registered with the service. During authentication, the user must physically interact with the FIDO2 key, which then uses the private key to sign a challenge from the service. This process ensures that only the legitimate user can authenticate, as the private key never leaves the security key and cannot be phished. This can be configured in the Passkey Policy.

Screenshot showing Microsoft Authenticator enabled for passkey

Users can use the iOS Wallet on their phone to avoid having to purchase a physical FIDO2 key. Detailed information on FIDO2 support in Entra can be found here.

2. Windows Hello for Business

Windows Hello for Business uses biometric data (such as facial recognition or fingerprint scanning) or a PIN to authenticate users instead of a standard password. This method leverages the device’s hardware to securely store the user’s biometric data or PIN, which is then used to unlock a cryptographic key pair. The private key is stored on the device and never leaves it, while the public key is registered with the service. This ensures that authentication can only occur on the registered device, making it resistant to phishing attacks. A guide on how to configure Windows Hello for Business can be found here.
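The challenge-signing model that both the FIDO2 and the Windows Hello for Business sections describe, as an added Go simulation (example code, not Microsoft's and not from this post): the private key stays on the device, the browser writes the real origin into the signed client data and refuses to use a credential for a site it was not registered to, and the service rejects anything signed for a different origin or challenge. Domain names are constructed, and the rpID/origin rule is a simplification of the WebAuthn one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"strings"
)

// Key models a FIDO2 security key: one key pair per relying-party ID (rpID), never exported.
type Key map[string]*ecdsa.PrivateKey

// Register generates a credential scoped to rpID; only the public key is handed to the service.
func (k Key) Register(rpID string) *ecdsa.PublicKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	k[rpID] = priv
	return &priv.PublicKey
}

// toSign is the signed data: SHA256(rpIdHash || SHA256(clientDataJSON)), binding rpID and origin.
func toSign(rpID string, cdj []byte) []byte {
	rp, cd := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdj)
	h := sha256.Sum256(append(rp[:], cd[:]...))
	return h[:]
}

// Assert plays the browser: it refuses an rpID that is not the page's host or a parent domain (a
// simplification of the WebAuthn rule), records the real origin, and only then asks the key to sign.
func (k Key) Assert(rpID, origin, challenge string) (cdj, sig []byte) {
	host := strings.TrimPrefix(origin, "https://")
	priv, ok := k[rpID]
	if !ok || (host != rpID && !strings.HasSuffix(host, "."+rpID)) {
		return nil, nil // never reaches the key: this is the phishing-resistant part
	}
	cdj, _ = json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	sig, _ = ecdsa.SignASN1(rand.Reader, priv, toSign(rpID, cdj))
	return cdj, sig
}

// Verify plays the service: origin and challenge must match what it issued, and the signature
// must validate under the registered public key for the service's own rpID.
func Verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, cdj, sig []byte) bool {
	var cd map[string]string
	if json.Unmarshal(cdj, &cd) != nil || cd["origin"] != origin || cd["challenge"] != challenge {
		return false
	}
	return ecdsa.VerifyASN1(pub, toSign(rpID, cdj), sig)
}
```

A lookalike domain gets no signature at all, and an assertion cannot be replayed against a fresh challenge, which is exactly what a password or a one-time code cannot guarantee.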

3. Certificate-Based Authentication for MFA

Certificate-Based Authentication (CBA) uses digital certificates to authenticate users. A digital certificate is a cryptographic document that binds a user’s identity to a public key. When a user attempts to authenticate, the service verifies the digital certificate and uses the associated public key to encrypt a challenge. The user must then use their private key to decrypt the challenge and respond, proving their identity. This method ensures that only users with the correct digital certificate and private key can authenticate, making it resistant to phishing attacks. A guide on how to configure Certificate-Based Authentication can be found here.

Conclusion

Implementing phishing-resistant MFA is critical for protecting your organisation from increasingly sophisticated cyber threats. By adopting methods such as FIDO2 keys, Windows Hello for Business, and Certificate-Based Authentication, you can significantly enhance your security posture and reduce the risk of a breach.

While this strengthens your security posture, you still have to monitor all activities in your environment so that any breaches can be identified and mitigated as close to the time of occurrence as possible.

secure365 provides a Managed Detection and Response (MDR) service that triages suspicious events, which are analysed by an expert Security Operations Team 24×7. Click here to discover how secure365 can give you peace of mind.
