implementing-passwordless-auth-with-microsoft-entra

使用 Microsoft Entra ID 实施无密码认证,支持 FIDO2 安全密钥、 Windows Hello for Business、Microsoft Authenticator 通行密钥和基于证书的 认证,以消除基于密码的攻击。 适用于无密码部署、FIDO2 通行密钥配置、 抗钓鱼 MFA 或 Microsoft Entra 认证方法策略相关请求。

9 stars

Best use case

implementing-passwordless-auth-with-microsoft-entra is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

使用 Microsoft Entra ID 实施无密码认证,支持 FIDO2 安全密钥、 Windows Hello for Business、Microsoft Authenticator 通行密钥和基于证书的 认证,以消除基于密码的攻击。 适用于无密码部署、FIDO2 通行密钥配置、 抗钓鱼 MFA 或 Microsoft Entra 认证方法策略相关请求。

Teams using implementing-passwordless-auth-with-microsoft-entra should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/implementing-passwordless-auth-with-microsoft-entra/SKILL.md --create-dirs "https://raw.githubusercontent.com/killvxk/cybersecurity-skills-zh/main/skills/implementing-passwordless-auth-with-microsoft-entra/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/implementing-passwordless-auth-with-microsoft-entra/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How implementing-passwordless-auth-with-microsoft-entra Compares

Feature / Agentimplementing-passwordless-auth-with-microsoft-entraStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

使用 Microsoft Entra ID 实施无密码认证,支持 FIDO2 安全密钥、 Windows Hello for Business、Microsoft Authenticator 通行密钥和基于证书的 认证,以消除基于密码的攻击。 适用于无密码部署、FIDO2 通行密钥配置、 抗钓鱼 MFA 或 Microsoft Entra 认证方法策略相关请求。

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# 使用 Microsoft Entra 实施无密码认证

## 适用场景

- 组织希望消除基于密码的攻击(钓鱼、凭据填充、暴力破解)
- 监管或内部规定要求抗钓鱼 MFA(行政令 14028、CISA 指导方针)
- 在企业中部署 FIDO2 安全密钥或 Windows Hello for Business
- 从旧版 MFA(短信、电话)迁移到抗钓鱼认证方法
- 为混合加入或云加入的 Windows 设备实施通行密钥支持
- 减少密码重置请求带来的帮助台成本

**不适用于**无法支持现代认证协议的环境;使用 NTLM 或基本认证的旧版应用程序必须先完成迁移。

## 前置条件

- Microsoft Entra ID P1 或 P2 许可证(Azure AD Premium)
- 用于 Windows Hello for Business 部署的 Windows 10/11 22H2+
- 符合 FIDO2 标准的安全密钥(YubiKey 5 系列、Feitian BioPass、Google Titan)
- 用于 iOS 16+/Android 14+ 上通行密钥支持的 Microsoft Authenticator 应用 6.8+
- 为 Windows 设备配置混合 Azure AD 加入或 Azure AD 加入
- 为认证强度配置条件访问策略

