Increase security for MFA App Passwords – ‘flaw in security’
There are a few security issues with App Passwords while using MFA. The security around App Passwords needs to be strengthened.
First, App Passwords consisting of all lower-case letters are not as secure as the current password policies our users are using. By enabling MFA, our clients and users are complaining about the strength of the App Password.
Second, App Passwords that can be re-used are lessening the password security of user accounts. This allows users to copy/paste or write down the password to be used again and again.
- Increase the complexity of the App Password (upper case, lower case, special character, and 16+ characters long)
- Change the App Password to be usable for only one app on one device. This way if it is hacked, then it is not usable by anyone. Without this, MFA decreases security instead of increasing it.
Roberto Franco commented
App-specific passwords should be usable only on a single specific app and device. Otherwise they are normal passwords and defeat the purpose of having MFA.
Got to do this...
Jerzy Z commented
Just to add to my comment, this is from Azure log: " MFA requirement skipped due to app password "
Jerzy Z commented
Tejas has good comments, but the point is that if an app password is compromised, MFA is not used.
Microsoft has the Azure log, and you can see all authentications and how the users were authenticated. When an app password is used, it is indicated in the log. Go to Azure Portal > Azure Active Directory > Sign-ins, download to CSV, and filter in Excel.
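As an added example (not part of this thread), a script that performs the filtering Jerzy describes on the exported sign-ins CSV: it keeps every row whose MFA result carries the "skipped due to app password" marker quoted above and summarizes those sign-ins per user, with the source IPs and applications seen. The column names and the sample rows are constructed for the example, not taken from a real export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of an Azure AD sign-in log export (not a real export).
# Column names are an assumption; the filter below does not depend on them.
SAMPLE_SIGNIN_CSV = """\
Date (UTC),User,Username,Application,IP address,Client app,MFA result
2019-05-01T08:12:03Z,Alice Example,alice@example.com,Office 365 Exchange Online,198.51.100.10,Other clients; IMAP,MFA requirement skipped due to app password
2019-05-01T08:15:44Z,Alice Example,alice@example.com,Office 365 Exchange Online,198.51.100.10,Browser,MFA requirement satisfied by claim in the token
2019-05-01T09:02:10Z,Bob Example,bob@example.com,Office 365 Exchange Online,203.0.113.7,Other clients; SMTP,MFA requirement skipped due to app password
2019-05-01T09:30:00Z,Bob Example,bob@example.com,Office 365 Exchange Online,192.0.2.55,Other clients; SMTP,MFA requirement skipped due to app password
2019-05-01T10:00:00Z,Carol Example,carol@example.com,Microsoft Teams,192.0.2.20,Browser,MFA requirement satisfied by claim in the token
"""

# Substring of the log text quoted in the thread: "MFA requirement skipped due to app password"
APP_PASSWORD_MARKER = "skipped due to app password"


def app_password_signins(csv_text):
    """Return the rows of a sign-in export where MFA was skipped because an
    app password was used. The marker is matched in every column, so the
    exact column header of the export does not matter."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row for row in reader
            if any(APP_PASSWORD_MARKER in (value or "").lower() for value in row.values())]


def summarize_by_user(rows, user_col="Username", ip_col="IP address", app_col="Application"):
    """Per user: number of app-password sign-ins plus the distinct source IPs
    and applications. More than one IP for the same user is worth reviewing,
    since an app password is meant to serve one app on one device."""
    summary = defaultdict(lambda: {"count": 0, "ips": set(), "apps": set()})
    for row in rows:
        entry = summary[row[user_col]]
        entry["count"] += 1
        entry["ips"].add(row[ip_col])
        entry["apps"].add(row[app_col])
    return dict(summary)


if __name__ == "__main__":
    hits = app_password_signins(SAMPLE_SIGNIN_CSV)
    for user, info in summarize_by_user(hits).items():
        print(f"{user}: {info['count']} app-password sign-ins "
              f"from {sorted(info['ips'])} to {sorted(info['apps'])}")
```

Point `app_password_signins` at the text of a real export to get the same per-user view without opening the file in Excel.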
Tejas Ambekar commented
Multifactor Authentication is a very innovative method, which employs the latest technology in practice. Many of the users have used biometric authentication using fingerprints. Multifactor authentication also does the same using the phone to input the fingerprint at the time of login. It’s a step ahead of the conventional two-step authentication method that uses a one-time password (or OTP) to authenticate the login. It’s such a strong feature that it protects the system even if hackers have the login credentials (username and password) and also the registered phone. Apart from these password-related features, there are several other strong features that CloudCodes for Business provides. These are IP restriction, Geo-Fencing, browser restriction, and device restriction.
Know More - https://www.cloudcodes.com/blog/enhanced-office365-security-with-password-policy.html
That is a very good suggestion. Vote for this.
Today I tried to figure out how to get the authentication log for app passwords. For me it makes sense to have such a log. Microsoft support reported that they don't have such a log and don't plan to add one.