Hi there,
thanks for your time. A random password during user creation is acceptable.
Please note that we supply the user's phone number when creating the profile in AAD. So when it exists, it can be used and the mobile number masked, so that the user gets the OTP directly when they register for MFA.
Actually, Microsoft is killing a good feature when introducing a new one. This is the case with per-user MFA: we had the flexibility to Enforce / Enable MFA on the O365 MFA page, and could set the authentication method as Phone or Email in AAD.
This was fully tamper-proof when the user logged in; they just needed to enter their verification code when they logged in for the first time, and the phone number on the screen was also masked. Why is such a beautiful feature being killed in the name of a feature enhancement?
The Conditional Access policy, though it gives an additional security measure to restrict login, seems to have a loophole at the first login itself, since the phone number is shown as plain text and is editable.
I understand Microsoft Authenticator may be a good choice, but it still differs from organization to organization. We have to follow what works for our users. Being in the banking and financial sector, we are not allowed to use smartphones where the user could use the Authenticator app to log in. So the next choice must be their mobile device, for verification with text messages.
So this MFA feature must be enhanced. As a global admin, we see a lot of attacks happening against our tenant's emails, and the only way of keeping users safeguarded is MFA.
But MFA registration itself, when used with Conditional Access, has the disadvantage I mentioned. We have to move to P2 licenses since we need automation of user creation, where the only way of enforcing MFA is through Conditional Access.
But it is still not right to show the phone number as plain text during MFA registration when the phone number already exists in AAD. When the phone number is not present, this can give the convenience of entering it manually.
This is not only a showstopper for the automation but also a security-degraded feature, in my opinion.
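As an added example (not part of the post above, and not Microsoft's or the poster's own script), the following Microsoft Graph PowerShell snippet shows the automation the post describes: create the user with a cryptographically random initial password, store the mobile number on the AAD profile, and pre-register that same number as the user's SMS/voice authentication method so that a Conditional Access policy requiring MFA can be satisfied on first sign-in without the combined registration wizard asking the user to type or edit a phone number. It assumes the Microsoft.Graph.Users and Microsoft.Graph.Identity.SignIns modules are installed and that the admin can consent to the User.ReadWrite.All and UserAuthenticationMethod.ReadWrite.All scopes; the domain, display name and phone number are placeholders.

```powershell
# Added example; not from the original post. Assumes Microsoft Graph PowerShell SDK modules
# Microsoft.Graph.Users and Microsoft.Graph.Identity.SignIns, and an admin who can consent to
# the scopes below. Tenant domain, user details and phone number are placeholders.
Connect-MgGraph -Scopes "User.ReadWrite.All", "UserAuthenticationMethod.ReadWrite.All"

function New-RandomPassword {
    param([int]$Length = 24)
    # 64-character alphabet (ambiguous glyphs removed), so byte % 64 has no modulo bias.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*-'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

$upn    = "jane.doe@contoso.example"   # placeholder
$mobile = "+1 4255550100"               # placeholder; Graph expects "+<country code> <number>"

# Create the account. The random password is never shown to the user; ForceChangePasswordNextSignIn
# makes the first sign-in set a new one, and the CA policy will require MFA at that sign-in.
$user = New-MgUser -DisplayName "Jane Doe" -UserPrincipalName $upn -MailNickname "jane.doe" `
    -AccountEnabled -MobilePhone $mobile `
    -PasswordProfile @{ Password = (New-RandomPassword); ForceChangePasswordNextSignIn = $true }

# Pre-register the same number as the SMS/voice authentication method. With a method already
# registered, the MFA challenge goes to this number instead of opening the registration wizard,
# so the user never sees an editable plain-text phone field during first sign-in.
New-MgUserAuthenticationPhoneMethod -UserId $user.Id -PhoneNumber $mobile -PhoneType "mobile"

# Verify what is registered before handing the account over.
Get-MgUserAuthenticationPhoneMethod -UserId $user.Id |
    Select-Object PhoneNumber, PhoneType, SmsSignInState
```

The phone method is written with admin privileges, so the number the user is challenged on comes from the onboarding record rather than from whatever is typed at first sign-in. SMS remains weaker than app-based or FIDO2 methods against phishing and SIM-swap attacks, so where the smartphone restriction does not apply, pre-registering a stronger method the same way is preferable.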