Achieving Passwordless Authentication Today with Workspace ONE

Captions
Hi, and welcome to this session about how to achieve a passwordless authentication method today using Workspace ONE. This session is presented to you by Nikolay Poturnak and me, Peter Bjork. But before we start, please take a moment to read through this disclaimer. And now over to you, Nikolay.

Thanks, Peter. My name is Nikolay and I represent the Workspace ONE Access product management team. We are on the mission to enable the digital workspace through solving identity and access management problems. One of the interesting areas we've been looking into recently is how we can liberate enterprises from using passwords, and as a first step I wanted to talk about multiple attributes and aspects of passwords that make them very painful, costly and very unusable for the modern enterprise.

The first area to look into is that passwords are inherently insecure. If you look at the history and analyze major cyber security breaches, you will see that from 2013 to 2018 more than 4 billion accounts got compromised. What is more, every cyber security breach included credentials in some shape or form. So attackers have to steal credentials so that they can escalate privileges, they can move laterally and eventually they can achieve their mission by extracting crown jewels and important information from an enterprise. Passwords are insecure because first and foremost they involve a human being in the loop, and what that means is passwords can be stolen and extracted using a variety of tools and techniques, whether this is social engineering or a technical tool such as installing malware or a keylogger, or going as far as impersonating a certain website or company portal and then using credential-based phishing to extract and steal these credentials.

The second area to look into is user experience. The modern enterprise today has to offer a great user experience as it relates to application consumption and as it relates to collaboration. The first thing about passwords is that they're very hard to remember. Think about this: we have our personal and professional lives, and then the number of accounts we're going to have is only going to multiply and increase in the future because of the proliferation of different services and online applications. And what's really happening is that when we face this complexity we start bypassing these security guidelines: we start reusing passwords, we start rotating them very infrequently, and even if we change passwords we do these minor changes, one-digit changes oftentimes, that are easily guessable and can be hacked eventually by advanced attackers. And the second area is that passwords are creating a lot of user friction, especially in the context of a multi- and cross-platform world where we have mobile devices, desktop and laptop devices. Typing a password on a mobile screen is somewhat of a challenging endeavor, especially if you have to use this multiple times a day. One of the interesting statistics that we stumbled upon is that 80% of workers are actually not liking passwords, and they would love to use something else such as tokens, smart cards, certificates or any modern technology.

And I would be remiss not to say that passwords are expensive for an enterprise. Let's think about this: if we look at the password lifecycle, we have to create a password, we have to use it and then we have to maintain it. First and foremost, to create the password, enterprises have to set up a lot of processes for generating these passwords, distributing these passwords and also making sure that these passwords follow security guidelines when users use them and create them. What's also important to say is that passwords involve a lot of maintenance, such as password resets, or users forgetting about passwords and then calling a call center. Visual Capitalist also provides the statistic that handling 10 tickets daily would actually cost an enterprise around 128,000 annually. And it's also important to consider that every time there's a cyber security breach there are financial costs attributed to dealing with the cyber breach and dealing with the consequences of a cyber breach that might have been caused by a single credential or single password compromise.

So to summarize: passwords are insecure, they are very expensive and they also promote a bad user experience for the modern digital enterprise. So how do we deal with this? We at VMware have been investing a lot of time to build technology that can help our customers embark on a passwordless journey. What sets us apart and what's unique about our approach is that we look at the passwordless problem from multiple angles, and over the course of these years we've built several technologies that we're going to talk about today, including mobile single sign-on, VMware Verify and FIDO WebAuthn. So at this point I'm going to hand it over to Peter, who's going to go into details about what mobile single sign-on is and how enterprises can benefit from using it.

Thanks for that, Nikolay. So let's have a look at mobile SSO and how to achieve seamless authentication on your mobile devices. Certificates in general are an excellent method or technology for achieving a very strong yet seamless method of authentication for your end users. The problem is it doesn't work very well on mobile devices. There are certificate-based authentication mechanisms, but quite often these are proprietary, so the certificate-based authentication is custom built and it's up to the backend and the client application to solve it. Or the more generic method requires support for using the Safari View Controller or Chrome Custom Tabs, and if your client applications aren't using these, you are subject to the roadmap of the vendor in order for them to incorporate support for it.

