Microsoft’s new security feature locks hackers out with GPS
Microsoft has devised new Azure Active Directory identity and access management capabilities that give organizations a better chance of fending off crafty techniques used by hackers to get around two-factor authentication.
Microsoft’s CISO recently explained the identity problem facing most organizations. “People are very focused on taking advantage of identity, it’s become a classic: hackers don’t break in, they log in,” he told CNBC in an interview abut Microsoft’s efforts to kill the password.
The software giant is introducing GPS-based named locations and filters to its Azure AD “Conditional Access” feature, which looks at a range of signals for authorized user access.
SEE: Windows 10 Start menu hacks (TechRepublic Premium)
“The GPS-based named locations and filters for devices enable a new set of scenarios, such as restricting access from specific countries or regions based on GPS location and securing the use of devices from Surface Hubs to privileged access workstations,” says Vasu Jakkal, corporate vice president for Microsoft Security, Compliance and Identity.
Microsoft Security general manager Andrew Conway gave ZDNet a breakdown of the new GPS-based conditional access feature, which should help organizations lock down their most important business applications.
“An IP address may not be enough context to validate the location from which an employee is logging in, especially if that company has strict requirements for a particular application or resource,” Conway says.
“In these strict access scenarios, a user will receive a prompt on the Microsoft Authenticator app requesting them to share their location to confirm the country. This could be layered on top of other policies, such as requiring multi-factor authentication.”
The recent SolarWinds attack shows how sophisticated attacks are getting in their attempts to get around two-factor authentication. Microsoft president Brad Smith called the SolarWinds incident “a moment of reckoning“, in part because it caught the US’s most important cybersecurity companies off guard.
The attack stung Microsoft and FireEye – two of the biggest cybersecurity companies in the world – via a tampered update from SolarWinds’ network monitoring software, Orion. FireEye’s breach began with the backdoor in the SolarWinds update, and the attackers then used the initial intrusion to acquire employee credentials.
FireEye required employees to use a two-factor code to remotely access its VPN, but the attackers used the stolen credentials to enroll a second, non-authorized mobile device for one employee in the company’s two-factor authentication system, at which point it was spotted.
For Microsoft’s new system to work, the organization would need to have connected their on-premise identity solution with Microsoft’s Azure AD cloud identity service to use the risk-based capabilities of Conditional Access.
These additions to Conditional Access enable you to now target conditional access policies to a set of devices based on certain device attributes, such as whether it is a corporate-managed device or whether the device is in an allowed range says Microsoft.
Conditional Access supports Windows, iOS, macOS, and Android devices that have been enrolled into Azure AD.
“When using certain attributes as the properties for filters for devices, the device has to meet certain criteria, such as being managed by Microsoft Endpoint Manager, marked compliant, and hybrid Azure AD joined,” Conway adds.
Microsoft is rolling out GPS-based Conditional Access as part of its own shift to hybrid work as more vaccines are given and people start returning to offices on some days.
Key to that strategy is its push for a “zero-trust” architecture, where it assumes the company has been breached and that there is no border to the corporate network.
But according to Microsoft’s Jakkal, only 18% of its own customers have enabled multi-factor authentication.
“We saw a significant jump in usage when the pandemic began. And when that happened, we saw a significant decrease in aggregate compromises – people thought they were activating to protect only remote access, but MFA protects the entire network,” she says.