Are security codes allowed in the Advanced Protection Program? #459

Open
2 tasks
adhilto opened this issue Oct 3, 2024 · 0 comments
Labels
Baseline Revision, question (This issue is a request for information or needs discussion)

adhilto (Collaborator) commented Oct 3, 2024

💡 Summary

A security-relevant setting under the Advanced Protection Program settings is not addressed in the baselines (GWS.COMMONCONTROLS.9) that may allow enrolled users to bypass phishing-resistant MFA requirements.

Motivation and context

If you enable security codes under Advanced Protection Program, but disable security
codes under the main 2-step verification page, which setting takes precedence? Either
way we might want a policy disallowing security codes under the Advanced Protection
Program for consistency.

Implementation notes

image

Acceptance criteria

  • Determine what guidance we want to give here
  • Update the baseline if needed

adhilto added the question and Baseline Revision labels Oct 3, 2024