Enabling strong passwordless authentication at scale | OD388

Captions
Hey there! Thanks for joining me today. I really hope you're having an amazing time at Ignite and enjoying all the sessions to follow. My name is Ashvin Saminathen, I work at Yubico, and today I'll be telling you about something that we deeply care about: passwords and, most importantly, how to get rid of them. Let's set the premise. Generally, when you have to access any restricted data or you need to access a system, you have to authenticate yourself. You probably actually had to log in to watch my video today. In the market right now, the most common method of authentication, unfortunately, is the use of a username and password combination. Passwords are interesting. To make them secure, you need to make them complex, you need to change them regularly, and you need to ascertain that you don't use the same password across different websites. Well, you can see where this is going. To make it really secure, we actually make it very complex. By making it very complex, we incentivize the users to try to find ways to bypass the security that we have put in place. Actually, some users will just write down their passwords where they can actually see them, where they are, and remember them. By making it that complex, we are actually defeating the purpose that the password was supposed to give us as an edge of security. On top of that, passwords are quite easy to crack. They're also quite susceptible to phishing attacks. That's the problem, and on top of that, if you think about it, well, just the fact of resetting a password can actually put quite a lot of burden on IT support budgets. We get it, passwords suck. Surely multi-factor authentication can solve this problem. Well, the truth is, anything is better than using just a username and password. But unfortunately, not all multi-factor authentication methods are created equal. A lot of the multi-factor authentication methods available in the market right now are highly susceptible to phishing attacks. It could be one-time passwords, it could be mobile push, it could be SMS codes or e-mail codes. That leaves you quite open to phishing attacks and leaves your account open to account takeover, which is pretty not good.

Let me illustrate this. As usual, a phishing attack will start by getting you to a fake website. You could be redirected there through a link in an e-mail, an SMS, or a phone call. Nobody knows. There are so many methods to use. You get to that fake web page and it has the exact look and feel that you would expect from your regular website. You feel a sense of trust and you start an authentication process. Now, as soon as you start putting in your username and password, the attacker intercepts it and simultaneously starts a login flow on the real website. Now, the real website, having traditional multi-factor authentication in place, starts the MFA flow, and you will potentially get a mobile push or an OTP or an SMS coming to you, and you, thinking that you're actually on the real site, will act on that. Now, of course, when you act on that, they can send you maybe to a fake login page, which makes you feel like you have actually succeeded in your login, or they can actually just tell you, "Well, your login has failed and you have to try it again." The problem here is, while this is happening on your side, well, the attacker gets access to the real system and he can go in and change whatever he has to do on your account. This is quite a big problem. Clearly usernames and passwords do not work, and traditional MFA seems to fall through as well.

What should we use? Well, in our opinion, the answer to this is passwordless authentication. That is a form of authentication that doesn't require you, the user, to provide a password to log in. Generally, to make this stronger, we would try to combine a couple of the authentication factors: something you know, something you have, and something that you are. One of the things which is important here to talk about is the difference between a PIN and a password. People think that passwords and PINs are not very different because they're all made of alphanumeric characters. Well, the difference is a password usually gets sent to the service itself, whereas a PIN does not. A PIN is just used to authenticate yourself to the local device that you have, for instance, a YubiKey. Or you can actually think of credit cards: when you use them and you put in a PIN code to ascertain who you are, this is used to unlock the credit card and not the service itself. Yubico, Microsoft and a few other actors in the industry have combined their efforts to come up with an authentication protocol which satisfies this need for strong passwordless authentication: FIDO2. FIDO2 offers you a passwordless authentication experience which combines something you have, a YubiKey, with something that you know, a PIN code, or something that you are, a fingerprint. The whole protocol is based on public key cryptography, which makes it highly resistant to phishing attacks.

The good news is passwordless authentication is available for users of Azure Active Directory. What do you need to make it work? Well, you need Microsoft Azure Active Directory first of all. Any edition will work, even the one included in your M365 subscription. You need a compatible web browser. The good news is, most of the commonly used web browsers, if you go on their latest edition, will be able to support a passwordless authentication flow. You definitely need a YubiKey, of course, and if you want to extend passwordless to opening your Windows login session, you need at least Windows 10, build 1903.

