2
votes

There are several questions I have about the pricing for accounts and authentication with Azure AD B2C, and they revolve around the concern for scripted DOS attacks.

Pricing Page: https://azure.microsoft.com/en-us/pricing/details/active-directory-b2c/

Azure provides both email and multifactor authentication via text message or phone call when creating accounts.

The email verification is included in the base price for authentication attempts. The first 50k authentications per month are free. I believe this includes sign-in authentication, account/password recovery, and signup. Multifactor authentication (text message or phone call) is optional, and has a flat rate of $0.03 per authentication (no freebies).

What I'm not 100% clear on is what counts as an authentication. Does the charge occur for each attempt, or only for a successful authentication where a token is issued? I think it may be the latter (successful and token issued), considering the definition given:

Authentications: Tokens issued either in response to a sign-in request initiated by a user, or initiated by an application on behalf of a user (e.g. token refresh, where the refresh interval is configurable).

So if an attacker attempts to authenticate, and fails, will we get charged for each attempt? Is it the same for multifactor as well?

If the attacker is motivated enough, she could conceivably set up her own email and SMS system for receiving and parsing verification codes, and use them to create a large number of fraudulent accounts. If an attacker were to get around the authentication and create millions of accounts, would we still end up getting charged for those accounts and authentications?

Would it matter whether or not we had a scheduled task that would periodically delete incomplete or inactive accounts?

Scenarios:

  1. 1,000,000 fraudulent accounts are created on July 4th, but we find and delete them through the graph API by 1:00am on July 5th.
  2. We are billed on the first of the month. An attacker creates 1,000,000 accounts on the last day of our billing cycle, and we don't catch it in time.
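The scheduled cleanup the question asks about, as an added example that is not part of the original post: it flags accounts created in a sign-up burst and deletes them only when run out of dry-run mode. It assumes a Microsoft Graph `users` listing (a constructed sample is embedded below; the real call would be the URL `build_graph_query` produces) and a caller-supplied `delete_user(id)` callable that issues the Graph `DELETE /users/{id}` request.

```python
from collections import defaultdict
from datetime import datetime, timezone

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"

def build_graph_query(window_start: datetime) -> str:
    """URL listing accounts created since window_start. Filtering on
    createdDateTime is a Graph advanced query, so the request also needs
    the 'ConsistencyLevel: eventual' header (sent by the caller)."""
    ts = window_start.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f"{GRAPH_USERS}?$filter=createdDateTime ge {ts}"
            "&$select=id,createdDateTime,displayName&$count=true")

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def burst_accounts(users, per_hour_limit):
    """Ids of accounts created in any clock hour whose sign-up count exceeds
    per_hour_limit; organic sign-ups below the limit are left alone."""
    buckets = defaultdict(list)
    for u in users:
        hour = parse_ts(u["createdDateTime"]).replace(minute=0, second=0)
        buckets[hour].append(u["id"])
    flagged = []
    for hour in sorted(buckets):
        if len(buckets[hour]) > per_hour_limit:
            flagged.extend(buckets[hour])
    return flagged

def cleanup(users, per_hour_limit, delete_user, dry_run=True):
    """Returns (flagged_ids, deleted_count). Nothing is deleted while
    dry_run is True, so the flagged list can be reviewed before it runs."""
    flagged = burst_accounts(users, per_hour_limit)
    deleted = 0
    if not dry_run:
        for uid in flagged:
            delete_user(uid)  # assumed to issue DELETE {GRAPH_USERS}/{uid}
            deleted += 1
    return flagged, deleted

# Constructed sample: three organic sign-ups, then eight in one hour.
SAMPLE_USERS = [
    {"id": "org-1", "createdDateTime": "2019-07-03T09:12:00Z"},
    {"id": "org-2", "createdDateTime": "2019-07-04T11:40:00Z"},
    {"id": "org-3", "createdDateTime": "2019-07-04T18:05:00Z"},
] + [{"id": f"bot-{i}", "createdDateTime": f"2019-07-04T23:{i:02d}:30Z"}
     for i in range(8)]

if __name__ == "__main__":
    print(build_graph_query(parse_ts("2019-07-04T00:00:00Z")))
    print(cleanup(SAMPLE_USERS, per_hour_limit=5, delete_user=print))
```

Pick `per_hour_limit` from your own tenant's normal sign-up rate; the sample value of 5 is only there to make the constructed burst visible.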

2 Answers

1
votes

Given failed authentication attempts won't result in a token being issued I think the answer is clear on that front from a charges perspective.

To your second point, there is only so much work you can do to mitigate a motivated attacker and you have to work on the basis that Azure will have some basic mitigations built in.

Having said this, the platform will clearly meet the requirement to handle that volume of sign-ups, and holding a million active accounts would cost ~$1,050 a month, which, while not a small sum, shouldn't break the bank.

1
votes

I would also add that in the event that a motivated attacker does end up causing obviously fraudulent charges to hit your account, the first thing I would do is to get a case opened with Microsoft. From my perspective (no, I am not a MSoft employee or rep), they will 1) be very interested in how the attack took place and was carried out so they can investigate mitigation steps going FWD and 2) would likely work with you, the customer, to "do the right thing" in relation to charges in the event their system was compromised in a way to cause charges to hit your account from an attack. That could include dropping the charges or working with you in some other creative way.