## 工作流程

### 步骤 1:配置认证方法策略

在 Microsoft Entra 中启用无密码认证方法:

```powershell
# 连接到 Microsoft Graph
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "User.ReadWrite.All"

# 启用 FIDO2 安全密钥认证方法
$fido2Policy = @{
    "@odata.type" = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state = "enabled"
    isAttestationEnforced = $true
    isSelfServiceRegistrationAllowed = $true
    keyRestrictions = @{
        isEnforced = $true
        enforcementType = "allow"
        aaGuids = @(
            "cb69481e-8ff7-4039-93ec-0a2729a154a8",  # YubiKey 5 系列
            "ee882879-721c-4913-9775-3dfcce97072a",  # YubiKey 5 NFC
            "fa2b99dc-9e39-4257-8f92-4a30d23c4118",  # YubiKey 5C NFC
            "2fc0579f-8113-47ea-b116-bb5a8db9202a",  # YubiKey Bio
            "73bb0cd4-e502-49b8-9c6f-b59445bf720b"   # Google Titan
        )
    }
    includeTargets = @(
        @{
            targetType = "group"
            id = "all_users"  # 或特定安全组 ID
        }
    )
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "fido2" `
    -BodyParameter $fido2Policy

# 启用支持通行密钥的 Microsoft Authenticator
$authenticatorPolicy = @{
    "@odata.type" = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
    state = "enabled"
    featureSettings = @{
        displayAppInformationRequiredState = @{
            state = "enabled"
            includeTarget = @{
                targetType = "group"
                id = "all_users"
            }
        }
        displayLocationInformationRequiredState = @{
            state = "enabled"
            includeTarget = @{
                targetType = "group"
                id = "all_users"
            }
        }
        companionAppAllowedState = @{
            state = "enabled"
        }
    }
    includeTargets = @(
        @{
            targetType = "group"
            id = "all_users"
            authenticationMode = "any"
        }
    )
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "microsoftAuthenticator" `
    -BodyParameter $authenticatorPolicy

# 启用 Windows Hello for Business
$whfbPolicy = @{
    "@odata.type" = "#microsoft.graph.windowsHelloForBusinessAuthenticationMethodConfiguration"
    state = "enabled"
    pinMinimumLength = 6
    pinMaximumLength = 127
    pinLowercaseCharactersUsage = "allowed"
    pinUppercaseCharactersUsage = "allowed"
    pinSpecialCharactersUsage = "allowed"
    securityKeyForSignIn = "enabled"
    includeTargets = @(
        @{
            targetType = "group"
            id = "all_users"
        }
    )
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "windowsHelloForBusiness" `
    -BodyParameter $whfbPolicy

Write-Host "无密码认证方法已成功启用"
```

### 步骤 2:配置认证强度条件访问

创建要求抗钓鱼认证的条件访问策略:

```powershell
# 为抗钓鱼 MFA 创建自定义认证强度
$authStrength = @{
    displayName = "抗钓鱼无密码"
    description = "要求 FIDO2、WHfB 或基于证书的认证"
    allowedCombinations = @(
        "fido2",
        "windowsHelloForBusiness",
        "x509CertificateMultiFactor"
    )
    requirementsSatisfied = "mfa"
}
$strengthPolicy = New-MgPolicyAuthenticationStrengthPolicy -BodyParameter $authStrength

# 创建要求抗钓鱼认证的条件访问策略
$caPolicy = @{
    displayName = "所有应用要求抗钓鱼认证"
    state = "enabledForReportingButNotEnforced"  # 从仅报告模式开始
    conditions = @{
        users = @{
            includeUsers = @("All")
            excludeGroups = @("Passwordless-Exclusion-Group")
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator = "OR"
        authenticationStrength = @{
            id = $strengthPolicy.Id
        }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy

# 为管理员门户创建更严格的策略
$adminPolicy = @{
    displayName = "管理员访问要求安全密钥"
    state = "enabled"
    conditions = @{
        users = @{
            includeRoles = @(
                "62e90394-69f5-4237-9190-012177145e10",  # 全局管理员
                "194ae4cb-b126-40b2-bd5b-6091b380977d",  # 安全管理员
                "f28a1f50-f6e7-4571-818b-6a12f2af6b6c",  # SharePoint 管理员
                "29232cdf-9323-42fd-ade2-1d097af3e4de"   # Exchange 管理员
            )
        }
        applications = @{
            includeApplications = @(
                "797f4846-ba00-4fd7-ba43-dac1f8f63013",  # Azure 门户
                "00000006-0000-0ff1-ce00-000000000000",  # Microsoft 365 管理
                "0000000a-0000-0000-c000-000000000000"   # Entra 管理中心
            )
        }
    }
    grantControls = @{
        operator = "OR"
        authenticationStrength = @{
            id = $strengthPolicy.Id
        }
    }
    sessionControls = @{
        signInFrequency = @{
            value = 4
            type = "hours"
            isEnabled = $true
        }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminPolicy
```

