MFA prompt frequency

heath · August 07, 2021, 11:40:17 AM

Is there a "best practice" on MFA prompt frequency? We currently have MFA applied for access to most services from off campus (on campus is an excluded "trusted" location). If I'm reading the documentation correctly, the default "Remember Multifactor Authentication" setting is 90 days. It was set to 30 days by previous admins.

The new CIO wants that lowered even further and users to get MFA prompts much more frequently so they know what triggers an MFA prompt. I think that could lead to users becoming desensitized to approving MFA requests and approving them without giving it much thought which increases the risk of approving allowing access to a malicious actor. To us in IT, an MFA prompt is assurance. To regular users, it's an annoyance.

Thoughts? Are there any studies that show which option is more secure? I don't mind being shown why I'm wrong, if I am, if it results in better security.

deanwebb · August 07, 2021, 03:43:52 PM

The longer between prompts, the less secure the system.

The faster between prompts, the more likely people get frustrated and use a totally different system with no security at all.

Less secure > totally insecure

Therefore, 90 days is best.

wintermute000 · August 07, 2021, 08:38:46 PM

I'd personally say 2 weeks because this is Azure AD's default and Microsoft knows best :p

To reduce friction, get something that can do push notifications i.e. instead of having to read the number and type, just have it come up as a notification that yuo can quickly hit yes to. OFC this will also make it easier for people to blindly hit yes.

To counter this, get the CIO to sign off on MFA phishing testing (not sure of exact term) but basically show to other C levels how easily they all hit the yes button or blindly tell the nice IT guy on the phone the current code and boom you're pwned. Fear is the only way LOL (of course if you go too far you end up with the guys who can extract cookies/tokens from endpoints to bypass 2FA as well ROFL but hey its a game of layers right).

I read a study once from a red team who literally just brute forced compromised credentials and the majority of managers they targeted just hit yes, even when it was literally sitting at the dinner table, should I approve the system saying I'm trying to login, obviously I'm eating dinner so imma hit YES because I am a big brain manager. THE MAJORITY.

heath · September 13, 2021, 03:06:04 PM

More discussion with the CIO today regarding MFA prompt frequency, what the default 365 "Remember Multi-Factor Authentication" setting is (90 days), what we are currently set to (30 days) and what he wants it set to (0 days). He is pretty insistent he wants MFA prompts for everything all the time.

deanwebb · September 14, 2021, 09:19:03 AM

... I would recommend that prior to going global with the setting, he does a pilot for a month, with the other C-level execs.

MFA prompt frequency

heath

deanwebb

wintermute000

heath

deanwebb