Password-less Auth using Azure AD | Best of Microsoft Ignite 2018

(slow techno beat)

– [Jeremy] Hello, and welcome to Microsoft Mechanics Live. Coming up, we're going to join Joy Chik, the CVP of Identity Engineering at Microsoft. We're going to look at the approach for delivering a secure and trusted identity solution across platforms and services, including a closer look at how we're taking steps to eliminate passwords, and the core steps to set all of this up with a password-less approach for your organization. But please give a warm welcome to Joy Chik, CVP of Identity at Microsoft. (applause)

– [Joy] It's great to be here, thanks for inviting me.

– [Jeremy] Alright, so more than ever, and I think we all see it in this room, identity and access management is really at the center of securing resources and access to data. Now, how do you think of this as the leader of the team behind Microsoft's identity solutions? What are we doing there?

– [Joy] Yeah, so I think we can all agree that the times have changed, that digital transformation is really happening everywhere. So we have moved beyond corporate perimeters, and people can now work from anywhere, they can use their devices everywhere, and they are using multiple cloud applications. So this really brings changes to how you need to think about security to secure your resources.

– [Jeremy] So what's the approach that we're taking here?

– [Joy] So we run some of the world's largest cloud services, and my team, we can detect and block tens of millions of attacks every single day. We know that over 82% of security breaches are caused by stolen passwords, so identity is really the most effective control plane to make you secure. You can make sure the right people have access to the right resources, and along with our machine learning and A.I. we can prevent attacks before they even happen, because we know who you are, where you're coming from, what devices you are on, as well as what applications and data you are accessing.

– [Jeremy] Right, and most people would probably say that as we impose more and more security controls, that inevitably has an impact on productivity or convenience. Aren't those opposing things?

– [Joy] Not necessarily. We think security and productivity really should complement each other, and we've learned that in order to have security you must have a highly productive environment. If we don't, our users will just work around the system. As I mentioned, most of the attacks are caused by stolen passwords. Users often reuse the same passwords across different apps, or choose weak passwords, or simply put them on a sticky note. This makes it very easy to expose your network to attack.

– [Jeremy] Right, and I think everybody here has probably seen a lot of these attack types and these breaches. Probably everybody in this room, myself included, has had credentials exposed or compromised. We've seen some really high-profile identity breaches even in the past couple of months.

– [Joy] Yeah, that's right, and maybe the breach was not disclosed, or even worse, it may not even be detected. We've been on a mission to eliminate passwords altogether. We're focusing on a password-less login experience that's both secure and user friendly. We've seen a lot of success with our Authenticator app for consumers, and so we're bringing that to Azure AD.

– [Jeremy] Great, so can
we see all this in action? How does it work?

– [Joy] Yeah, absolutely! Let me show you. I'm on a Mac, I just launched the Office web app, so first let me choose my email. Instead of prompting me for a password, I got a notification on my Authenticator app. I choose the number I see on screen, 13, and I confirm with my fingerprint. And now magic happens... and I'm in. (applause) That's it.

– [Jeremy] Very cool.

– [Joy] It's that simple. Not a single password.

– [Jeremy] And of course the great thing for users is that most people probably have their phones on them. It's probably one of the most convenient ways to log in, because I can't even leave the house without my smartphone.

– [Joy] Yeah, and it's one of the most secure ways as well, because a phone is something you own and your fingerprint is something you are. It is two factors in one, and it is a perfect balance between security and productivity.

– [Jeremy] So we've seen, in this case, the Mac against an iPhone here, but how does this process compare to Windows Hello?

– [Joy] I'm sure most people are familiar with the Windows Hello flow, where we use an infrared camera to do facial recognition. We also have other unique factors such as fingerprint to complete the authentication. Both Windows Hello and the Authenticator app use the same industrial-strength public/private key encryption. So it is as secure as a smart card, but a much better user experience.

– [Jeremy] Right, so you've
shown logging into Office 365. What other apps and services can you actually log into using this process?

– [Joy] Yeah, so Azure AD has integrated with hundreds of thousands of apps. It allows you to access your third-party SaaS apps, or your line-of-business and web apps, and of course all Microsoft apps that have the built-in single sign-on experience.

– [Jeremy] Alright, but what can we do in cases where maybe the users don't have a machine like this one with Windows Hello, or your Authenticator app? What can we do then to actually protect those users and the data on those devices?

– [Joy] Yeah, we've been working with the industry to develop the FIDO2 standards, so it enables a whole ecosystem of authenticators such as hardware security keys, or fingerprint readers, and much more. All coming very soon.

– [Jeremy] Very cool, so let's talk through the components to get this all up and running. What are the steps we need to do to set all this up?

– [Joy] So the first thing you need to do is enable MFA for everyone. If you have not done that yet, you should start with your admin accounts. We have defaults, like the default setting, to enable you to set that up for them, but we also have a detailed deployment guide to help your entire organization set up MFA, at the link that's shown. I recommend that as part of that set-up you also roll out the Authenticator app to all your users, so that they can install it and get their phone registered securely. Of course, users can also download the Authenticator app from their app store so that they can get going.

– [Jeremy] Right, and as admins, of course we can use things like Intune to enforce the installation of these on mobile devices. So you can get the installation that you would expect using MDM.

– [Joy] Yeah, and during public preview you also have to use PowerShell to add this new Authenticator app sign-in for the tenant, but it's a much better experience when we have the full feature rolled out for general availability.

– [Jeremy] Right, just this one Azure AD policy is used. It's very quick to get that set up, but just temporarily during the preview.

– [Joy] Yeah, and last but not least, users with the Authenticator app also need to do an additional step, which is enabling phone sign-in for their MFA account. But it's pretty straightforward; you can get detailed guides for both admin and user set-up at the link that's shown.

– [Jeremy] Okay, so we've seen password-less now. What if you're not ready to actually get this enabled and start using password-less auth?

– [Joy] Well, MFA should be your first step, because MFA alone reduces the risk of attack by 99.9%.

– [Jeremy] 99.9% is pretty impressive, I think. Most people here, because they were raising their hands earlier, are using MFA, and they realize the protection that you get there. It's pretty eye-opening, though, with that kind of protection.

– [Joy] Exactly, not turning on MFA is pretty much like driving without a seat belt. I know none of you in the audience would do that.

– [Jeremy] Right, so regardless of where you're at, then, we should be turning on MFA. That's something that's super important.

– [Joy] Yeah, and the
conditional access as well.

– [Jeremy] So now, with conditional access, this is something else that we can do to really set this up. Let me show you how conditional access works, because if you're new to it, it's part of Azure Active Directory. So here I've got some conditional access policies already set up. I'm just going to scroll over and show that I've got a baseline policy, which is new right now as well, that actually controls MFA for admin accounts, for example. And here you can see with conditional access we can look at which apps are included as part of that policy; the conditions that we want to apply, so we have everything from sign-in risk, like what's the risk of that user account, effectively, and the policy's going to apply to that device platform, so I can lock out specific versions of Android or iOS; location, so how risky is the location I'm logging in from, are there specific IP addresses that I trust; the client apps as well, something that's brand new, in terms of what apps do I trust, and protocols; and then finally, is this a managed device, or known to me, or not. So all these great options that we have to be able to get conditional access running. But it does have some good side benefits as well.

– [Joy] Yeah, and one of the benefits of conditional access is that it can help you reduce the number of prompts for MFA. By combining users, devices, locations and applications, as well as risk, along with our data and A.I., our conditional access engine can really know when we should allow, or block, or ask for MFA. It gives you a better user experience while still keeping the security promise.

– [Jeremy] Very cool, it's powerful and really underscores the importance of protecting our credentials and really moving away from these single-factor passwords, and getting modern identity and access management all in place. It's really a must at this point in time. So given everything we've shown today, where's the best place to get started?

– [Joy] There are three things that I would recommend all of you do right away. First is turn on MFA for yourself, as well as for your entire organization, because you can reduce risks by 99.9%. Second is protect all your apps with conditional access. And now, enable password-less. Come on the journey with us.

– [Jeremy] Very cool, thanks for joining us today, Joy, and also thanks for showing us the future of authentication with password-less auth. Of course, keep watching Microsoft Mechanics for the latest updates across Microsoft. Hit the subscribe button and follow us on Twitter. Thanks for watching, we'll see you next time.

– [Joy] Thank you! (applause)

(slow techno beat)
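The tenant-side steps the episode walks through (the preview-era Azure AD policy set from PowerShell, and a conditional access policy that requires MFA for everyone) as an added example script. This is not code from the episode or from Microsoft's documentation; it is written here as an admin would script those steps. It assumes the AzureAD and Microsoft.Graph PowerShell modules are installed, that the account used is a Global Administrator, and that `$BreakGlassGroupId` is a placeholder to be replaced with a real group object ID. The `AuthenticatorAppSignInPolicy` type and definition are the ones the 2018 preview documented; that preview mechanism has since been superseded by the Authentication methods policy (and the AzureAD module deprecated), so check the current docs before running Step 1 in a live tenant.

```powershell
# Added example, not from the Mechanics episode. Assumptions: AzureAD and
# Microsoft.Graph modules installed, Global Administrator account, and
# $BreakGlassGroupId replaced with a real group object ID from your tenant.

$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace

# --- Step 1 (preview-era): the "one Azure AD policy" enabling Authenticator phone
# sign-in for the tenant. Policy type/definition as the 2018 preview documented
# them; newer tenants use the Authentication methods policy instead.
Connect-AzureAD
$existing = Get-AzureADPolicy | Where-Object { $_.Type -eq 'AuthenticatorAppSignInPolicy' }
if (-not $existing) {
    New-AzureADPolicy -Type AuthenticatorAppSignInPolicy `
        -Definition '{"AuthenticatorAppSignInPolicy":{"Enabled":true}}' `
        -IsOrganizationDefault $true -DisplayName 'AuthenticatorAppSignIn'
}

# --- Step 2: Conditional Access policy requiring MFA for all users on all cloud apps.
# Created in report-only mode so sign-in logs can be reviewed before enforcing, and
# with the break-glass group excluded so a mistake cannot lock every admin out.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$policy = @{
    displayName   = 'Require MFA for all users (report-only)'
    state         = 'enabledForReportingButNotEnforced'   # change to 'enabled' after review
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# --- Step 3: read the policy back and confirm scope, state and control before enabling.
$check = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($created.id)"
'{0}: state={1}; users={2}; excludedGroups={3}; apps={4}; controls={5}' -f `
    $check.displayName, $check.state,
    ($check.conditions.users.includeUsers -join ','),
    ($check.conditions.users.excludeGroups -join ','),
    ($check.conditions.applications.includeApplications -join ','),
    ($check.grantControls.builtInControls -join ',')
```

Leave the policy in report-only state for long enough to see which sign-ins would have been interrupted, confirm the excluded break-glass accounts still sign in without MFA, and only then switch `state` to `enabled`. The per-user step Joy mentions (turning on phone sign-in inside the Authenticator app) is done by each user on their device and is not scriptable from the tenant side.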