### 步骤 3:通过 Intune 部署 Windows Hello for Business

通过 Microsoft Intune MDM 配置 WHfB 部署:

```powershell
# 在 Intune 中创建 Windows Hello for Business 配置文件
$whfbProfile = @{
    "@odata.type" = "#microsoft.graph.windowsIdentityProtectionConfiguration"
    displayName = "WHfB - 企业部署"
    description = "适用于所有托管设备的 Windows Hello for Business 配置"
    useSecurityKeyForSignin = $true
    windowsHelloForBusinessBlocked = $false
    pinMinimumLength = 6
    pinMaximumLength = 127
    pinUppercaseCharactersUsage = "allowed"
    pinLowercaseCharactersUsage = "allowed"
    pinSpecialCharactersUsage = "allowed"
    enhancedAntiSpoofingForFacialFeaturesEnabled = $true
    pinRecoveryEnabled = $true
    securityDeviceRequired = $true  # 要求 TPM
    unlockWithBiometricsEnabled = $true
    useCertificatesForOnPremisesAuthEnabled = $true  # 混合场景
    # 混合加入的 Cloud Kerberos Trust(推荐替代密钥信任)
    windowsHelloForBusinessAuthenticationMethod = "cloudKerberosTrust"
}

# 创建配置文件
$profile = New-MgDeviceManagementDeviceConfiguration -BodyParameter $whfbProfile

# 分配给所有 Windows 设备
$assignment = @{
    target = @{
        "@odata.type" = "#microsoft.graph.allDevicesAssignmentTarget"
    }
}
New-MgDeviceManagementDeviceConfigurationAssignment `
    -DeviceConfigurationId $profile.Id `
    -BodyParameter $assignment

# 配置 Cloud Kerberos Trust(用于混合 Azure AD 加入设备)
# 无需 PKI 基础设施
Import-Module AzureADHybridAuthenticationManagement

$domain = "corp.local"
$cloudCredential = Get-Credential -Message "输入 Azure AD 全局管理员凭据"
$domainCredential = Get-Credential -Message "输入本地域管理员凭据"

Set-AzureADKerberosServer `
    -Domain $domain `
    -CloudCredential $cloudCredential `
    -DomainCredential $domainCredential

Get-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCredential `
    -DomainCredential $domainCredential

Write-Host "已为混合 WHfB 部署配置 Cloud Kerberos Trust"
```

### 步骤 4:为用户注册 FIDO2 安全密钥

实施安全密钥注册工作流:

```powershell
# 通过临时访问通行证批量注册 FIDO2 安全密钥
function Issue-TemporaryAccessPass {
    param(
        [string]$UserId,
        [int]$LifetimeMinutes = 60,
        [bool]$IsUsableOnce = $true
    )

    $tap = @{
        "@odata.type" = "#microsoft.graph.temporaryAccessPassAuthenticationMethod"
        lifetimeInMinutes = $LifetimeMinutes
        isUsableOnce = $IsUsableOnce
    }

    $result = New-MgUserAuthenticationTemporaryAccessPassMethod `
        -UserId $UserId `
        -BodyParameter $tap

    return @{
        UserId = $UserId
        TemporaryAccessPass = $result.TemporaryAccessPass
        ExpiresAt = $result.CreatedDateTime.AddMinutes($LifetimeMinutes)
    }
}

# 批量发放临时访问通行证用于安全密钥注册活动
$registrationUsers = Import-Csv "security_key_registration_list.csv"

$tapResults = foreach ($user in $registrationUsers) {
    $tap = Issue-TemporaryAccessPass -UserId $user.UserPrincipalName
    [PSCustomObject]@{
        User = $user.UserPrincipalName
        TAP = $tap.TemporaryAccessPass
        Expires = $tap.ExpiresAt
        KeySerial = $user.AssignedKeySerial
    }
}

$tapResults | Export-Csv "tap_assignments.csv" -NoTypeInformation

# 监控 FIDO2 注册进度
function Get-Fido2RegistrationStatus {
    $allUsers = Get-MgUser -All -Property "id,userPrincipalName,department"

    $registrationStatus = foreach ($user in $allUsers) {
        $methods = Get-MgUserAuthenticationFido2Method -UserId $user.Id

        [PSCustomObject]@{
            UserPrincipalName = $user.UserPrincipalName
            Department = $user.Department
            Fido2KeyCount = $methods.Count
            KeyModels = ($methods.Model -join ", ")
            RegistrationDates = ($methods.CreatedDateTime -join ", ")
            HasBackupKey = $methods.Count -ge 2
        }
    }

    return $registrationStatus
}

$status = Get-Fido2RegistrationStatus
$total = $status.Count
$registered = ($status | Where-Object { $_.Fido2KeyCount -gt 0 }).Count
$withBackup = ($status | Where-Object { $_.HasBackupKey }).Count

Write-Host "FIDO2 注册进度"
Write-Host "  用户总数:$total"
Write-Host "  已注册:  $registered ($([math]::Round($registered/$total*100,1))%)"
Write-Host "  有备用密钥:$withBackup ($([math]::Round($withBackup/$total*100,1))%)"
```

