Is MS365 Modern Authentication more secure ?

Posted by rmeman@reddit | sysadmin | View on Reddit | 18 comments

So MS retired old authentication and switched to modern. From what I understand, at sign-in time, the client now sends the password and in returns gets back a token which is used/refreshed for further access. Hackers already wrote tools that can extract this token from PC's memory and use it somewhere else: [https://mrd0x.com/stealing-tokens-from-office-applications/](https://mrd0x.com/stealing-tokens-from-office-applications/) So what's the point of "Modern Authentication" since now it's basically stealing tokens instead of passwords, either which can be used to gain access to the user's data.

Reply to Post

18 Comments

[-]

vodged@reddit

you've got bigger things to worry about than an O356 token being stolen if an attacker is on a corporate device performing memory dumps..

[-]

rmeman@reddit (OP)

The regular password is also stored encrypted in a file that Outlook decrypts at login time. So if an attacker has access to the machine and can decrypt the password or dump the memory, what's the point of Modern Authentication ? What benefits are there over traditional passwords ?

[-]

Danti1988@reddit

MFA will stop them using the password, you can also dump cookies from DPAPI and completely bypass MFA and any other protection, but you need local admin first.

[-]

rmeman@reddit (OP)

MFA is required before the token is granted. Once you steal the token you can access user data without being asked for MFA. [https://www.darkreading.com/endpoint/microsoft-warns-of-rise-in-stolen-cloud-tokens-used-to-bypass-mfa](https://www.darkreading.com/endpoint/microsoft-warns-of-rise-in-stolen-cloud-tokens-used-to-bypass-mfa)  The point is that with local admin a malware could have stolen the old password method and it can steal the new 'modern' token. I really see no advantage to it

[-]

homing-duck@reddit

If you are AAD joined (yeah, i know... something something entra) or HAAD joined, the PRT (primary refresh token) is stored in the TPM, which is then used every 4 hours to generate a new session token for each application. Depending how you have your conditional access policies setup, you can require your devices to be compliant. During the process that runs every 4 hours to grant a new session token, it will also check that it is the correct device requesting the token by using a device cert which is stored on the TPM. I have not heard of an easy way to steal the private keys on the TPM. If someone did steal the PRT and a session token, it will likely only work for up to 4 hours, until the session token needs to be renewed.  You can even take it further by requiring MFA at each request, but make it easier for the users by setting up windows hello for business. The act of them simply unlocking their computer with either their pin or biometrics will satisfy this requirement for their interactive session and it is pretty seamless for the user (unless they are sitting at their computer constantly (no toilet or coffee breaks) for greater than 4 hours. If they have persistent system level access to a device, you are probably screwed no matter what, but it would be difficult for them to get a single token they can permanently use.

[-]

Random_dg@reddit

That’s one of the reasons why you should limit regular users’ permissions to be relatively weak. That way if they get compromised, it’s only their weak account that has been compromised. When and if they do administrative tasks, you force them to login to a separate machine with their separate “power” account, and restrict their tokens as much as possible. Also worth noting is that for better coverage you employ additional tools that can detect anomalous administrative actions, more MFA steps (for example to confirm stopping or terminating a production machine), and other advanced methods.

[-]

vodged@reddit

you're acting like a compromised device is the only way people ever get hacked. how about phishing? or data breaches and credential stuffing?

[-]

Danti1988@reddit

Yeah, the refresh token is stored in lsass, once you get either of them the attacker is in the cloud and bypassed MFA. It’s all about defence in depth, you can only hope to slow an advanced attacker down and make it as difficult as possible. Defender for cloud AV/EDR would make dumping lsass very difficult.

[-]

Lawlmuffin@reddit

BYOD exists...

[-]

j4sander@reddit

Modern Auth is more than just replacing a password with the tokens. Legacy Auth did not support MFA, Modern Auth does. Tokens can be scoped to only certain services. Someone steals your Outlook token, they can't signin to the company VPN with that like they could if they got your password. Limits lateral movement. Tokens can be revoked and sessions ended, without changing the users password. If the user has multiple devices, each would have a unique token instead of all using the same password. This allows things like 'impossible to travel' risk based login blocking, and makes it easier to detect if a token does get stolen, and investigate how. Modern Auth sends the device details with the signin request, which is how we get Conditional Access rules so we can disallow byod, etc.

[-]

rmeman@reddit (OP)

It just sounds like application passwords.

[-]

technaustin@reddit

I feel like you are looking for an excuse to use less secure methods. Nothing is perfect; but modern auth is a huge step up from basic. Even though flaws can be exploited, it’s much less likely than a user just giving up their password and now the attacker has access to their account. Used in conjunction with other methods like MFA security on workstation login, training, and endpoint protection, you start to have multiple layers of protection.

[-]

TheGuldfisken@reddit

You could combine it with [Conditional Access: Token protection (preview)](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-token-protection)

[-]

thefpspower@reddit

Ah there it is, I was going to say that I think the next step with tokens is making them only work on the machine and account they are attributed to. Powershell already has a kind of encryption like for Secure Strings this where if you ask it to encrypt a password or username the hash is different even on different accounts on the same machine. Either way if someone steals your tokens you have bigger issues.

[-]

jknvk@reddit

> So what's the point of "Modern Authentication" It gives some people at MS a job for a while. Sure, it's an endless loop of reinventing the wheel, but it's still a job.

[-]

rmeman@reddit (OP)

yeah, but they also forced hundreds of millions of users to change authentication mechanisms and I fail to see the benefit from a security point of view. Maybe I just don't know something - hence this post - and someone smarter than me can point out how Modern is more secure than unencrypted passwords over SSL.

[-]

kitkat0820@reddit

Its able to create authorized Azure AD keys. If you can, leave MS.

[-]

rmeman@reddit (OP)

What advantage is there to that over traditional passwords ?