Identity 101: 2 Factor Authentication and App Passwords

2FA A Must!!!

2 Factor Authentication (2FA) / 2 Step Verification is a big push these days and works as an additional layer of security in this ever-increasing world of social engineering and cyber threats. Not just at your work but for your personal accounts as well.

This should be turned on for every app you use if you care about your security. Many big providers offer this option: Facebook, Gmail, Twitter, Dropbox, Apple, Microsoft, crypto sites etc… The list goes on and grows day by day!!!

The most common second factors are SMS, phone call and app verification (there are other types but these are the most common). They matter because they are a separate, disjoint channel: if, say, your email (in the cloud) is compromised, these methods are out of band and not affected by that compromise!!!

For app verification I say you MUST have an app which has backup and restore functionality. I have over 20 apps on 2FA, and imagine if I lost my device / formatted it: I would have to go to each of the 20+ sites, disable 2FA and then re-register for 2FA. PITA (I don’t think I will even remember all the sites until I hit them some random day and it asks for a 2FA code!!! Lol!!!)

Therefore, I really recommend a few:

  • LastPass Authenticator: Backup and restore functionality, and if you already use LastPass as a password manager, you already have an account.
  • Microsoft Authenticator: Just been updated with backup and restore functionality on iOS a day ago.
  • 1Password Authenticator: If you are already invested in this wonderful password app, don’t look any further!!!
  • Authy: Strong leader in this field.

I therefore simply can’t recommend Google Authenticator as it doesn’t have a simple backup and restore facility (and looks so dated). Any app supporting RFC 6238 TOTP (Time-Based One-Time Password), and any site supporting that, is good 🙂

Companies enabling 2FA and allowing a QR code scan MUST let you use whichever app you wish, so that you can keep a central repository with your own backup and restore (and ease of use). If you are forced to use a proprietary app for each login (say Google says you must use the Google app, LastPass says you must use the LastPass Authenticator app, Microsoft says you must use their app)… you can imagine the number of apps you will end up with on your phone and having to manage them.

The positive of individual apps is that, since they are customized for the site, they can do push notifications, which allows easy login (via an allow/deny or yes/no button popup). But I would still prefer a single-app experience.

Sometimes it’s a decision made to give the company “branding”, but I totally disagree with this, as 2FA should be seamless for a user, and if I can have everything controlled by one app then why not? It is a bad business decision (user-unfriendly) to force their own auth app over the more popular ones.

But that is normally not the case with most of the big companies, and the majority didn’t even bother to write their own app (and thus have to maintain the app and its code).

Apps are broken after 2FA???

Once you have 2FA ON (say on Google – I am heavily invested in their online ecosystem: mail, calendar, contacts etc.), you will suddenly realise that many apps are asking for your password again. Say, for example, I turned on 2FA on my Gmail and I was using the same account to log in and send pics to myself (IMAP protocol) from my security cameras when triggered by my security software. It stopped working. Or my contacts or calendar syncing via the CardDAV or CalDAV protocols on my iPhone suddenly start asking for the password.

This is because these apps can’t handle 2FA, as they were not built for it. Google gives you an easy method to get around this by generating App Passwords for them. It lets you generate a one-time random 16-digit passcode which you enter on these apps. You DON’T have to remember them or write them down: if you have to re-enter it on a device, just generate a new code. You can go here to do so.

Screenshot showing an example of what you can do.

Other providers like Microsoft, Yahoo (really? someone still using it?) etc. have a similar method.

TL;DR: 2FA – turn it ON (not just for your business but for your personal use as well), use an app with a secure backup and restore feature for sanity, and if some apps suddenly break then look for the App Password setting from the provider.


Google API Bug: Google Groups Settings returning wrong value – You need to invite!!!

So.. This is weird..

Apparently, if you try to set “whocaninvite” in Groups Settings via the API to “NONE_CAN_INVITE”, the API returns the value as “ALL_MANAGERS_CAN_INVITE”.

If you set other values, say “ALL_MANAGERS_CAN_INVITE” or “ALL_MEMBERS_CAN_INVITE”, it works fine and confirms by returning the same value back.

This is the same if you do it via the GAM tool or via their web portal to change the group settings.


Above, if you select “Managers of the group” and save, and then go back to the group, you will see the tick is gone.

Apparently it is not affecting everyone.. Well, it was, and then they said they fixed it, and I said.. Nope.. So they had to open a new bug 72470856 for this one.

C’mon google.. you guys are the coders right? the developers?


Powershell Tip: FIM/MIM Explicit Disconnectors be gone… quickly!!!

Happy New Year!!! Hope everyone had a great 2017 and, hopefully, an even better 2018.

If you know disconnectors then you definitely know how irritating the FIM/MIM GUI can be when converting a disconnector from explicit to normal, or vice versa, when you have potentially 10s or 100s of them… The Joiner tab isn’t really friendly for selecting multiple disconnectors and “batch” converting them.

Thanks to Lithnet MIIS PowerShell you can do the conversion of 100s of them in one line and in a couple of seconds.

If you have an MA with 100s of explicit disconnectors, just run the following command (replacing <MA NAME> with the ….. MA name).

Done… Simples… You can of course do the opposite as well if you wish, i.e. normal disconnectors -> explicit disconnectors.


MIM AD Sync Error: Unable to update the password – Another POV

So we sync AD users cross-domain (not a single forest), say from “DC=contoso,DC=com” to “DC=fabrikam,DC=com”. Without getting too much into it, we do some matching and a rules extension to convert a few values to match the destination domain.

We have recently been seeing the following error when the sync engine is trying to enable a disabled user in the fabrikam domain.


Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.

This is despite the password policy being the same between the two domains.

After a tip: for some reason, after the user was synced the password was not set. And when the engine was trying to enable the user, it didn’t have a password and so failed the domain policy.

Fix: I got the list of users failing from MIM and set their passwords manually in the destination domain by using the following script.


After this, the sync engine fixed the user up automatically.


Generic LDAP MA Error on Upgrade to AADConnect v1.1.649.0

Hey Guys

Another day – another bug #bugmaster (although a very small one)

If you use Azure AD Connect, are manually upgrading to v1.1.649.0 and have a Generic LDAP MA in your configuration, then after the upgrade you will get a “no-start-ma” error on Delta / Full Import, or an “extension-dll-exception” on an export or when syncs start automatically after the upgrade.

Fix: Easy one – open the MA and click through each config page to refresh the MA manually.

Microsoft has acknowledged the bug and will fix it in the next release.

I am surprised, as there aren’t that many MA extensions in AADConnect, so how was this missed in their internal testing..