### 步骤 5:禁用旧版认证方法

逐步淘汰可被钓鱼的认证因素:

```powershell
# 禁用短信和语音电话认证
$smsPolicy = @{
    "@odata.type" = "#microsoft.graph.smsAuthenticationMethodConfiguration"
    state = "disabled"
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "sms" `
    -BodyParameter $smsPolicy

$voicePolicy = @{
    "@odata.type" = "#microsoft.graph.voiceAuthenticationMethodConfiguration"
    state = "disabled"
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "voice" `
    -BodyParameter $voicePolicy

# 通过条件访问阻止旧版认证协议
$blockLegacyPolicy = @{
    displayName = "阻止旧版认证"
    state = "enabled"
    conditions = @{
        users = @{ includeUsers = @("All") }
        applications = @{ includeApplications = @("All") }
        clientAppTypes = @(
            "exchangeActiveSync",
            "other"
        )
    }
    grantControls = @{
        operator = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacyPolicy

# 审计仍在使用旧版认证的用户
$legacyAuthReport = Get-MgAuditLogSignIn -Filter "clientAppUsed ne 'Browser' and clientAppUsed ne 'Mobile Apps and Desktop clients'" `
    -Top 1000 | Group-Object userPrincipalName | Select-Object Count, Name |
    Sort-Object Count -Descending

Write-Host "使用旧版认证的用户(最近 30 天):"
$legacyAuthReport | Format-Table -AutoSize
```

### 步骤 6:监控无密码采用指标

跟踪部署进度和认证方法使用情况:

```powershell
# 生成无密码采用仪表板数据
function Get-PasswordlessAdoptionMetrics {
    $registrationReport = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

    $metrics = @{
        TotalUsers = $registrationReport.Count
        PasswordlessCapable = ($registrationReport | Where-Object { $_.IsPasswordlessCapable }).Count
        MfaRegistered = ($registrationReport | Where-Object { $_.IsMfaRegistered }).Count
        Fido2Registered = ($registrationReport | Where-Object { "fido2" -in $_.MethodsRegistered }).Count
        WhfbRegistered = ($registrationReport | Where-Object { "windowsHelloForBusiness" -in $_.MethodsRegistered }).Count
        AuthenticatorRegistered = ($registrationReport | Where-Object { "microsoftAuthenticator" -in $_.MethodsRegistered }).Count
        SmsOnly = ($registrationReport | Where-Object {
            "sms" -in $_.MethodsRegistered -and
            "fido2" -notin $_.MethodsRegistered -and
            "windowsHelloForBusiness" -notin $_.MethodsRegistered
        }).Count
    }

    $signInLogs = Get-MgAuditLogSignIn -Top 10000 -Filter "createdDateTime ge $((Get-Date).AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ'))"

    $authMethodUsage = $signInLogs |
        Group-Object { $_.AuthenticationMethodsUsed -join "," } |
        Select-Object Count, Name | Sort-Object Count -Descending

    return @{
        Registration = $metrics
        Usage = $authMethodUsage
    }
}

$adoption = Get-PasswordlessAdoptionMetrics
$reg = $adoption.Registration

Write-Host "无密码采用报告"
Write-Host "============================"
Write-Host "用户总数:              $($reg.TotalUsers)"
Write-Host "无密码能力:            $($reg.PasswordlessCapable) ($([math]::Round($reg.PasswordlessCapable/$reg.TotalUsers*100,1))%)"
Write-Host "  FIDO2 密钥:          $($reg.Fido2Registered)"
Write-Host "  Windows Hello:       $($reg.WhfbRegistered)"
Write-Host "  Authenticator:       $($reg.AuthenticatorRegistered)"
Write-Host "MFA 已注册:            $($reg.MfaRegistered) ($([math]::Round($reg.MfaRegistered/$reg.TotalUsers*100,1))%)"
Write-Host "仅短信(需要升级):    $($reg.SmsOnly)"
```