VMware's mobile SSO is different. It's actually not depending on the application itself and its capabilities, and I'll show you later how this is possible, but for now you just need to know that it is not requiring any kind of SDKs. You can download any vanilla application from the App Store or Play Store, and as long as the back end can be federated we can provide mobile single sign-on. So it doesn't require any recoding and it's absolutely seamless for the end user: the user doesn't have to pick a certificate or do any real interaction in the flow of authentication. Traditional certificate-based authentication is obviously: you have the certificate, you validate the signature, check the chain and check for revocation, and then you extract the user identifier within the certificate and obviously check if the user is authorized to the system or not. We do all that with mobile SSO as well, but we add information about the device as well, and as extra protection the method of transportation is quite unique. I'll go into details of how this is done in a second, but that provides you with an extra layer of protection, because if someone would get hold of one of the certificates it's incredibly unlikely that they will be able to mimic the way we deliver the certificate to Workspace ONE Access, for example. And within the certificate, in the device portion of it, we include the unique identifier of the device, and this is only available for MDM vendors. All in all, with this, the method of transportation and the unique identifier, it provides us with an MDM thumbprint, so we know that this device is actually handled by our platform. And then, as the last step in the authentication flow, Workspace ONE Access can reach out via APIs to Workspace ONE UEM and check for compliance.

So how does mobile SSO work? Well, first of all we need to provide a management profile from UEM onto our devices. Once that is done and the user launches the application, the client reaches out to the backend and the user isn't authenticated, so your tenant, in this case Salesforce, will redirect the device to the configured identity provider. And then in mobile SSO, iOS on Apple devices, and our Tunnel client on Android, steps in to handle the method of authentication while the application is paused. So the authentication is not done by the applications themselves but by iOS on Apple, and on Android by the Tunnel. And so once this authentication is done, a SAML assertion is sent to the application, which has been paused and was just waiting for something to happen, and obviously the application takes this SAML assertion and sends it to the back end, and now the user is happily authenticated into the system. This was very high level intentionally, so let's go a little deeper into each one of the platforms. But first, just to recap: since the application is not a part of the authentication flow per se, we support universal application support, you don't need any special SDK or anything like that, and then it is 100% seamless, the user will not be prompted for anything. I'll show you a demo video in a while, but let's take a closer look at how this looks on iOS.

So you launch the Salesforce client, it reaches out to the backend, gets redirected to Workspace ONE, and then depending on your conditional access policies, obviously we identify this as an iOS device, thereby it will be prompted for mobile SSO for iOS devices. So Access will send a Kerberos challenge, so the standard Kerberos protocol is actually used here, and this is intercepted by iOS itself; it never reaches the Salesforce client app. So then a traditional certificate-based Kerberos authentication happens between our KDC, the KDC that we deliver as part of Workspace ONE Access, and once this is successfully authenticated the user is handed back into Workspace ONE Access, which can offer or issue a SAML assertion, and then the application takes this assertion and sends it to the backend and the session can start. So during the phase of authentication, again, the application was paused, it wasn't taking an active part in the authentication, but iOS was performing it. And why we could use this method on iOS is obviously because Apple incorporated Kerberos support in iOS many, many years ago and we are taking advantage of that, but we created or modified our KDC to make sure that it works. And so this is one example: it's incredibly hard for someone who would have the certificate to try to mimic this exchange using the Kerberos protocol. It is Kerberos, I just want to emphasize that this Kerberos realm is between the device, UEM, Access and our KDC; it has absolutely nothing to do with your Active Directory Kerberos realm, nothing, there is no relationship whatsoever.

So let's have a look at how the Android flow looks, and the reason this is different and uses the Tunnel client is because Android does not have universal Kerberos support that we could utilize. So the application launches, reaches out to the back end and gets redirected, and now this redirection is something that the Tunnel client is monitoring, so it listens when this particular application tries to communicate to Access, then intercepts the traffic and establishes a tunnel, a mutually authenticated tunnel, to our certificate proxy, it's called. So here is the act of authentication happening: the certificate used here is delivered to the certificate proxy and cached there for a very short period of time. Once this tunnel is established the application is unpaused, so it reaches out to Access, and now Access knows this is an Android device, we are prompting for mobile SSO, so Access will retrieve the certificate from the certificate proxy, which is many times hosted on the same machine, especially if you're running on premises. So now the user can be authenticated by Access using this certificate and the SAML assertion is issued, sent via the application to the backend, and then the session can start. And once the user has authenticated and the SAML assertion has been delivered, the tunnel is terminated, the cache is cleared of the certificate and everything.

So let's have a look at how this looks from a user's point of view, and we'll start on an iOS device. So here I have an enrolled iOS device, and I launch Intelligent Hub and I will launch first a web version of Salesforce. And here you can see this is mobile SSO and it reaches out to UEM for a compliance check, and the users are immediately gaining access into Salesforce, so no real interaction was required by the user. That was the web version of Salesforce, not ideal when using iOS, so let's download just the vanilla version from the App Store, the Salesforce native client, instead. And since this is downloaded from the App Store there is no management, no configuration done to it, so I'll just type in my tenant URL and then I get connected to my tenant, and again mobile SSO is issued here. So you can see no special version of the client, a completely seamless act of authentication for the end users, and now it works both on web versions of the applications, obviously, but also the native version.

