The session features host and Mobile Mentor Founder, Denis O’Shea, Yubico Solutions Engineer, Shakeel Aziz, Microsoft Cloud Endpoint Technical Specialist, Nick Cordova, and Mobile Mentor Digital Identity Lead, Demetrius Cooper.
During the conversation, the group discusses change management, biometrics, security keys, single sign-on, and multi-factor authentication.
Read below for a synopsis of this conversation on the Passwordless building blocks.
What technology building blocks need to be in place to go passwordless?
Demetrius Cooper: The first building block is to get the business to buy in. Getting the business leads to say, hey, we’re going to go on this passwordless journey with you is crucial, because going passwordless is not a flick of a switch. It takes time. There are workflows that need to be updated and user experience may be impacted. You also have to get the end users to buy in. You also need to consider the costs that are associated with going passwordless and modernizing your identity.
After getting your business to buy in, the next step would be to implement a strong MFA. That means getting the right MFA software and putting together a strong MFA strategy. MFA is multi-factor authentication, which is a security layer that takes place after a user logs in. It verifies that the user is exactly who they are. You can use various ways to implement MFA. You can use biometrics, you can use applications, and you can use a user’s location to determine exactly if they are who they say they are. But there is a difference between implementing MFA as a software and implementing MFA as a strategy.
Implementing MFA as a strategy requires pairing MFA with conditional access policies or any policies to specifically target scenarios where a compromise could exist. If you do not evolve those policies, MFA alone will not work. MFA comes first, then those policies, the single sign-on.
For those unaware, single sign-on is possessing the capability for users to log in with a single username and password with those tokens or credentials, and the approval process is passed along to other websites and other applications. This ensures that a user doesn’t have to remember a set of usernames and passwords that no longer that may not be a reflection of their current state to log in. Having to remember those usernames and passwords is the primary reason for some of these compromises. End-users may be using software to remember those passwords, and I’m sure all of us have seen a sticky note in an office somewhere or a notepad that recalls passwords – and this occurs with highly privileged accounts. Someone that may be running an entire organization often will have a sticky note with passwords on their desktop. Single sign-on breaks that need for a user to remember those usernames and passwords and just automatically logs in to applications on websites
Addressing MFA and the pieces that allow for users to log in, there is biometrics. What biometrics does is use your face or your fingerprint to determine if you are exactly who you say that you are. With modern technology, you can also use your voice to determine if you are who you say you are. There will be a phrase or a sentence you can speak and you’ll be recognized.
The other piece outside of biometrics is security keys. Security keys are ways for a user to confirm that they are who they say they are through a process. Either an admin or the end-user themselves will go through some type of registration of these keys that were built by an alliance like FIDO. Through various forms of validation, those security keys determine that the user is who they say they are. In addition to that, the user has to complete an action associated with those keys. That is an important piece that stops the man-in-the-middle attacks. That action of touching a specific key or security key stops a lot of the threats.
Denis O’Shea: To summarize, the business needs to understand the need and be committed to going passwordless. Technologically, you start with MFA, get the technology in place, but also put the policies in place, the rules in place that force an MFA prompt. When people are trying to access sensitive resources, then you need to have the single sign-on capability to sign in once and your credentials get passed on. You need biometrics on your endpoints and you need secure keys for specific use cases.
How does Microsoft address the passwordless building blocks?
Nick Cordova: One thing I want to touch on is how you mentioned the passwordless journey. The customers that we work with who are on this journey and in different parts typically have limited resources to get to that end goal of passwordless. Our job is to help them along that journey. Our end goal is our customer security and the overall health of customer environments. I want to start by saying on the journey we talk about, you know, our tools that are aligned with what Demetrius just mentioned. Regarding biometrics, we have Windows Hello for Business piece. We have the authenticator app for MFA. We have conditional access policies.
As those play into the customer’s journey, it starts with us trying to get them to enable features. For instance, if MFA isn’t enabled today, enable it for all users. Maybe there are customers that are using SMS and call, which is now considered insecure and we want to move them to that next portion of their journey, which would be the authenticator app for users. We have those different stages that we try to move along with our customers.
Windows Hello for Business, the biometric for Windows Login is an awesome passwordless option, but it doesn’t work for every organization. I have customers specifically in the state and local government that don’t have access to the internet. That’s when our partners come in and have the ability to use security keys in those scenarios. We try to provide multiple outlets for our customers to achieve this idea of being completely passwordless. We have to be patient with the customers as well because this is overhauls are not something that can just happen overnight. There’s change management and planning and kinds of components that go into a move like this. Because of the complexity, we have to work together as partners to help our customers get where they want to go.
Deni O’Shea: This is a multiyear journey. We see it just like endpoint modernization- your identity modernization journey is going to be years. Nobody does this in 90 days. And if you try to do that, you’re going to break your organization. It takes time.
Nick Cordova: Even here at Microsoft, we are on that journey. We use Windows hello for business for Windows log-in as well as the Authenticator app. But the password still exists. The last time I used it, I couldn’t tell you – it’s been quite some time, but we’re on the journey as well.