## 核心概念

| 术语 | 定义 |
|------|------|
| **FIDO2** | 快速身份在线 2 标准,使用绑定到硬件认证器或平台凭据的公钥密码学实现无密码认证 |
| **通行密钥(Passkey)** | 可以绑定到设备(安全密钥)或跨设备同步的 FIDO2 凭据,无需密码即可提供抗钓鱼认证 |
| **Windows Hello for Business** | 使用 PIN、指纹或面部识别的 Windows 平台认证器,由 TPM 保护的非对称密钥支持无密码登录 |
| **Cloud Kerberos Trust** | 混合 WHfB 的部署模型,使用 Azure AD Kerberos 访问本地资源,无需 PKI 证书基础设施 |
| **临时访问通行证** | 管理员颁发的限时密码,使用户能够注册无密码方法或在主要方法不可用时恢复访问 |
| **认证强度** | Microsoft Entra 中的条件访问功能,指定哪些认证方法组合满足给定策略的 MFA 要求 |

## 工具与系统

- **Microsoft Entra 管理中心**:用于配置认证方法、条件访问策略和监控登录分析的门户
- **Microsoft Intune**:用于向托管设备部署 Windows Hello for Business 配置文件的 MDM/MAM 平台
- **Microsoft Graph API**:用于管理认证方法、策略和生成采用报告的程序化接口
- **FIDO2 安全密钥**:存储用于抗钓鱼认证的加密凭据的硬件认证器(YubiKey、Feitian、Google Titan)

## 常见场景

### 场景:企业范围的无密码迁移

**背景**:一个拥有 5,000 名用户的组织计划在 12 个月内消除密码,此前经历了一次入侵 47 个账户的钓鱼攻击。当前状态:60% 使用短信 MFA,30% 使用 Authenticator 应用,10% 没有 MFA。

**处理方式**:
1. 第一阶段(1-2 月):在仅报告模式的条件访问中启用 FIDO2 和 WHfB 认证方法
2. 第二阶段(2-3 月):通过带 Cloud Kerberos Trust 的 Intune 将 WHfB 部署到所有托管 Windows 设备
3. 第三阶段(3-5 月):向高管、IT 管理员和财务人员(最高风险用户优先)分发 FIDO2 安全密钥
4. 第四阶段(5-8 月):为移动优先用户和外勤工作人员启用 Authenticator 通行密钥
5. 第五阶段(8-10 月):将条件访问从仅报告切换到强制抗钓鱼认证
6. 第六阶段(10-12 月):禁用短信和语音电话方法,阻止旧版认证协议
7. 持续:监控采用指标,为落后用户发放临时访问通行证,维护紧急访问账户

**注意事项**:
- 未部署 Cloud Kerberos Trust 会导致 WHfB 在混合环境中访问本地资源失败
- 在确保所有应用程序支持现代认证之前强制无密码会中断访问
- 每个用户只发放一个安全密钥而没有备用密钥会在密钥丢失时产生锁定风险
- 在禁用基于密码的登录之前未将临时访问通行证配置为恢复方法

## 输出格式

```
无密码认证部署报告
================================================
租户:            corp.onmicrosoft.com
用户:            5,247
部署阶段:        第四阶段(Authenticator 通行密钥)

认证方法注册
无密码能力:       4,103 / 5,247 (78.2%)
  FIDO2 安全密钥:  892 (17.0%)
  Windows Hello:   2,847 (54.3%)
  Authenticator 通行密钥:1,234 (23.5%)
  基于证书:        312 (5.9%)

旧版方法状态
仅短信用户:       387 (7.4%) -- 迁移中
仅语音用户:       0(已禁用)
无 MFA 用户:      42 (0.8%) -- 已发放临时访问通行证

条件访问
抗钓鱼策略:       已强制执行(除排除组外的所有用户)
旧版认证阻止:     已启用
管理员门户策略:   需要安全密钥

登录分析(最近 30 天)
总登录次数:       847,293
  无密码:         623,891 (73.6%)
  密码 + MFA:     198,402 (23.4%)
  仅密码:         0(已阻止)
  旧版协议:       0(已阻止)

安全影响
钓鱼事件:         0(部署前 47 次)
密码重置工单:     -82% 减少
平均登录时间:     8.2 秒(无密码)vs 24.1 秒(密码)
```

