Microsoft Previews Authentication Strength Feature for Greater Control over Multifactor Authentication Access Methods
Microsoft this week announced a preview of "Authentication Strength," a new control for organizations using the Azure Active Directory Conditional Access service.
Authentication Strength lets IT pros specify which methods of multifactor authentication (MFA) can be used when accessing network resources. MFA involves the use of a secondary identity verification process beyond providing a user name and password. It's an attempt to address the problem of compromised passwords.
Even though MFA adds security, some MFA methods are "more secure than others," noted Alex Weinert, Microsoft's director of identity security, in the announcement. He characterized Authentication Strength as a "game changing feature" that will help organizations move toward "phishing-resistant MFA" use.
The Azure AD Conditional Access service already lets organizations enforce MFA for users attempting to access network resources. The Authentication Strength preview goes a step further by letting organizations specify the types of MFA methods that must be used.
The ability to specify an MFA method is new with the Authentication Strength capability, according to Microsoft Most Valuable Professional Fabian Bader, who tested it before the preview release.
"Up until now there was no way to distinguish between the different methods," Bader noted in an Oct. 13 blog post, which also offered walkthrough steps for using the feature.
Built-In and Custom Options
The Authentication Strength preview offers built-in options for controlling MFA methods. It also lets organizations set up custom policies.
The built-in Authentication Strength methods, which can't be modified by IT pros, are described as follows, per this Microsoft Learn document:
- MFA strength -- the same set of combinations that could be used to satisfy the Require multifactor authentication setting.
- Passwordless MFA strength -- includes authentication methods that satisfy MFA but don't require a password.
- Phishing-resistant MFA strength -- includes methods that require an interaction between the authentication method and the sign-in surface.
Microsoft's document included a table showing how these built-in Authentication Strength policies might apply. For instance, the phishing-resistant MFA strength is satisfied by any one of a FIDO2 security key, Windows Hello for Business (Microsoft's biometric authentication scheme) or Certificate-Based Authentication.
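To make the three built-in strengths concrete, here is an added illustration (not Microsoft's code and not taken from the Learn document) that models an authentication strength as a set of allowed method combinations and then runs a readiness check over constructed sign-in records, showing which users would be blocked if a Conditional Access policy required each strength. The phishing-resistant set is exactly the three methods named above; the method labels and the other combinations are assumptions standing in for Microsoft's full table.

```python
"""Toy model of Azure AD Conditional Access "Authentication Strength" evaluation.

Added illustration, not Microsoft's code.  An authentication strength is a set
of allowed method combinations; a sign-in satisfies it when the methods the
user actually completed contain at least one allowed combination.  The
phishing-resistant set is exactly the three methods the article names; the
other combinations below are assumptions standing in for Microsoft's table.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# Method names as they might appear in a sign-in record (assumed labels).
PASSWORD = "password"
SMS = "sms"
VOICE = "voice"
AUTHENTICATOR_PUSH = "microsoftAuthenticatorPush"          # second factor after a password
AUTHENTICATOR_PHONE_SIGNIN = "microsoftAuthenticatorPhoneSignIn"  # passwordless sign-in
SOFTWARE_OATH = "softwareOath"
FIDO2 = "fido2"
WHFB = "windowsHelloForBusiness"
CBA = "x509Certificate"


def combos(*sets: Iterable[str]) -> FrozenSet[FrozenSet[str]]:
    """Build a set of allowed combinations from iterables of method names."""
    return frozenset(frozenset(s) for s in sets)


@dataclass(frozen=True)
class AuthStrength:
    name: str
    allowed: FrozenSet[FrozenSet[str]]  # each inner set is one satisfying combination

    def is_satisfied_by(self, methods_used: Iterable[str]) -> bool:
        """True if the methods completed in a sign-in cover an allowed combination."""
        used = frozenset(methods_used)
        return any(combo <= used for combo in self.allowed)


# Built-in strengths, modelled from the article's descriptions.
# Phishing-resistant: FIDO2, Windows Hello for Business or certificate-based auth.
PHISHING_RESISTANT_MFA = AuthStrength(
    "Phishing-resistant MFA strength", combos({FIDO2}, {WHFB}, {CBA}))

# Passwordless: everything phishing-resistant plus Authenticator phone sign-in
# (assumed here as the one passwordless method that is not phishing-resistant).
PASSWORDLESS_MFA = AuthStrength(
    "Passwordless MFA strength",
    PHISHING_RESISTANT_MFA.allowed | combos({AUTHENTICATOR_PHONE_SIGNIN}))

# MFA: everything passwordless plus password + a second factor (assumed list).
MFA = AuthStrength(
    "MFA strength",
    PASSWORDLESS_MFA.allowed | combos(
        {PASSWORD, SMS}, {PASSWORD, VOICE},
        {PASSWORD, AUTHENTICATOR_PUSH}, {PASSWORD, SOFTWARE_OATH}))

# A custom strength an admin might define: hardware-bound credentials only.
HARDWARE_ONLY = AuthStrength("Custom: hardware-bound only", combos({FIDO2}, {WHFB}))


def readiness_report(signins: List[Dict[str, object]],
                     strength: AuthStrength) -> Dict[str, List[str]]:
    """Split users into those whose sign-in would pass the strength and those
    who would be blocked once a Conditional Access policy requires it."""
    result: Dict[str, List[str]] = {"satisfied": [], "blocked": []}
    for record in signins:
        bucket = "satisfied" if strength.is_satisfied_by(record["methods"]) else "blocked"
        result[bucket].append(str(record["user"]))
    return result


# Constructed sample sign-ins (not real log data).
SAMPLE_SIGNINS = [
    {"user": "alice", "methods": [PASSWORD, SMS]},
    {"user": "bob", "methods": [FIDO2]},
    {"user": "carol", "methods": [PASSWORD, AUTHENTICATOR_PUSH]},
    {"user": "dave", "methods": [CBA]},
    {"user": "erin", "methods": [PASSWORD]},
]

if __name__ == "__main__":
    for strength in (MFA, PASSWORDLESS_MFA, PHISHING_RESISTANT_MFA, HARDWARE_ONLY):
        report = readiness_report(SAMPLE_SIGNINS, strength)
        print(f"{strength.name}: pass={report['satisfied']} blocked={report['blocked']}")
```

Running the script prints, for each strength, which of the constructed users would pass and which would be blocked; the same shape of check, fed from real sign-in logs, is what an organization would want to run before tightening a policy from "Require multifactor authentication" to the phishing-resistant strength.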
The latter option, Certificate-Based Authentication, is Microsoft's new approach that lets organizations move away from using Active Directory Federation Services, a Windows Server role, for federation with Azure AD. Microsoft previewed the Azure AD Certificate-Based Authentication capability back in February and enhanced it in July. It's now at the "general availability" commercial-release stage.
"With certificate-based authentication (CBA) now generally available in Azure AD, you have three phishing-resistant options to choose from: Windows Hello for Business, FIDO2 security key, and CBA," the announcement indicated.
Microsoft is planning to improve Authentication Strength by consolidating its controls in one place and letting IT pros scope methods to "specific groups, not just all or no users." Those two changes are expected to happen "in the coming weeks."
The use of Authentication Strength will require an organization to have an Azure AD Premium P1 license, the Microsoft document indicated.
Organizations also will need to enable "combined registration," which is Microsoft's approach to avoid the confusion that arose between having to separately register "authentication methods for Azure AD Multi-Factor Authentication and self-service password reset (SSPR)," per this Microsoft document.
The combined registration requirement may already be in place for organizations. Microsoft, as of this month, began enforcing the use of combined registration "in Azure AD tenants created before August 15th, 2020," per the document.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.