How Hackers Bypass MFA? [2 Ways To Stop Them]

Threatscape
21 Aug 2024 08:33

Summary

TL;DR: This video explains how to defend against Man-in-the-Middle (MitM) attacks using Microsoft Entra conditional access policies. It demonstrates two methods: using device state to block access from devices that are neither compliant nor hybrid-joined, and enforcing authentication strengths such as security keys (passkeys). The presenter walks through setting up the policies in the admin center, tests them on different devices, and explains the underlying security mechanisms, including certificate checks and domain validation, that prevent token theft and improve user security.

Takeaways

  • 🔐 The script discusses the misconception that MFA is often 'bypassed' when it's actually the MFA credentials that are stolen, commonly through man-in-the-middle attacks.
  • 👨‍💻 The video aims to educate viewers on how to defend against such attacks using Azure Active Directory (Azure AD) conditional access policies.
  • 💼 It introduces two methods of defense: one using device state to check for compliance or hybrid Azure AD join status, and another using authentication strengths like security keys.
  • 🛠️ The first method leverages existing on-premises AD or Azure AD licenses, requiring no additional hardware investment, and is considered a low-cost defense strategy.
  • 📱 The script demonstrates setting up a conditional access policy in the Azure portal, targeting specific users and cloud apps, and excluding compliant or hybrid-joined devices.
  • 🚫 The policy blocks access for devices that are not compliant or hybrid-joined, thereby preventing unauthorized access even if MFA credentials are stolen.
  • 🔑 The second method focuses on using security keys (FIDO2) as a form of strong authentication, which is more secure than traditional MFA methods.
  • 🔗 The video shows a practical demonstration where accessing a phishing URL from a non-compliant device results in a block due to the conditional access policy.
  • 🛡️ It explains that even if an attacker has the password, they cannot proceed without the security key, which is registered with Azure AD and is resistant to tampering.
  • 🌐 The script highlights the importance of domain name verification during the authentication process, which adds an extra layer of security against man-in-the-middle attacks.
  • 🔄 The video concludes by suggesting that viewers might want to explore more content on conditional access and security best practices.

Q & A

  • What does MFA stand for in the context of the video?

    -MFA stands for Multi-Factor Authentication, a security mechanism that requires users to provide two or more verification factors to gain access to a resource.

  • What is meant by 'MFA bypass' in the video?

    -In the video, 'MFA bypass' refers to a misconception that attackers are able to bypass Multi-Factor Authentication. It's clarified that what often happens is that the MFA credentials are stolen, not bypassed.

  • What are the two different ways of defending against adversary-in-the-middle attacks discussed in the video?

    -The two ways discussed are using conditional access based on device state (compliant or hybrid joined) and using conditional access with authentication strengths, specifically requiring passkeys.

  • What is the significance of a device being 'compliant' or 'hybrid joined' in the context of the video?

    -A device being 'compliant' or 'hybrid joined' indicates that it meets certain security standards and is managed by the organization's identity provider, which can be used to enforce stronger authentication requirements.

  • Why is using device state as a condition for conditional access considered a low-cost defense?

    -Using device state as a condition for conditional access is considered low-cost because it leverages existing on-premises Active Directory or cloud identity licenses without the need for additional hardware purchases.

  • What is the role of Edge browser's built-in protection in the demonstration?

    -Edge browser's built-in protection provides an initial warning about potentially unsafe sites, which is part of the overall defense strategy against phishing and man-in-the-middle attacks.

  • What is a 'passkey' as mentioned in the video?

    -A 'passkey' in the video refers to a type of strong authentication method that can be a security key or a temporary access pass, which is more secure than traditional passwords and harder for adversaries to intercept.

  • How does the video demonstrate the effectiveness of using passkeys against man-in-the-middle attacks?

    -The video demonstrates that even if an attacker has the password, they cannot proceed further without the passkey, which is registered with Microsoft Entra and tied to a specific domain, thus preventing unauthorized access.

  • What is the purpose of the 'authentication strengths' feature in conditional access policies?

    -The 'authentication strengths' feature allows administrators to define a set of acceptable authentication methods, such as passkeys or temporary access passes, which must be satisfied for access to be granted.

  • Why is the domain name check important when using passkeys for authentication?

    -The domain name check ensures that the passkey is being used for a site that it was registered with, adding an extra layer of security against man-in-the-middle attacks by verifying the site's legitimacy.
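As an added example (not from the video, and not Microsoft's code), this is the relying-party side of the domain check described above: a simplified WebAuthn assertion verifier that rejects an assertion whose clientDataJSON origin or authenticator rpIdHash does not match the site the passkey was registered with. RP_ID, RP_ORIGIN and the proxy domain are constructed placeholders, and signature verification is omitted to keep the focus on the two binding checks.

```python
import base64
import hashlib
import json
import secrets

# Hypothetical relying party (constructed values, not a real tenant).
RP_ID = "login.example.test"
RP_ORIGIN = "https://login.example.test"

def new_challenge() -> str:
    """Fresh per-login challenge, base64url without padding as WebAuthn uses it."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()

def build_client_data(origin: str, challenge: str) -> bytes:
    """Simplified clientDataJSON: the browser stamps in the origin the user is
    really on; the page cannot choose it."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()

def build_auth_data(rp_id: str) -> bytes:
    """Minimal authenticatorData: rpIdHash (32 bytes) + flags (UP|UV) + signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (0).to_bytes(4, "big")

def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: str) -> tuple[bool, str]:
    """Relying-party checks that make a relayed assertion useless. The real flow also
    verifies the signature over authData || SHA-256(clientDataJSON), which is what
    stops anyone from editing these fields after the key has signed them."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or forgery)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not the registered origin"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the registered RP ID"
    return True, "ok"

def demo() -> tuple[tuple[bool, str], tuple[bool, str]]:
    """Genuine login versus one relayed through a look-alike proxy domain."""
    ch = new_challenge()
    genuine = verify_assertion(build_client_data(RP_ORIGIN, ch), build_auth_data(RP_ID), ch)
    # The proxy can forward the challenge, but the browser records the proxy's origin and
    # the authenticator hashes the proxy's domain, so the assertion fails both bindings.
    proxy = "login.example-proxy.test"
    relayed = verify_assertion(build_client_data("https://" + proxy, ch), build_auth_data(proxy), ch)
    return genuine, relayed
```

Calling `demo()` returns `(True, "ok")` for the genuine login and a rejection for the relayed one; a password phished through the proxy gives the attacker nothing the verifier will accept.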

Related tags
MFA Security, Conditional Access, Cyber Defense, Authentication, Security Keys, Hybrid AD, Compliance, Passwordless, Attack Mitigation, Security Policies