
New Test: SMS-based authentication should be disabled

Open merill opened this issue 1 year ago • 2 comments

SMS sign-in is a primary sign-in factor using SMS (instead of the password, which is the default); it is meant for specific front-line worker scenarios that don't require strong authentication with MFA.

Recommendation: Should be disabled.

https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-sms-signin

https://x.com/janbakker_/status/1790996204890829104

merill avatar May 16 '24 21:05 merill

@Cloud-Architekt and @merill following your discussion on Twitter (now also known as X): should we create a separate check in maester or make EIDSCA.AS01 work with maester? Currently the discovery configuration is missing from this section of the JSON.

f-bader avatar May 18 '24 20:05 f-bader

@f-bader and @merill: I would like to cover them as part of the existing EIDSCA.AS01 checks. We only need to decide whether we want to test for the state only or in combination with the scope ("all users"). A general check on the state could be valid if there are just (obvious) security concerns (even for frontline workers) and no valid use cases for B2X.

Cloud-Architekt avatar May 22 '24 06:05 Cloud-Architekt
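The two variants discussed above (state only, or state combined with the "all users" scope), as an added Pester example that is not the Maester project's own AS04 test. It reads the SMS authentication method configuration with the Microsoft Graph PowerShell SDK's `Invoke-MgGraphRequest` rather than a Maester helper, assumes `Connect-MgGraph` was already run with at least `Policy.Read.All`, and the function name `Test-SmsSignInDisabled` is hypothetical.

```powershell
# Added example, not Maester's AS04 implementation. Evaluates the Graph object returned by
# policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Sms (beta), which
# carries 'state' and 'includeTargets[].isUsableForSignIn' (the SMS sign-in flag per target).
function Test-SmsSignInDisabled {
    param(
        [Parameter(Mandatory)] $SmsConfig,   # smsAuthenticationMethodConfiguration object
        [switch] $StateOnly                  # fail whenever the method is enabled at all
    )
    if ($SmsConfig.state -ne 'enabled') { return $true }   # method disabled: pass either way
    if ($StateOnly) { return $false }                       # strict variant: enabled = fail
    # Scoped variant: the method is enabled, but SMS sign-in (primary factor) must not be
    # usable by the built-in 'all_users' target.
    $signInTargets = @($SmsConfig.includeTargets | Where-Object { $_.isUsableForSignIn -eq $true })
    return @($signInTargets | Where-Object { $_.id -eq 'all_users' }).Count -eq 0
}

Describe 'SMS sign-in (example check)' -Tag 'Example' {
    BeforeAll {
        # Assumption: an existing Graph session with Policy.Read.All.
        $script:sms = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
            -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Sms'
    }

    It 'SMS sign-in should not be usable for all users' {
        Test-SmsSignInDisabled -SmsConfig $script:sms |
            Should -BeTrue -Because 'SMS is a phishable primary factor; enable it only for a scoped front-line group'
    }

    It 'SMS authentication method should be disabled entirely (strict variant)' {
        # Tenants that consciously rely on SMS sign-in would exclude this test (e.g. by tag).
        Test-SmsSignInDisabled -SmsConfig $script:sms -StateOnly |
            Should -BeTrue -Because 'no target should be able to sign in with SMS'
    }
}
```

Run with `Invoke-Pester -Path .\SmsSignIn.Tests.ps1`; with a constructed object such as `[pscustomobject]@{ state='enabled'; includeTargets=@([pscustomobject]@{ id='all_users'; isUsableForSignIn=$true }) }` the scoped variant returns `$false`.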

I would say SMS-sign in should not be enabled for anyone as the default.

Any tenant that turns it on should have consciously disabled this test.

merill avatar Jul 13 '24 04:07 merill

@Cloud-Architekt was this added to EIDSCA?

merill avatar Aug 04 '24 22:08 merill

Check has been implemented (AS04): https://github.com/maester365/maester/pull/418

Cloud-Architekt avatar Aug 15 '24 04:08 Cloud-Architekt