Forum Discussion
Sitekit_RobB
Mar 28, 2024 (Copper Contributor)
UI Risk with MFA configuration
Hi all,
As we discovered recently, to our cost and inconvenience, the UI layout in Conditional Access, specifically the Grant / Require Authentication Strength control, poses a two-part risk if an admin isn't paying enough attention.
The combo-box presents all 3 options like so:
This can lead to the bottom entry getting clicked on accidentally; but also, because it's a combo box, if someone accidentally knocks their scroll wheel, for instance, or applies a scroll-down gesture on a touchpad, it can easily slip down to the bottom entry for FIDO2 keys.
This leads to the second part of the risk. As we discovered earlier this month, the system may not (or possibly will not, we can't confirm either way) allow users to register a FIDO2 key AFTER the config has been set, as you can't successfully log in. The CA system (or at least this specific clause) should absolutely have some kind of logic check that would bar the enablement of the clause if no user objects have a FIDO2 key registered.
Not only would this save a great deal of frustration on the part of clients using Azure, but it would also alleviate some of the call volume that the data operations/data engineering team which handles lockout scenarios seems to be suffering with.
Our issue took 2 weeks to resolve, 13 days of which were spent waiting for the team to have availability, as we'd gone through all the initial hoops for verification, testing etc. within the first 12 hours or so of the problem occurring.
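The pre-enablement logic check the post asks for, modelled as an added example (not code from the post or from Microsoft): an authentication strength is treated as a list of allowed method combinations, and the check refuses to "enable" the strength if any in-scope user has registered no combination that satisfies it, which generalises the post's "no user has a FIDO2 key" test to a per-user lockout report. The strength names, method names and user records are constructed for illustration and are not the real Entra ID identifiers.

```python
"""Lockout pre-flight check for a Conditional Access authentication strength (constructed model)."""

# Constructed strengths loosely mirroring the three built-in options. Each strength is a list of
# combinations; a user satisfies the strength if ALL methods of at least one combination are registered.
STRENGTHS = {
    "mfa": [
        {"password", "authenticatorPush"},
        {"password", "softwareOath"},
        {"password", "sms"},
        {"authenticatorPasswordless"},
        {"fido2"},
    ],
    "passwordless_mfa": [
        {"authenticatorPasswordless"},
        {"fido2"},
    ],
    "phishing_resistant_mfa": [  # the "bottom entry" the post describes: FIDO2 keys only
        {"fido2"},
    ],
}

# Constructed directory snapshot: user -> set of registered authentication methods.
USERS = {
    "alice": {"password", "authenticatorPush", "fido2"},
    "bob": {"password", "authenticatorPush"},
    "carol": {"password", "sms"},
    "dave": {"password", "authenticatorPasswordless"},
}


def satisfies(registered, combinations):
    """True if the registered methods cover every method of some allowed combination."""
    return any(combo <= registered for combo in combinations)


def lockout_check(strength_name, users, scope):
    """Return (safe_to_enable, locked_out_users) for applying `strength_name` to `scope`.

    A user who appears in scope but has no registration record is treated as having nothing
    registered, which is the worst case and exactly the situation that caused the lockout above.
    """
    combos = STRENGTHS[strength_name]
    locked = sorted(u for u in scope if not satisfies(users.get(u, set()), combos))
    return (not locked, locked)


if __name__ == "__main__":
    everyone = list(USERS)
    for name in STRENGTHS:
        safe, locked = lockout_check(name, USERS, everyone)
        print(f"{name:24} safe={safe} locked_out={locked}")
```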