Let's see how to enable FIDO2 authentication in Azure AD. The first thing that you have to do is to log in to portal.azure.com, then you click on Security, then on Authentication methods. Finally, you click on FIDO2 Security Key, select Yes and click Save, and we're good to go on the next step. The next step is to associate the YubiKey with your account. The thing that you have to do is first of all to launch your favorite compatible FIDO2 browser, navigate to myprofile.Microsoft.com, and log in with your username and password as you would usually do. You will probably need to input any additional code that is required from you. Just wait a little bit for the login process to be completed. Once you're in, you will click on Update Info under Security info. It takes a little bit of time to work, but then you click on Add method and select Security key. Really, at this point it's just a matter of following the prompts on the screen. Put in your YubiKey, touch it when you're asked to do it and, obviously, you will have to set up a PIN, as we have discussed a little bit earlier. Once this is done, you will be set to actually log in passwordlessly to your account the next time you want to access it.

Let's try to see how it works in real life when we're trying to access something using passwordless. As usual, use your favorite FIDO2 compatible web browser and navigate to office.com, for instance. When the sign-in page comes in, you can click on Sign-in options and select Security key. Again, it's quite simple, just follow the on-screen prompts and put in your PIN code when it's required and voila, you will be logged in quite easily and have access to all of the web applications that you wanted. As you have seen, FIDO2 passwordless authentication can be set up and used with quite little effort. It's quite easy to put in place and even users find it quite easy to use.

Where should we use it in an enterprise? Well, really, passwordless authentication can be used in multiple scenarios. We can use it to secure privileged accounts. That could be administrators or executives in your account who have access to very critical information. We can also use it to protect access to shared workstations. For instance, if we're talking about firstline workers who have to share the same device, it's very easy for them to log in using a YubiKey in passwordless mode. Obviously, we can also use a YubiKey with FIDO2 passwordless in mobile-restricted environments, if we're talking about, for instance, a call center. Definitely, it can also be used for your office workers, just your regular office workers, or even for people working from home, as we know these days most people are actually working from home. We can also use passwordless authentication to secure authentication from third-party contractors that might be working in our company right now. Last but not least, well, you have the possibility of implementing passwordless authentication for your end customers. Be it bank customers or retail customers, this is possible to be done.

Now that we have talked about passwordless, we do understand that moving to a completely passwordless world will take some time. This is why, when we created the YubiKey, we made it so that it can be the perfect bridge to passwordless. What I mean by that is that the same YubiKey that you have can be used with your existing environment on-premises, with everything that you might be having inside your organization: Active Directory, for instance, or Active Directory Certificate Services. But the same YubiKey can actually help you go towards the Cloud and the passwordless future without having to change the authenticator. Usually, when we get a question about how do I authenticate this, how do we get it to all our users? Well, Yubico came out with two services which we call YubiEnterprise Services: YubiEnterprise Subscription and YubiEnterprise Delivery. What those two services can give you is the ability to get the keys in the hands of your users across the world in a predictable and hassle-free manner.

What's next? Well, first of all, we would like to get some feedback. Tell us what you enjoyed about this session and what we can probably improve. Visit the Yubico website to learn a little bit more about what we're doing, the innovation we're driving, and what else is on the roadmap for us. You can also join our developer program to get access to passwordless integration resources. If you want to add passwordless authentication to your own website, well, you can get the, I would say, starter kit to help you on this journey. But most importantly, try it out. Get in touch with us and we will be able to help you on the passwordless journey together with Yubico. Thank you very much.
Info
Channel: Microsoft Ignite
Views: 688
Rating: 5 out of 5
Keywords: igfy21q3, ignite, ignite 2021, microsoft ignite 2021, microsoft ignite, microsoft, msft ignite 2021, msft ignite, ms ignite 2021, ms ignite, OD388, Enabling strong passwordless authentication at scale | OD388, Security, Session, Akiko Honda, Ashvin Saminathen, CISSP
Id: A4esec02n-o
Length: 12min 21sec (741 seconds)
Published: Thu Mar 04 2021