
QR Code Authentication for Front Line Workers – Setting Security Controls From the Get Go! – EMS Route


In today’s threat landscape, adversaries are trying to get into organizations in any way they can. New authentication methods are being introduced, along with combinations of those methods and authentication strengths. If you look at the audience Microsoft advises for QR code authentication (which is in Public Preview as of today), it is Front Line Workers (FLW). One reason may be that these users are not always using a computer the way an Information Worker (IW) does, and they are not always working with highly sensitive data, so giving them a simple password for easy access is possible. Implementing MFA can also be a challenge, depending on the work they perform. However, security controls must be balanced against user productivity.


Blessing or a Curse?

The biggest benefit I can see in this authentication method is the QR Code + PIN combination, as the name says.

Without this option, the FLW may have to sign in with password + Authenticator or with a phishing-resistant option, and depending on the sign-in frequency they might have to do so several times a day, which affects user productivity.

Social engineering attacks are very popular these days, and not even MFA is safe when it comes to highly coordinated attacks.

The QR code can be printed and attached to the company badge so the FLW can easily scan it to log in to the systems when needed (which is also the intended way of using it according to Microsoft). The PIN length can be 8-20 characters. Realistically, memorising a 20-character PIN is not practical. Besides, what if the FLW has written the PIN down right next to the QR code itself? That negates the whole security element of the QR + PIN combination and takes us back to the password-on-a-post-it-note situation.

User awareness is important. Advising users not to share the QR codes or PINs, and not to write down the PIN, must be part of the communication.

Lateral Movement Patterns

One might argue that FLW users won’t be working with highly sensitive data. While this might be the case, the attackers’ motivation can be different. Ideally, all they need is to get into the environment; the rest can be achieved in time. A lateral movement pattern must be identified as soon as possible, and you must stay 10 steps ahead of the adversary. This also applies to social engineering, as tackling it is one of the ways to stop bad actors from getting into the environment. As an example, an FLW may be accessing blueprints, and those are usually highly confidential data.

How to Make QR Code Authentication More Secure?

Scoping out the accounts, tasks and devices is the key.

This is where the goodness of Entra and Intune comes into the scene. Managing the devices via Intune is very important, as the security controls go hand-in-hand with Microsoft Entra. These types of devices are, in most cases, shared devices connected to the corporate network.

Also, there is a very high chance that the FLWs are not using the apps outside office hours, but they may still log in to their email to check a payslip in the meantime. QR Code authentication only satisfies the primary authentication, so how do you tackle something like that? Three words. Conditional Access Policies!

  • Network Locations: Map a CA Policy with the Network Locations condition to the same FLW user group, so that if a user is accessing email (as an example) from outside the corporate network, they are prompted for MFA instead.
  • Device Platforms: Make sure the Conditional Access Policies are created with the Device Platform condition, so the applications can only be accessed from the recommended platforms.
  • Managed by Intune: Make sure the devices are MDM-managed via Intune, where you can enforce inactivity screen lock, shared mode, compliance policies, etc.
  • Device Compliance: Make sure the devices are compliant when accessing the applications, or set the Conditional Access Policy to block access.
  • Device Types: It is highly recommended to enable this authentication mode only on shared devices.
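The two policies below are an added example (not from the original post or from Microsoft) of how the network-location and device-compliance controls above can be created with the Microsoft Graph PowerShell SDK. The FLW group id is a placeholder, the Exchange Online application id is the well-known Office 365 Exchange Online id, and the shared-device filter rule is an assumption to adapt to your own device attributes.

```powershell
# Added example (not the post's own code). Requires the Microsoft.Graph module and
# the Policy.ReadWrite.ConditionalAccess scope. Both policies are created in
# report-only mode so sign-in logs can be reviewed before enforcing anything.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$flwGroupId      = "00000000-0000-0000-0000-000000000000"   # placeholder: FLW group object id
$exchangeOnline  = "00000002-0000-0ff1-ce00-000000000000"   # well-known Office 365 Exchange Online app id
$reportOnly      = "enabledForReportingButNotEnforced"

# Policy 1: QR + PIN is single-factor, so require MFA when FLWs reach email
# from anywhere that is not a trusted (corporate) named location.
$mfaOutsideCorp = @{
    displayName   = "FLW - Require MFA for Exchange Online outside corp network"
    state         = $reportOnly
    conditions    = @{
        clientAppTypes = @("all")
        users          = @{ includeGroups = @($flwGroupId) }
        applications   = @{ includeApplications = @($exchangeOnline) }
        locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
        platforms      = @{ includePlatforms = @("android", "iOS") }  # FLW shared-device platforms
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: for every cloud app, only Intune-compliant shared devices may be used.
# The device filter is an assumption: it excludes devices whose Entra profile type
# is "Shared", so anything that is NOT a shared device is caught by the policy.
$compliantSharedOnly = @{
    displayName   = "FLW - Require compliant shared device for all cloud apps"
    state         = $reportOnly
    conditions    = @{
        clientAppTypes = @("all")
        users          = @{ includeGroups = @($flwGroupId) }
        applications   = @{ includeApplications = @("All") }
        devices        = @{
            deviceFilter = @{ mode = "exclude"; rule = 'device.profileType -eq "Shared"' }
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($mfaOutsideCorp, $compliantSharedOnly)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}
```

Switch `state` to `enabled` only after the report-only results in the sign-in logs show no unintended lockouts of the FLW group.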

According to Microsoft – Shared device mode is a feature that allows organizations to configure an iOS, iPadOS, or Android device for multiple employees to share. Employees can pick a device from the shared pool, sign in once, and they automatically gain access to all SDM-supported apps through single sign-on (SSO). When their shift ends, they sign out globally on the device, which removes their personal and company information from all SDM-supported applications. They can then return their device to the pool, while ensuring a secure handoff to the next worker as other users can’t see or access their information.
We recommend enabling SDM on your shared devices. In addition to Microsoft Intune, check out other third-party MDMs that support Microsoft Entra shared device mode.

Once Shared device mode is enabled, Conditional Access Policies can be set to filter the devices as shown below.

(Image 2: filter for devices in the Conditional Access Policy)

🔗 More controls can be found here

Security Controls and Descriptions

  • Application protection policies: Intune App Protection Policies (APP) ensure organizational data remains safe within managed apps. For enhanced security, set up Microsoft Entra Conditional Access policies to ensure your apps are secured with an app protection policy before granting access to users.
  • Inactivity screen lock: Configure inactivity screen lock and auto sign-out functionalities using launcher apps like Managed Home Screen to protect shared corporate devices from unauthorized access by malicious coworkers with physical access. On BYOD, configure screen lockout capabilities on iOS and Android to prevent local attacks.
  • Interactive user authentication: Interactive user authentication ensures that only authorized users can access resources when they sign in to a device, application, or service. Admins should choose the Microsoft Entra ID authentication methods that meet or exceed their organization’s security, usability, and availability standards.

Wrapping Up

Making sure to scope this authentication method is vital. While this is a passwordless solution, as admins you must take note that it is only “Single Factor Authentication”. User awareness on what to do and what not to do is important. Examples:

  • What to do: Advise IT if and when the QR code is lost or stolen.
  • What not to do: Write the PIN next to the QR code, or anywhere else for that matter.

And you can add some rigour with security controls like Conditional Access Policies and Intune to make sure bad actors can’t take advantage.