So next let's just have a quick look at how it looks on Android. And in this case I'll actually download the native client of Salesforce from the Workspace ONE Access portal instead. The big difference here is since we are delivering it, it's managed, so we can provide configuration settings. So now when the user launches Salesforce I don't have to type in my tenant, I'm immediately redirected or taken to my correct tenant, and there you saw the authentication using mobile SSO, and we are already authenticated, now the application is launched. So an incredibly good user experience, I would say, and with the extra protection, with the fact that we know the device ID, I would say it's a very, very strong method of authentication as well.

But you might want to boost your trust level in the user identifier even further, so many people are using multi-factor authentication, and we just released our Verify (Intelligent Hub) MFA solution, which is the industry's first integrated multi-factor authentication technology, which means you already have Intelligent Hub; built into Intelligent Hub we also now include an MFA client. And the beauty is you don't have to register any mobile numbers or anything like that; as long as you are either managed by UEM, or if you are simply registered, which means you have logged in to the platform, then you can actually utilize this MFA solution. So what is different, the main difference between an MDM-enrolled device and a registered one? Well, when you launch the application, you log in and you get a management profile, then you are managed, and this management profile could for example include mobile SSO profiles and such. But if you look at registered mode instead, then you simply launch Intelligent Hub and log in to it; there is no management profile being deployed onto your device, so it's still per se standalone, but the MFA functionality still works. In order to use Verify (Intelligent Hub) you need UEM, pretty much any version will work, you need Workspace ONE Access, the SaaS tenant for now, and then you need Intelligent Hub version 2005 or later.

So when you have MFA configured and you click on, in this case let's say Salesforce, if you have MFA already activated then you get a push notification. But if you have no device registered in UEM, this is how it looks: the end user will be prompted to go to Workspace ONE UEM to set up at least a registration, so we know where to send the MFA request. And if you have multiple devices: it's only allowed to have one device today as your MFA client, so if the user has multiple enrolled devices the user gets this drop-down so they can choose which device they want to use.

We have some settings where we have the enhanced verification on managed devices, which means you try to launch an application, MFA kicks in due to the access policies, and if you are on a managed device, when you launch Intelligent Hub you typically protect it with a PIN or a biometric like thumbprint or Face ID. And once that is launched, if you have activated this setting, when you click approve a second validation is required, which means Face ID, for example, is invoked yet one more time even though you just did it to launch Intelligent Hub. But if you don't like this extra step of validation, obviously you can just disable this setting. The same thing for registered devices: so this is a registered device, you get the push notification, when you click approve you get a thumbprint or Face ID, so you need to validate an extra time. And then the last setting, enhanced verification requests from mobile devices: this is targeting mobile devices where you also have your MFA client on, so here you can request an extra validation for those devices. So here I launch the application on my mobile device and I get the MFA prompt, and then I have to validate myself an extra time, either using thumbprint or Face ID.

So let's have a look at how this looks in the real world. So I'll start by logging into my portal on my Mac here, and then I launch Salesforce, and here you can see I'm required to do MFA, so I get that push notification, I click on it, and then I see some information about the request. So this is my initial login into Intelligent Hub; here you see the user name, the device type, the location. When I click approve there was no extra verification required, so I didn't activate the settings I just showed you, and then I get access into Salesforce. And with that I'll hand it over to Nikolay to walk you through the FIDO WebAuthn functionalities.

Thanks a lot, Peter. At this point let's talk about FIDO and WebAuthn. This is a very interesting and innovative topic and we are very passionate about telling you more and sharing more information about this. I think the first place for us to start is to understand what FIDO is. FIDO stands for Fast Identity Online. FIDO is a consortium that develops secure, open and phishing-proof passwordless authentication standards; it's technically a set of protocols that's developed by the FIDO Alliance to enable these passwordless authentication use cases. The two most important protocols for us to look at today would be WebAuthn and CTAP. What is WebAuthn? WebAuthn has become a standard for web authentication, and technically it's a browser-based API to trigger the FIDO client, so it's basically exposed in the browser. Think about any modern browser that has a FIDO client embedded in it; to reach that FIDO client all these browser vendors provide an API, and the API is called WebAuthn. It's a JavaScript-based API to trigger a request to the FIDO client. CTAP is a communication protocol between the authenticator and the FIDO client, so a FIDO client embedded in the web browser can be communicating with the authenticator; in this case CTAP is a secure protocol to achieve that. We have authenticators of two types: external, such as a mobile phone supporting an embedded FIDO client, or the authenticator can be a platform-based authenticator such as a thumbprint reader on a laptop device or desktop device.

