
Azure MFA and NIST requirements

Ralph Göbel

Hi there,

I am currently involved in a SharePoint project dealing with high security requirements, and I have some problems matching NIST requirements with the ways Azure MFA can authenticate.

NIST 800-63B (https://pages.nist.gov/800-63-3/sp800-63b.html), chapter 5.1, talks about different authenticator types like memorized secret, OTP devices, cryptographic devices and so on.

As far as I know, MFA offers authentication based on SMS or the Authenticator app. Which type of authenticator is this? I found some slides from Microsoft saying that NIST Assurance Level 3 can be achieved with Azure MFA. But if I understand this correctly, Level 3 needs, for example, a multi-factor cryptographic device or a multi-factor OTP hardware device together with a cryptographic device....

How does this match with using SMS or the Authenticator app? Especially when the user accesses the application from the same mobile device? Thank you very much in advance :)

Regards

Ralph

4 Replies
Solution

I'm afraid I'm far from an expert in this realm, but I believe that the Authenticator app can function as an OTP and as an out-of-band device. It functions in OTP mode when you have it set up to give you a one-time code each time you need to log in, and it functions in out-of-band mode when you have it set up to send the user a prompt via Authenticator that they must respond to in order to complete sign-in. Hopefully this at least helps a bit, Ralph!
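An added example, not from this thread or from Microsoft: a small Python checker for the question the thread is about, namely which NIST SP 800-63B Authenticator Assurance Level a given combination of authenticator types can reach. The permitted combinations encode my reading of SP 800-63B sections 4.1.1, 4.2.1 and 4.3.1; the `Auth` names are this example's own labels, not NIST or Azure identifiers.

```python
from enum import Enum


class Auth(Enum):
    """Authenticator types from SP 800-63B section 5.1 (labels are this example's own)."""
    MEMORIZED_SECRET = "memorized secret (password/PIN)"
    LOOKUP_SECRET = "look-up secret"
    OOB_DEVICE = "out-of-band device, e.g. app push prompt"
    OOB_SMS = "out-of-band via SMS/PSTN, marked RESTRICTED in 5.1.3.3"
    SF_OTP_SOFTWARE = "single-factor OTP, software (e.g. app-generated code)"
    SF_OTP_HARDWARE = "single-factor OTP, hardware token"
    MF_OTP_SOFTWARE = "multi-factor OTP, software"
    MF_OTP_HARDWARE = "multi-factor OTP, hardware"
    SF_CRYPTO_SOFTWARE = "single-factor cryptographic software"
    SF_CRYPTO_DEVICE = "single-factor cryptographic device"
    MF_CRYPTO_SOFTWARE = "multi-factor cryptographic software"
    MF_CRYPTO_DEVICE = "multi-factor cryptographic device"


MULTI_FACTOR = {Auth.MF_OTP_SOFTWARE, Auth.MF_OTP_HARDWARE,
                Auth.MF_CRYPTO_SOFTWARE, Auth.MF_CRYPTO_DEVICE}
# Section 4.2.1: a memorized secret plus one of these reaches AAL2.
AAL2_PAIRS = {Auth.LOOKUP_SECRET, Auth.OOB_DEVICE, Auth.OOB_SMS,
              Auth.SF_OTP_SOFTWARE, Auth.SF_OTP_HARDWARE,
              Auth.SF_CRYPTO_SOFTWARE, Auth.SF_CRYPTO_DEVICE}
# Section 4.3.1: AAL3 combinations; each contains a hardware-based authenticator.
AAL3_COMBOS = [
    {Auth.MF_CRYPTO_DEVICE},
    {Auth.SF_CRYPTO_DEVICE, Auth.MEMORIZED_SECRET},
    {Auth.MF_OTP_SOFTWARE, Auth.SF_CRYPTO_DEVICE},
    {Auth.MF_OTP_HARDWARE, Auth.SF_CRYPTO_DEVICE},
    {Auth.MF_OTP_HARDWARE, Auth.SF_CRYPTO_SOFTWARE},
    {Auth.SF_OTP_HARDWARE, Auth.MF_CRYPTO_SOFTWARE},
    {Auth.SF_OTP_HARDWARE, Auth.SF_CRYPTO_SOFTWARE, Auth.MEMORIZED_SECRET},
]


def max_aal(used):
    """Highest AAL (0..3) the authenticator set `used` can satisfy on combination grounds alone."""
    used = set(used)
    if not used:
        return 0
    if any(combo <= used for combo in AAL3_COMBOS):
        return 3
    if used & MULTI_FACTOR:                      # any multi-factor authenticator on its own
        return 2
    if Auth.MEMORIZED_SECRET in used and used & AAL2_PAIRS:
        return 2
    return 1                                     # a single factor never exceeds AAL1


def restricted(used):
    """Authenticators 800-63B marks RESTRICTED: usable, but the risk must be assessed and disclosed."""
    return {a for a in used if a is Auth.OOB_SMS}
```

Only the combination rule is encoded: AAL3 additionally requires verifier-impersonation resistance and FIPS 140 validated authenticators, which no table check can confirm, so a password plus Authenticator app code tops out at AAL2 here exactly as Ralph suspected.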

Hi Grant,

Sorry for the delay in replying, and thank you very much for sharing your thoughts. I think the idea is not to enable e.g. SMS as an authentication method, but only codes inside the Authenticator app. This will be considered out of band, even if the user tries to access services from the same device.

Thanks and regards!

Ralph

No worries at all! I believe you are correct about that; the Authenticator prompt seems to be the preferred method going forward. There have been some security issues around the global telecom system that manages SMS, so most companies seem to be trying to discourage anyone from using that method anymore if possible.

Ralph,

Here is a Microsoft document that accomplishes what you are looking to address. The report answers your question directly. I have added the document for your convenience. However, you can also reference the work here: https://goo.gl/28eiTc

Azure Multi-Factor Authentication enables compliance with regulatory requirements for multi-factor authentication such as the following ones, to name a few:

  • NIST 800-63 Electronic Authentication Guidelines for Level 3 Assurance,
  • HIPAA Requirements Relative to Electronic Protected Health Information (EPHI),
  • Payment Card Industry Data Security Standards (PCI DSS),
  • Criminal Justice Information System (CJIS) Security Policy,
  • Authentication in an Internet Banking Environment Guidance (FFIEC).
    (Beraud, Jumelet, & Grasse, 2015, p. 12)

Thanks!
Bob

References

Beraud, P., Jumelet, A., & Grasse, J. (2015). Leverage Azure Multi-Factor Authentication with Azure AD - Microsoft (pp. 1-40, Rep.). Microsoft France.
