Moving on from passwords to strong authentication and adaptive access policies is key to improving security without hurting productivity, especially given the increase in remote working.
Data breaches, phishing, ransomware: the specifics may change, but stolen credentials are behind 80% of attacks. “Usernames and passwords are just inherently not secure,” CVP of Microsoft’s Identity Division Joy Chik tells TechRepublic. Plus, no one actually likes passwords — we just put up with them.
“The better way to protect the user is to provide a more intuitive, more friendly experience and a more secure way through passwordless,” Chik says.
MFA (multi-factor authentication) has been available for Azure AD accounts since 2014, but adoption has been slow. “MFA — that’s username, password and another factor — is hard for users to adopt; it’s complex and the password is still there, so at many of our enterprise customers, IT just doesn’t turn on MFA,” says Chik. “Turning on passwordless makes management much simpler, it reduces the cost; it makes the adoption of what’s basically multi-factor authentication more secure and with a better user experience.”
Now that biometrics like Windows Hello cameras are in many laptops, authenticator apps are common on smartphones and smartwatches, and Apple has at last announced support for FIDO 2, interest is increasing. In November 2019, 100 million Microsoft consumer and enterprise accounts were using passwordless authentication; by May 2020, that was up to 150 million.
As many as 90% of Microsoft’s own 150,000-plus employees have opted in to passwordless logins. “That illustrates that it’s not just a top-down IT push, but also because the users love it — and it’s more secure.” That’s a rare combination, Chik stresses.
It’s also a way to save money, Chik adds: “People don’t remember passwords, and there’s so much IT cost just in helping users reset passwords.” When Microsoft switched to passwordless, the support cost of managing passwords internally went down by 80%.
Secure but convenient
Remote working is a core scenario for Microsoft customers in enterprise, government and education for the rest of this calendar year, the next 12 months and likely beyond, Chik notes: “71% of employees and managers want to continue to work from home, especially when we don’t have COVID vaccination, but even in a post-pandemic world, people want the flexibility of being able to work from home.” That’s helping to put security, identity and MFA in the top five investment areas for security leaders, although CISOs need to improve security for remote workers without reducing their productivity.
Adoption of MFA is already increasing, Chik says: “We try to encourage all our enterprise customers to turn on MFA; we even have a free MFA offering. We also worked really hard at getting customer feedback on how to simplify some of the deployment guidance and the deployment choices for admins.”
That’s helped MFA usage by Microsoft’s commercial customers increase by over 25%. “We started in the low single digits, and now it’s in the double digits — it’s not where we want to be, but the good news is that MFA is turned on by default for all the new tenants created in Azure A,” he says.
Chik hopes that more organisations will move to the Security Defaults that have been automatically applied to new Azure AD tenants since October 2019, and are available for all Azure AD tenants (including the free tier). Look under Manage/Properties/Manage Security Defaults in your Azure AD tenant configuration.
As well as turning on MFA for all users (using the Authenticator app rather than SMS), the defaults add extra verifications for key admin roles (and anyone accessing the Azure portal, CLI or Azure PowerShell) and block legacy authentication from older clients (like Office 2010 and POP3 applications), which stops password-spraying attacks.
More sophisticated customers will still use conditional access policies and the very few organisations that have opted out of Security Defaults on a new tenant have done it to turn on conditional access. “They’re using identity-based policy and granular controls instead of the traditional VPN policy, so that they can set — based on the users, their devices and network — what applications they are allowed to access and what sensitive documents they are allowed to access,” Chik tells TechRepublic.
Enabling access to legacy applications has often been the blocker for turning on MFA; the challenges of COVID and the economy mean that remote work and reducing costs are both pushing organisations to deal with that issue by using Azure AD to move the authentication for those legacy systems to the cloud. “Efficiently consolidating different systems is something they’re eager to do,” Chik explains. “Because we provide platform support for passwordless, customers who are connecting to the applications using Azure AD don’t even need to reimplement their applications; passwordless would just work.”
The Microsoft 365 and Office 365 Secure Score feature also acts as an incentive by offering a comparison to similar organisations in the same industry sector, Chik says. “We say ‘hey, your peer group is at this Secure Score level’ and I think that helps them say ‘as a CSO, as an identity architect, why is my company below that average, and what things do I need to do to improve that?’ With Security Defaults, when we turn on MFA we already turn the knobs that get them to a Secure Score that’s comparable to the range of their own peer group. Now we give them a simplified recipe they can quickly deploy and they have the ability to customise conditional access policies on top of that.”
That wasn’t me
Another new feature encourages users to opt in.
Giving you a way of seeing whether someone is trying to attack your account — the way some online banking sites show the date and time of your last successful login and the most recent failed attempt to get into the account — is such a useful idea it’s surprising that it’s not more common. Many people assume that their account and their company aren’t important enough for anyone to attack, but new Azure AD My Sign-ins feature is a bit of a wake-up call: in the last five days alone, there have been failed attempts from Ecuador, Russia, Zurich and Amsterdam to access my Office 365 account.
The idea isn’t to scare people into changing the password, unless the attacker actually managed to log in; instead, if you click the link to say you don’t recognise an unsuccessful login attempt, you’re prompted to review the way you sign in and maybe switch to MFA. Particularly suspicious account access will show up at the top of the list, and you can mark any false positives so you don’t keep getting warned if it’s just that you’ve started going back to the coffee shop instead of working at home all the time.
Attacks are still possible with passwordless authentication; instead of tricking users into giving up passwords (or taking advantage of how many people pick weak passwords or reuse strong passwords they’ve gone to the effort of memorising), attackers will have to extract and replay tokens.
“We’ll continue to work with the industry on that, as well as building into the platform how to make sure that the access token itself is able to be bound — ideally — to the device, but also binding it to the applications and the network conditions,” Chik says.
“We’ll continue to push on that button, but by embracing passwordless with MFA support, [our telemetry in Azure AD shows] we can increase the security posture [of an organization] by 99.9%.”