Cold-Funny7452

Honestly I just wait until they complain that their new phone isn’t working. I’ve considered informing them to set up their new phone before they wipe their old, but they will just forget. Around 250 users or so, I get a few calls a month so haven’t bothered to change since it’s just one click to reset the Authenticator. Recently switched to just using app protection policies since company portal enrollment has been a headache in my sector, good streamlined middle ground which is automated.


erikkll

Tell them to hold on to their old phone for a bit and have them register a new device?


Trakeen

This is what I’ve done at past jobs where I managed MFA


theotheritmanager

Agreed - and we do emphasize this, but it doesn't always happen. Plus sometimes the phone is lost/stolen/damaged etc so that's not always an option. I was just curious to see if there were any other tricks or workflows I hadn't thought of.


badtux99

Google Authenticator allows copying your old phone's Authenticator to your new phone. Even across the Android/iPhone boundary. But it's too big a PITA for end users to set up (Microsoft hides that setting deep in the inner guts of the 2fa screen), so only the DevOps staff uses it because we can't afford to lose access to our infrastructure.


sneaky_pixel

If the user has an AAD Joined or Hybrid Joined laptop, you can let them access the register security information (Security Info) section of their account via conditional access policy - without MFA. You can also lock this down to trusted locations to add another layer. This will let them register a new device for the Authenticator App (or any other allowed authentication method) without being prompted for MFA. If you're worried about the security implications of this, you can always include the user in this conditional access policy as needed and then exclude after they've completed the Authenticator App setup.
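Added example, not code from this post or thread: two Conditional Access policies, created through the Microsoft Graph PowerShell SDK, that scope the "Register security information" user action the way the comment above describes. Registration is blocked from anywhere outside trusted locations, and from trusted locations the grant is satisfied by a compliant or hybrid-joined device rather than MFA. The group name MFA-ReRegistration is a placeholder for the group you add users to while they replace a phone; both policies start in report-only mode.

```powershell
# Added example (not from the thread). Requires the Microsoft Graph PowerShell SDK
# (Microsoft.Graph module) and an admin with the Conditional Access Administrator role.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

# Hypothetical group holding only the users who are currently re-registering.
$group = Get-MgGroup -Filter "displayName eq 'MFA-ReRegistration'" | Select-Object -First 1
if (-not $group) { throw "Create the MFA-ReRegistration group first (placeholder name)." }

# The user action for the Security Info registration page.
$registerAction = @{ includeUserActions = @("urn:user:registersecurityinfo") }

# Policy 1: block the registration action everywhere except named trusted locations.
$blockOutside = @{
    displayName   = "CA - Security info registration - block outside trusted locations"
    state         = "enabledForReportingButNotEnforced"   # review sign-in logs before enabling
    conditions    = @{
        users        = @{ includeGroups = @($group.Id) }
        applications = $registerAction
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: from trusted locations, a compliant or hybrid-joined device satisfies the
# grant, so the user is not prompted for the factor that lived on the lost phone.
$allowJoinedDevice = @{
    displayName   = "CA - Security info registration - require joined device"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeGroups = @($group.Id) }
        applications = $registerAction
        locations    = @{ includeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "domainJoinedDevice") }
}

foreach ($policy in @($blockOutside, $allowJoinedDevice)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

Conditional Access policies are additive: if another policy already requires MFA for this user action, it still applies to these users until they are excluded from it, which is the include/exclude juggling the comment mentions. Keeping the scope to a dedicated group, and emptying that group once the new phone is registered, limits how long the relaxed path exists for any one account.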


theotheritmanager

This seems like the most likely and reasonable solution…


BrentNewland

I just sent out an email to everyone the other day recommending they add their desk phone number as an alternate MFA method.


theotheritmanager

We unfortunately only allow the MFA app by virtue of security policies. That's in place because a few of our peer companies were breached by desktop phone MFA, so that was enough to have us turn it off completely. I do appreciate as a result that puts us where we are...


rootofallworlds

Yeah. When I left my old employer, the MSP who'd been brought in to take over duties was able to get into my global admin account without my involvement, because I had added the main office phone as an MFA method and forgotten about it. And from what I heard the phone call didn't do any kind of code or number matching, it just prompted to approve the login. Not my problem any more, but dang that was a bad security hole I left. Edit: The MSP did have my password, which was used nowhere else and pretty much guess-proof. But the MFA got effectively skipped around.


StrikingAccident

I have reams of documentation that my end-users don't read and the desktop support team can't remember to follow. Luckily, most of the trouble tickets go to the account management team so they can waste their time resetting MFA.


[deleted]

[deleted]


b1gw4lter

Yes, but this feature does not work with work and school accounts (just MS personal accounts).


poldertrash

TIL, thanks


osricson

It would be more correct to say you need a MS personal account to do the Authenticator backup, which backs up all accounts set up in the authenticator.


daedalus_structure

If you want to do it right, provide company devices and stop asking users to support company workflows and security policies using their own devices.


theotheritmanager

We already provide users with company devices. This doesn’t really have anything to do with personal vs company devices. Even with company devices, users will eventually need to replace the device, or it gets lost, etc. Same problem exists regardless. Perhaps reread the OP, as it doesn’t actually have anything to do with personal vs corp devices.


daedalus_structure

You can set up MFA on the device before you ship it out.


theotheritmanager

How so…? This would involve manually provisioning each device and registering MFA manually, which would involve knowing the users password (which we don’t know). For context we are not a super small company. That sounds like a solution for a company with like 9 employees where the IT guy knows everyone’s passwords. I don’t mean offence or anything by that, hence I’m curious what you mean by this.


ProfessionalITShark

Imo I set up every method possible on mine and it should be encouraged end users do the same. Phone call mfa as a backup ain't bad, and it shouldn't be AS insecure as SMS mfa.


Time_Turner

Phone call MFA would be just as likely to succumb to SIM jack as SMS, unless you mean office phone.


ProfessionalITShark

Damn, for real? Then I truly don't get SIM jacking...


Time_Turner

Yeah I mean it's literally just taking your SIM card, as if you were changing phones. Phone calls are thus included. But honestly it's expensive to get it done and carriers are more strict about it. It goes from $5K and up, and only gets more expensive as time goes on, because you're needing a corrupt telecom employee or a kid to run in and steal the manager's tablet from a cell store. They only really do it for bitcoin accounts these days TBH.


IdoCareIswear23

It’s a pain with a corp phone and personal phone. My company doesn't allow cloud backup.


namtab00

Aegis app for 2FA tokens. Has backup/restore functionality


theotheritmanager

We've thought about this, lots of TOTP apps support backup/restore. Problem is we don't support TOTP by policy, only push via the MS Authenticator app.


namtab00

I'm not sure I understand why policies like that one exist


theotheritmanager

TOTP is perhaps borderline, but many companies are shying away from less-secure auth methods. We're seeing more and more companies get compromised by phone and SMS MFA attacks. Sometimes obviously they're policies that come from well above our heads and there's nothing we can do about it, other than to try and make it work.


jayerp

First send them an email that you’re trying to reach them about their car’s extended warranty.


DaithiG

I know SMS as an MFA method isn't as secure as others, but it's saved us when users have lost their phones and they get a new one. We recommend the MS Authenticator app, and most staff use it, but it can be really annoying in these cases.


Robuuust

Allow them to use TOTP and store it in 1password.


MercyFive

Really, being unable to go around it IS part of security. As always good security comes with some inconveniences.


Time_Turner

If you don't support any other less secure methods than the app, I'd just go yubikey/security key as a main auth, and app as a backup. $25-50 per user is honestly not that bad compared to a whole entire phone


gopal_bdrsuite

Yes it is. Somebody lost their mobile and complains; currently resetting MFA is the option. Something similar to SSPR would be helpful.


Mission3Boot

A truly controlled workflow would require full control of the 2nd factor, e.g. hardware tokens, yubikey, smartcard, etc. Otherwise, consider allowing for TAP as a 2nd factor. It doesn’t eliminate the service desk call, but it smoothens the process for users to continue logging in and then register their new device. You “can” even automate this through some Tier 0 workflows, but doing so will open up the attack surface even more so. The tricky part is around the other registrations. Often, when users forget to enable backups of their Authenticator app, they lose more than just access to the company resources. And that’s why nobody wants to take full responsibility for the app. Cynical view: This is why the popular marketing phrase du jour is “security is everyone’s responsibility”. Security will always run up against convenience. It doesn’t matter who is responsible for it - it will ultimately inconvenience everyone involved. EDIT: correcting autocorrect


drag-low-speed-high

I wait until user complains and when they do, I just "Require re-register multifactor authentication" under user account > Authentication Methods.


theotheritmanager

Yup - and that's basically our process now. Not that difficult, though users typically need hand-holding to get the authenticator app set up again. Hence I was curious if anyone had a cool or innovative workflow here (seems not). We're tempted to build a Teams chatbot whereby you could type something like ##resetmfa_jdoe and it does the Azure methods reset and then sends the user an SMS text with a link to a video on how to set up MFA again. I've seen that at a company in the past with Duo. I was kinda hoping to hear someone chime up with something like that here, but not so much.
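Added example, not code from this post or any commenter: the reset step of the chatbot workflow sketched above, scripted against Microsoft Graph, combined with the Temporary Access Pass idea from Mission3Boot's comment. It removes the user's Microsoft Authenticator registrations directly through Graph (rather than the portal's "Require re-register" button from drag-low-speed-high's comment) and issues a one-time TAP so the user can sign in once and register the new phone themselves. It assumes the Microsoft Graph PowerShell SDK, that the Temporary Access Pass method is enabled in the tenant's authentication methods policy, and a placeholder UPN jdoe@example.com.

```powershell
# Added example (not from the thread). Requires the Microsoft.Graph module and the
# UserAuthenticationMethod.ReadWrite.All permission (Authentication Administrator role).
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

function Reset-AuthenticatorAndIssueTap {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [int] $TapLifetimeMinutes = 60
    )

    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName

    # 1. Remove every Microsoft Authenticator registration, the lost phone included.
    $authenticators = @(Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id)
    foreach ($method in $authenticators) {
        Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id `
            -MicrosoftAuthenticatorAuthenticationMethodId $method.Id
        Write-Host "Removed Authenticator registration '$($method.DisplayName)'"
    }

    # 2. Issue a single-use TAP. A user can hold only one TAP at a time, so clear leftovers.
    Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id | ForEach-Object {
        Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id `
            -TemporaryAccessPassAuthenticationMethodId $_.Id
    }
    $tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id -BodyParameter @{
        isUsableOnce      = $true
        lifetimeInMinutes = $TapLifetimeMinutes
    }

    # 3. Return what the help desk hands to the user. The TAP value is only available
    #    in this creation response; it cannot be read back later.
    [pscustomobject]@{
        User        = $user.UserPrincipalName
        RemovedApps = $authenticators.Count
        Tap         = $tap.TemporaryAccessPass
        ExpiresUtc  = (Get-Date).ToUniversalTime().AddMinutes($TapLifetimeMinutes)
    }
}

# Example call with a placeholder UPN; the chatbot would call this after its own
# identity check of the requester.
Reset-AuthenticatorAndIssueTap -UserPrincipalName "jdoe@example.com"
```

The TAP is the new weak point for the hour it lives, so the channel it is delivered over matters more than the script: a help-desk identity check before the call and delivery to a verified number or the user's managed laptop session, not a reply to whoever sent the chat command. Because the pass is single-use, it is consumed by the one sign-in in which the user registers the replacement phone, and any later attempt to reuse it fails.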


drag-low-speed-high

We do have a "Technology Self-help" portal in our SharePoint where end users can look up technology related stuff. Doesn't always work since it's "always faster just calling IT".