Wrong information about MFA and security on Azure Fundamentals course

Pasi Alho 0 Reputation points
2023-01-12T08:29:23.1533333+00:00

On Azure Fundamentals training module:
https://video2.skills-academy.com/en-us/training/modules/describe-azure-identity-access-security/3-authentication-methods
It states about MFA:
"With multifactor authentication enabled, an attacker who has a user's password would also need to have possession of their phone or their fingerprint to fully authenticate."
This is not totally true.
Attackers can build websites that work as a proxy and can disguise themselves as legitimate MFA authentication pages. When a user is authenticating (having received a phishing mail that directed them to this page), these websites can fool the user into entering their MFA code on the page, stealing it and proxying it to the real Microsoft login. This way, the attacker does not need to have possession of the phone or fingerprint to fully authenticate.

Can you fix or rephrase this information on the module?


1 answer

  1. kobulloc-MSFT 25,961 Reputation points Microsoft Employee
    2023-01-12T20:58:39.0033333+00:00

    Hello!

    Where am I seeing this?

    Multifactor authentication is not completely immune to attack

    This is certainly true. Security is a scale on which you can achieve high degrees of security but it's very difficult to say that anything is completely immune to an attack. We've definitely seen some impressive examples of this in headlines over the past several years.

    An adversary-in-the-middle (also known as MITM) attack could effectively capture the form (or factor) of identification that is provided by something that the user has. Fortunately, this is time sensitive and orders of magnitude more difficult than methods used to bypass something that the user knows, which makes this type of attack less common than those made on password checks.

    We'll pass this suggestion along to the content team however there was recently a major effort to make the Azure Fundamentals content less technical in order to focus on concepts. As a result, a change may complicate the training material too much for an introductory course at this time.

    Thank you very much for your feedback!

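The point made in the question and the answer above, as an added local simulation (not code from the original thread or from Microsoft): a one-time code typed on a proxied page verifies at the real service as long as it arrives within its time window, whereas a credential bound to the page's origin (the WebAuthn/FIDO2 model, which goes beyond what the thread discusses) fails verification when relayed. The secret, the two origins and the challenge are constructed for the simulation; the HMAC stands in for the authenticator's signature over the origin.

```python
"""Added example: why a relayed OTP authenticates but a relayed origin-bound
assertion does not. All secrets, origins and challenges are constructed."""
import hashlib
import hmac
import struct

SECRET = b"constructed-shared-secret"        # constructed: user's enrolled seed/key
REAL_ORIGIN = "https://login.example.com"     # constructed stand-in for the real IdP
PROXY_ORIGIN = "https://login-example.com"    # constructed look-alike proxy page


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def idp_verify_totp(code: str, now: int) -> bool:
    """The real service checks only the code value; it cannot tell where it was typed."""
    return hmac.compare_digest(code, totp(SECRET, now))


def relayed_totp_login(now: int, relay_delay: int = 2) -> bool:
    """User enters the code on the proxy page; proxy forwards it a few seconds later."""
    code_typed_on_proxy = totp(SECRET, now)
    return idp_verify_totp(code_typed_on_proxy, now + relay_delay)


def sign_assertion(challenge: bytes, origin: str) -> bytes:
    """Simplified WebAuthn model: the signed data includes the origin the browser
    observed (in real WebAuthn this is the origin field of clientDataJSON)."""
    return hmac.new(SECRET, challenge + origin.encode(), hashlib.sha256).digest()


def idp_verify_assertion(challenge: bytes, signature: bytes) -> bool:
    """Verifier recomputes over its own origin, so a signature over any other fails."""
    return hmac.compare_digest(signature, sign_assertion(challenge, REAL_ORIGIN))


def relayed_webauthn_login() -> bool:
    """Proxy relays the real challenge unchanged, but the browser binds the
    assertion to the page the user is actually on: the proxy's origin."""
    challenge = b"constructed-challenge"
    return idp_verify_assertion(challenge, sign_assertion(challenge, PROXY_ORIGIN))
```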