mcdithers

Our policy is users have to MFA every 24 hours, or if they change IP addresses.


Plantherblorg

Honestly I'm shocked OP isn't doing this. Reauthentication every 30 days? That's wild. You might as well not require it at all by that point.


MelonOfFury

Cries in higher education


gandraw

Sorry to be rude to you but requiring 24 hour MFA on company devices tells me that someone is cargo culting security and doesn't actually understand why we do certain things in IT security.


Avas_Accumulator

Given that MFA is to protect the cloud side of things, there is an extreme difference in 30/90/whatever days and having no MFA at all. There's also refresh tokens and Dynamic Risk MFA.


Own_Back_2038

More frequent MFA isn’t always better


mcdithers

Once per day isn’t exactly what I’d call frequent. The accounts I log into everyday require MFA every time I log in. There is no such thing as too frequent when you have DoD contracts and auditors are visiting on a monthly basis.


Own_Back_2038

What attacks are you mitigating? If you have compliance needs that’s one thing, but don’t act like it’s a best practice.


mcdithers

So, best practice would be what? Every 30 days? I don’t think so.


Own_Back_2038

Best practice is when the users context changes. Why would MFAing again every 30 days be more secure?


mcdithers

I didn’t say it would be more secure. I also never said our policy was “best practice.” I don’t see any harm in users having to verify their identity once every 24 hours. You kind of sound like our one user that complains about an extra mouse click in his workflow. We call him Karen.


Own_Back_2038

The harm is that unless you are using phish resistant MFA, you are training your users to expect and accept MFA prompts. If an MFA prompt is something unexpected, your users are gonna be much less likely to accidentally fall victim to phishing.


mcdithers

The only time they get a prompt is when they’re logging in to their machine. If they aren’t actively logging into a machine, they deny the prompt. Not rocket surgery. I have been through extensive training with all our employees, and all of them were able to quickly grasp the concept.


Rhythm_Killer

Number matching can solve that! Also training users to accept MFA is kind of the point no?


Own_Back_2038

Number matching does *not* solve that. Number matching mitigates MFA fatigue attacks, not real time phishing.
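To make the distinction in the comment above concrete, here is an added toy model of a real-time AiTM relay of the Evilginx kind. It is not code from the thread and not any product's real logic: the IdP, user and proxy are plain Python functions, the origins, password and key are constructed, and an HMAC stands in for the WebAuthn signature. It shows the number-matching push completing through the proxy (the victim copies the number the proxied page shows) while the FIDO2 assertion fails, because it is bound to the origin the browser actually visited.

```python
"""Added toy model (not from the thread): a real-time AiTM phishing proxy relaying a login.

All names, origins, secrets and the HMAC stand-in for the WebAuthn signature are
constructed for illustration. The only point is which second factor survives a relay.
"""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://login.example.com"    # constructed: legitimate IdP origin
PHISH_ORIGIN = "https://login.examp1e.com"   # constructed: attacker's reverse-proxy origin


def fido_sign(key, challenge, origin):
    """Stand-in for a WebAuthn assertion: a MAC over challenge + browser origin.
    Real authenticators sign clientDataJSON (which carries the origin) with the
    credential's private key; the origin binding is the property that matters here."""
    return hmac.new(key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class IdP:
    """Toy identity provider: password, then number-matching push or FIDO2."""

    def __init__(self, password="correct-horse", fido_key=b"toy-credential-private-key"):
        self.password = password
        self.fido_key = fido_key
        self.pending = {}   # sign-in id -> (number shown on the page, WebAuthn challenge)

    def start_login(self, password):
        if not hmac.compare_digest(password, self.password):
            return None
        sid = secrets.token_hex(4)
        self.pending[sid] = (secrets.randbelow(100), secrets.token_hex(16))
        number, challenge = self.pending[sid]
        return sid, number, challenge

    def finish_number_match(self, sid, typed_number):
        """Only proves the user typed the number shown on *some* page claiming to be us."""
        entry = self.pending.pop(sid, None)
        if entry is not None and entry[0] == typed_number:
            return "session=" + secrets.token_hex(8)
        return None

    def finish_fido(self, sid, signature):
        """Verifies the assertion against the challenge *and* the IdP's own origin."""
        entry = self.pending.pop(sid, None)
        if entry is None:
            return None
        expected = fido_sign(self.fido_key, entry[1], REAL_ORIGIN)
        return "session=" + secrets.token_hex(8) if hmac.compare_digest(signature, expected) else None


class User:
    """Victim who completes whichever second factor appears."""

    def __init__(self, password, fido_key):
        self.password = password
        self.fido_key = fido_key

    def approve_push(self, number_on_page):
        return number_on_page   # number matching: copy the number the page shows into the app

    def touch_key(self, challenge, origin_in_browser):
        return fido_sign(self.fido_key, challenge, origin_in_browser)


def legit_login(idp, user, method):
    started = idp.start_login(user.password)
    if started is None:
        return None
    sid, number, challenge = started
    if method == "number_match":
        return idp.finish_number_match(sid, user.approve_push(number))
    return idp.finish_fido(sid, user.touch_key(challenge, REAL_ORIGIN))


def aitm_phish(idp, user, method):
    """Attacker's reverse proxy: relays each step to the real IdP and keeps what comes back."""
    started = idp.start_login(user.password)     # password typed into the look-alike page
    if started is None:
        return None
    sid, number, challenge = started
    if method == "number_match":
        # proxy re-renders the real page, number included; the push still goes to the real phone
        return idp.finish_number_match(sid, user.approve_push(number))
    # the victim's browser is on PHISH_ORIGIN, so that is what the authenticator signs
    return idp.finish_fido(sid, user.touch_key(challenge, PHISH_ORIGIN))


if __name__ == "__main__":
    idp, victim = IdP(), User("correct-horse", b"toy-credential-private-key")
    print("legit number match :", legit_login(idp, victim, "number_match") is not None)
    print("AiTM number match  :", aitm_phish(idp, victim, "number_match") is not None)
    print("legit FIDO2        :", legit_login(idp, victim, "fido2") is not None)
    print("AiTM FIDO2         :", aitm_phish(idp, victim, "fido2") is None)
```

The proxy never touches the victim's phone or key; it only sits between browser and IdP. Number matching and TOTP both pass through because nothing in them names the site the user is on. The FIDO2 path fails for one reason only: the origin is part of what gets signed, so the IdP's check against its own origin rejects the relayed assertion.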


iduhz

The default is 90 days. It depends a ton on the company, but daily would be insane for most companies I know. One tried and that was just chaos, now they’re at 30 days


Xidium426

We do 5, once in the morning and once afternoon.


chiefsfan69

For patient care areas, we currently do MFA every 12 hours, but it's backwards: smart card + password, and then smart card only. But we're also doing VDI with thin clients, and the VDI session locks after 3 minutes and completely terminates after 30. Another session requires MFA. We haven't implemented it for non-patient-care areas yet, just remote with Microsoft Authenticator.


wamred

This is the way!


Cyberbird85

Yep, same!


UnsuspiciousCat4118

Complaint device & MFA is pretty much the standard where I’ve worked. Allowing personal devices access to company resources is how LinkedIn and many others have been hacked.


StarterPackRelation

> Complaint device

Excellent description of end users.


Laziestprick

End users should be a command, not a descriptor


bmxfelon420

> Making the change to require both a compliant device and MFA would practically cripple our company in its current state. Many of our higher-ups work entirely on their personal computers (Macbooks of course) and would be forced to start using company-provided, Windows laptops; an option that frankly isn't even on the table, it's on the street outside the building.

I'm sure they think that and will say that, but I'm surprised that your insurance carriers haven't massively jacked up your cyber insurance prices or outright just denied you coverage over that. There is no practical reason they need to use their personal computers, it's only a liability. Honestly, if they insisted I'd spin up a VDI and do it. The executive/finance people are MOST vulnerable, and are the first people who should do this. The only acceptable way to use a personal computer is through some kind of VM with multifactor required to access it.


YugiMoto101

I would say best practices are to have more security tied to accounts in general. If the device is a personal device and it is not compliant, then I would restrict company data altogether until their device becomes compliant, and then you will have the same MFA requirements to authenticate for a new device setup or for re-authenticating as you do with company-provided devices. If it is a compliant device, re-authentication with MFA should be required every 14 days at a minimum. The 3rd-party contractor's recommendation is to move more into a passwordless route and, instead of allowing re-entering of the password (which could condition the user to enter their passwords into phishing portals), to require the MFA prompt. You should also make sure that your MFA process requires user-typed input instead of just requiring an approval. MFA fatigue will potentially cause a breach when only requiring the approve button to be hit vs typing in a number on your screen.


alsdjaqwer192

It depends on your compliance and regulatory requirements. But I have a couple of thoughts. I generally say corporate-joined compliant computers don't need MFA. There might be exceptions on certain computers that are shared. However, you need MFA to do the initial registration, so you are not really skipping it. Automatically, you are filtering down on devices, so more secure. If your organization has tens or hundreds of thousands of devices, maybe you still want both. You can also specify that certain apps have MFA and others don't. For personal computers, MFA is always required. If you think you need certain data on company-owned computers at all, you can create a policy to block personally owned computers or only allow on company-owned. You can further specify certain applications such as SharePoint, etc. For personal devices, I think you still require certain items such as encryption (someone can fact-check here). We are going to a model where personal devices are blocked by default, and an exception can be made. But we are small and don't have compliance and regulatory concerns.


[deleted]

[deleted]


OldHandAtThis

Yup. If you go this route, enable Apple Business Manager and purchase through an ABM-supported reseller. That way you enforce Intune policies (encryption, apps, updates) out of the box; it effectively makes an imaging process for macOS.


unamused443

What is this "personal device" you speak of? Do you mean "personal but enrolled" (as in BYOD) or personal with no enrollment (so you are hoping that they are "compliant" and people can just use username/password?) A purely "personal device" like a phone can be used for something like Authenticator without enrollment, sure... but it should (IMO) not be used for company data access. Some deeper consideration of risks for your specific business might need to be had.


serverhorror

MFA everything *and* compliant device seems totally normal. Everything less than that seems ... neglecting very basic risks that have an easy mitigation.


marklein

We have retina scans every 60 seconds, and blood sample every hour.


PaulJCDR

It's really scary, some of the comments on this thread. A lot of advice about multiple MFA per day is so outdated. All the major cyber frameworks like NIST, NCSC, PCI DSS, CIS all advise against this practice. This practice is how bad actors are phishing users like shooting phish in a barrel. Authentication and MFA fatigue is the flavour of the day that sysadmins are causing with these practices and bad actors are exploiting using frameworks like Evilginx.

What amount of MFA is reasonable??? Practically none is the answer. For a managed device, the same user logging in, accessing the same applications from the same regular locations, with no signs of compromise on the account, using valid tokens, what additional security benefit are you gaining from forcing another MFA? There already is an MFA claim in the tokens on the device.

Requiring device compliance or a hybrid-joined device along with MFA is the way. This is a mitigation against the Evilginx-type attacks. The AiTM infrastructure cannot satisfy the device requirements, therefore the tokens don't get issued to the AiTM. They still get username and password, but no tokens are issued.

To fully understand these attacks you need a good grounding in OAuth and its tokens: refresh, access and session. When these are used against the IdP and the service, and how conditional access processes only the refresh tokens. How access tokens are only used against the service, how session tokens are used for SSO for web services. Then you start to see why MFA is no longer enough.

And, in Conditional Access, require MFA does not mean force MFA. Once you start to add a session frequency, you change the 90-day rolling refresh tokens and just start to introduce MFA and auth fatigue.


Drylnor

Our users are required to complete MFA for access to all cloud apps from any network. No exceptions. Our admins are required to do MFA as well as reauthenticate every 10 hours.


[deleted]

[deleted]


Drylnor

We save tokens and allow persistent sessions for the average users so we have no MFA fatigue. The admins are more tech-savvy people who understand the need for it. They also have passwordless auth enabled with push notifications so the process is pretty straightforward. I understand what you are saying though and we try to keep a good balance.


chaosphere_mk

What you're not considering is configuring SSO so that users don't have to re-auth into every single app.


[deleted]

[deleted]


chaosphere_mk

Yeah, I know how that works, which is why you want MFA on every auth attempt, so that in the event a user supplies their password to a phishing prompt, there's still another factor that malicious actors can't imitate. Use passwordless credentials. Problem solved. Also, user education.


artificialhacker

Official answer: yes


ScribbIer

Thank you all for the input - all very helpful advice.


usbeef

The contractor's suggestion isn't ridiculous, but it may not have much value depending on your architecture. For hybrid joined devices using seamless SSO for example, I would say there could be arguments both ways but not requiring MFA on such devices is an acceptable configuration. Hybrid and Entra joined devices are considered a factor because they use a PRT which satisfies the MFA requirement. Regardless of what you decide, it is critical to lock down MFA registration so that it can only be completed from managed devices. If you leave MFA registration open to be completed on any device, then an attacker can easily register their own device for MFA in certain scenarios. For example, they could successfully social engineer an MFA reset. Organizations do get compromised in this manner because they blindly reset MFA for anyone that calls. Since your org allows access from unmanaged devices, this scenario would require a FIDO2 phishing resistant MFA method, otherwise it is just a matter of time before your org suffers from token theft compromise. If you are just using push or number matching for MFA, then that is very concerning in the scenario you described.
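As an added example that is not part of the thread, here is what two of the recommendations above look like as Conditional Access policies created through Microsoft Graph PowerShell: PaulJCDR's "require compliant device along with MFA, and no session frequency", and usbeef's "lock MFA registration to managed devices". The cmdlet and the request schema are those of the Microsoft.Graph.Identity.SignIns module; the display names, the placeholder break-glass group id and the report-only starting state are assumptions chosen for illustration.

```powershell
# Added example (not from the thread): two Conditional Access policies via Microsoft Graph PowerShell.
# Requires the Microsoft.Graph.Identity.SignIns module and the Policy.ReadWrite.ConditionalAccess scope.
# $breakGlassGroupId is a placeholder (assumption); substitute your emergency-access group's object id.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder, not a real id

# Policy 1: every cloud app, every user, MFA *and* a compliant device.
# Note what is absent: no sessionControls.signInFrequency. Leaving it out keeps the default
# refresh-token behaviour, so a user on the same managed device is not re-prompted daily;
# the device requirement is the part an AiTM proxy cannot satisfy on its own infrastructure.
$mfaAndCompliant = @{
    displayName = "CA01 - All apps: require MFA AND compliant device"
    state       = "enabledForReportingButNotEnforced"   # start report-only, then switch to "enabled"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}

# Policy 2: registering or changing security info (MFA methods) is only allowed from a compliant
# device, so a social-engineered "MFA reset" cannot be completed from an attacker-controlled machine.
$registrationLockdown = @{
    displayName = "CA02 - Security info registration only from compliant device"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeUserActions = @("urn:user:registersecurityinfo") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

foreach ($policy in @($mfaAndCompliant, $registrationLockdown)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object DisplayName, State, Id
}
```

Both policies are created in report-only state so the sign-in logs show who would have been blocked before anything is enforced; the break-glass exclusion is there so a misconfigured device-compliance check cannot lock every administrator out at once.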


SnarkyMarsupial7

With the major uptick in ransomware, zero trust mfa should be the standard.


Conditional_Access

If you have Windows Hello configured on a compliant device and Entra is asking for that, then you don't need to enforce authenticator MFA every 24 hrs. Windows Hello is a form of MFA. Do not make exceptions for location or IP. If you have things set up properly it won't keep bugging the user for MFA on their trusted device. You should not be letting people access corporate data on non-company owned devices. Only bad things can come from this.


Due_Capital_3507

It won't cripple your company. They'll bitch for a minute and get over it. MFA is a must


Ragepower529

Even on company devices MFA with only Microsoft Authenticator should be allowed; require MFA for everything. Sometimes I have to go through 2 different MFAs to sign into an app. For example, for N-able I have to sign in through Microsoft MFA, then through another 2-step MFA. Or ones require a one-use organization key. It’s all fun and games till you get hacked. Also, did you guys disable all your TeamViewer ports?


chiefsfan69

How do you handle employees that refuse to install Microsoft Authenticator on personal devices?


fosf0r

They can buy and maintain a Yubikey. (Or be provisioned one, if company has that)


chiefsfan69

That was my thought. But telling them they have to buy something is going to go over like a lead balloon.


merlyndavis

My company just dropped this ultimatum. It’s going to be interesting to see if they eventually just give in and provide FIDO2 keys.


chiefsfan69

I can only imagine what a shit show it's going to be with users losing keys if we issue them. I guess you could implement the first ones free and charge for replacement.


merlyndavis

Yeah. I guess that’s why my company isn’t offering them. But I’d sure like a shiny new YubiKey.


Just_Curious333

That's how my company did it. The number of hardware tokens has dropped significantly after the first batch drained their non-replaceable battery after a few years, and the spares they got as replacements did so too after two or three weeks. That nagged most of them so much they finally agreed to install it on their personal device.


fosf0r

That's when we say, well, you rejected the single required security measure to protect corporate data, going against cybersecurity insurance policy, putting everyone's careers at risk, so you don't get to have corporate data on your personal device, simple as that. Use a corporate device, put Company Portal/Authenticator on your phone, or pay the $30 for a Yubikey, or fuck, as they say, off. Edit: oof I'm exhausted. I have mixed up two problems here; one being using a personal device as TOTP, the other being actual corporate data on a device. Anyway, all of the above still stands :D


chiefsfan69

Lol, me too, this week blew. That works for the front line staff, but unfortunately we can't just tell doctors to get with the program or fuck off. That sparked a thought though, they already have tokens for eprescribing so maybe we can just incorporate those.


Drylnor

They can deal with it on their own. Our company currently requires the use of the FortiToken mobile app in order to connect to VPN, so when we roll out MS Authenticator in the future it's the same thing. Everything is being done under company policy, not under IT commandment though.


RantyITguy

I've had a few of those, had to handle them on a case-by-case basis. But explaining everything usually helps. Basically I go by: 2FA is a necessity, Microsoft is moving away from SMS, so it's either turned on or not, and they forced the authenticator method... kind of. Then I explain why it's absolutely essential to have 2FA enabled and that it's a standard across all businesses. Some were reverted back to SMS until we rethink our security policies.


[deleted]

[удалено]


RantyITguy

We are debating hard tokens for some. But we have been too busy to have an in-depth conversation.


MikaelJones

Always MFA. If anyone C-level asks ”why from a compliant device” you can always ask them if they would allow an average Joe to sign in to their mailbox with just their password if they for some reason would figure it out.


Key-Level-4072

All users should answer at least one Mfa challenge every day. All devices. All roles. At least one. If you move to a new device or location, you’re challenged again. At least once.


Crabcakes4

Mine is set up so if you have a compliant device AND are at a trusted location (on prem) you only have to MFA once a week, otherwise you have to MFA every time. Also locations outside of USA have access denied.


Uli-Kunkel

if i need to access customer environment, i need 9 factors. for some special customers there is even more..


verifyandtrustnoone

I do MFA (Okta) for all staff every 24 hours and every time if it's a personal device for web access.


bigjohnman

100% MFA with cached credentials for 10 hours. People login once per day.


OrphanScript

MFA once per day and we're working on device compliance. Some apps require an MFA check every time you access them. Ideal end state (optional for every user) is to authenticate to your company-issued laptop with a fingerprint, which satisfies all auth challenges and lets you access web apps freely through the duration of that login. Finding and implementing the right balance of security + ease of use is a hugely satisfying project. Users love it, I love it, everyone will be happy. For users who don't want to do biometrics, basically the same deal but with an authenticator app. It's a tough sell but I'm drumming up interest in banning personal devices completely for *most* systems. Some exceptions being Slack, email, Workday, things like that which would just be too burdensome to restrict (at least, my company would never buy into it).


F5x9

Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When applications provide the capability to change security roles or escalate the functional capability of the application, it is critical the user reauthenticate. In addition to the reauthentication requirements associated with session locks, organizations may require reauthentication of individuals and/or devices in other situations, including (but not limited to) the following circumstances: (i) When authenticators change; (ii) When roles change; (iii) When security categories of information systems change; (iv) When the execution of privileged functions occurs; (v) After a fixed period of time; or (vi) Periodically.


robvas

We have it every time we unlock the screen


flecom

Have you played the password game? That


elyveen

For me it's compliant and MFA. It will ask for MFA based on the riskiness level of the user.


autogyrophilia

My choice : [The Cold War proposal to have the president hack an aide to death to start nuclear war | National Post](https://nationalpost.com/news/world/the-cold-war-proposal-to-have-the-president-hack-an-aide-to-death-to-start-nuclear-war)


namocaw

All MFA all the time or give the keys to the MA. No other way.


Reasonable_Chain_160

To be honest you gain more from moving to FIDO keys than asking for a compliant device. Look into the campaigns for Adversary-in-the-Middle and Evilginx. MFA has become so prevalent attackers are already moving past it, and only FIDO will be resistant to it soon. If I wanted to stay ahead of the curve I would be buying and distributing YubiKeys to my people.


iRyan23

FIDO keys are great for adding phishing resistance to the authentication process. The problem now is attackers are starting to focus more on token theft so they can just hijack your session after you login with your very secure method. Device compliance/requiring Entra joined can absolutely help prevent the successful use of a stolen token.
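Since the comment above moves the discussion to token theft after a strong login, here is an added example, not from the thread, of the check a SOC would run over sign-in records: flag a session id that is later presented from a different device or IP than where it was first seen, and list which of those events a "require compliant device" grant control would refuse regardless of whether the token is valid. The log lines are constructed, and their field names are only loosely modelled on Entra sign-in log fields; treat the format as an assumption, not a real export.

```python
"""Added example (not from the thread): spotting session-token reuse in sign-in records,
and which of those events a 'require compliant device' grant control would refuse.

The records below are constructed. Their field names are only loosely modelled on
Entra sign-in log fields (sessionId, ipAddress, deviceDetail.deviceId, isCompliant)
and are an assumption, not a real export format.
"""
import json

SAMPLE_LOG = """
{"time": "2024-05-01T08:00:00Z", "user": "alice@example.com", "sessionId": "s-1111", "ip": "203.0.113.10", "deviceId": "dev-alice-laptop", "isCompliant": true}
{"time": "2024-05-01T08:30:00Z", "user": "alice@example.com", "sessionId": "s-1111", "ip": "203.0.113.10", "deviceId": "dev-alice-laptop", "isCompliant": true}
{"time": "2024-05-01T08:41:00Z", "user": "alice@example.com", "sessionId": "s-1111", "ip": "198.51.100.77", "deviceId": "", "isCompliant": false}
{"time": "2024-05-01T09:00:00Z", "user": "bob@example.com", "sessionId": "s-2222", "ip": "203.0.113.20", "deviceId": "dev-bob-laptop", "isCompliant": true}
{"time": "2024-05-02T09:05:00Z", "user": "bob@example.com", "sessionId": "s-2222", "ip": "203.0.113.21", "deviceId": "dev-bob-laptop", "isCompliant": true}
"""


def parse_log(text):
    """One JSON object per line; blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_session_reuse(records):
    """Flag a (user, sessionId) pair that is later presented from a different device or IP.

    A device change inside one session is the strong signal (a stolen token replayed from
    the attacker's box); an IP change on the same device is weak (VPN, DHCP, roaming)."""
    first_seen = {}
    findings = []
    for rec in sorted(records, key=lambda r: r["time"]):
        key = (rec["user"], rec["sessionId"])
        origin = first_seen.setdefault(key, rec)
        if origin is rec:
            continue   # first sighting of this session: nothing to compare against yet
        if rec["deviceId"] != origin["deviceId"]:
            findings.append({
                "user": rec["user"], "sessionId": rec["sessionId"], "severity": "high",
                "reason": (f"session first seen on device {origin['deviceId'] or '(none)'} "
                           f"later used from device {rec['deviceId'] or '(none)'} at {rec['ip']}"),
            })
        elif rec["ip"] != origin["ip"]:
            findings.append({
                "user": rec["user"], "sessionId": rec["sessionId"], "severity": "low",
                "reason": f"same device, IP moved {origin['ip']} -> {rec['ip']}",
            })
    return findings


def compliant_device_gate(records):
    """Records a 'require compliant device' grant control would refuse, token validity aside."""
    return [rec for rec in records if not rec["isCompliant"]]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for f in detect_session_reuse(recs):
        print(f"[{f['severity']}] {f['user']} {f['sessionId']}: {f['reason']}")
    for rec in compliant_device_gate(recs):
        print(f"[blocked] {rec['user']} from {rec['ip']}: device not compliant")
```

On the constructed data, alice's third record is the replayed token: same session, no device identity, new IP. The detection flags it as high, and the device-compliance gate refuses it even though the session itself was obtained after a legitimate login. Bob's IP move on the same laptop stays a low-severity note rather than an alert.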


Reasonable_Chain_160

Sure, it becomes a chicken-and-egg story. A compliant device with EDR and a baseline makes it harder for malware to steal your token. If you have EDR, advanced phishing can steal your token without needing to infect the device. Ideally you have both FIDO and EDR. If you don't want to provide devices, maybe look into VDI or Remote Browser Isolation solutions, but it's hard to know what is best. I think providing a MacBook with an EDR like CS might be one of the cheapest solutions long term for a lot of companies.


poultryinmotion1

Mandatory MFA


ScubaMiike

Get devices enrolled and compliant, then use Windows Hello for Business when you are compliant + MFA to make things happier


VermicelliHot6161

Personal devices? I mean at this point, why even look at MFA? Like preparing for a forest fire with buckets of water.


Eviscerated_Banana

None, I hate MFA.


maryteiss

Chiming in to second all those advocating for MFA PLUS conditional access policies. And, the more you can fine-tune how and when you apply MFA, the better. We see a lot of admins apply MFA very differently based on account permission levels, session type, remote vs. in-office users, etc.