Conduct an impact analysis of MS Authenticator Passkey authentication against the Entra Id baseline #1493
Labels
baseline-document
Issues relating to the text in the baseline documents themselves
hands-on-prototyping
Reviewing an M365 feature by performing hands-on prototyping
💡 Summary
Microsoft now supports Passkey authentication via the MS Authenticator mobile app and this is considered a phishing-resistant MFA method. The goal of this issue is to examine the changes Microsoft made to the Entra Id > Authentication Methods configurations related to the Authenticator app and passkeys to determine if any changes to CISA baseline policies are necessary.
https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-enable-authenticator-passkey
Motivation and context
We need to ensure the baselines are consistent with Microsoft's configuration changes.
Implementation notes
The work below is to determine impacts to Entra Id policies:
3.1 Phishing-resistant MFA SHALL be enforced for all users.
3.3 If phishing-resistant MFA has not been enforced and Microsoft Authenticator is enabled, it SHALL be configured to show login context information.
Review the passkey link above to understand the technical enhancements.
Review the MS Authenticator settings in the Entra Id > Authentication Methods portal to see if anything has changed that would warrant a modification to the affected baseline policies.
Review the Passkey (FIDO2) settings in the Entra Id portal to see if any changes to the affected baseline policies are needed.
Perform a hands-on prototype of passkeys using MS Authenticator with a test user to determine whether policy 3.3 should still be dependent on policy 3.1. Currently, if there is a conditional access policy that enforces phishing-resistant MFA, then policy 3.3 is not checked and ScubaGear produces a Not Applicable output. We should determine if it makes sense to still check the MS Authenticator settings related to 3.3 regardless of the status of 3.1, because passkeys (a phishing-resistant method) can now be implemented with MS Authenticator.
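To make the dependency question concrete, here is an added Python sketch (not ScubaGear's own Rego, and not tenant data) that models how 3.1 and 3.3 are decided from trimmed Graph-style objects. It assumes the built-in "Phishing-resistant MFA" authentication strength id and the `featureSettings` field names shown in the comments; `always_check_3_3` toggles between the current behaviour (3.3 becomes N/A once 3.1 passes) and the alternative this issue proposes.

```python
# Microsoft's built-in "Phishing-resistant MFA" authentication strength id (assumed here).
PHISHING_RESISTANT_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"

def enforces_phishing_resistant_mfa(ca_policies):
    """3.1: an enabled CA policy applies the phishing-resistant strength to all users."""
    for policy in ca_policies:
        if policy.get("state") != "enabled":
            continue
        strength = (policy.get("grantControls") or {}).get("authenticationStrength") or {}
        users = policy.get("conditions", {}).get("users", {})
        if (strength.get("id") == PHISHING_RESISTANT_STRENGTH_ID
                and "All" in users.get("includeUsers", [])):
            return True
    return False

def authenticator_shows_context(auth_cfg):
    """3.3: Authenticator enabled and both app-info and location prompts required.
    Returns None when the method is disabled, i.e. there is nothing to check."""
    if auth_cfg.get("state") != "enabled":
        return None
    fs = auth_cfg.get("featureSettings", {})
    return (fs.get("displayAppInformationRequiredState", {}).get("state") == "enabled"
            and fs.get("displayLocationInformationRequiredState", {}).get("state") == "enabled")

def evaluate(ca_policies, auth_cfg, always_check_3_3=False):
    """Return {"3.1": ..., "3.3": ...}. With always_check_3_3=False this mirrors the
    current dependency: 3.3 is reported N/A whenever 3.1 passes."""
    r31 = enforces_phishing_resistant_mfa(ca_policies)
    results = {"3.1": "Pass" if r31 else "Fail"}
    if r31 and not always_check_3_3:
        results["3.3"] = "N/A"
    else:
        ctx = authenticator_shows_context(auth_cfg)
        results["3.3"] = "N/A" if ctx is None else ("Pass" if ctx else "Fail")
    return results

# Constructed sample objects: a CA policy enforcing phishing-resistant MFA for all users,
# and an Authenticator config that requires app info but leaves location at "default".
SAMPLE_CA = [{"displayName": "Require phishing-resistant MFA", "state": "enabled",
              "conditions": {"users": {"includeUsers": ["All"]}},
              "grantControls": {"authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH_ID}}}]
SAMPLE_AUTHENTICATOR = {"state": "enabled",
                        "featureSettings": {"displayAppInformationRequiredState": {"state": "enabled"},
                                            "displayLocationInformationRequiredState": {"state": "default"}}}

if __name__ == "__main__":
    print(evaluate(SAMPLE_CA, SAMPLE_AUTHENTICATOR))                        # 3.3 hidden as N/A
    print(evaluate(SAMPLE_CA, SAMPLE_AUTHENTICATOR, always_check_3_3=True))  # 3.3 now fails
```

The second call shows the gap the issue raises: with 3.3 unconditionally checked, the incomplete login-context setting surfaces even though a phishing-resistant CA policy exists.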