Day 6 - SC-900 - Authentication Methods in Azure AD(AAD)
Passwords: -Weakest of authentication methods in AAD -Subject to classic exploitation techniques such as password spraying & bruteforce attacks -Still subject to exploitation even with enforced complexity -Can be combined with other non-controlled application methods to bolster it, such as: -SMS: -SMS is considered less than secure in practical application. -Voice Call
-Can be combined with controlled application methods to bolster it, such as: -Microsoft AuthN App: -Can be used as a primary form of AuthN to sign into an AAD account -Can be used as additional verification option for self-service password reset(SSPR) or AAD multi-factor authentication(MFA) events. -Users must download the phone app & register their account to use this application.
-Open Authentication(OATH) Token One-Time Password(OTP) -Open standard that specifies how time-based OTP(TOTP) codes are generated -Software Token: -AAD generates a secret key, or seed, that is input into the app & used to generate each OTP -Typically an application -Hardware Token: -Small hardware devices that look like a key fob -Secret key/seed programmed into the token -Displays a code that refreshes every 30 or 60 seconds
Passwordless: -Windows Hello -AuthN feature built into Windows 10 -Replaces passwords with strong two-factor AuthN(2FA) on PCs & Mobile Devices -Allows userse to AuthN to: -Microsoft Account -AD Account -AAD Account -Identity Provider Services -Relying party services that support FIDO2 AuthN -Windows Hello is for personal devices. -Uses a PIN or biometric gesture. -Windows Hello for Business is for business owned devices -Uses Key-based or cert-based AuthN -Solves the following problems: -Password reuse -Exposure of symmetric network credentials during/after a server breach -Replay attacks -Password exposure due to phishing
-Microsoft Authenticator -Fast Identity Online(FIDO)2 Security Key: -Uses public-key (Asymmetric) cryptography for user AuthN -User has a physical device(USB or NFC) -AuthN Sequence: -Provide Username > Cryptographic Challenge > Use FIDO2 key to sign > service verifies response > Access is granted














