Reports published by Proofpoint recently documenting MFA vulnerabilities in Microsoft 365 (Office 365) have likely caused concern among Microsoft customers. The report cites “critical vulnerabilities in multi-factor authentication (MFA) implementation in cloud environments where WS-Trust is enabled” ultimately allowing a potential attacker to bypass MFA and get access to an organization’s Microsoft 365 apps including email, SharePoint, CRM, data and more. On its website, Microsoft announced deprecation of the WS-Trust authentication protocol, stating it is “inherently insecure by current encryption standards”.
Making sure you are using non-deprecated protocols is important to maintaining security. But what other conclusions can security professionals take away from this vulnerability? Below are some guidelines that provide basic pointers for assessing the security of authentication and access management solutions:
1. Separate your security solution from the apps you need to protect: Segregation of duties is a basic tenet of security. The same goes for security solutions. Placing all your eggs in one basket compounds risk, so ideally you should be deploying a dedicated authentication and access management solution that can be managed and secured independently of other apps and services;
2. Apply MFA consistently to all apps and services: Look for a solution that can address all use cases. MFA is considered one of the most effective security measures for reducing risk of breach. It makes sense, therefore, to ensure an access management solution can centrally apply authentication and conditional access to all your apps, including legacy on-prem ones; and,
3. Make sure your solution is secure: One of the most prevalent authentication methods used today is PUSH OTP, but not all solutions are created equal when it comes to security. Always work with a trusted security vendor whose core business is security. Regarding PUSH OTP:
a. Make sure the OTP app cannot be backed up to an external drive or copied to another device. Apps that allow this don’t have the built-in security to ensure the apps can only be used on a specific and intended device. So always make sure that the OTP app is encrypted, protected and tied cryptographically to a specific mobile device.
b. Make sure the OTP app supports secure app enrollment and activation: In order for the security code to be protected and secured when a user installs the app, the app installation process needs to be encrypted. Otherwise, the cryptographic module that generates the security codes could be at risk. Some vendors carry out an OS check before allowing the app to be installed on the intended mobile device. However, if the app can be copied to a malicious device that complies with the OS rules, this kind of workaround wouldn’t be of any help in protecting the integrity of the app itself or a malicious actor’s ability to clone the app.
c. Make sure the OTP app can be supported on any OS. Your users will likely need to install apps on a broad range of devices, including mobiles, tablets and desktops. Broad OS and end-point device compatibility ensures a consistent and secure authentication across the board for all apps and users.
For more information on how Thales can help, read our “Implementing Strong Auth for Office 365 with SafeNet Auth Service” solution brief and watch this “Best Practices for Securing Office 365 Access Management” webinar.