Providing an additional layer of defence to prevent unauthorised access, multi-factor authentication (MFA) is increasingly essential, but never more so than in secure corporate environments.
For a time, simplistic MFA measures may have been sufficient for ensuring security. However, attackers are developing sophisticated methods to circumvent MFA, often using tactics to steal authentication tokens instead of directly bypassing MFA itself. This approach, known as an Adversary-in-the-Middle (AiTM) attack, can allow hackers to impersonate users even in secured environments.
In this post, we’ll explore how these attacks work and discuss two effective ways to safeguard your organisation. These strategies provide scalable protection across devices and security levels, helping defend against MFA compromise without requiring significant additional investment.
Understanding Adversary-in-the-Middle Attacks
AiTM attacks insert the attacker between the user and the identity provider: the attacker's proxy relays the genuine login page, lets the user complete authentication (including MFA), and intercepts the session token the identity provider issues at the end of the login process. Because that token is the same one a legitimate user would hold, the adversary can replay it and effectively hijack the user's access.
This presents a substantial threat to organisations reliant on traditional MFA alone, underscoring the need for robust defences that can identify and mitigate AiTM attacks in real-time.
Solution #1 - Enforcing Device Compliance with Conditional Access
A cost-effective way to mitigate AiTM attacks is to implement Conditional Access policies based on device compliance. This approach restricts access to managed, compliant devices, ensuring that only corporate-approved devices can access resources.
How to Implement Device Compliance Policies:
- Access the Admin Centre: Sign in to your identity provider’s admin centre (for the purposes of this explanation, we will be using Entra ID) and navigate to the Conditional Access settings.
- Define Targeted Policies: Target users and resources. As a best practice, apply policies to all cloud applications, adding exclusions only as necessary.
- Configure Conditions for Device Compliance: Set the grant controls to permit access only from devices marked as Intune-compliant or Hybrid Microsoft Entra joined (formerly Hybrid Azure AD joined). Any device that meets neither condition is treated as unmanaged and is denied access.
- Test and Deploy: After creating the policy, test it with a user account to ensure it effectively blocks access from unmanaged devices.
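The four steps above, as an added example using the Microsoft Graph PowerShell SDK (illustrative code written for this post, not code from the original article or from Threatscape). It creates the policy in report-only mode so the effect can be reviewed before enforcement, then reads back recent sign-ins for a test account to confirm the policy would have blocked an unmanaged device. The break-glass group ID and test user are placeholders you must replace.

```powershell
# Added example: device-compliance Conditional Access policy via Microsoft Graph PowerShell.
# Requires the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports modules.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "AuditLog.Read.All"

$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"   # placeholder: group holding emergency-access accounts

# Steps 2 and 3: all users and all cloud apps, excluding only the break-glass group;
# access is granted if the device is Intune-compliant OR hybrid-joined.
$policy = @{
    displayName = "Require compliant or hybrid-joined device (all apps)"
    state       = "enabledForReportingButNotEnforced"   # report-only first; set to "enabled" once tested
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"                                   # either control satisfies the policy
        builtInControls = @("compliantDevice", "domainJoinedDevice")  # Intune-compliant / hybrid-joined
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Step 4 check: after signing in with the test account from an unmanaged device, inspect the
# report-only outcome in the sign-in logs. "reportOnlyFailure" means the policy would have
# blocked that sign-in; "reportOnlySuccess" means the device satisfied the grant controls.
$testUpn = "test.user@example.com"   # placeholder test account
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$testUpn'" -Top 5 |
    ForEach-Object {
        $signIn = $_
        $signIn.AppliedConditionalAccessPolicies |
            Where-Object { $_.DisplayName -eq $policy.displayName } |
            Select-Object @{ n = 'SignInTime'; e = { $signIn.CreatedDateTime } }, DisplayName, Result
    }
```

Keeping the policy in report-only mode until the sign-in log shows the expected results for both a compliant and an unmanaged device avoids locking out users (or yourself) while the exclusions are still being tuned.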
Example Use Case:
Let’s say you have a user attempting to log in from an Intune-compliant device. When they enter their credentials, the conditional access policy will verify the device compliance before granting access. If the device is unmanaged, access will be blocked, thwarting any adversary attempting to use stolen credentials on an unapproved device.
This method provides a robust, cost-efficient layer of security, especially when you already use Intune or Entra ID. However, it may limit access for users on personal (BYOD) or non-compliant devices.

Solution #2 - Enforcing Passkeys and FIDO2 Authentication
For organisations requiring BYOD access or broader device compatibility, FIDO2 authentication and passkeys provide an advanced, flexible solution for preventing MFA token theft via AiTM attacks. FIDO2 and passkeys rely on hardware-backed, origin-bound cryptographic authentication with a security key rather than a code the user can be tricked into entering, significantly reducing the risk of credential interception.
How to Set Up FIDO2 and Passkey Authentication in Conditional Access:
- Disable Device State Checks: To accommodate BYOD access, first disable any device state checks in your conditional access policy.
- Create a New Policy for FIDO2 or Passkeys: Define a policy targeting relevant users and applications without device filtering. Instead, apply grant controls specifying an authentication strength.
- Define Authentication Strength: In the Authentication Strengths settings, create a custom authentication strength policy that accepts FIDO2 keys or passkeys.
- Activate and Test: Once activated, this policy will prompt users to authenticate with FIDO2 or passkeys, ensuring robust protection against AiTM attacks, even on personal devices.
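The steps above, as an added example using the Microsoft Graph PowerShell SDK (illustrative code written for this post, not code from the original article or from Threatscape). It creates the custom authentication strength from step 3 and then a Conditional Access policy that requires it without any device-state condition, so BYOD users can satisfy it. The target group ID is a placeholder; the `fido2` value is the Graph allowed-combination name covering FIDO2 security keys and passkeys.

```powershell
# Added example: custom authentication strength + Conditional Access policy via Microsoft Graph PowerShell.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.ReadWrite.AuthenticationMethod"

$byodGroupId = "<BYOD-USERS-GROUP-OBJECT-ID>"   # placeholder: group of users who need BYOD access

# Step 3: custom authentication strength that accepts only FIDO2 security keys / passkeys.
$strength = New-MgPolicyAuthenticationStrengthPolicy -BodyParameter @{
    displayName         = "FIDO2 or passkey only"
    description         = "Phishing-resistant sign-in: FIDO2 security keys and passkeys"
    allowedCombinations = @("fido2")
}
$strength | Select-Object Id, DisplayName, AllowedCombinations

# Steps 1 and 2: no 'devices' condition is set (device state is not checked), and the grant
# control is the authentication strength rather than a built-in control.
$policy = @{
    displayName = "Require FIDO2 or passkey (BYOD permitted)"
    state       = "enabledForReportingButNotEnforced"   # report-only first; set to "enabled" once tested
    conditions  = @{
        users          = @{ includeGroups = @($byodGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        builtInControls        = @()
        authenticationStrength = @{ id = $strength.Id }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Step 4 is the same report-only review as for the device-compliance policy: sign in with a test account that has a registered passkey and one that does not, and confirm in the sign-in logs that only the former records a successful outcome against this policy before switching the state to enabled.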
Example Use Case:
When a user logs in from a BYOD device, they are prompted to use a security key, such as a FIDO2 device. This prevents attackers from accessing the account even if they have the user’s password. The authentication process checks for a match between the domain the passkey is registered to and the current login request, blocking phishing attempts that redirect users to fraudulent sites.
As adversaries continually evolve their tactics, conditional access offers a powerful defence against MFA token theft. Depending on your organisation’s needs, you can choose between enforcing device compliance for managed devices or using FIDO2 authentication for flexible yet secure access from both managed and BYOD devices.
For most organisations, a layered approach works best: start with device compliance and consider FIDO2 passkeys for users who need BYOD access. With these controls, you can better protect against AiTM attacks, securing your environment from sophisticated threats without sacrificing user accessibility.
A full demonstration of these strategies, delivered by Threatscape’s Microsoft MVP Ru Campbell, can be found here, along with a wide range of further Microsoft security hints and tips.
Are you utilising all of Entra ID’s tooling to maximise your organisation’s security? Threatscape’s complimentary Microsoft Entra ID Advisory Service helps you understand the identity threats we see lodged against organisations every day, and the associated security protections available within your Microsoft 365 licence. During your no-obligation consultation with one of our Microsoft security experts, you’ll gain insight and recommendations on how Entra ID and other capabilities within Microsoft 365 help defend cloud identities against a wealth of threats.