Let's see how all these protocols fit architecturally together to deliver the passwordless use case. On this diagram you can see the three major components for a browser-based passwordless authentication. On the left-hand side we have a FIDO server; the FIDO server is the server with which you enroll your authenticators for a specific user. For instance, I have my YubiKey and I'm going to enroll my YubiKey with the FIDO server and associate that YubiKey, with the private key stored on it, with the identity of Nikolay. In the middle we can see a browser; the browser basically serves as a middle point for communicating between the FIDO server and the authenticator. As you can see, that browser has an embedded FIDO client in it, and that browser exposes it using JavaScript with an API, so the FIDO server can reach out to the FIDO client in the browser using that WebAuthn API. And on the right-hand side we can see an authenticator in the form of a USB key which supports the CTAP protocol; it basically allows communication between the FIDO client in the browser and that authenticator. So FIDO is a proper and secure way to authenticate without any passwords, and it's based on asymmetric cryptography: the private key and the attestation key are stored on the authenticator, and when you register your authenticator with the FIDO server you basically generate that public key and store it on the FIDO server so that you can achieve this authentication using asymmetric cryptography.

Let's see how we're implementing FIDO and WebAuthn as part of Workspace ONE Access for browser-based passwordless flows. In this case let's take a look at the high-level flow first, and then we go into a little bit more technical detail to give you a snapshot of visibility into what's happening behind the scenes. In this particular use case the user is accessing a Salesforce application. The Salesforce application is federated with Workspace ONE Access, and in Workspace ONE Access we have a policy that says for sensitive applications such as Salesforce we need to authenticate using the FIDO protocol. The user is going to be redirected to Workspace ONE Access; Workspace ONE Access through the browser is gonna trigger a registered authenticator such as a YubiKey, and when the user provides the biometric on the YubiKey or inserts the YubiKey, the user is going to have access to Salesforce. So using this flow through the browser for web-based launches we can achieve passwordless authentication for users.

Let's go into a little bit more detail to understand how that flow works behind the scenes. As you can see, the browser has a WebAuthn client embedded and Access has a FIDO server that we implemented. So when the user accesses Salesforce and is redirected to Workspace ONE Access, Workspace ONE Access will reach out to the FIDO client in the browser using the FIDO protocol and using the JavaScript WebAuthn API, which in turn is going to reach out to the authenticator using the CTAP protocol and send the challenge to the authenticator. The authenticator is going to sign that challenge with the private key and send it back to the FIDO server, which will then validate that signed challenge using the public key which was registered for Nikolay, and in that case Nikolay will have access to the Salesforce application.

In this case the two important components of the flow to remember would be registration and authentication. In terms of registering your FIDO keys with Workspace ONE Access, we will provide two options. The first one is user-generated authentication at the point of accessing Salesforce: if the user doesn't have an authenticator registered, Workspace ONE Access will provide the option to automatically register an authenticator, which can be a YubiKey, which can be any security key, which can be a Bluetooth-enabled Android device, or can be something else. And the other flow that we will enable will be admin-driven flows, where an administrator can go to Workspace ONE Access, select a certain user and then pre-register a FIDO-based authenticator for that user; they can name it, they can delete it, they can block it. And then when the user starts with the company, that user or employee can get a laptop, a mobile device and an authenticator he will be using to achieve passwordless authentication. So to summarize, we have enabled the browser-based flows for achieving passwordless authentication using the FIDO and WebAuthn protocols in Workspace ONE Access. At this point I'm going to hand it back to Peter, who is going to summarize what we discussed today and wrap the session up. Thank you so much.

Thank you very much, Nikolay. So to wrap this session up, I just wanted to make sure that you are aware of our euc.techzone.vmware.com, which is where we post all our technical enablement materials such as white papers, how-to guides, the reference architecture, so please make sure that you visit euc-techzone.vmware.com. And throughout VMworld we have hopefully many more interesting sessions, so here's a short list of recommendations if you're interested in this particular topic that we have discussed in this session. And then please take advantage of booking Meet the Expert roundtables to discuss more in detail with our product specialists. And with that, I hope you enjoyed this session, and please fill in the survey. Thank you very much for watching.
Info
Channel: VMware End-User Computing
Views: 670
Rating: 5 out of 5
Keywords: vmware, euc, end-user computing
Id: l3QTYL0_wao
Length: 34min 5sec (2045 seconds)
Published: Thu Dec 10 2020