5.1 Security Considerations for Implementers

When processing a request with the amr_values parameter set to a value of "ngcmfa", certificate or other asymmetric-key-based authentication alone does not satisfy multiple factors if the key that is used is present in the msDS-KeyCredentialLink attribute on the user object in Active Directory. This holds even if the key is protected by a smart card or requires a PIN to unlock.

Clients use the amr_values parameter when requesting an access token to register keys via the request described in [MS-KPP] section 3.1.5.1. It is expected that:

  • The client only registers keys that are protected from roaming to other machines, such as by storing the private-key portion in a hardware trusted platform module (TPM).

  • Multiple factor authentication has been performed in order to register a key.

Keys registered this way can then be exchanged by the client for user certificates using the request described in [MS-OAPXBC] section 3.1.5.1.4. The returned certificates can be marked as smart card certificates or have a PIN associated with them.

If the server allows certificates returned by the flow described in [MS-OAPXBC] section 3.1.5.1.4 to count as multiple factor authentication, then a malicious application running in the user's context could potentially use a previously received certificate with a hardware-bound private key to get a new access token and register a new key. The new key can then be roamed to an attacker's machine, where the attacker can exchange it for further certificates or use it directly to impersonate the user.
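As an added illustration, not code from [MS-OAPX], [MS-KPP] or any Microsoft implementation, the following Python models the server-side check the rules above call for: when "ngcmfa" is requested, a certificate whose key is already present in msDS-KeyCredentialLink contributes no factor, so the registration flow cannot be bootstrapped from a previously issued certificate. It assumes a simplified evidence model, a knowledge/possession factor categorization, and SHA-256 thumbprints standing in for the real KEYCREDENTIALLINK_BLOB values; all names are hypothetical.

```python
from dataclasses import dataclass, field
import hashlib

# Factor kind per authentication method. Two factors of the same kind (e.g. two
# passwords) are not multi-factor. The categorization is this example's assumption.
FACTOR_KIND = {"pwd": "knowledge", "otp": "possession", "cert": "possession"}

@dataclass
class AuthEvidence:
    method: str                     # "pwd", "otp" or "cert"
    public_key: bytes = b""         # DER public key when method == "cert"
    behind_smartcard_or_pin: bool = False  # does not change the ngcmfa rule

@dataclass
class User:
    upn: str
    # SHA-256 thumbprints of public keys stored in msDS-KeyCredentialLink.
    # Simplification: the real attribute holds KEYCREDENTIALLINK_BLOB values.
    registered_key_thumbprints: set = field(default_factory=set)

def key_thumbprint(public_key: bytes) -> str:
    return hashlib.sha256(public_key).hexdigest()

def factor_kind(ev: AuthEvidence, user: User, ngcmfa_requested: bool):
    """Kind of factor this evidence contributes, or None if it must be ignored."""
    if (ev.method == "cert" and ngcmfa_requested
            and key_thumbprint(ev.public_key) in user.registered_key_thumbprints):
        # Section 5.1 rule: a key present in msDS-KeyCredentialLink cannot help
        # satisfy "ngcmfa", even behind a smart card or PIN. Otherwise a
        # certificate obtained via [MS-OAPXBC] 3.1.5.1.4 could bootstrap a new,
        # roamable key registration without any fresh second factor.
        return None
    return FACTOR_KIND.get(ev.method)

def mfa_satisfied(amr_values, evidences, user: User) -> bool:
    """True if the evidence counts as multiple factors for this request.
    amr_values: requested amr values, e.g. {"ngcmfa"}; when "ngcmfa" is absent,
    ordinary factor counting applies (an assumption of this example)."""
    ngcmfa_requested = "ngcmfa" in set(amr_values)
    kinds = set()
    for ev in evidences:
        kind = factor_kind(ev, user, ngcmfa_requested)
        if kind is not None:
            kinds.add(kind)
    return len(kinds) >= 2
```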