Exoprise CloudReady synthetic sensors now support testing of Multi-factor Authentication (MFA). This enables you to use accounts that require MFA when its a tenant-wide settings or provides the capability to test the performance and uptime of MFA infrastructure.
Background
Multi-factor Authentication (MFA) helps secure logins by requiring an additional authentication “factor” (source of verifiable secrets). The original factor is “something you know”, the password. The additional factor is “something you have”, a dedicated key fob or more typically now a cell phone running an authenticator app or receiving SMS.
For more information, have a look at the Microsoft page for MFA: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks
For its security benefits it’s not uncommon for MFA to be required tenant wide. MFA can also be a point of failure. There have been numerous Microsoft 365 outages related to MFA this past year so it’s worth monitoring MFA and being informed of MFA related login problems.
Exoprise Implementation Overview
Exoprise supports testing MFA through Time-based One-Time Password (TOTP). TOTP is implemented by authenticator apps like “Microsoft Authenticator”, “Google Authenticator”.
- The server generates a TOTP secret key and shows it to the user as a QR code and a character string
- The user imports the TOTP_KEY into an authenticator app
- The authenticator uses the TOTP_KEY and the current time to generate a unique and everchanging one-time pass code (TOTP_CODE)
- Which is supplied to and verified by the server during login
- Because the server and the authenticator both have the TOTP_KEY, they will generate the same TOTP_CODE at a given time, which confirms the user’s ownership of the device with the TOTP_KEY
In order for Exoprise sensors to perform a TOTP-based login, they have to function like authenticator apps, i.e., have access to the TOTP_KEY to be able to generate TOTP_CODEs. The TOTP_KEY is supplied to the sensor during configuration and, like passwords, are securely stored with Public/Private Key (PKI) encryption. For more information about our Exoprise private site PKI, see the security overview.
At sensor runtime the TOTP_KEY is utilized to generate the TOTP_CODE and submit it to the login MFA form. The sensor will try to detect and report any MFA related errors if TOTP_CODE submission fails.
How To Setup MFA For Synthetic Sensors
Obtaining the Time-based One-time Password (TOTP) Key
If the account you are using is not yet registered for MFA or is, but you want/need to generate a separate TOTP_KEY for the Exoprise sensors, you’ll need to follow the steps in this section.
- If MFA is required but not yet set up you will be redirected to https://account.activedirectory.windowsazure.com/proofup.aspx during login. If MFA is already set up, but you need/want to generate a new TOTP_KEY you can open that page directly.
- For “How should we contact you?” select “Mobile app” and “Use verification code”
-
Select Mobile App and Use Verification Code And click the ‘Set Up’ button.
- In the popup click “Configure app without notifications”. That’s the standard TOTP option.
Click “Configure App Without Notifications” - The popup will change to the following:
Displaying the Secret Key - Save the secret key. You will need to supply it in the sensor setup wizard. If you plan on setting up other MFA based synthetic testing sensors, you should save off the secret key or you will need to re-register the MFA authentication later.
- To complete the registration, you’ll need to scan the QR code with or enter the “Secret Key” into an existing authenticator app (e.g. Microsoft Authenticator, Google Authenticator, Authy) after which the authenticator will start generating TOTP_CODEs.
- Click “Next” to close the popup and “Next” again in the main window
Verify the MFA Setup with Authenticator APP - To commit the MFA registration, enter the TOTP_CODE from the authenticator app
Commit the registration by entering a generated code - Microsoft may ask for a phone number in case you lose the authenticator.
Additional prompt for a telephone number - If you have already set this up and want to generate a new TOTP_KEY for the sensors, the proofup.aspx page will look like this:
Generating Additional Secrete Keys
Supplying the TOTP_KEY to The Sensor
- For sensors that support Microsoft TOTP MFA The sensor config wizard step where you enter credentials will have an optional “MFA TOTP Key” field in addition to the password field. See the following screenshot for an example of testing MFA with Microsoft Teams.
Exoprise CloudReady Synthetic Microsoft Teams MFA Setup - Enter the MFA TOTP Key into the provided field. A synthetic sensor that tests MFA will cost an additional Exoprise credit once deployed.
- When re-configuring the sensor, the TOTP Key won’t need to be re-entered unless you want to modify it in which case you should uncheck the “keep existing” option.
Sensor Specific Considerations for MFA Testing
Outlook Web Access or OWA
The OWA sensor has two aspects, mailbox access via the EWS API and browser based mailbox testing via the Outlook Web Access interface for sending of test messages. The EWS API requests can be secured by basic auth (username/password) or OAuth. Basic auth has been deprecated and will be removed soon.
Microsoft 365 has two levels of MFA enforcement, enabled and enforced. When enabled, non-web-interactive (EWS API) authentication with the main account credentials continues to work, but when enforced, such authentication is blocked. So enforced MFA may result in OWA sensors errors like this:
Since Basic auth is deprecated, our recommendation to work around this is to switch to OAuth.