Registration Campaigns Push for Stronger Authentication Methods

A year ago, Microsoft VP for Identity Security Alex Weinert spoke at the TEC 2022 conference and was critical about the slow adoption of multi-factor authentication (MFA) within Microsoft 365 tenants. At the time, only 26.64% of all Entra ID accounts used MFA (34.15% for accounts holding an administrative role). During his presentation, Alex talked about some of the initiatives Microsoft planned to drive MFA adoption and more secure authentication, including changes to the authenticator app, the introduction of authenticator-lite in Outlook mobile, and differentiation of authentication strengths for conditional access policies.

The changes discussed at TEC 2022 are now in production, but there’s still room for improvement. On July 17, Alex Weinert published a Microsoft Technical Community post titled Advancing Modern Strong Authentication focused on Microsoft’s push to get users off SMS responses to use a stronger method such as the Authenticator app. Alex noted that Microsoft telemetry records SMS and voice phone calls still being used for 44% of responses, He also said that Microsoft research concludes that SMS is 40% less effective at repelling compromise by bad actors compared to the Authenticator app, possibly due to an increase in man-in-the-middle attacks.

Entra ID includes a feature called registration campaigns to help organizations move users to the Authenticator app. Essentially, administrators create a campaign and users start to see prompts to “improve your sign ins.” Users can snooze the prompt for a predefined period of up to 14 days but eventually they’ll need to select the authentication method defined for the campaign (the Authenticator app). Nagging until you do something…

The Mail Announcing the Registration Campaign Arrives

Bringing things back to TEC, as I prepared to travel to Atlanta for the 2023 conference this week, I received a note from Microsoft saying that users in my tenant that use SMS and voice methods for MFA responses would be prompted to switch to the Authenticator app (Figure 1).

Good as it is for users to upgrade their authentication method, I didn’t want users to receive an unexpected “Improve Your Sign-in” prompt while I was out of the office. Atlanta isn’t too far away, but the five hours dislocation from my normal working hours would definitely interfere with communications.

Pausing the Campaign

The reason why I received the notification was that the tenant settings for Entra ID had an enabled campaign. I’m not quite sure how the campaign was initiated, but it’s probably due to something I did in the past when checking out new Entra ID features. Microsoft complied and launched the campaign by warning me that it was about to begin.

The short-term solution is simple. I edited the campaign settings to put it into a disabled state (Figure 2).

The available settings for a registration campaign are Disabled, Enabled, and Microsoft controlled. The latter allows Microsoft to control a registration campaign, which is fine if everyone’s prepared for the change. For instance, it’s a good idea to help users install the Authenticator app on their mobile devices in advance.

It’s also wise to brief people about why using the Authenticator app is easy. The first time a user sees number matching and the additional context (location) displayed by the app when responding to an MFA challenge, they might conclude that it’s a more complex process than typing in a simple code received by SMS. But when they understand that number matching makes it harder for attackers to compromise MFA and the additional context helps them recognize suspicious activity (like an unexpected app provoking a challenge), it usually leads to a good result.

The Campaign Relaunches Soon

It’s a good idea to get rid of SMS and voice responses to MFA challenges, so I’ll relaunch the registration campaign when I return from TEC 2023. Life should be calmer then. At least, that’s the plan until the next emergency arises.

So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Entra ID and the rest of the Microsoft 365 ecosystem. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

Number Matching and Geographic Context Now GA for Authenticator App

Updated 20 February 2023

Eleven months after releasing the features to preview, Microsoft has made number matching and additional context generally available with the tag line of advanced Microsoft Authenticator security features. The capabilities are available for multi-factor authentication (MFA) flows now and will be available for passwordless flows soon.

In a nutshell, these features relieve the MFA fatigue some users experience when they process MFA challenges to sign into Microsoft 365 and other apps. Instead of blindly responding to a prompt or “simple approval” (which could be hijacked by an attacker – see MITRE Att&ck technique T1621), the user is forced to respond to the challenge by entering a matching number. This addresses the problem (as experienced in the recent Uber compromise) where an account holder responds to an MFA challenge without putting their brain in gear. MFA fatigue is a very real and current problem.

Additional context allows the Authenticator app to display information about the location of the sign-in and the app provoking the challenge. The extra information helps the user to understand if the sign-in that provoked the challenge is valid. Together, Microsoft says that number matching and additional context help organizations to “prevent accidental [user] approvals in Microsoft Authenticator.”

New UI in Azure AD Admin Center

Tenants can roll the features out to all users or a targeted group, Microsoft has refreshed the UI in Authentication Methods section under Security in the Azure AD admin center (Figure1). You can also configure the settings with a Graph API request, but I wouldn’t bother. The Azure AD admin center does everything you need.

Microsoft planned to implement number matching for all Authenticator users in February 2023 but rescheduled the deployment date to May 8, 2023. At that point, Microsoft will remove the UI to enable or disable this feature from the Azure AD admin center. and all authentication challenges using the Authenticator app will require users to respond to generated numbers rather than the traditional Deny/Approve choice. This is part of Microsoft’s ongoing campaign to increase security by default across Microsoft 365.

Responding to a Non-Fatigued MFA Challenge

I found that it took about ten minutes before Azure AD implemented the updated settings in its challenges. The number challenge uses the same UI as the preview (Figure 2).

Figure 3 shows how the Microsoft Authenticator app (for iOS) prompts the user to enter the number requested by Azure AD. You can also see the additional geographic (based on the IP address of the device used for the sign-in) and application context presented to allow the user to judge if the sign-in is legitimate.

Speaking of Authenticator on iOS, Microsoft says that the app now uses App Transport Security (ATS) for improved privacy and data integrity between Authenticator and web services like the Microsoft 365 apps.

They also say that Authenticator on Android allows users to search their accounts and that this capability is coming to iOS “soon.” I use Authenticator for multiple Microsoft 365 tenants, my Microsoft consumer account, and applications like Twitter and GitHub, so searching will be a nice addition.

Changes Improve Authenticator’s Resistance to Attack

Why is number matching and additional context important for Authenticator? At the TEC 2022 conference, Alex Weinert, Microsoft VP for Identity Security, appealed for Microsoft 365 tenants to deploy multi-factor authentication more broadly (i.e., to increase the overall level of protection from the current 26.84% of user accounts). MFA protects more administrator accounts (34.15%), but that’s hardly a reason to celebrate.

During his TEC session, Alex discussed the updates now available for Authenticator and stressed how these made the app less susceptible to attack and less likely for its users to succumb to the human weakness seen in MFA fatigue. I imagine that with these updates, Microsoft now regards Authenticator as having the same authentication strength as Windows Hello and FIDO-2 keys.

The nice thing about the cloud is that changes like this roll-out without any intervention required on the part of tenants. It’s entirely in your hands to decide whether to take advantage and make MFA challenges more resistant to attack. It makes sense to do so.

Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.