Forum Discussion
O365 MFA Mobile App Security Concern
- Feb 02, 2018
I agree that if a user is tricked into giving away their password, it is likely that the same user could also be duped into happily pressing a button on their phone, especially if the memo from IT says "you will soon receive a pop-up box on your phone, don't worry, that's just us, please authorize that." Sigh.
Here are some things that may help you:
1) In the MFA service settings page, uncheck the option for "Notification through mobile app", leaving only "Text message to phone" or "Verification code from mobile app".
https://account.activedirectory.windowsazure.com/UserManagement/MfaSettings.aspx
2) Consider investing in an Azure AD Premium P1 license, as this provides an additional conditional access feature where you can block users who are not domain joined or are not enrolled in Intune... You can also implement IP fencing rules to block countries that you don't do business with. For example, a lot of phishing is originating from IP addresses associated with Nigeria, so you could block all IPs from logging in from that country.
3) Simulate phishing attacks, then follow up with user training.
Yes, you are correct. These are all reasonable actions to implement.
We train, train, train. That's what is so concerning. We follow up after training with more reminders and examples. The very same users who swear that they would never click and act on a phishing attempt often get walloped and then have absolutely no recollection that they handed over their credentials. Their response usually includes, "well, it looked real...."
I was hoping that someone would leap forward on my post and point out an obvious flaw in my logic, but that doesn't seem to be the case. I can't see moving forward with the straight Approve method until I can come to peace with this issue. With a security hole this easily exploited, Notification Only seems like just pushing the issue one layer up and adding a process that provides a false sense of security.
I like MFA and think that it solves a big issue and is commonplace enough to be accepted and familiar to most users. I just have concerns about this one facet of this implementation of MFA.
Thanks for your recommendations.
It seems like the consumer Microsoft Account has a partial solution to the oblivious user. When requiring identity verification, it prompts the user to Approve the Push Notification with Number xx. On the phone, it lists three choices: xx yy zz, and the user is supposed to push xx, instead of just "approve". If the hacker can't directly communicate with the hacked user, after he enters the compromised user ID and password, he can't tell the hacked user which approve option to press. However, the oblivious hacked user still has a 1 in 3 probability of accidentally pressing the correct auth code. Perhaps Microsoft should prompt the user with nine possible auth codes, greatly reducing the probability of a lucky guess when making a reply to an unrequested approval notification.
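As an added illustration, not code from any poster and not Microsoft's implementation, here is a Python mock of the number-matching approval described above: the server issues the code shown on the login screen, the phone shows it among decoys, and a blind tap on an unrequested prompt succeeds only at the 1-in-N rate. All names and the two-digit code range are assumptions.

```python
import secrets
from dataclasses import dataclass


@dataclass
class PushChallenge:
    """One number-matching push: `correct` is shown on the login screen,
    `choices` is what the phone displays (correct code mixed with decoys)."""
    session_id: str
    correct: int
    choices: list
    attempts_left: int = 1  # a wrong tap ends the challenge, no retries


def new_challenge(session_id, n_choices=3, lo=10, hi=99):
    """Server side: draw n_choices distinct two-digit codes; the first
    drawn is the correct one, then shuffle so position leaks nothing."""
    codes = []
    while len(codes) < n_choices:
        c = secrets.randbelow(hi - lo + 1) + lo
        if c not in codes:
            codes.append(c)
    correct = codes[0]
    choices = codes[:]
    secrets.SystemRandom().shuffle(choices)
    return PushChallenge(session_id, correct, choices)


def verify_pick(challenge, session_id, picked):
    """Server side: approve only if the tap is for this login session,
    the challenge is still live, and the tapped code matches."""
    if challenge.attempts_left <= 0:
        return False
    challenge.attempts_left -= 1
    if session_id != challenge.session_id:
        return False
    return picked == challenge.correct


def blind_guess_rate(n_choices, trials=3000):
    """Simulate the 'oblivious user' who taps a random option on a push
    they never requested (they never saw the code on the login screen)."""
    hits = 0
    for i in range(trials):
        ch = new_challenge(f"sess-{i}", n_choices)
        if verify_pick(ch, ch.session_id, secrets.choice(ch.choices)):
            hits += 1
    return hits / trials
```

With the default three choices the blind-tap approval rate sits near 1/3; raising `n_choices` to nine drops it to about 1/9, which is the change the post proposes.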
- ABaerst, Dec 03, 2019, Brass Contributor
JayFMSTechComm - Thanks for staying on top of this and replying. Yes, I saw this feature show up on the consumer side and I like it. It seems like a good compromise.