Entra Break Glass Account MFA via Microsoft Authenticator Passkeys?
Posted by Fabulous_Cow_4714@reddit | sysadmin | 51 comments
Is there any reason to not use Microsoft Authenticator app device bound passkeys for emergency access accounts instead of hardware security keys?
This avoids the logistics of purchasing and shipping out hardware keys to remote admins and having some of the admins assigned end up losing them.
My understanding is that there is a limit of one Authenticator app passkey per account per device, but you can have the admins who would be assigned access to the emergency access accounts register a passkey separately on their individual phones.
To avoid giving out the password to register the passkey, we could give each admin a one time use TAP.
With separate devices, the passkey limit would be up to 10 per device.
Is there anything that would make the Authenticator app passkey less functional for emergency access account use than Yubikeys?
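The TAP-based registration flow the OP describes, as an added example that is not part of the thread: an admin who holds the Privileged Authentication Administrator (or Authentication Policy) role issues a one-time Temporary Access Pass for the emergency access account, the remote admin uses it to register a passkey, and the issuer then verifies what ended up on the account and removes any leftover pass. This assumes the Microsoft.Graph PowerShell SDK, that the Temporary Access Pass method is enabled in the tenant's authentication methods policy and targets the emergency account, and the placeholder UPN `emergency-access-01@contoso.example`.

```powershell
# Added example (not from the thread): issue a one-time Temporary Access Pass (TAP) for an
# emergency access account so an admin can register a passkey without ever learning the password.
# Assumes the Microsoft.Graph PowerShell SDK; the UPN below is a placeholder.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All', 'User.Read.All'

$breakGlassUpn = 'emergency-access-01@contoso.example'   # placeholder
$user = Get-MgUser -UserId $breakGlassUpn -Property Id, UserPrincipalName

# IsUsableOnce: the pass is dead after a single successful sign-in, so it cannot be replayed
# by whoever sees it later. Keep the lifetime short; 60 minutes is plenty for one registration.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id `
           -IsUsableOnce -LifetimeInMinutes 60

# Hand this to the admin over an out-of-band channel (voice, in person), never e-mail or chat.
Write-Host "TAP for $($user.UserPrincipalName): $($tap.TemporaryAccessPass)"
Write-Host "Valid until (UTC): $($tap.StartDateTime.AddMinutes($tap.LifetimeInMinutes))"

# After the admin has registered, confirm what is actually on the account. Device-bound
# passkeys registered through Microsoft Authenticator are reported as FIDO2 methods, so
# this also shows Yubikeys and any other passkey side by side.
Get-MgUserAuthenticationFido2Method -UserId $user.Id |
    Select-Object DisplayName, Model, AaGuid, CreatedDateTime, AttestationLevel

# An unused TAP left on the account is a live credential; remove every pass once
# registration has been confirmed.
Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id |
    ForEach-Object {
        Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id `
            -TemporaryAccessPassAuthenticationMethodId $_.Id
    }
```

Run the block once per admin who is supposed to hold a passkey; the FIDO2 listing at the end is the record of how many independent credentials the account really has, which is what the "one per device" question comes down to.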
bluecollarbiker@reddit
You didn’t provide enough details of what/why your concern is in your OP. If you have distributed teams, having a break-glass recovery stored in a safe regionally close to multiple teams shouldn’t be an issue.
Your people absolutely shouldn’t be carrying around the break-glass credential with them on their daily driver device. Since you seem to be big enough, what does your risk/compliance team think of that suggestion, or do they not understand the danger?
We have 3 backups geographically dispersed. Safe on-site on one side of the country that can be traveled to, lockbox with vendor with 24 hour delivery contract, safe on-site on the other side of the country that can be traveled to. Typically we have someone capable near/at one of the two sites mentioned above. If both those sites are unreachable a couple people can order the lockbox to be shipped next day air somewhere.
We table top recovery once a year and rotate which key is in which location to ensure there aren’t deltas between them.
Fabulous_Cow_4714@reddit (OP)
Where is the PIN for the FIDO2 key going to be stored? In the same locked box with the device?
There are problems both with storing the PIN together with the Yubikey and storing it in some separate place that you could lose access to during a break glass type situation.
Chareon@reddit
You can attach multiple FIDO2 keys to an account. Have a set of 3, and each site has the PINs for the other two but not their own.
Fabulous_Cow_4714@reddit (OP)
With that setup, if one site is unavailable, you will be locked out because you will not have access to the PIN for the only hardware key available.
Chareon@reddit
With at least 3 sites, as long as you only have a loss of a single site, you'd be fine. For example if site1 burns down, you can use the token at site2 with a PIN stored at site3.
If your business only has 1 or 2 physical locations I'm sure there are other options that could be evaluated, even storing things at a high up employee's residence. Scale up beyond 3 sites for your level of risk appetite.
bluecollarbiker@reddit
There’s two written copies of the pin. Each stored separately of the tokens themselves and with different access lists. One at a separate location of ours and one in a separate box with the vendor.
There are a couple of us that know the pin. It changed 3 years ago when we had a key holder personnel change. Prior to that it hadn’t changed for several years.
This process was adopted/adapted from our on-prem break-glass account where it’s worked for us for a little over two decades now.
Traditional-Tech23@reddit
I am going to hijack this, does everyone else still have to register 2 methods for SSPR?
sembee2@reddit
On a Break Glass? If you close the browser after setting the first one, it doesn't ask again.
Traditional-Tech23@reddit
Mine asked again as GA was applied. Really annoying way to set it up Microsoft. You should be able to set Breakglass accounts with FIDO as excluded from SSPR.
Fabulous_Cow_4714@reddit (OP)
I see everyone recommending hardware keys as the best practice, but we absolutely must have another option.
The people in charge don’t want them and may not be able to be convinced otherwise. At the moment, they want to use password plus an office phone number now that MFA has become required for break glass accounts. Prior to this recent change, break glass accounts were exempt from any MFA and password-only was the SOP for break glass accounts.
So, the alternatives to Yubikeys are either to keep this password plus mobile phone and office phone number authentication method or use Microsoft Authenticator app passkeys and assign them to multiple managers to handle situations where one of them leaves the organization or resets/replaces their phone and forgets to immediately reregister a new passkey for the break glass account.
Securetron@reddit
Not everyone; we have been recommending the usage of Smart card / Certificate Based Authentication instead since it lowers the cost and provides much better resiliency. We have successfully transitioned some of our clients to use this method instead.
More info: https://securetron.net/phishing-resistant-mfa/
Fabulous_Cow_4714@reddit (OP)
We thought of that as an option, but just didn’t want the PKI and certificate expiration dependencies.
Plus, smart cards will still require hardware to store the certificates anyway. You might as well do FIDO2 instead with fewer dependencies.
Hefty-Possibility625@reddit
If you can't convince them why using a phone for your break glass account's MFA is a bad idea, then that's kinda on you.
There's your answer.
St0nywall@reddit
Treat the hardware key as you would an offsite tape storage. When the crap hits the fan, you retrieve the offsite key and utilize it. When it is no longer needed, you reset it and place it back in offsite storage. Offsite storage can be 10 feet away in the company vault or 10,000 miles away and anywhere in between. You only need a way to get the key to you when something happens.
A break glass key is NOT an immediate standby key, it is an "I tried everything else and nothing is working" key.
Fabulous_Cow_4714@reddit (OP)
How would Yubikey PINs be managed in a way that they can’t be lost under the method you described?
St0nywall@reddit
Print the PINs and place them in the same safe (or separate location) as the key. Or put them on a USB, but keep in mind electronic devices deteriorate over time.
sembee2@reddit
Why not just use TOTP? Put the code in to an envelope after doing the setup.
Then set alerts for password changes, new methods being added etc.
No piece of hardware to lose, easily added to a device in an emergency.
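The alerting sembee2 suggests (password changes, new methods being added, and any use of the account at all), as an added example that is not part of the thread: a function that pulls the last day of sign-ins and directory audit events for one emergency access account through Microsoft Graph, intended to run from a scheduled job and forward anything it finds. It assumes the Microsoft.Graph PowerShell SDK, a tenant licensed for audit and sign-in log access through Graph, and a placeholder object ID; the activity-name patterns it matches are an assumption about how Entra labels password and security-info changes, so widen them if your audit log uses different wording.

```powershell
# Added example (not from the thread): periodic check of an emergency access account for
# sign-ins, password changes and authentication-method changes. Assumes the Microsoft.Graph
# PowerShell SDK; the object ID passed in below is a placeholder.
Import-Module Microsoft.Graph.Reports

function Get-BreakGlassActivity {
    param(
        [Parameter(Mandatory)] [string] $AccountObjectId,
        [int] $LookbackHours = 24
    )
    $since = (Get-Date).ToUniversalTime().AddHours(-$LookbackHours).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1) Any sign-in at all is news: this account is not supposed to be used. Failed attempts
    #    are included on purpose; they mean someone has the password or is guessing at it.
    Get-MgAuditLogSignIn -Filter "userId eq '$AccountObjectId' and createdDateTime ge $since" -All |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                When   = $_.CreatedDateTime
                Kind   = 'SignIn'
                Detail = "$($_.AppDisplayName) from $($_.IpAddress) errorCode=$($_.Status.ErrorCode)"
            })
        }

    # 2) Directory audit events that target the account. Only the time window is filtered
    #    server-side; the target match is done client-side so it does not depend on $filter
    #    support for targetResources. Activity-name patterns are an assumption (loose match).
    $watched = 'password', 'security info', 'authentication method', 'Update user'
    Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge $since" -All |
        Where-Object { $_.TargetResources.Id -contains $AccountObjectId } |
        Where-Object { $name = $_.ActivityDisplayName; $watched | Where-Object { $name -like "*$_*" } } |
        ForEach-Object {
            $actor = if ($_.InitiatedBy.User.UserPrincipalName) { $_.InitiatedBy.User.UserPrincipalName }
                     elseif ($_.InitiatedBy.App.DisplayName)   { $_.InitiatedBy.App.DisplayName }
                     else                                       { 'unknown' }
            $findings.Add([pscustomobject]@{
                When   = $_.ActivityDateTime
                Kind   = 'Audit'
                Detail = "$($_.ActivityDisplayName) by $actor result=$($_.Result)"
            })
        }

    return $findings | Sort-Object When
}

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
$hits = Get-BreakGlassActivity -AccountObjectId '00000000-0000-0000-0000-000000000000'   # placeholder
if ($hits.Count -gt 0) {
    # Replace with your pager, Teams webhook or SIEM push; anything here should wake someone up.
    $hits | Format-Table -AutoSize | Out-String | Write-Warning
} else {
    Write-Host 'No activity on the emergency access account in the lookback window.'
}
```

Polling Graph this way is the low-dependency variant; the same two queries translate directly into a Log Analytics alert rule over the SigninLogs and AuditLogs tables if the tenant already streams diagnostics there, which removes the scheduled job and its own credential from the picture.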
FlyingStarShip@reddit
It should be one Yubikey in the safe somewhere, not multiple people having access to it; then it is not a break glass account but an account with no CA on it.
Fabulous_Cow_4714@reddit (OP)
How would storing a Yubikey in a safe work if the people with access to it are all working remotely?
It also can’t be assigned to only one person in case anything happened to that single person on the day you needed the break glass account.
Internet-of-cruft@reddit
You don't use a break glass unless it's an emergency.
If it's an emergency, you should be able to justify those remote folks getting to said safe to retrieve the key.
Fabulous_Cow_4714@reddit (OP)
Remote, as in working from another part of the country.
MisterIT@reddit
Emergency, as in get your butt on a plane
Fabulous_Cow_4714@reddit (OP)
They are not going to want to wait until the next day at the soonest for someone to fly in.
That isn’t realistic.
ArborlyWhale@reddit
You’re the only one making it unrealistic XD
How about your lazy ass do some problem solving like… putting the break glass near the person who might use it!?!?!?!!!11!!?!1
Fabulous_Cow_4714@reddit (OP)
It’s unrealistic for organizations that don’t want security keys in the first place. They really just want passwords.
So, they absolutely will not deal with storing keys in safes or shipping them off to Iron Mountain or a bank safety deposit box.
We are going to have to have another option like Microsoft Authenticator app passkeys or they will just stick with passwords plus phone numbers for MFA since it works with the least amount of change and has no purchase requirements.
Up until recently, it was recommended that break glass accounts not have MFA.
MisterIT@reddit
You don’t seem to understand what a break glass account is for. It’s not for your sysadmins to use as a backup. Maybe you need that kind of solution too based on your business needs.
Fabulous_Cow_4714@reddit (OP)
I know what it’s for.
It needs to be accessible by someone plus an alternate person in a different location when all other GA accounts are locked out of access to the tenant for some reason.
The other GAs will get access through PIM when everything is working as normal.
Internet-of-cruft@reddit
You can have multiple Yubikeys per account.
Pick as many people that you trust to have access and have Yubikeys entrusted in their care, or pay for a lockbox somewhere like a bank.
There's nothing more complicated than that.
hybrid0404@reddit
Or even multiple accounts.
SouthJerseyPride@reddit
I don't understand why your comment was buried so deep. That was my thought too...
charleswj@reddit
Ship the responsible people a safe and store the key in it and provide the password if needed. If they're trusted then you can trust them to keep it.
Master-IT-All@reddit
Have you considered using a third party to maintain the break glass access account?
If you have your licensing through a Cloud Service Provider you may even be missing out on something they offer.
-Also, do you think you maybe have too many global admins? General rule of thumb, more than two is too many
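Answering the "too many global admins" question and the OP's remark that the other GAs go through PIM with data rather than opinion, as an added example that is not part of the thread: list who holds Global Administrator as an active assignment versus a PIM eligibility. It assumes the Microsoft.Graph PowerShell SDK on PowerShell 7 (the `??` operator), an Entra ID P2 tenant for PIM, the well-known Global Administrator role template ID, and an `emergency-access-*` naming convention for the break-glass accounts, which is an assumption you should replace with your own.

```powershell
# Added example (not from the thread): active vs. eligible Global Administrator holders.
# Assumes Microsoft.Graph PowerShell SDK, PowerShell 7 and Entra ID P2 (PIM).
Import-Module Microsoft.Graph.Identity.Governance

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

$gaRoleId = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator role template ID

function Convert-PrincipalToRow {
    param([Parameter(Mandatory)] $Principal, [Parameter(Mandatory)] [string] $Type)
    # Expanded principals come back as generic directory objects; UPN/displayName live in
    # AdditionalProperties. Groups and service principals only have displayName.
    [pscustomobject]@{
        Principal = $Principal.AdditionalProperties['userPrincipalName'] ??
                    $Principal.AdditionalProperties['displayName']
        Type      = $Type
    }
}

# Active assignments: permanent ones plus PIM eligibilities that are currently activated.
$active = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$gaRoleId'" `
              -ExpandProperty Principal -All |
          ForEach-Object { Convert-PrincipalToRow -Principal $_.Principal -Type 'Active' }

# Eligible assignments: carry no rights until activated through PIM.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "roleDefinitionId eq '$gaRoleId'" `
                -ExpandProperty Principal -All |
            ForEach-Object { Convert-PrincipalToRow -Principal $_.Principal -Type 'Eligible' }

@($active) + @($eligible) | Sort-Object Type, Principal | Format-Table -AutoSize

# The only principals that should be Active are the emergency access accounts; everyone
# doing day-to-day admin work belongs on the Eligible list. Naming convention is an assumption.
$permanent = @($active) | Where-Object { $_.Principal -notlike 'emergency-access-*' }
if ($permanent) {
    Write-Warning ("Permanent Global Administrator holders outside the break-glass accounts: " +
                   ($permanent.Principal -join ', '))
}
```

Run this on a schedule next to the break-glass activity check; the two together cover both halves of the thread's argument, that the emergency accounts are the only standing GAs and that nobody is touching them.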
raip@reddit
You have a fundamental misunderstanding of what a break glass account is used for. It's there for business continuity - not for the admins as a backup account.
Fabulous_Cow_4714@reddit (OP)
I’m referring to business continuity.
It can’t be a single point of failure having one Yubikey in a safe.
What if they somehow lose access to the safe during the emergency?
You are also supposed to have 2 break glass accounts.
macmanca@reddit
We have 2 Yubikeys setup for our break glass account. One is with the supervisor and one is the Manager of the AD/SysAdmin unit. I set them up handed off to them and both have their own safe locations for them.
sarge-m@reddit
As someone said before, you can have multiple Yubikeys per account.
FlyingStarShip@reddit
Do 2 yubikeys max, senior management (that knows what to do in extra) + senior admin or 2 senior admins.
One-Environment2197@reddit
I agree. Only two or three people should have access to the BG account; more than one for redundancy, and they should be senior management types. Other admins should utilize PIM for elevated access.
Speeddymon@reddit
Why not use Privileged Identity Management?
fdeyso@reddit
How is that related?
Speeddymon@reddit
Honestly I won't know whether or not it is related unless OP provides an answer. And I get OP isn't going to change strategies at this point; so it was just a question born from curiosity. OP doesn't have to answer.
fdeyso@reddit
I was asking you, how the F PIM is related to handling MFA for a breakglass account? Yes their MFA approach on it is questionable, but PIM has absolutely nothing to do with it nor it can help much.
Some_Team9618@reddit
Ours has a hardware token attached, and an alert goes to everyone in supervision or higher in IT if it’s ever touched. Locked in a safe at our DR site.
fdeyso@reddit
We have one at our main site in the security control room too, but fully agree. This is the way.
raip@reddit
Other than Emergency Access accounts aren't supposed to be easy to use. They're there for business continuity. They're to be locked in a safe and only broken into for the most dire of situations - like when your primary Entra admin gets compromised or dies. Having it tied to an admin's phone increases the risk as now, if/when that phone gets compromised, your break-glass is also compromised and this account should be excluded from all other security controls.
Now everyone has their own opinions on this; that's just what their documented intended use is. But I've been part of multiple multi-billion dollar orgs where the break-glass account is tied to a trusted admin's FIDO2 key, and one where it was just in a "pending MFA registration" status with the understanding that whoever gets the password will need to register MFA and then remove it to use. Business can do whatever they want; just make sure it's documented and your ass is covered.
Speeddymon@reddit
Couple of points of clarification but overall good advice.
phunky_1@reddit
People come and go in an organization.
A hardware key in a safe stays there through personnel changes.
Also since the break glass account should never be used, the hardware MFA being somewhat inaccessible helps enforce that.
Fabulous_Cow_4714@reddit (OP)
There can be a backup copy in a safe, but having the one and only access to the account in a safe can turn into a problem.
Also, nobody who would be given access to this account lives in the same region as the safe. So, that could turn into a multi-day delay.
Xelopheris@reddit
Multiple fido2 tokens like yubikeys, tested on a yearly basis. Two in a dual custody safe in your office, plus two more in a safety deposit box in a separate part of town.
For the cost of a second one, you can have more assurance that both won't fail in that year between testing. Having another two offsite means you have the same assurance in the event of a natural disaster that destroys your office.
We may have had a tornado incident at our office.
Careful-Criticism645@reddit
Why do you have so many "break glass" accounts that you're shipping keys out everywhere?
One-Environment2197@reddit
FIDO2 Hardware tokens are the way to go. Period. They're less expensive than the cost of an outage because you didn't want to purchase and ship them out. Dedicate two senior managers as "key holders" and ask them to purchase a Yubikey from a local BestBuy then expense it. Setting them up remotely is easy. You can do it all from the My Account page.