Related Skills

testing-oauth2-implementation-flaws

9
from killvxk/cybersecurity-skills-zh

测试 OAuth 2.0 和 OpenID Connect 实现中的安全缺陷,包括授权码拦截、重定向 URI 操控、OAuth 流程中的 CSRF、令牌泄露、权限范围(scope)提升以及 PKCE 绕过。测试人员对授权服务器、客户端应用及令牌处理进行评估,发现可导致账户接管或未授权访问的常见错误配置。适用于 OAuth 安全测试、OIDC 漏洞评估、OAuth2 重定向绕过或授权码流程测试相关请求。

testing-mobile-api-authentication

9
from killvxk/cybersecurity-skills-zh

测试移动应用 API 的认证与授权机制,识别认证失效、不安全的令牌管理、会话固定、 权限提升和 IDOR 漏洞。适用于对移动应用后端进行 API 安全评估、测试 JWT 实现、 评估 OAuth 流程或评估会话管理的场景。适合涉及移动 API 认证测试、令牌安全评估、 OAuth 移动端流程测试或 API 授权绕过的相关请求。

testing-api-for-broken-object-level-authorization

9
from killvxk/cybersecurity-skills-zh

测试REST和GraphQL API中的越权对象访问(BOLA/IDOR)漏洞,即已认证用户通过操纵API请求中的对象标识符 来访问或修改属于其他用户的资源。测试人员拦截API调用,识别对象ID参数(数字ID、UUID、slug), 并系统性地替换为其他用户的ID,以确定服务器是否执行了对象级授权。 对应OWASP API安全Top 10 2023 API1(越权对象访问)。

testing-api-authentication-weaknesses

9
from killvxk/cybersecurity-skills-zh

测试API认证机制中的弱点,包括令牌验证失效、端点未强制认证、密码策略薄弱、凭据填充风险、 URL或日志中的令牌泄露,以及会话管理缺陷。评估JWT实现、API密钥处理、OAuth流程和会话令牌熵, 以识别认证绕过漏洞。对应OWASP API2:2023 认证失效(Broken Authentication)。

performing-oauth-scope-minimization-review

9
from killvxk/cybersecurity-skills-zh

执行 OAuth 2.0 权限范围最小化审查,识别过度授权的第三方应用集成、 过多的 API 范围、未使用的令牌授权以及跨身份提供商和 SaaS 平台的 高风险 OAuth 同意模式。 适用于 OAuth 范围审计、API 权限审查、第三方应用风险评估或同意授权最小化的请求。

performing-authenticated-vulnerability-scan

9
from killvxk/cybersecurity-skills-zh

认证(凭据)漏洞扫描使用有效的系统凭据登录目标主机,对已安装软件、补丁、配置和安全设置进行深度检查,相比未认证扫描可发现 45-60% 更多漏洞。

performing-authenticated-scan-with-openvas

9
from killvxk/cybersecurity-skills-zh

使用 OpenVAS/Greenbone 漏洞管理(GVM)框架配置并执行凭据认证漏洞扫描,支持 SSH 和 SMB 凭据,实现全面的主机级别安全评估。

implementing-zero-trust-with-hashicorp-boundary

9
from killvxk/cybersecurity-skills-zh

使用 HashiCorp Boundary 实现具备动态凭据代理、会话录制和 Vault 集成的身份感知零信任基础设施访问管理。

implementing-zero-trust-with-beyondcorp

9
from killvxk/cybersecurity-skills-zh

使用身份感知代理(IAP,Identity-Aware Proxy)、上下文感知访问策略、设备信任验证和 Access Context Manager,部署 Google BeyondCorp Enterprise 零信任访问控制,对 GCP 资源和内部应用强制执行基于身份和安全态势的访问。

implementing-zero-trust-network-access

9
from killvxk/cybersecurity-skills-zh

通过配置身份感知代理、微分段、基于条件访问策略的持续验证,以及在 AWS、Azure 和 GCP 环境中以 BeyondCorp 风格的架构替代传统 VPN 访问,在云环境中实施零信任网络访问(ZTNA)。

implementing-zero-trust-network-access-with-zscaler

9
from killvxk/cybersecurity-skills-zh

使用 Zscaler 实施零信任网络访问(Zero Trust Network Access,ZTNA),通过 Zscaler Private Access(ZPA)配置应用分段、访问策略和连接器,替代传统 VPN 架构

implementing-zero-trust-in-cloud

9
from killvxk/cybersecurity-skills-zh

本技能指导组织按照 NIST SP 800-207 和 Google BeyondCorp 原则在云环境中实施零信任(Zero Trust)架构,涵盖以身份为中心的访问控制、微分段(Micro-Segmentation)、持续验证、设备信任评估,以及部署身份感知代理(Identity-Aware Proxy)以消除 AWS、Azure 和 GCP 环境中的隐式网络信任。