6.2.3.2. Limitations and security risks

If MSAD is used as the sole persistency layer (=no IAM database), only a limited set of features is supported in a secure manner. This is due to the fact that MSAD stores only a single „failed attempts counter“, namely „badPwdCount“ for failed password checks.

Most use-cases involving additional authentication factors require additional "failure counters" in order to be robust against brute-forcing attacks.

Example:

  • Authentication scheme: Username/Password check against MSAD followed by OTP check (no IAM database)
  • Risk: An adversary knowing username and password may be able to brute force the OTP because no 2nd factor counter exists and therefore the account is not locked after a few trials.

A non-exhaustive list of known limitations is given below:

The limitations only apply if MSAD is used as the sole persistence layer.

Use-Case
Risk
Recommended Solution
2-factor authentication
Risk of brute-forcing the 2nd factor if username and password is known.
  • Check password against MSAD
  • Combine with IAM database providing the necessary counters
  • Use the User Importer Task to synchronize MSAD users into the IAM database
Temporary Locking
Limited support (only based on bad password counter)
Not supported in Loginapp REST API
Password Reset Self-Service with OTP
Risk of OTP being brute-forced because of lack of failure counter.