Monday, August 5, 2024

Strengthen the break glass accounts (emergency access) with FIDO2

Many organizations create emergency access accounts to prevent being locked out of their Microsoft Entra organization. These accounts ensure that administrators can always sign in or activate another user’s account when needed. Typically, two or more emergency access accounts are created to mitigate the impact of losing administrative access. These accounts are highly privileged and are not assigned to specific individuals.

For detailed guidance on creating an emergency access account, refer to this Microsoft guide: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access?WT.mc_id=%3Fwt.mc_id%3DMVP_328457

Generally, we use lengthy passwords for emergency access accounts. The usernames and passwords are sealed and stored in a very secure location. These accounts are excluded from the usual security controls, meaning no MFA or similar protections are applied to them.

To strengthen these accounts, we can replace passwords with FIDO2 security keys. Many FIDO2 key vendors are available, offering a range of form factors and supported protocols.

Some examples:

  1. Yubico YubiKey 5 NFC: Known for its versatility, this key supports multiple protocols including FIDO2, FIDO U2F, and NFC, making it compatible with a wide range of devices.
  2. Feitian ePass K9: This key is praised for its robust security features and ease of use. It supports the FIDO2 and U2F protocols.
  3. SoloKeys Solo 1: An open-source security key that supports FIDO2 and U2F. It is a great choice for those who prefer transparency and community-driven development.
  4. TrustKey T110: This key offers strong security with FIDO2 support and is known for its durability and reliability.
  5. GoTrust Idem Key: A compact and reliable key that supports FIDO2 and U2F, making it a solid choice for securing your accounts.
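Once the keys are registered, it is worth checking periodically that each emergency access account really does have a FIDO2 method and has not silently fallen back to a password-only state. The following is an added example (not code from the original post or from Microsoft) that audits the JSON returned by Microsoft Graph from `GET https://graph.microsoft.com/v1.0/users/{id}/authentication/methods` (requires the `UserAuthenticationMethod.Read.All` permission); the responses and account names below are constructed samples.

```python
import json

# Real @odata.type values returned by the Graph authentication methods endpoint.
FIDO2 = "#microsoft.graph.fido2AuthenticationMethod"
PASSWORD = "#microsoft.graph.passwordAuthenticationMethod"

# Constructed sample responses (placeholder UPNs and ids): one break glass
# account with a sealed hardware key registered, one that still has only a password.
SAMPLE_RESPONSES = {
    "breakglass1@contoso.example": json.dumps({"value": [
        {"@odata.type": PASSWORD, "id": "pw-0001"},
        {"@odata.type": FIDO2, "id": "fido-0001", "displayName": "Sealed key A",
         "model": "YubiKey 5 NFC", "attestationLevel": "attested",
         "createdDateTime": "2024-08-01T09:00:00Z"},
    ]}),
    "breakglass2@contoso.example": json.dumps({"value": [
        {"@odata.type": PASSWORD, "id": "pw-0002"},
    ]}),
}


def audit_account(upn: str, methods_json: str) -> dict:
    """Summarise one account's registered authentication methods."""
    methods = json.loads(methods_json).get("value", [])
    keys = [m for m in methods if m.get("@odata.type") == FIDO2]
    # Any method other than password/FIDO2 (e.g. phone) is a weaker fallback path.
    others = sorted({m.get("@odata.type", "?").rsplit(".", 1)[-1]
                     for m in methods if m.get("@odata.type") not in (FIDO2, PASSWORD)})
    return {
        "upn": upn,
        "fido2_keys": [k.get("model", "unknown") for k in keys],
        "unattested": [k.get("model", "unknown") for k in keys
                       if k.get("attestationLevel") != "attested"],
        "password_only": bool(methods) and all(m.get("@odata.type") == PASSWORD for m in methods),
        "other_methods": others,
        # Policy of this check: at least one FIDO2 key and no weaker method to fall back on.
        "ok": len(keys) >= 1 and not others,
    }


def audit_all(responses: dict) -> list:
    """Audit every account in a {upn: methods_json} mapping."""
    return [audit_account(upn, body) for upn, body in responses.items()]


if __name__ == "__main__":
    for r in audit_all(SAMPLE_RESPONSES):
        status = "OK " if r["ok"] else "FIX"
        print(f"{status} {r['upn']}: fido2={r['fido2_keys']} "
              f"others={r['other_methods']} password_only={r['password_only']}")
```

In a real tenant, replace `SAMPLE_RESPONSES` with the bodies fetched for each emergency access account and run the audit on a schedule.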
