To effectively implement unphishable authentication using Entra within your organization, it is crucial to address every aspect of the user lifecycle. This includes creating a user account without a password, providing hardware keys (such as YubiKeys), onboarding users and PCs, managing network authentication, implementing conditional access, and enabling unphishable entry to resources outside of Entra ID (like Linux systems). We recognize the complexity of this task, and we are committed to simplifying it by meticulously exploring each component. Let’s dive in!
Microsoft hasn’t rolled out the option for setting up passwordless accounts yet, which can be a bit frustrating. The most practical solution for now involves creating accounts with exceptionally long passwords that are not stored, coupled with implementing unphishable authentication via conditional access policies. To assist with this, we’ve put together a thorough tutorial on how to create users with random passwords, including PowerShell scripts for account creation.
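The following is an added example, not the Keytos script referred to above: it creates an Entra ID user with the Microsoft Graph PowerShell SDK, setting a long random password that is generated from a cryptographic RNG, handed to Graph once, and then discarded. The user principal name, display name and domain are constructed placeholders; it assumes the Graph SDK is installed and the caller has been granted User.ReadWrite.All.

```powershell
# Added example (not Keytos' script): create an Entra ID user whose password is a
# long random value that is never recorded anywhere. Assumes the Microsoft Graph
# PowerShell SDK is installed and the caller holds User.ReadWrite.All.
# The UPN, display name and domain below are constructed placeholders.

Connect-MgGraph -Scopes 'User.ReadWrite.All'

function New-DiscardedPassword {
    param([int]$ByteLength = 96)
    # 96 random bytes -> 128 base64 characters, well inside Entra's 256-character
    # limit and with all character classes the password policy asks for.
    $bytes = New-Object byte[] $ByteLength
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    [Convert]::ToBase64String($bytes)
}

function New-PasswordlessEntraUser {
    param(
        [Parameter(Mandatory)] [string]$DisplayName,
        [Parameter(Mandatory)] [string]$UserPrincipalName
    )
    $password = New-DiscardedPassword
    $user = New-MgUser -AccountEnabled:$true `
        -DisplayName $DisplayName `
        -MailNickname ($UserPrincipalName.Split('@')[0]) `
        -UserPrincipalName $UserPrincipalName `
        -PasswordProfile @{
            Password                      = $password
            ForceChangePasswordNextSignIn = $false   # nobody will ever type it
        }
    # Drop the only copy of the password. From here on the account is usable only
    # through the passwordless methods the user registers during onboarding.
    Remove-Variable password
    return $user
}

$newUser = New-PasswordlessEntraUser -DisplayName 'Example User' `
                                     -UserPrincipalName 'example.user@contoso.example'
$newUser | Select-Object Id, UserPrincipalName
```

The password is never written to a file, ticket or console; the only thing left to do is to pair this with the conditional access policy described later so that the unknown password can never be used for a sign-in even if someone guessed it.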
Handing out hardware keys like YubiKeys for unphishable authentication poses significant challenges for any size of organization. For large organizations, global distribution entails complex issues such as customs compliance and the need for a dedicated team to manage and dispatch keys, adding to the complexity. Our vast experience in global key distribution is a crucial asset in this context. EZCMS simplifies these challenges with its integrated ticketing software, aiding your IT department in efficiently managing and tracking key inventory. Additionally, our specialized YubiKey logistics service, backed by global partnerships, ensures smooth international delivery of keys. Discover more about our ticketing software and global YubiKey distribution partnerships.
Conversely, smaller organizations face distinct obstacles, like limitations from major vendors who may not cater to smaller businesses and a lack of capabilities to distribute or print smartcards. This can make the shift to a phishing-resistant system quite difficult. At Keytos, we extend our services to companies of all sizes, providing support ranging from smartcard printing to the procurement and distribution of hardware keys, ensuring an effortless transition to a phishing-resistant framework.
The primary challenge here is familiarizing users with the selected unphishable authentication method while protecting IT staff from tactics akin to those seen in the MGM password reset incident, where attackers impersonated a user to obtain a temporary password.
While Microsoft suggests using a Temporary Access Pass (TAP), a deeper examination shows that TAPs essentially serve as single-use passwords and are susceptible to similar attacks, potentially becoming the weakest link in your security. We have compiled a comprehensive guide on user onboarding without TAP, which is strongly recommended for consultation. The ideal approach is a self-service onboarding method, like the government ID verification provided by EZCMS (refer to the accompanying video for more details on this).
Once the user’s identity has been verified, we suggest two options: setting up a dedicated kiosk for users to access the EZCMS application independently without needing their personal computers, or enabling remote users to register using their own devices. Thankfully, EZCMS is equipped with additional verification steps that help address any security concerns arising from the use of personal, unregulated devices.
Following identity verification, the next step is for users to configure their work computers. Notably, Windows 11 facilitates this process by supporting the use of a security key during the initial setup. This functionality allows users to log into their computers for the first time using their FIDO2 key, eliminating the need for a password or TAP.
Using Autopilot means you are also using Intune. For VPN and Wi-Fi authentication, the preferred approach is to implement X.509 certificates, managed via Intune SCEP. You have the option to establish and manually oversee your ADCS CA and SCEP server; however, third-party Intune PKI solutions like EZCA can greatly simplify this procedure. These services help in quickly setting up an HSM-backed CA and assist in efficiently configuring a certificate-based Wi-Fi profile.
After implementing unphishable authentication in your organization, it’s essential to ensure that these methods are exclusively used for logins. Microsoft’s Entra ID, particularly its conditional access feature, serves as an efficient mechanism for this purpose. Having a Premium P1 license or higher grants access to Entra ID conditional access.
To activate conditional access, start by logging into the Azure portal as a global administrator. Then navigate to Entra ID and follow the path Security -> Conditional Access Policies -> New Policy. Begin by crafting a policy, but first apply it to a limited group of test users to avoid inadvertently restricting access for everyone. Choose the specific applications for policy enforcement. In the Conditions segment, you might opt to exclude device platforms incompatible with your authentication method, though generally it’s advisable to apply the policy across all platforms to eliminate any security gaps that could be exploited. In the access controls’ Grant section, select “Require authentication strength” and choose Passwordless MFA. Including device requirements in your policy is also beneficial.
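The same policy, created with the Microsoft Graph PowerShell SDK rather than through the portal, as an added example that is not part of the original post. It scopes the policy to a pilot group, covers all applications and platforms, and requires the built-in Passwordless MFA authentication strength; it starts in report-only mode so that sign-in logs show who would be affected before enforcement. The pilot group name is a constructed placeholder, and it assumes the caller holds Policy.ReadWrite.ConditionalAccess.

```powershell
# Added example (not from the original post): create a report-only Conditional
# Access policy requiring the built-in "Passwordless MFA" authentication strength
# for a pilot group across all apps and platforms. Assumes the Microsoft Graph
# PowerShell SDK; the group name is a constructed placeholder.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All'

# Resolve the built-in authentication strength by name instead of hard-coding its id.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object DisplayName -eq 'Passwordless MFA'
if (-not $strength) { throw 'Built-in "Passwordless MFA" strength not found.' }

$pilotGroup = Get-MgGroup -Filter "displayName eq 'CA-Pilot-Passwordless'"
if (-not $pilotGroup) { throw 'Pilot group not found; create it before applying the policy.' }

$policy = @{
    displayName = 'Require passwordless MFA (pilot)'
    # Report-only first: sign-in logs record the outcome without blocking anyone.
    # Switch to 'enabled' once the pilot group signs in cleanly.
    state = 'enabledForReportingButNotEnforced'
    conditions = @{
        users = @{
            includeGroups = @($pilotGroup.Id)
        }
        applications = @{
            includeApplications = @('All')
        }
        clientAppTypes = @('all')
        platforms = @{
            includePlatforms = @('all')   # excluding a platform leaves a gap
        }
    }
    grantControls = @{
        operator = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Reviewing the report-only results in the sign-in logs before flipping `state` to `enabled` is the scripted equivalent of the "limited group of test users" advice above; widen `includeGroups` only after that check.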
For more comprehensive information on device security, take a look at our webinar on the topic:
Securing corporate accounts for unphishable authentication is a vital first step, but many organizations overlook a critical component in their infrastructure: Linux. Traditionally, Linux has relied on local accounts that are not integrated with Entra ID. While this approach was adequate for early SSH operations, it falls short of meeting the security and operational demands of modern cloud environments. Managing credentials and users at such a scale is, to put it mildly, a formidable task. Some organizations attempt to join their Linux systems to Entra – a functional approach, but not the most secure, and often subject to disruptions caused by DNS issues. Major organizations like Google, Facebook, Uber, and Netflix have shifted towards using SSH certificates instead.
SSH certificates are CA-signed credentials that grant time-limited access to Linux systems. The main hurdle lies in their issuance: manual generation is possible, but Linux lacks an automated system to verify a user’s access level before a certificate is signed. These large organizations have developed in-house systems for confirming user permissions and creating SSH certificates. While those solutions are proprietary, services like EZSSH offer similar functionality. EZSSH authenticates users through Entra ID, complies with your conditional access policies, and checks Azure RBAC or hybrid policy ACLs for non-Azure SSH endpoints. It then generates a short-lived SSH certificate for user access, which expires after the session, thereby preventing potential misuse.
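To make the mechanism concrete, here is an added example using plain OpenSSH tooling; it is not EZSSH code. A signing function consults an access list (a constructed stand-in for the Entra/RBAC check EZSSH performs) and only then asks `ssh-keygen` to sign the user’s public key with the CA key, embedding the permitted Linux principals and a 15-minute validity window. The CA key, file paths, user names and access list are all constructed placeholders; the script runs from PowerShell on Windows or pwsh on Linux wherever `ssh-keygen` is on the path.

```powershell
# Added example (not EZSSH code): the signing step behind short-lived SSH
# certificates, shown with stock OpenSSH tooling. The access list, CA key path,
# user names and file names are constructed placeholders.

# Constructed stand-in for the authorization check a real issuer makes against
# Entra ID / Azure RBAC: which Linux principals each authenticated identity may use.
$accessList = @{
    'alice@contoso.example' = @('alice', 'deploy')
    'bob@contoso.example'   = @('bob')
}

function New-ShortLivedSshCert {
    param(
        [Parameter(Mandatory)] [string]$User,        # identity already authenticated upstream
        [Parameter(Mandatory)] [string]$UserPubKey,  # path to the user's id_ed25519.pub
        [Parameter(Mandatory)] [string]$CaKey,       # path to the CA private key
        [string]$Validity = '+15m'                    # short lifetime, so no revocation list is needed
    )
    # Authorization first: an identity with no principals gets no certificate at all.
    $principals = $accessList[$User]
    if (-not $principals) { throw "$User is not authorised for any principal" }

    # -s CA key, -I key identity (appears in sshd logs), -n allowed principals,
    # -V validity window. ssh-keygen writes <name>-cert.pub beside the public key.
    $keyId = "$User-$((Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ'))"
    ssh-keygen -s $CaKey -I $keyId -n ($principals -join ',') -V $Validity $UserPubKey
    if ($LASTEXITCODE -ne 0) { throw 'ssh-keygen failed to sign the key' }

    return ($UserPubKey -replace '\.pub$', '-cert.pub')
}

# One-time setup on the issuer (keep the CA private key offline or in an HSM):
#   ssh-keygen -t ed25519 -f ./user_ca -C 'user CA'
# On every Linux server, in /etc/ssh/sshd_config, trust the CA and, optionally,
# map usernames to permitted principals:
#   TrustedUserCAKeys /etc/ssh/user_ca.pub
#   AuthorizedPrincipalsFile /etc/ssh/principals/%u

$cert = New-ShortLivedSshCert -User 'alice@contoso.example' `
            -UserPubKey "$HOME/.ssh/id_ed25519.pub" -CaKey './user_ca'
ssh-keygen -L -f $cert   # shows the Principals list and the Valid: window
```

Because the server trusts only the CA public key, no per-user entries live on the hosts, and because the certificate expires on its own, a stolen one is useful for minutes rather than until someone notices and rotates it.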
This guide demonstrates that while transitioning to a fully unphishable framework in Entra involves several components, it is certainly achievable with detailed planning. Once you switch to unphishable authentication, you’ll likely find the old conventional methods less appealing. We’ve been operating under an unphishable model for over three years now, and the results have been exceptional! To learn how your organization can securely and quickly implement unphishable authentication, feel free to schedule a FREE consultation with one of our ex-Microsoft identity experts today!