Analysts see an uptick in token theft from authenticated users, allowing threat actors to bypass MFA protections.

Threat actors are stealing authentication tokens already verified by multifactor authentication (MFA) to breach organizations' systems. A new alert from the Microsoft Detection and Response Team (DART) said token theft for MFA bypass is particularly dangerous because it requires little technical expertise to pull off, it's tough to detect, and most organizations haven't considered token theft as part of their incident response plan.

"Detecting token theft can be difficult without the proper safeguards and visibility into authentication endpoints."

"As far as mitigations go, publicly available open-source tools for exploiting token theft already exist, and commodity credential theft malware has already been adapted to include this technique in their arsenal," DART added in its blog post about the MFA workaround.

Full visibility into devices reduces token theft risk, but DART concedes that's difficult with so many unmanaged devices accessing the network. And as employees increasingly access systems through personal devices, security controls are weaker and malicious activity is hidden from the security team's view. For unmanaged devices, they recommend conditional access policies and strong controls.

End users can enter an infinite sign-in loop in the following scenarios:

Okta sign-on policy is weaker than the Azure AD policy: Neither the org-level nor the app-level sign-on policy requires MFA. However, Azure AD Conditional Access requires MFA and expects Okta to pass the completed MFA claim.

The sign-on policy doesn't require MFA when the user signs in from an "In Zone" network but requires MFA when the user signs in from a network that is "Not in Zone": If the user is signing in from a network that's In Zone, they aren't prompted for MFA. But again, Azure AD Conditional Access requires MFA and expects Okta to pass the completed MFA claim.

The user doesn't immediately access Office 365 after MFA: If the user completes MFA in Okta but doesn't immediately access the Office 365 app, Okta doesn't pass the MFA claim. To get out of the resulting infinite loop, the user must re-open the web browser and complete MFA again.

Okta incorrectly sends a successful MFA claim: This happens when the Office 365 sign-on policy excludes certain end users (individuals or groups) from the MFA requirement.