Hey there! Thanks for joining me today. I really hope you're having an amazing time at Ignite and enjoying all the sessions to follow. My name is Ashvin Saminathen, I work at Yubico, and today I'll be telling you about something that we deeply care about: passwords and, most importantly, how to get rid of them.

Let's set the premise. Generally, when you want to access any restricted data or you need to access a system, you have to authenticate yourself. You probably actually had to log in to watch my video today. In the market right now, the most common method of authentication, unfortunately, is the use of a username and password combination.

Passwords are interesting. To make them secure, you need to make them complex, you need to change them regularly, and you need to ascertain that you don't use the same password across different websites. Well, you can see where this is going. To make it really secure, we actually make it very complex. By making it very complex, we incentivize the users to try to find ways to bypass the security that we have put in place. Actually, some users will just write down their passwords where they can actually see where it is and remember it. By making it that complex, we are actually defeating the purpose that the password was supposed to give us as an edge of security. On top of that, passwords are quite easy to crack. They're also quite susceptible to phishing attacks. That's the problem, and on top of that, if you think about it, well, just the fact of resetting a password can actually put quite a lot of burden on the IT support budgets.

We get it, passwords suck. Surely multi-factor authentication can solve this problem. Well, the truth is, anything is better than using just the username and password. But unfortunately, multi-factor authentication methods are not all created equal. A lot of the multi-factor authentication methods available in the market right now are highly susceptible to phishing attacks. It could be one-time passwords, it could be mobile push, it could be SMS codes or e-mail codes. That leaves you quite open to phishing attacks and leaves your account open to account takeover, which is not good.

Let me illustrate this. As usual, a phishing attack will start by getting you to a fake website. You could be redirected there through a link in an e-mail, an SMS, or a phone call. Nobody knows; there are so many methods to do it. You get to that fake web page and it has the exact look and feel that you would expect from your regular website. You feel a sense of trust and you start an authentication process. Now, as soon as you start putting in your username and password, the attacker intercepts it and simultaneously starts a login flow on the real website. Now, the real website, having traditional multi-factor authentication in place, starts the MFA flow and you will potentially get a mobile push, an OTP, or an SMS coming to you, and, thinking that you're actually on the real site, you will act on that. Now, of course, when you act on that, they can send you maybe to a fake login page, which makes you feel like you have actually succeeded in your login, or they can actually just tell you, "Well, your login has failed and you have to try it again." The problem here is, while this is happening on your side, well, the attacker gets access to the real system and he can go in and change whatever he has to do on your account. This is quite a big problem.

Clearly usernames and passwords do not work, and traditional MFA seems to fall through as well. What should we use? Well, in our opinion, the answer to this is passwordless authentication. That is a form of authentication that doesn't require you, the user, to provide a password to log in. Generally, to make this stronger, we would try to combine a couple of the authentication factors: something you know, something you have, and something that you are.

One of the things which is important to talk about here is the difference between a PIN and a password. People think that passwords and PINs are not very different because they're all made of alphanumeric characters. Well, the difference is that a password usually gets sent to the service itself, whereas a PIN does not. A PIN is just used to authenticate yourself to the local device that you have, for instance a YubiKey. Or you can actually think of credit cards: when you use them and you put in a PIN code to ascertain who you are, this is used to unlock the credit card and not the service itself.

Yubico, Microsoft and a few other actors in the industry have combined their efforts to come up with an authentication protocol which satisfies this need for strong passwordless authentication: FIDO2. FIDO2 offers you a passwordless authentication experience which combines something you have, a YubiKey, with something that you know, a PIN code, or something that you are, a fingerprint. The whole protocol is based on public key cryptography, which makes it very highly resistant to phishing attacks.

The good news is passwordless authentication is available for users of Azure Active Directory. What do you need to make it work? Well, you need Microsoft Azure Active Directory first of all. Any edition will work, even the one included in your M365 subscription. You need a compatible web browser. The good news is, most of the commonly used web browsers, if you go on their latest edition, will be able to support a passwordless authentication flow. You definitely need a YubiKey, of course, and if you want to extend passwordless to opening your Windows login session, you need at least Windows 10, build 1903.

Let's see how to enable FIDO2 authentication in Azure AD. The first thing that you have to do is to log in to portal.azure.com, then you click on Security, then on Authentication methods. Finally, you click on FIDO2 Security Key, select Yes and click Save, and we're good to go on to the next step.

The next step is to associate the YubiKey with your account. The thing that you have to do is first of all to launch your favorite compatible FIDO2 browser, navigate to myprofile.Microsoft.com, and log in with your username and password as you would usually do. You will probably need to input any additional code that is required from you. Just wait a little bit for the login process to be completed. Once you're in, you will click on Update Info under Security info. It takes a little bit of time to work, but when you click on Add method, select Security key. Really, at this point it's just a matter of following the prompts on the screen. Put in your YubiKey, touch it when you're asked to do it and obviously, you will have to set up a PIN, which we have discussed a little bit earlier. Once this is done, you will be set to actually log in passwordlessly to your account the next time you want to access it.

Let's try to see how it works in real life when we're trying to access something using passwordless. As usual, use your favorite FIDO2-compatible web browser and navigate to office.com, for instance. When the sign-in page comes in, you can click on Sign In options and select Security key. Again, it's quite simple, just follow the on-screen prompts and put in your PIN code when it's required and voila, you will be logged in quite easily, and have access to all of the web applications that you wanted.

As you have seen, using FIDO2 passwordless authentication can be set up and used with quite little effort. It's quite easy to put in place and even users find it quite easy to use. Where should we use it in an enterprise? Well, really, passwordless authentication can be used in multiple scenarios. We can use it to secure privileged accounts. That could be administrators or executives in your account who have access to very critical information. We can also use it to protect access to shared workstations. For instance, if we're talking about firstline workers who have to share the same device, it's very easy for them to log in using a YubiKey with the passwordless mode. Obviously, we can also use a YubiKey with FIDO2 passwordless in mobile-restricted environments, if we're talking about, for instance, a call center. Definitely, it can also be used for your office workers, just your regular office workers, or even for people working from home, as we know these days most people are actually working from home. We can also use passwordless authentication to secure authentication for third-party contractors that might be working in our company right now. Last but not least, well, you have the possibility of implementing passwordless authentication for your end customers. Be it bank customers or retail customers, this is possible to be done.

Now that we have talked about passwordless, we do understand that moving to a completely passwordless world will take some time. This is why when we created the YubiKey, we made it so that it can be the perfect bridge to passwordless. What I mean by that is that the same YubiKey that you have can be used with your existing environment on-premises, with everything that you might be having inside your organization: Active Directory, for instance, or Active Directory Certificate Services. But the same YubiKey can actually help you go towards the Cloud and the passwordless future without having to change the authenticator.

Usually we get questions like: how do I authenticate this? How do we get it to all our users? Well, Yubico came out with two services which we call YubiEnterprise Services: YubiEnterprise Subscription and YubiEnterprise Delivery. What those two services can give you is the ability to get the keys in the hands of your users across the world in a predictable and hassle-free manner.

What's next? Well, first of all, we would like to get some feedback. Tell us what you enjoyed about this session and what we can probably improve. Visit the Yubico website to learn a little bit more about what we're doing, the innovation we're driving, and what else is on the roadmap for us. You can also join our developer program to get access to passwordless integration resources. If you want to add passwordless authentication to your own website, well, you can get the, I would say, starter kit to help you on this journey. But most importantly, try it out. Get in touch with us and we will be able to help you on the passwordless journey together with Yubico. Thank you very much.
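The relay attack the talk walks through, and why the FIDO2 public-key flow resists it, as an added example that is not part of the talk or of any Yubico or Microsoft code: a standard-library-only Python model of the browser's rpId check and the relying party's origin and rpIdHash checks. The rpId `idp.example`, the fake origin and the HMAC stand-in for the credential's signature are all constructed for this demo.

```python
import hashlib, hmac, json, secrets

# Constructed demo: a simulated FIDO2 authenticator registered with one relying
# party (RP). The asymmetric signature is stood in by HMAC over the exact bytes
# a real authenticator signs, so the demo runs with the standard library only.
RP_ID = "idp.example"                 # hypothetical RP id (the IdP's domain)
RP_ORIGIN = "https://" + RP_ID
CRED_KEY = secrets.token_bytes(32)    # stands in for the credential key pair
AUTH_DATA_FLAGS = b"\x05"             # user present + user verified (PIN)

def browser_get_assertion(page_origin, rp_id, challenge):
    """Browser side of a WebAuthn get(): the browser, not the page, fills in
    the origin it is really showing and refuses rpIds the origin cannot claim."""
    host = page_origin.split("://", 1)[1]
    if host != rp_id and not host.endswith("." + rp_id):
        raise ValueError("rpId %r not allowed for origin %r" % (rp_id, page_origin))
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    # Authenticator signs authData (rpIdHash || flags || counter) || SHA-256(clientData).
    auth_data = hashlib.sha256(rp_id.encode()).digest() + AUTH_DATA_FLAGS + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    return client_data, auth_data, hmac.new(CRED_KEY, signed, hashlib.sha256).digest()

def rp_verify(client_data, auth_data, sig, expected_challenge):
    """Relying-party checks from the WebAuthn assertion verification steps."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:                                # origin binding
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():    # rpIdHash binding
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(CRED_KEY, signed, hashlib.sha256).digest(), sig)

def legitimate_login():
    challenge = secrets.token_hex(16)
    return rp_verify(*browser_get_assertion(RP_ORIGIN, RP_ID, challenge), challenge)

def relayed_phish(fake_origin="https://fake-login.example"):
    """The relay from the talk: the attacker starts a real login, gets the RP's
    challenge and has the fake page ask the user's key to answer it."""
    challenge = secrets.token_hex(16)          # issued by the real RP to the attacker
    try:                                       # fake page asks for the real rpId
        assertion = browser_get_assertion(fake_origin, RP_ID, challenge)
    except ValueError:
        # Browser refused; the fake page can only use its own rpId, which the RP rejects.
        assertion = browser_get_assertion(fake_origin, fake_origin.split("://")[1], challenge)
    return rp_verify(*assertion, challenge)
```

A real security key would additionally have no credential scoped to the fake rpId at all; the demo lets it sign anyway to show that the relying party's origin and rpIdHash checks reject the relayed assertion on their own.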