- Good afternoon, everyone.
It's great to see such a big crowd
at 4:30, on a Wednesday, but I'm really glad you guys came.
I'm Manini, I am a Product Manager at Azure Identity
and I'm here to talk to you today about Microsoft Strategy
for going passwordless.
So, it is 20 minutes, so it will be brief,
and I will try to have fun demos to keep things exciting
and if you have any questions you can let me know later on.
So, instead of boring you about why passwords suck,
I suspect that, because you are in this session,
you know why passwords are crappy.
But I'd still like to give you three evocative statistics
about why passwords are really bad.
So the first one is around the fact that
security incidents are increasing in
enterprises, year by year.
So, from the previous year to last year,
the security incidents grew by 279 percent
and our-- essentially,
Brad Smith yesterday in his session said that
security is really the new battlefield.
And it's because it is
increasingly becoming a problem for people.
And then, the next statistic is around
the hacking related breaches.
When attacks result in an actual hack,
81 percent of them leverage stolen or weak passwords.
And the reason why this happens is because usernames
and passwords are such a hassle for users to remember.
They just reuse the same ones over and over again
and when one gets compromised, they all get compromised.
And lastly, it's also a cost problem.
So, 20 percent of support costs
for enterprise IT departments
are for supporting forgotten passwords.
So it's not only a security problem, a user problem,
but also, at the end of the day, it costs money.
So, no one likes passwords.
Well, no one likes traditional 2FA either.
And by traditional 2FA, what I mean is
passwords where you have to type in a username, a password
and then on top of that, fish out your phone
or go into your email, grab a number, type it in.
So the added hassle of remembering a password,
now you have to do this extra step.
No one likes that either.
So when we think about really the search for the better,
passwords fall in somewhere between convenient and
inconvenient if you remember it or not,
and then passwords plus standard 2FA -
it's more secure but definitely not more convenient.
So, essentially the only way we are going to get
real adoption from users,
and topple the institution of passwords
is if we have a solution that's not only secure,
but also convenient.
So that's where passwordless comes in.
So how's Microsoft approaching passwordless?
Well, so, one thing we're doing is that
we're striving towards the north star,
which is comprised of two promises.
So, the first one is a user promise,
which is around the fact that
any user shouldn't have to deal with passwords
on a day to day basis.
But we can't call the job done until
the security promise is achieved.
Which is that the actual credentials cannot be cracked,
breached or phished.
And the real true way of doing that,
is actually to eliminate passwords
from the Directory itself.
So, how do we think we're gonna get there?
Well so what we have been doing
over the past few years, is we have been developing
alternative credentials to passwords.
So, Windows Hello is a good example of that.
And the idea is that, as we have developed it,
we have deployed and piloted
all these different alternative credentials
so that our users can start giving us feedback
about what works well and what doesn't.
And as we're deploying and piloting,
what we're doing is,
we're trying to simplify our credential management story.
Cause, even if we come up with
really great passwordless solutions,
it's not going to work until users have an
easy time provisioning it
and enterprises have an easy time deploying it.
So the idea is that this is very iterative,
and we have to work with our customers to
achieve a good solution
so that eventually when we get there,
we can eliminate passwords.
So, it's very iterative.
I wish I could come here
and give you four simple steps to doing it,
but it's messy, and that's really the point
of this very iterative cycle.
So, the way that I want to talk to you about
our passwordless story,
is really with three different platform stories.
And the reason is we think that
at any given point a user, or an organization,
will most likely have at least two of these
types of devices.
So, let's start with Windows 10.
The three main solutions,
passwordless solutions, we offer in Windows 10
are Microsoft Authenticator App,
Windows Hello and then the new FIDO security keys
that allow you to sign into Windows Hello.
So, let's start with the Authenticator App.
So how many of you have actually used
the Authenticator App before?
Okay, so not a lot.
So, I really encourage you to use the Authenticator App,
because it's a great way to get passwordless
right now and it's really something that's available now,
so for consumer accounts, you can already get signed into
your account without a password
and we're bringing in the
support for Azure Active Directory very soon.
So, I'll quickly give you a demo.
I've never done this demo before,
but I'll sign into my work account at Microsoft
using the Microsoft Authenticator App.
Let's just hope the Wi-Fi
and the Internet gods are with me here.
So this my work email account.
So, it sent me a notification to my phone,
and then, it's going to be--
Oh, sorry.
I don't know why you're not seeing it.
Do you know why it's not--
cause on my screen it's doing that.
- That's the computer you want to see?
Now you're on. You're seeing what --
- Let me duplicate maybe.
Okay
So I typed in my email address
and what I got is a notification to my phone,
and then on the phone it's asking me to type in that number
so I can prove I'm actually here.
And then after I type in this number
it's asking me for my Touch ID.
I wish I could show this to you on the big screen,
but it's asking me for my Touch ID
and once I use this,
it's actually going to sign into my work account.
And I haven't actually used a password at any point.
And yeah, it's gonna ask me
if I want to stay signed in
so I get Single Sign-On to all my resources.
So, this is something that we
anticipate is coming very soon.
We believe around the June time frame.
So anyone who has the Microsoft Authenticator App
rolled out for their organization today
for multifactor authentication will just get this for free.
I will go back to my--
Okay, so that was the Auth App.
Next is Windows Hello.
So how many of you have used Windows Hello?
Okay, so, Windows Hello's great.
It's been there for a few years now
and it gives you biometric and pin authentication to
Windows, the device itself, the web, as well as apps
and Hello for Business gives you all of that,
with the addition of giving Single Sign-On
to your on-prem resources
as well as some really great customizable features
like being able to do multifactor authentication unlock.
But, when we think about Windows Hello,
it's great for the designated PC scenario,
where there's a one-to-one relationship between
your device and the employee who's using it.
So for example, I use Windows Hello every day.
I really don't ever use a password.
But, when you think of shared PC scenarios
where you have either a retail store
that requires many employees to sign into one device,
or one person to have to sign into many different devices;
Windows Hello isn't really a great option
as it stands today.
So, that's where FIDO comes in.
So, actually, I will actually call on
Alex from Yubico to come up
and demo FIDO
with the Yubikey.
- So, I have two scenarios.
I can do the key or no key.
- Key. I think do the key.
- Key with PIN?
- Key with PIN, yeah.
- Okay.
I have three keys that have been provisioned to my...
So yeah. I have three keys that have been provisioned to my...
Can you hear me better now?
Okay. I have three keys that have been provisioned
to my Microsoft Active Directory domain-connected account.
So this device has been connected with
our Yubico Labs account
and I can do one with a PIN and one with just the key.
So I'll show you, it's super simple.
If you can hold this for me...
So, it's hard to see it up here
but it's saying just take an action on the key
I've inserted it into the USB-A port,
I touched the gold contact, which is touch capacitive.
So I've tested user presence and then I'm logged in.
If you need higher assurance,
you can also add a PIN with it.
So again, I'm going to insert the key into the USB-A port.
Sign out first.
So it comes up, I'm signed out.
It's going to pop up and ask me to enter my PIN
which is alphanumeric in this case.
I hit enter, and then it asks me to take action on the key.
And now it's in.
- So yeah, thanks Alex.
So I'll...
Yay.
So, I'll do another version of these two.
So this one is...
So this one is with another key vendor, Feitian.
So this is a biometric YubiKey.
So I plug it in
And it's going to ask me to take action,
and then, what I do, is I use my finger print
that's provisioned
sorry
and then I sign into my account
with this.
If I had more time
I would actually ask one of you to come
try to sign in with your finger print
and it wouldn't work I assure you.
But the idea is that once I sign in,
and this is my actual work account,
I can get Single Sign-On to all my office apps.
And all my cloud resources essentially.
I'll give it a second, and if it doesn't load
then I'll just move on.
But anyways, you get Single Sign-On
to all your cloud resources.
I cannot hear you.
- So there is a question here.
Is this, the devices, the FIDO and all those things, right,
is this supported only for Microsoft applications
or anything else? Any applications?
- So actually, if you give me..
You jumped right ahead of me.
So I'm going to go back to my presentation and
I will answer your question very shortly.
So, what you just saw
what you just saw actually is a FIDO2 key.
What FIDO is, is it's actually
an open standard for passwordless authentication.
So the idea is that
Microsoft, Google, PayPal, Yubico and a group of companies
essentially got together
and we decided that hey, passwordless only works well
if it doesn't just work solely with
one type of device or one type of identity provider.
It's got to work with everybody, so the point is
it needs to be as compatible as a password is, right?
So that's what FIDO is.
So, to answer your question, no.
The idea is that any platform can support FIDO,
and any device can become FIDO compatible
and that could be the little dongle you saw
or it could be a phone, or it could be a watch
or a wearable.
So really any device that abides by the standard
could be a FIDO compatible device.
And it's strong authentication by nature,
cause it combines something you have
with either something you are,
like the biometric app I used,
or something you know, like the PIN that Alex used.
And, the idea is that Windows is
a platform that supports FIDO
and browsers can also support FIDO.
Does that answer your question?
Okay, so, what we have available now,
in terms of what you can try
is the sign in to Windows with FIDO preview.
So, essentially the limitation is,
that you have to sign into an Azure Active Directory
joined PC with a FIDO security key.
You have an admin based provisioning experience,
because your IT admin has to run
a PowerShell script to provision these keys,
and you need to apply your provisioning package to enable
the FIDO credential provider that I used to sign in.
So if you are interested in trying this pilot,
I'll show you, at the end of this presentation,
an alias that you can email.
And then, what we have coming soon
in the near future
is the ability to sign into Azure Active Directory
on browsers that are FIDO compliant using FIDO.
We'll bring an improved provisioning story
and then lastly, we're also bringing hybrid support.
So that was our Windows 10 story.
For mobile, really, we have three options.
The first one is the Microsoft Authenticator App
that you saw me sign into. That works great on mobile.
The next one is a remote sign in with Session ID.
So the way that this works is that,
say I'm trying to sign into this phone
with a smart card or a FIDO key,
and I have no way to actually insert the key into this,
the way it works, is I can get a Session ID that I can use,
and then go to a device that I do sign into
with my FIDO device and I would join the two sessions
with some sort of an ID.
And then I'd sign into this guy,
and it'd actually sign me into this device.
And then from there, that point onward,
I'd get Single Sign-On.
So that's the other thing that we offer.
And then lastly, as I mentioned, FIDO is an open standard.
So we do predict that it would come to phones in the future
we just don't have a timeline for that yet.
And then, well, there's also people
that have legacy Windows OSes as well as Macs.
So how do you go passwordless on that?
Well, the idea is that us as a company,
we're not really investing heavily
in our legacy Windows OSes.
We're putting all the latest and greatest in Windows 10.
And Mac is an OS we don't control,
so the idea is that on a browser
Microsoft Authenticator App would still work.
So the demo I showed you, would work on any OS,
cause it's not tied to the OS or the platform,
but rather it's working through the website itself.
So that should just work.
And then the idea's that since FIDO is a standard,
if Apple adopts it,
then Apple would have their own implementation of FIDO
in their Macs.
So that's kind of the idea.
So what I recommend for getting started
on your passwordless journey is really four steps.
The first one is to enable multifactor authentication
and self-service password reset.
Multifactor Authentication is
really important at the moment,
because even if it's leveraging a password,
it's protecting your resources
and it's also getting users into the habit
of realizing a password alone is not enough.
Why I also advise enabling self-service password reset
is cause the more you start
deploying passwordless solutions,
the more users start to forget their password
when they need it.
So you need a very good way to actually
reset the password when you need it.
For example, at Microsoft, we barely ever use our password
so any time we actually have to remember it
in the odd chance, we reset it.
That's just the reality.
So that's why I say that's step one.
Step two is to adopt Windows Hello, and Hello for Business,
and Microsoft Authenticator App.
The reason why I say that is,
while it's not definitely
the complete passwordless solution yet
it gets your users into the habit
of not using passwords day to day.
And that's really the first step to getting passwordless.
Not necessarily getting rid of it all at once,
but getting rid of it slowly.
Getting feedback from your users,
and making sure you give us feedback about
what's working well and what's not.
The third one is around deploying a FIDO
proof of concept with your organization for FIDO.
Cause the idea is that we're working on this
and we're enabling all features in the future.
So the idea is, if you get involved now, with us,
you can give us feedback which will feed directly
into the product development.
So it's actually a great time to get started.
And then lastly, I already mentioned it;
give us feedback on what's working and what's not working.
And that will really,
we can work together to go to production
and make sure that we're bringing the right features in
and not necessarily just trying to guess on our end
what our users want.
So that's really all I have.
So, if you're interested in getting on the FIDO waitlist,
please email this alias.
And, yeah, if you want to connect with me,
there's my Twitter handle and you can add me on LinkedIn.
Well that's it. Thank you.
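The FIDO sign-in shown in the talk (touch the key for presence, PIN or fingerprint for user verification, and a credential that only works for the site it was registered with) can be modelled end to end. The following is an added example written for this page, not code from the talk, from Microsoft, Yubico or Feitian. It is a constructed Go model of the WebAuthn assertion step: a stand-in authenticator that signs authenticatorData || SHA-256(clientDataJSON) with a P-256 key, and a relying-party check of challenge, origin, rpIdHash, the UP/UV flags, the signature counter and the signature. Every name in it (Authenticator, RelyingParty, Login, login.example.com, the look-alike origin) is an assumption made for the example; registration and attestation are not modelled.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
)

// authenticatorData flags: UP = key touched ("have"), UV = PIN/biometric checked ("know"/"are").
const flagUP, flagUV = 0x01, 0x04

// Authenticator is a constructed stand-in for a FIDO2 key (hypothetical): a P-256
// key pair scoped to one relying-party ID, plus the signature counter real keys keep.
type Authenticator struct {
	Priv    *ecdsa.PrivateKey
	RPID    string
	counter uint32
}

func NewAuthenticator(rpID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{Priv: priv, RPID: rpID}, err
}

// signedMessage is SHA-256(authenticatorData || SHA-256(clientDataJSON)), computed by both sides.
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// Sign builds authenticatorData = SHA-256(rpID) || flags || counter and signs it
// together with the client data; userVerified models the PIN or fingerprint step.
func (a *Authenticator) Sign(clientDataJSON []byte, userVerified bool) (authData, sig []byte, err error) {
	a.counter++
	rpHash := sha256.Sum256([]byte(a.RPID))
	flags := byte(flagUP)
	if userVerified {
		flags |= flagUV
	}
	authData = append(rpHash[:], flags, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(authData[33:], a.counter)
	sig, err = ecdsa.SignASN1(rand.Reader, a.Priv, signedMessage(authData, clientDataJSON))
	return authData, sig, err
}

// RelyingParty holds what registration stored for one credential.
type RelyingParty struct {
	RPID, Origin string
	Pub          *ecdsa.PublicKey
	lastCounter  uint32
}

// Verify runs the relying-party checks; requireUV demands a PIN or biometric.
func (rp *RelyingParty) Verify(authData, clientDataJSON, sig []byte, challenge string, requireUV bool) error {
	var cd map[string]string
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil || len(authData) < 37 {
		return errors.New("malformed clientDataJSON or authenticatorData")
	}
	rpHash := sha256.Sum256([]byte(rp.RPID))
	flags, counter := authData[32], binary.BigEndian.Uint32(authData[33:37])
	switch {
	case cd["type"] != "webauthn.get" || cd["challenge"] != challenge:
		return errors.New("clientData type or challenge mismatch")
	case cd["origin"] != rp.Origin:
		return errors.New("origin mismatch: assertion was made for another site")
	case !bytes.Equal(authData[:32], rpHash[:]):
		return errors.New("rpIdHash mismatch")
	case flags&flagUP == 0:
		return errors.New("user presence not asserted")
	case requireUV && flags&flagUV == 0:
		return errors.New("user verification required but the key only checked presence")
	case counter <= rp.lastCounter:
		return errors.New("signature counter did not increase: replay or cloned key")
	case !ecdsa.VerifyASN1(rp.Pub, signedMessage(authData, clientDataJSON), sig):
		return errors.New("bad signature")
	}
	rp.lastCounter = counter
	return nil
}

// Login runs one exchange: fresh challenge, clientDataJSON for the real origin, assertion, verdict.
func Login(auth *Authenticator, rp *RelyingParty, origin string, uv, requireUV bool) error {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return err
	}
	challenge := base64.RawURLEncoding.EncodeToString(raw)
	cdj, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	authData, sig, err := auth.Sign(cdj, uv)
	if err != nil {
		return err
	}
	return rp.Verify(authData, cdj, sig, challenge, requireUV)
}
```

To exercise it, create an Authenticator for "login.example.com", build a RelyingParty with the same RPID, the origin "https://login.example.com" and the key's public key, and call Login with combinations of uv and requireUV: key plus PIN at the real origin verifies, a touch-only assertion is refused when UV is required, and an assertion the browser built for a look-alike origin fails the origin check even though the key's signature is valid. That last check is what makes the credential phishing-resistant: the origin is signed into what the relying party verifies, so a key used on the wrong site proves nothing to the right one. The counter check is a clone detector, not a replay defence on its own; the per-login challenge is what stops replay.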
