Multi-factor authentication (MFA) is one of the most effective controls you can adopt to secure your environment. By requiring two or more independent forms of authentication, it makes it much harder for malicious actors to gain access to your systems and confidential data.
However, like everything in cyber security, MFA is not a set-and-forget technology. An MFA deployment is only as strong as the authentication protocols behind it, and older protocols could still be leaving you exposed.
Researchers have uncovered critical vulnerabilities in the Web Services Trust (WS-Trust) authentication protocol. WS-Trust, when used with a user account and password, implements an authentication flow in which the login credentials are presented to the authenticating resource in an unencrypted form. This does not align with current encryption standards, and Microsoft itself has described the protocol as 'inherently insecure'.
Microsoft currently has WS-Trust authentication in place when connecting to Power Apps, its suite of tools for rapidly developing custom business applications. One Power Apps component that is particularly at risk is Common Data Service (since renamed Microsoft Dataverse), a cloud-based platform that allows multiple applications to access the same underlying data.
Recognising the risks of relying on WS-Trust authentication, Microsoft moved in February this year to begin phasing it out for connections to Common Data Service. The change affects applications that use the Microsoft.Xrm.Sdk.Client.OrganizationServiceProxy and Microsoft.Xrm.Tooling.Connector.CrmServiceClient classes with the authentication type 'Office365', which is the setting that routes sign-in through WS-Trust.
With WS-Trust authentication in place, attackers could spoof their source IP address through simple request header manipulation. Because MFA and access policies that key on the apparent source address could then be sidestepped, this allowed them to bypass MFA and gain full access to Office 365 accounts, including email, files, contacts and other data.
WS-Trust is scheduled to be fully retired by Microsoft in April 2022.
Any organisation still relying on WS-Trust to secure applications should move to Azure Active Directory authentication, in practice the OAuth-based authentication types of the same SDK classes, which offer greater protection for applications making use of Common Data Service and let Azure AD enforce the MFA challenge itself.
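The following is an added example and is not code from the original article or from Microsoft. It shows, for the CrmServiceClient class named above, the deprecated 'Office365' connection string beside the two Azure AD OAuth replacements (a delegated user sign-in, and a service principal with a client secret for unattended integrations), plus a guard that refuses to start with the retired auth type. The organisation URL, account names, app registration ID, redirect URI and secret are placeholders; CrmServiceClient, IsReady, LastCrmError and WhoAmIRequest are real SDK members used to confirm the connection works.

```csharp
using System;
using Microsoft.Crm.Sdk.Messages;          // WhoAmIRequest / WhoAmIResponse
using Microsoft.Xrm.Tooling.Connector;     // CrmServiceClient

class WsTrustMigration
{
    // DEPRECATED: AuthType=Office365 drives the WS-Trust username/password flow
    // discussed in the article. All values are placeholders; do not copy.
    const string LegacyOffice365 =
        "AuthType=Office365;" +
        "Username=svc-integration@contoso.example;" +
        "Password=<placeholder>;" +
        "Url=https://contoso.crm.dynamics.com";

    // REPLACEMENT for interactive users: Azure AD OAuth. Requires an Azure AD
    // app registration (AppId/RedirectUri are placeholders). LoginPrompt=Auto
    // lets Azure AD run the MFA challenge rather than sidestepping it.
    const string OAuthDelegated =
        "AuthType=OAuth;" +
        "Username=jane.doe@contoso.example;" +
        "Url=https://contoso.crm.dynamics.com;" +
        "AppId=<app-registration-id>;" +
        "RedirectUri=app://<app-registration-id>;" +
        "LoginPrompt=Auto";

    // REPLACEMENT for unattended integrations: a service principal with a
    // client secret (a certificate is also possible), so no user password
    // is stored or transmitted at all.
    const string OAuthClientSecret =
        "AuthType=ClientSecret;" +
        "Url=https://contoso.crm.dynamics.com;" +
        "ClientId=<app-registration-id>;" +
        "ClientSecret=<placeholder>";

    // Fail fast if a connection string still carries the retired auth type,
    // so a stale config file cannot silently keep using WS-Trust.
    static void RejectLegacyAuthType(string connectionString)
    {
        if (connectionString.IndexOf("AuthType=Office365", StringComparison.OrdinalIgnoreCase) >= 0)
        {
            throw new InvalidOperationException(
                "AuthType=Office365 (WS-Trust) is deprecated; migrate to OAuth or ClientSecret.");
        }
    }

    static void Main()
    {
        // Prefer the credential-free path for a headless integration.
        string connectionString = OAuthClientSecret;
        RejectLegacyAuthType(connectionString);

        using (var client = new CrmServiceClient(connectionString))
        {
            if (!client.IsReady)
            {
                // LastCrmError carries the SDK's explanation of the failure.
                Console.Error.WriteLine("Connection failed: " + client.LastCrmError);
                return;
            }

            // WhoAmI is the cheapest round trip that proves the token was accepted.
            var who = (WhoAmIResponse)client.Execute(new WhoAmIRequest());
            Console.WriteLine("Connected as user " + who.UserId + " in organisation " + who.OrganizationId);
        }
    }
}
```

Calling RejectLegacyAuthType with LegacyOffice365 throws, which is the point: once the April 2022 retirement lands, the Office365 type will stop working anyway, so surfacing it at start-up during the migration is preferable to discovering it in production.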
Microsoft has published detailed guidance on securing applications that still rely on WS-Trust authentication.