
Azure AD, Fido2, Temporary Access Pass and Phishing 

John Craddock Identity and Access Training
2.8K subscribers
1.4K views

In this session, you will learn how FIDO2 keys work. We'll then go on to provision the FIDO2 Keys in Azure AD. Strong Authentication is required for a user to register a key. You will see how an administrator can create a Temporary Access Pass (TAP) and how the user uses the TAP to add their keys. You will also discover how FIDO2 keys are phishing-resistant and how phishing-resistant MFA can be enabled in Azure AD.
SUBSCRIBE and KEEP LEARNING
Please add comments, and let's build a community of Identity Geeks together
Join me for an intense 5-day masterclass on Azure AD Identity
learn.xtseminars.co.uk
Time Codes:
00:00 Understanding FIDO2 Keys
11:35 Enabling FIDO2 Keys in your tenant
15:15 Initializing a Security Key
17:08 Adding a FIDO2 Key to your Account
18:07 Temporary Access Pass (TAP)
20:54 Adding a FIDO2 Key to your Account using a TAP
23:00 Adding a FIDO2 Key Blocked by Policy
25:17 FIDO2 Authentication
26:17 Phishing Resistant Authentication
34:30 Wrap up!

Category: Science

Published: 25 Jul 2024

Comments: 24
@mattq5474 4 months ago
subscribed! great stuff, thank you so much for not just reading the settings like some other youtube trainers but providing context and behind the scenes info, hugely appreciated!
@AndyMaloneMVP 1 year ago
Awesome John. Cool stuff!
@john_craddock 1 year ago
Thanks!
@KakaTu272 1 year ago
Refreshing, that's awesome John.
@john_craddock 1 year ago
Thanks Tete, hopefully refreshing all the right parts🤣
@sunnykohli9430 1 year ago
Sir keep posting, I am a subscriber of legend Andy, now looking forward to learning from you
@john_craddock 1 year ago
Hi Sunny, thanks for joining. Don't stop following Andy 🤣🤣
@patrick__007 1 year ago
Excellent content. Can we expect a weekly update? 😃
@john_craddock 1 year ago
Hi Patrick, that's my plan! I am pleased you enjoyed it
@adamabakaradam7865 1 year ago
It's very informative, thanks.
@john_craddock 1 year ago
Hi Adam, thanks for watching and commenting.
@rtenklooster 1 year ago
Hi John, thanks for your amazing videos. I am wondering if I can download the OpenID Connect demo/debug webapp somewhere?
@john_craddock 1 year ago
Hi Richard, I am glad you appreciate the videos, thanks for letting me know. At the moment I only make the webapp available to people that come on my Identity Masterclass - sorry!
@patrick__007 1 year ago
What about phishing resistant as an authentication strength and logging in from various devices? In the first demo (15:17) you had activated the FIDO key from Windows. Is that a requirement? So this isn't going to work on shared or private devices?
@john_craddock 1 year ago
Hi Patrick, I initialise the key so that it is cleared of all credentials and I could add a new PIN and biometric. This is not Windows dependent, and it can be used on any device. I hope that clarifies your question.
@shayarand 1 year ago
What would be the angle a pentester would approach when auditing the FIDO2 implementation used by an application? I'm speaking from a blackbox perspective.
@john_craddock 1 year ago
There are two aspects here, the application and the entity that checks the authentication. They could be the same. In the case of Azure AD, Azure AD will be the relying party managing the authentication. The application could be one of the M365 suite of apps. From an application perspective you could validate the type of authentication strength required and whether those requirements are enforced by the application. From an IdP perspective, you could validate if FIDO2 is required, the type of FIDO2 key and if signature validation is enforced.
@shayarand 1 year ago
@john_craddock Thank you! I appreciate you taking the time to answer
@VivoKey 1 year ago
Hi John, at around 8 minutes into the video you mentioned that browsers talk directly to authenticators. Is that actually true? I ask because it seems that the browser actually makes a request of the operating system. On Windows, for example, a dialog box appears from the Windows operating system, not from the browser. The same occurs on Android phones. How exactly does that interface work between browser and operating system and authenticator token?
@john_craddock 1 year ago
Hi VivoKey, thanks for watching! If you want to get into the actual details of the code flows, have a look at the Mozilla docs here developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API and a good starting point is the Yubico "The WebAuthn standard" whitepaper. You will see CTAP2 works alongside the WebAuthn APIs.
@Doctair 10 months ago
John, I followed your steps to the letter but as soon as I test my pilot user, I put in the OTP and then it says Great job done. Then it loops repeatedly. I think this may be due to the SSRP perhaps? This user doesn't have a cell phone... not kidding 😢. How can I get around this or exclude them from being forced to register a cell number? Thanks
@Doctair 10 months ago
After further digging, I believe this has to do with SSRP being enabled for All Users. I can't register Password reset for a key-only user, did you need to apply some exclusions to your v-john user in the demo?
@john_craddock 9 months ago
Hi @Doctair, sorry for the slow response, it's been a very busy few weeks! Can you provide a few more details of what you are attempting and also the video time for the demo you are referring to and I will take a look. Thanks John
@Doctair 8 months ago
@john_craddock Hi John, just had time to circle back on this. There is no problem with setting up the TAP and FIDO2 keys. Your vid was perfect! My issue was that my version of the "real" v-john had been in a loop after the OTP is put in. I could not register the key in the "Adding a FIDO2 Key to your Account" section until I disabled SSRP for the entire tenant. In your demo environment, did you already have SSRP disabled or selected for a specific group that perhaps v-john was not a part of? Are there additional settings you had before your demo was recorded? I hope that makes sense? Thanks again for the great vids. Been learning a lot.