Microsoft decides it will be the one to choose which secure login method you use

Certificate-based authentication comes first and phones last


Microsoft wants to take the decision of which multi-factor authentication (MFA) method to use out of the users' hands and into its own.

The software maker this week is rolling out what it calls system-preferred authentication for MFA, which prompts people signing in with the most secure method they have registered and offers alternatives only if that method is unavailable.

Redmond first unveiled the feature in a disabled state in April and is now making it generally available to all commercial users through the Azure Portal or Graph APIs, with the decision whether to enable it for tenants now resting with administrators.

That said, in July Microsoft will make system-preferred authentication a default feature in its Azure Entra portfolio for all user accounts, with more information coming out next month.

The goal is to shore up security by not only delivering new features to harden products and services but to, at times, strong-arm people into using them.

More security, fewer problems?

"This system prompts the user to sign in with the most secure method they've registered and the method that's enabled by admin policy," Alex Weinert, vice president and director of identity security at Microsoft, wrote in a blog post. "This will transition users from choosing a default method to use first to always using the most secure method available. If they can't use the method they were prompted to use, they can choose a different MFA method to sign in."

If the new feature is enabled, Azure Active Directory reviews the authentication methods that have been registered for a user account and selects the most secure route. The list of preferred methods starts with temporary access pass then goes, in order, to certificate-based authentication, FIDO2 security keys, Microsoft Authenticator push notifications, and a time-based one-time password. The last of these is phone-based.
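The selection rule described in the quoted post and the paragraph above, as an added model written for this article rather than Microsoft's own code: the user's registered methods are intersected with what admin policy enables, the result is ordered by the published ranking, and the old user-chosen default is compared with the system-preferred choice. Method names and the sample user are constructed.

```python
# Added illustration of system-preferred MFA selection; not Microsoft's code.
# The article's ranking, most secure first. Methods outside this list are rejected.
SYSTEM_PREFERENCE = (
    "temporary_access_pass",
    "certificate_based_auth",
    "fido2_security_key",
    "authenticator_push",
    "totp",
    "phone",
)


def eligible_methods(registered, policy_enabled):
    """Methods the user registered AND admin policy enables, in preference order."""
    candidates = set(registered) & set(policy_enabled)
    unknown = candidates - set(SYSTEM_PREFERENCE)
    if unknown:
        raise ValueError(f"unranked MFA method(s): {sorted(unknown)}")
    return [m for m in SYSTEM_PREFERENCE if m in candidates]


def legacy_prompt(registered, policy_enabled, user_default):
    """Pre-feature behaviour: the user's chosen default is prompted first, if eligible."""
    ordered = eligible_methods(registered, policy_enabled)
    if not ordered:
        return None, []
    if user_default in ordered:
        ordered.remove(user_default)
        ordered.insert(0, user_default)
    return ordered[0], ordered[1:]


def system_preferred_prompt(registered, policy_enabled, unusable=frozenset()):
    """System-preferred behaviour: prompt with the most secure eligible method.

    `unusable` models methods the user cannot complete during this sign-in (for
    example, the security key is not at hand); the next alternative is offered.
    """
    ordered = [m for m in eligible_methods(registered, policy_enabled) if m not in unusable]
    if not ordered:
        return None, []
    return ordered[0], ordered[1:]


if __name__ == "__main__":
    # Constructed sample user: owns a FIDO2 key and the Authenticator app, but had
    # picked the phone as their default. Admin policy does not enable TAP or certificates.
    registered = ["phone", "authenticator_push", "fido2_security_key"]
    policy = ["fido2_security_key", "authenticator_push", "totp", "phone"]
    print("legacy:          ", legacy_prompt(registered, policy, user_default="phone"))
    print("system-preferred:", system_preferred_prompt(registered, policy))
    print("key unavailable: ", system_preferred_prompt(registered, policy, {"fido2_security_key"}))
```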

Redmond noted that FIDO2 security keys on mobile devices and registration for certificate-based authentication aren't supported when system-preferred authentication is enabled, because a problem arises in that configuration. The company didn't go into details about the issue, but said a fix is coming.

Weinert pointed to the "ever-changing threat landscape" as a key reason for enabling system-preferred authentication for MFA.

Microsoft's over-arching goal is to eventually do away with usernames and passwords as an authentication method and migrate to other options, such as biometrics. Until then, however, MFA is a key tool for verifying that users are who they say they are.

Earlier this month, Redmond hardened Authenticator push notifications by enforcing a number-matching step, a way to push back against attackers trying to get past MFA by exploiting MFA fatigue, a social engineering technique. Miscreants using stolen credentials try to overwhelm potential victims by rapidly and repeatedly sending out push notifications asking for login approval, until one is approved.

Looking at you, MitM

System-preferred authentication isn't the only security feature Microsoft is pushing out this week.

The company said it also is adding man-in-the-middle attacks to the list of security threats addressed by its automatic attack disruption tool in Microsoft 365 Defender. At its Ignite 2022 show last year, Microsoft talked about the tool, which aims to stop or reduce the damage caused by cyberattacks by automatically detecting and disrupting them.

The automatic attack disruption feature is aimed at corporate security operations centers (SOCs). It uses millions of data points and signals – across email, endpoints, collaboration tools, and other systems – together with AI techniques to identify active campaigns, including those involving ransomware, and then takes measures such as isolating the device under attack from the network and suspending compromised accounts used by the attackers.

In February, the vendor expanded the public preview of the feature to include business email compromise (BEC) and human-operated ransomware (HumOR) attacks. This week it added man-in-the-middle (MitM) – also known as adversary-in-the-middle, or AitM – attacks, in which the miscreant puts themselves in the middle of communications between two parties to intercept data, such as credentials and session cookies, traveling between them.

The criminals can then use the data to bypass MFA and launch other attacks.

Eyal Haik, senior product manager at Microsoft, wrote in a blog post that "AiTM attacks are widespread and can pose a major risk to organizations. We are observing a rising trend in the availability of adversary-in-the-middle… phishing kits for purchase or rent."

Microsoft's Threat Intelligence unit last month outlined a group it refers to as DEV-1101 that developed, advertised, supported, and sold several AitM phishing kits that others used when launching attacks. ®
