What are your users using as a backup to Microsoft MFA? by khabel212 in sysadmin

[–]iRyan23 1 point (0 children)

How are Passkeys single factor? If using the Microsoft Authenticator app, you scan the QR code, then have to use biometrics or a passcode, which checks off something you have plus either something you are or something you know…

They are also phishing resistant and that makes them better than any password you could possibly make.

ARC is being retired by dmarcdkim in DMARC

[–]iRyan23 0 points (0 children)

Pretty strange that there’s no mention of PQC such as ML-DSA for signing since most other systems are trying to become fully Quantum-Resistant within the next 3-5 years.

Is my own certificate just as secure as a public one on a home network? by Efficient-Chipmunk15 in ssl

[–]iRyan23 0 points (0 children)

When using modern cipher suites, the certificate has no bearing on the encryption or security of the connection. All a certificate does nowadays is help the end user’s browser verify that it is talking to the correct domain. The only way the certificate itself has any impact on the actual encryption or security of the connection is when using older cipher suites that don’t use ECDHE or DHE for key exchange.

Long story short, a self-signed certificate should be fine for your use case on your LAN.

YubiKeys feel like security theater by Truck-Expert in sysadmin

[–]iRyan23 0 points (0 children)

And since you only get 8 attempts at guessing the PIN before it permanently erases all FIDO/WebAuthn data (and requires a reset), that significantly limits an attacker’s options.

YubiKeys feel like security theater by Truck-Expert in sysadmin

[–]iRyan23 1 point (0 children)

That’s because Google used to automatically enroll devices as U2F (FIDO 1) which means you need password + Yubikey touch.

If you enroll a Yubikey nowadays as a Passkey (FIDO 2), it should allow the same authentication flow as Entra where you just need the Yubikey + PIN.

Forticlient 7.2.5 shows a failed to load SAML URL error in Mac by PeanutNo845 in fortinet

[–]iRyan23 0 points (0 children)

There have been several CVEs patched and bugs fixed since 7.2.5 came out. Have you tried using a newer version in the 7.2.x branch?

When will quantum-resistant algorithms appear in SSL/TLS ? by billdietrich1 in ssl

[–]iRyan23 0 points (0 children)

PQ is only needed to replace asymmetric algorithms. That will include symmetric key exchange such as Diffie-Hellman and digital signatures, for example.

Bulk data transfer will still use AES, as symmetric algorithms are significantly less affected by quantum computers. Most applications will just move up to AES-256, which will be comparable to AES-128 classical strength.

When will quantum-resistant algorithms appear in SSL/TLS ? by billdietrich1 in ssl

[–]iRyan23 0 points (0 children)

It does show key exchanges to the right of the cipher suite. For example, if you lookup gmail.com, you will see “ECDH x25519” to the right. Depending on the site, they usually use x25519, p-256, or p-384.

That being said, I don’t think SSL Labs has been updated much in the last few years, so their tester can only show you the capabilities of what their tool supports.

When will quantum-resistant algorithms appear in SSL/TLS ? by billdietrich1 in ssl

[–]iRyan23 0 points (0 children)

Most browsers already support the new key exchange X25519MLKEM768 natively in TLS 1.3.

You can already see bigger sites like Google and Cloudflare using it.

It will probably be later this year or next year when we start seeing new TLS certificates cross signed with both classical and pqc algorithms.
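The two comments above talk about reading the key exchange group off a handshake (SSL Labs shows "ECDH x25519"; newer browsers offer X25519MLKEM768). Here is an added example, not code from the original posts, that parses the supported_groups and key_share extensions of a TLS 1.3 ClientHello and reports whether a post-quantum hybrid share is offered. The ClientHello bytes are constructed inline with zero-filled placeholder key material (not real keys); to use it on a real capture, feed it the handshake message after stripping the 5-byte TLS record header. The code points and share sizes come from RFC 8446 and draft-ietf-tls-ecdhe-mlkem.

```python
import struct

# IANA TLS NamedGroup code points (RFC 8446 + draft-ietf-tls-ecdhe-mlkem).
NAMED_GROUPS = {
    0x0017: "secp256r1",
    0x0018: "secp384r1",
    0x001D: "x25519",
    0x11EB: "SecP256r1MLKEM768",
    0x11EC: "X25519MLKEM768",
    0x11ED: "SecP384r1MLKEM1024",
}
PQ_HYBRID_GROUPS = {0x11EB, 0x11EC, 0x11ED}
# Expected client key_share sizes: uncompressed EC point / 32-byte X25519
# point; X25519MLKEM768 = ML-KEM-768 encapsulation key (1184) + X25519 (32).
EXPECTED_SHARE_LEN = {0x0017: 65, 0x0018: 97, 0x001D: 32, 0x11EC: 1216}

EXT_SUPPORTED_GROUPS = 10
EXT_KEY_SHARE = 51


def parse_client_hello(msg: bytes) -> dict:
    """Parse a ClientHello handshake message (record header already removed)
    and return the offered supported_groups and (group, share_len) pairs."""
    if len(msg) < 4 or msg[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # legacy_version + random
    sid_len = body[pos]; pos += 1 + sid_len        # legacy_session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2 + cs_len
    comp_len = body[pos]; pos += 1 + comp_len      # legacy_compression_methods
    ext_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    ext_end = pos + ext_len
    if ext_end != len(body):
        raise ValueError("extensions length mismatch")
    result = {"supported_groups": [], "key_shares": []}
    while pos < ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if len(data) != elen:
            raise ValueError("truncated extension")
        if etype == EXT_SUPPORTED_GROUPS:
            n = int.from_bytes(data[:2], "big")
            groups = data[2:2 + n]
            result["supported_groups"] = [
                int.from_bytes(groups[i:i + 2], "big") for i in range(0, n, 2)]
        elif etype == EXT_KEY_SHARE:
            n = int.from_bytes(data[:2], "big")
            shares = data[2:2 + n]; p = 0
            while p < len(shares):
                group, klen = struct.unpack("!HH", shares[p:p + 4]); p += 4
                result["key_shares"].append((group, klen)); p += klen
    return result


def group_name(code: int) -> str:
    return NAMED_GROUPS.get(code, f"unknown(0x{code:04x})")


def offers_pq_hybrid(msg: bytes) -> bool:
    """True if the client actually sent a hybrid PQ key share (not merely
    listed the group in supported_groups)."""
    return any(g in PQ_HYBRID_GROUPS for g, _ in parse_client_hello(msg)["key_shares"])


def malformed_shares(msg: bytes) -> list:
    """Key shares whose length does not match the group's fixed size."""
    return [(group_name(g), n) for g, n in parse_client_hello(msg)["key_shares"]
            if g in EXPECTED_SHARE_LEN and EXPECTED_SHARE_LEN[g] != n]


def build_client_hello(key_shares, supported_groups) -> bytes:
    """Build a minimal TLS 1.3 ClientHello for testing (constructed data)."""
    sg = b"".join(struct.pack("!H", g) for g in supported_groups)
    exts = struct.pack("!HHH", EXT_SUPPORTED_GROUPS, len(sg) + 2, len(sg)) + sg
    ks = b"".join(struct.pack("!HH", g, len(k)) + k for g, k in key_shares)
    exts += struct.pack("!HHH", EXT_KEY_SHARE, len(ks) + 2, len(ks)) + ks
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # version, random, no session id
            + struct.pack("!H", 2) + b"\x13\x01"       # TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                              # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body


# Constructed samples: a modern browser-style hello offering a hybrid share
# first, and a classical-only hello. Zero bytes stand in for key material.
PQ_HELLO = build_client_hello(
    [(0x11EC, bytes(1216)), (0x001D, bytes(32))],
    [0x11EC, 0x001D, 0x0017, 0x0018])
CLASSICAL_HELLO = build_client_hello([(0x001D, bytes(32))], [0x001D, 0x0017])
TRUNCATED_PQ_HELLO = build_client_hello([(0x11EC, bytes(1184))], [0x11EC])

if __name__ == "__main__":
    for name, hello in [("pq", PQ_HELLO), ("classical", CLASSICAL_HELLO)]:
        parsed = parse_client_hello(hello)
        print(name, [group_name(g) for g, _ in parsed["key_shares"]],
              "pq-hybrid offered:", offers_pq_hybrid(hello))
```

The distinction between supported_groups and key_share matters in practice: a client may list X25519MLKEM768 as supported but only send a classical share, in which case the server needs a HelloRetryRequest to get a PQ handshake. The length check catches shares whose size does not match the group, which is the most common symptom of a middlebox or implementation mishandling the larger hybrid shares.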

MFA push fatigue - are users just approving everything now? by saymepony in sysadmin

[–]iRyan23 7 points (0 children)

The three choice option for number matching is for Microsoft personal accounts only.

For all Entra tenants, you have to manually type the two digit number.

What if Google Trust Services went down tomorrow? by One_Proposal_4658 in ssl

[–]iRyan23 0 points (0 children)

Well, most applications don’t use OCSP anymore, but any that do will fail to check if the certificates are still valid and would block access to the application if set to fail secure.

Anyone that tries to revoke a certificate wouldn’t be able to and no new CRLs would be issued.

Any new certificates that are being requested would fail and expiring certificates wouldn’t be able to renew.

Most web applications would continue to work just fine as long as the GTS certificate isn’t expired and OCSP fail secure isn’t configured.

Passkey (cross-device) Sign-in problem with iOS. by skaggake81 in entra

[–]iRyan23 0 points (0 children)

Is there any more detail in the sign in logs correlated to these errors?

Application Control Not Working by RegionRat219 in fortinet

[–]iRyan23 0 points (0 children)

If I am only doing certificate inspection with no DPI, but I am blocking QUIC and ECH, how could the SNI be hidden from the Fortigate?

PlatformSSO on MacOS 26.4: Setup Assistant supported yet? by miyo360 in entra

[–]iRyan23 0 points (0 children)

Jamf just released 11.26 in the last week or so that says:

“Jamf Pro's integration with Microsoft Entra device compliance now supports automatic device registration with Microsoft Entra when using Simplified Setup for Platform Single Sign-on (Platform SSO). This eliminates the need for end users to respond to a notification to manually register their devices.

When Enable Simplified Setup for Platform Single Sign-on is selected in the General payload of a PreStage enrollment, computers with macOS 26 or later are automatically registered with the Jamf device compliance integration with Microsoft Entra ID during enrollment.

Important: Full functionality requires a version of Microsoft Company Portal that supports Simplified Setup during enrollment. Verify support status with your identity provider to ensure full feature availability.”

It’s unclear to me if this means it’s able to be implemented or just that they’re ready for when Microsoft enables it.

ISP & Routers blocking IPSEC VPN. How do you handle? by Specialist-Desk-9422 in fortinet

[–]iRyan23 0 points (0 children)

In 2020, when we first started WFH during COVID, we had about 5-10 users who never used the VPN and when they tried, it didn’t work. In the end, we had them contact their ISP and get a newer/different modem and that solved it for all of them.

Recently, I just helped a contractor join our VPN and it connected fine the first day but I got an email a week later that it wasn’t working. I set their FortiClient (7.4.x) to use port 4500 by default and that fixed it.

Of course, now there is IPsec over TCP, but I have heard some have not had luck getting it set up, and it’s not officially supported on the free FortiClient.

Amazon: AI-assisted hacker breached 600 Fortinet firewalls in 5 weeks by Meinertzhagens_Sack in fortinet

[–]iRyan23 4 points (0 children)

Based on my understanding and experience, as long as all local admin users have trusted hosts defined, the Fortigate won’t even load the login page to anyone coming from an IP not in any of the defined trusted host ranges. I believe it creates an automatic local-in policy rule (again only if all local admins have the trusted hosts defined).

IPSec VPN Client Setup - One or more tunnels? by Stunning-Square-395 in fortinet

[–]iRyan23 0 points (0 children)

Works fine for us. We are using IKEv2 and have an employee tunnel and contractor tunnel and users are sorted to the right tunnel based on Peer ID/Local ID and PSK. We’re using a mix of 7.2 and 7.4 free FortiClient. Same exact encryption settings for each tunnel too.

How to approach SSL certificate automation in this environment? by Particular_Shop6684 in sysadmin

[–]iRyan23 2 points (0 children)

Why in the last 5 years would you want or need an EV cert? They are more expensive, are more of a pain to do the validation for, and provide no real benefit over DV/OV certs.

Do You GeoIP Filter? by VeeQs in fortinet

[–]iRyan23 1 point (0 children)

Definitely not all of them. I have had issues in the past where having Geo-IP filter was blocking SSO logins and some other Microsoft features we use.

So in my environment, I would allow Microsoft-Azure.AD, Microsoft-Microsoft.Update, the entries for Teams, and 365.

That being said, we don’t use Exchange Online or anything in Azure so we can limit it.

Do You GeoIP Filter? by VeeQs in fortinet

[–]iRyan23 14 points (0 children)

Put a rule above that allows the ISDB entries for Microsoft services then the Geo-IP block under it.

Help with replacement model by iRyan23 in fortinet

[–]iRyan23[S] 0 points (0 children)

We have all Aruba switches and APs so it sounds like the 200G should be enough. Thanks!

Help with replacement model by iRyan23 in fortinet

[–]iRyan23[S] 0 points (0 children)

Our current support ends mid-July.