We've just set up a phone system that uses Microsoft Single Sign-On (SSO), along with a conditional access (CA) policy to enhance the security of user logins. The CA policy requires users to reauthenticate every 30 days. This has caused some problems, especially for those using the softphone app on their mobile devices. If users don't open the app, they don't realize they need to reauthenticate, leading to missed calls until they do. I'm trying to figure out how to handle this situation. Is it just a matter of telling users to regularly check the app? I'm hesitant to remove the reauthentication requirement because it presents a security risk if a softphone is compromised. I'm open to suggestions!
3 Answers
Reauthentication every month doesn’t really enhance security if someone has already breached your system. If an attacker has access, they could still bypass that 30-day window. This policy might just be making it inconvenient for users without adding valuable security. It's possible that a more tailored approach would be effective here!
As someone who's been in sysadmin for over 20 years, I would recommend revisiting that policy. Reauthenticating every 30 days might not be practical for users, especially with phones where reliability is key. If your product isn’t warning users to log in, that’s a significant issue. Does your system fully support conditional access?
I agree! Phones are expected to "just work". It's frustrating when they don't.
Have you considered generating a last sign-in report? You could use that to send out automated emails warning users a few days before their reauth deadline. It's not foolproof, but it could help prevent missed calls by notifying users proactively. In my experience, multiple reminders leading up to the deadline help too!
Good idea! Though, getting users to actually respond to those emails is a whole different challenge.
You're right about the inconvenience, but isn't periodic reauthentication suggested in NIST guidelines?