MFA prompt frequency

Started by heath, August 07, 2021, 11:40:17 AM


heath

Is there a "best practice" on MFA prompt frequency?  We currently have MFA applied for access to most services from off campus (on campus is an excluded "trusted" location).  If I'm reading the documentation correctly, the default "Remember Multifactor Authentication" setting is 90 days.  It was set to 30 days by previous admins. 

The new CIO wants that lowered even further and users to get MFA prompts much more frequently so they know what triggers an MFA prompt.  I think that could lead to users becoming desensitized to approving MFA requests and approving them without giving it much thought, which increases the risk of allowing access to a malicious actor.  To us in IT, an MFA prompt is assurance.  To regular users, it's an annoyance.

Thoughts?  Are there any studies that show which option is more secure?  I don't mind being shown why I'm wrong, if I am, if it results in better security.

deanwebb

The longer between prompts, the less secure the system.

The faster between prompts, the more likely people get frustrated and use a totally different system with no security at all.

Less secure > totally insecure

Therefore, 90 days is best.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

wintermute000

I'd personally say 2 weeks because this is Azure AD's default and Microsoft knows best :p

To reduce friction, get something that can do push notifications, i.e. instead of having to read the number and type it, just have it come up as a notification that you can quickly hit yes to. OFC this will also make it easier for people to blindly hit yes.

To counter this, get the CIO to sign off on MFA phishing testing (not sure of the exact term), but basically show the other C levels how easily they all hit the yes button or blindly tell the nice IT guy on the phone the current code, and boom, you're pwned. Fear is the only way LOL (of course if you go too far you end up with the guys who can extract cookies/tokens from endpoints to bypass 2FA as well ROFL, but hey, it's a game of layers, right).

I read a study once from a red team who literally just brute forced compromised credentials, and the majority of managers they targeted just hit yes, even when it was literally sitting at the dinner table: should I approve the system saying I'm trying to log in? Obviously I'm eating dinner, so imma hit YES because I am a big brain manager. THE MAJORITY.
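As an added example (not code from this thread or from Microsoft), here is a small Python detector for the "blindly hit yes" pattern discussed above: it scans constructed sign-in events for a burst of MFA prompts to one user within a short window, the signal a defender wants alerted on whatever remember-MFA duration is chosen. The log format, window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events in an assumed format (not real Azure AD
# sign-in log output): "<timestamp> <user> <mfa_result>".
SAMPLE_LOG = """\
2021-08-07T02:01:10Z alice@example.edu denied
2021-08-07T02:01:55Z alice@example.edu denied
2021-08-07T02:02:40Z alice@example.edu denied
2021-08-07T02:03:30Z alice@example.edu approved
2021-08-07T09:15:00Z bob@example.edu approved
2021-08-07T14:20:00Z bob@example.edu approved
"""


def parse_events(text):
    """Parse the constructed log into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def find_prompt_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Return {user: (prompts_in_burst, approved_after_denials)} for users who
    received at least `threshold` MFA prompts inside `window`.  A run of
    denials that ends in an approval is the classic fatigue pattern: the user
    gave up and hit yes.  Thresholds are assumed; tune them to your tenant."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    flagged = {}
    for user, evs in by_user.items():
        for i in range(len(evs)):
            # Sliding window anchored at event i.
            j = i
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            burst = evs[i:j]
            if len(burst) >= threshold:
                denials = sum(1 for _, r in burst if r == "denied")
                gave_in = burst[-1][1] == "approved" and denials >= threshold - 1
                flagged[user] = (len(burst), gave_in)
                break
    return flagged
```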

heath

More discussion with the CIO today regarding MFA prompt frequency, what the default 365 "Remember Multi-Factor Authentication" setting is (90 days), what we are currently set to (30 days) and what he wants it set to (0 days).  He is pretty insistent he wants MFA prompts for everything all the time.

deanwebb

... I would recommend that prior to going global with the setting, he does a pilot for a month, with the other C-level execs.