SSPR locks out users


How trusted locations can cause problems with multi-factor authentication

The challenges of multi-factor authentication

and how you can master them

The security of corporate data is a top priority, and the implementation of multi-factor authentication (MFA) and self-service password reset (SSPR) is an essential step in the right direction.

HoweverHowever, the combination of MFA and SSPR raises some questions, in particular w ith regard to the control of attacks on theiffen.

- Angreager could try, during the initial setup malicious methods to compromise accounts.

Previous solution

Only allow SSPR to be set up within the "Trusted Location"


Consequence

Employees can no longer log in if they are not in the "Trusted Location".

  • The default configuration of MFA in Entra ID does not require a second factor for the initial registration of authentication methods.
  • This leads to security risks, as users without a second factor can be compromised by knowing the password.
  • Setting up a policy that only allows the registration of a method within a trusted location leads to operational restrictions and increased administrative effort.
  • Create a policy that requires confirmation of the second factor for security method changes outside the Trusted Location.
  • Confirmation of security methods possible after 180 days outside the Trusted Location if a valid method is available.
  • Interventions such as cell phone replacement for MFA possible from home, then confirmation with valid MFA method is sufficient.
  • Companies without Trusted Locations must set up the second factor for users.

Luca Kühn
Manager IT Consulting

Ambiguities? Curiosity aroused?
Arrange your personal meeting now!

Glossary

This is a method of verifying a user's identity by using more than one verification factor. Typically, two or more of the following factors are used: something the user knows (e.g. a password), something the user owns (e.g. a smartphone), or something unique to the user (e.g. a fingerprint). In Azure AD, MFA can help to increase the security of user accounts and minimize the risk of unauthorized access.

This is a feature in Azure AD that allows users to reset their password on their own without having to contact support. This feature can increase productivity and reduce costs by reducing the number of support requests.

This is a feature in Azure AD that allows administrators to define access policies based on conditions. These conditions can include, for example, the user's location, the device from which resources are accessed or the user's risk level. Based on these conditions, access can be allowed, denied or additional requirements can be set (e.g. MFA).

In the context of conditional access, a trusted location is a geographic location or IP address range that has been classified as secure. Administrators can create policies based on the user's location to facilitate access from trusted locations or restrict access from untrusted locations.

A Temporary Access Pass is a time-limited passcode that administrators can provide to users to log in to their account or perform actions such as registering for multi-factor authentication or self-service password resets. TAPs can be an alternative to traditional authentication methods and allow for more secure account recovery.

We have what you need: Customized services for your vision

Navigate through the digital transformation, we are your compass

Strategy Consulting

designing future.

We design and understand the future strategy of our customers and adapt our actions accordingly.

Data Intelligence

changing perspective.

We create a cloud-based data infrastructure that ensures data logistics even in heterogeneous structures and from which every company can benefit.

IT Consulting

building foundations.

We are architects and implementers for the future IT structure of the digital enterprise, working with our customers to lay the foundation for digitization.

Business Consulting

delivering growth.

As a digital-first company with a lot of experience in finance and controlling, we pass on our experience for the optimization of corporate management.

Organizational Intelligence

empowering people.

Together with our employees, we transform companies into self-learning organizations and create the jobs of the future.

Business & Process Solutions

bridging gaps.

With state-of-the-art applications, we create data-driven and sustainable solutions, always focusing on the overall context and added value for the strategic orientation of the organization.

Cookie Consent with Real Cookie Banner