Passwords are an insecure authentication mechanism. They are often easily guessed, and the computing power necessary to crack passwords is readily available. Although many organizations have the goal of switching to an entirely password-less authentication system, most companies cannot do so immediately. Legacy applications, user behavior, hardware, and more must be transformed in order to support a password-less model.
Multi-factor authentication (MFA) is a solution that mitigates the risk of password insecurity. Even if an attacker determines the correct password, he or she must still complete an MFA challenge that requires something the attacker does not have, such as a phone or hardware token. Microsoft’s MFA solution is Azure MFA. Azure MFA authenticates users by telephone call, text (SMS) message, push notification to the Authenticator mobile app, or a one-time passcode displayed in the Authenticator app.
Protecting Cloud Applications
Azure MFA is included with Azure Active Directory Premium (AADP). Using AAD conditional access policies, you can require MFA for access to cloud applications in various scenarios. The simplest approach, which many organizations have adopted, is that users must complete an MFA challenge to access any cloud application.
For some organizations, enforcing MFA at every access attempt can prove too onerous for end users. To mitigate this, you could extend the conditional access policy to require MFA only when the user is accessing an application from outside the corporate network. Another approach is to integrate Microsoft Intune and require MFA only if the user is coming from an unmanaged or non-compliant device. The example below shows a conditional access policy that requires MFA any time a user is connecting from an unmanaged/non-compliant device.
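A policy of that shape expressed as a Microsoft Graph request, added here as an illustration rather than the article's own example: the grant controls "MFA" and "compliant device" are combined with OR, so a user on an Intune-compliant device signs in without an MFA prompt, while a sign-in from an unmanaged or non-compliant device must complete MFA. The variables $AccessToken and $BreakGlassGroupId are placeholders you supply.

```powershell
# Added example (not the article's code): create a conditional access policy
# through Microsoft Graph that requires MFA OR a compliant device.
# Assumes $AccessToken holds a Graph token with Policy.ReadWrite.ConditionalAccess
# and $BreakGlassGroupId is the object id of an emergency-access group (placeholders).

$policy = @{
    displayName = "Require MFA unless device is compliant"
    # Report-only first: the sign-in logs show who would be prompted before you enforce.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            # Always exclude emergency-access accounts so a mistaken policy cannot lock out admins.
            excludeGroups = @($BreakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # "OR": satisfying either control grants access; "AND" would require both.
        operator        = "OR"
        # Add "domainJoinedDevice" here if hybrid Azure AD joined devices also count as managed.
        builtInControls = @("mfa", "compliantDevice")
    }
}

$body = $policy | ConvertTo-Json -Depth 10

Invoke-RestMethod -Method Post `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Headers @{ Authorization = "Bearer $AccessToken" } `
    -ContentType "application/json" `
    -Body $body
```

Switch state to "enabled" only after reviewing the report-only results, since a policy applied to all users and all applications takes effect on the administrator's own sessions too.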
Multi-Factor Authentication For On-Premises Applications
Azure MFA can be extended to on-premises applications and services through two mechanisms. For on-premises web applications, you can publish the application with the Azure Application Proxy. Once an application is published by the application proxy, you can apply a conditional access policy that requires MFA, exactly as you would with a cloud application.
Traditional Virtual Private Network (VPN) systems, as well as Citrix and other Virtual Desktop Infrastructure (VDI) systems, typically use RADIUS to authenticate users. These are critical entry points that should always have MFA applied. Fortunately, Microsoft provides an extension for the Network Policy Server (NPS) role in Windows Server that integrates with Azure MFA. Once the NPS extension is enabled, RADIUS authentication requests that pass through the NPS server trigger an MFA challenge.
Combined with a Remote Desktop Gateway, the NPS extension is also a great way to secure Remote Desktop Protocol (RDP) access to servers. If you force all RDP connections to pass through the gateway, you can also require an MFA challenge to complete the connection.
Multi-Factor Authentication For Windows Client Computers
A common request is how to require MFA for user sign-ins to desktop PCs and laptops. Traditionally, the only solution to this problem that Windows natively supported was a smart card. Windows 10 changed this with the introduction of Windows Hello and Windows Hello for Business (WH4B). WH4B uses a device-specific credential such as biometric information or a PIN. The device-specific credential unlocks a certificate or key stored in the device’s Trusted Platform Module (TPM) chip.
The certificate/key is used to authenticate to on-premises Active Directory (AD), as well as to obtain a special type of token for AAD. This is considered a multi-factor login, and AAD will not prompt the user to perform MFA again if the user accesses an application that requires MFA from the device.
Planning a Multi-Factor Authentication Rollout
Like most IT projects, MFA rollouts are mostly about planning and communication. If you get these two things right, your project will be a success. We have helped large and small customers successfully add MFA to their environment. Contact us to help you solve your password security problems.