Concerns About MFA and SSPR Security Risks

Asked By NervousNelly123 On

Hey everyone! I'm feeling a bit anxious about how secure a Microsoft Self-Service Password Reset (SSPR) setup is when using Multi-Factor Authentication (MFA) alone to verify users. Let's say one user has registered an MFA app on their personal phone, which might not have strong security measures like a PIN or biometric lock. Imagine this phone gets lost after a night out, and the user doesn't notice right away. An attacker could find the phone, access the MFA app if the security is weak, and potentially reset the user's password through SSPR, putting them at risk. I'm wondering if I'm being overly cautious. How do you deal with this kind of situation? Am I missing something important? Thanks for any insights! Cheers!

4 Answers

Answered By TechieTester On

I'm planning to test how our setup manages these situations because I think this is a valid concern. It sounds like it could lead to serious vulnerabilities if someone loses their phone! 🤔

Answered By RiskCalculator On

A solid approach could be requiring a lock on the authenticator app itself. Just a heads up, you can't control SSPR entirely through conditional access because it doesn't follow the same login procedures. Your risk is valid; if a user loses their factors for resetting their password and someone smart finds them, they could really exploit that. It's all about assessing how serious that risk is for your organization.

Answered By AppSecSpecialist On

Even relying only on MFA for SSPR doesn’t eliminate risk if the device gets compromised. You should set up Microsoft Authenticator to require app-specific PINs or biometrics for added security. Also, restricting MFA registration and SSPR to compliant devices like Intune can help.

CautiousAdmin -

But wait, can we actually limit SSPR to certain locations? I've heard it's not possible with conditional access.

Answered By SecurityGuru42 On

Have you thought about implementing conditional access? There are setups where password changes can only happen while connected to the company network. The downside is remote workers cannot reset their passwords without going into the office, but it prevents an attacker from changing passwords even with the phone in their possession. But honestly, if someone can get onto a phone with such a weak PIN, that's a major concern on its own since they'll have access to all company data, not just the ability to reset the password.

WorriedTechie -

But isn't SSPR out of scope for conditional access? It seems like a different process.
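As an added example, not code posted by anyone in this thread: the two answers above differ on whether Conditional Access can cover SSPR. Conditional Access cannot target the SSPR flow itself, but it can target the "Register security information" user action, so a policy can require a compliant (Intune-managed) device before anyone registers or changes the MFA methods that SSPR later relies on. The Microsoft Graph PowerShell snippet below creates such a policy in report-only mode and then reads the tenant's authentication methods policy so you can review which methods are enabled. The break-glass account object ID is a placeholder you must replace; everything else uses documented cmdlets and the standard Conditional Access request shape.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph
# PowerShell SDK and an account allowed to manage Conditional Access.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of your emergency-access (break-glass) account.
$breakGlassAccountId = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"

# Conditional Access policy: the user action "Register security information"
# covers combined MFA/SSPR registration, which is where the factors used
# for password reset are enrolled. SSPR sign-in itself is out of scope
# for Conditional Access, so this gates the enrollment, not the reset.
$policy = @{
    displayName = "Require compliant device to register security info"
    # Report-only first: check the sign-in logs for who would be blocked
    # (e.g. new hires on an unmanaged device) before switching to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
        applications = @{
            includeUserActions = @("urn:user:registersecurityinfo")
        }
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# Review which authentication methods are enabled tenant-wide. Methods
# that are weak against a found, unlocked phone (e.g. SMS) show up here;
# the Microsoft Authenticator app lock itself is a device-side setting
# and is not enforced by this policy.
$authPolicy = Get-MgPolicyAuthenticationMethodPolicy
foreach ($method in $authPolicy.AuthenticationMethodConfigurations) {
    Write-Output ("{0,-30} {1}" -f $method.Id, $method.State)
}
```

Run it once in report-only mode, inspect the sign-in logs for the "Register security information" user action, and only then change `state` to `enabled`. This addresses the registration step the answers refer to; requiring a PIN or biometric inside the Authenticator app remains a device-level control and is best handled through Intune app protection rather than Conditional Access.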
