Raiders of the lost password

At Microsoft Ignite this year, a conference for IT support partners, I decided to focus on security. This is a boardroom conversation right now and as I type various news stories exist about major companies who have been breached – and I imagine, a lot more stories exist than are published! 

The first session I attended was called “Raiders of the Lost Password” which was all about protecting your user logins and choosing your authentication methods. 

It’s easy to assume, as technologists, that everyone out there has already deployed a 2-factor system, but a quick show of hands in the session proved this simply isn’t true! There are a lot of misconceptions out there about securing logins, the most common reasons I have heard for avoiding it are already being addressed by Microsoft:   

• “It’s too complicated” or “it slows down my users” – push notifications on your smart phone take seconds to approve, and we already use Conditional Access to limit the situation where 2-factor applies, so the impact is only felt when it should be. 
• “My users don’t have corporate devices” or “my users refuse to provide their phone number” – with self-enrolment, your business and/or IT department don’t receive the number, and if you choose to use the Microsoft authentication app, it is free to install on your device, you don’t need to provide the number – AND you can even use it for your personal accounts, such as Facebook and Hotmail! 

Recently, I’ve even heard “my users don’t want to provide their fingerprints or face for the biometrics as they don’t trust the vendor.” While this is a complex scenario, Microsoft is working hard to address it – they already publish their policies on the governance and ethics surrounding storage and use of biometric data, and I believe this will become far more regulated and commonplace in the coming years.  That said, it is key as an individual to understand your own rights on this – it’s your data, data about you!  See a blog of mine from last year at Dell Technology World around AI for more on this!

Traditional

The big headline for this session is “PASSWORDS ARE DEAD“, highlighting the fact that all your password really does is prove that you know the username and password – it doesn’t prove that you are the individual to whom they were issued. 

Your first factor is typically “something you know” your username and password, the legacy. This had the other purpose of telling the system WHO we are trying to authenticate.  Unfortunately for all those people NOT using the 2nd factor, the same problems with username and password that have existed for 20 years, still exist. Social engineering, 20-year-old software tools and man-in-the-middle attacks, to name but a few. 

Now

Enter the new way – or for around 50% of us apparently, the existing way!  Our 2nd factor needs to be something else, typically we use “something you have“:   

• A Physical key – an RSA token for example 
• Receiving a PIN through a phone call or text message 
• Mobile applications – for example, the Microsoft Authenticator 

The pros of these methods are that they increase security, they prevent people from taking advantage of passwords, by doing this they reduce corporate risk – which always makes the purse holders happy!  The cons are unavoidable – as a physical device, which needs to be remembered!  It could be left somewhere, stolen, lost etc.  

Along comes the next factor and it’s already commonplace among Smartphone holders now – biometrics, something completely unique to you.  You can’t forget, lose or have your fingerprint/face stolen – not easily anyway. Still, though, you do need to provide the first factor, and in theory with some special social engineering – they can still get your password and username.   

Next (although in some cases, now…!)

The next step, according to industry experts is password-less authentication!  Essentially, this new and highly secure factor becomes your ONLY factor.  This factor is validated in a number of ways – but essentially, we are separating that validation away from the authentication process.  The simplest example is advanced biometrics. 

When biometrics first came out, you could literally hold up a black and white photo of your face and it would let you in!  Today, facial recognition (and fingerprint to a degree) use an ever-increasing array of techniques like a thermal signature to improve recognition and liveness detection. It’s checking to see that you are in fact a human, enhanced with AI – so rather than just being a replacement password, this factor contains who you are as a user, but also validates that you are that individual – simultaneously. 

Microsoft uses this to their advantage by completing these checks at a corporate level and using certificate backing to replace the passing of passwords. Meaning you don’t need to type the password at all if you don’t want to.   

The only remaining downside is that the password and everything about that authentication stays within the session. Under the hood, nothing has really changed – the password is still present.   

The next level

Now we come to the highlight, FIDO2 – Fast IDentity Online.  Created by a group of vendors, this new standard enables your users (or you) to use a physical token, your key, which contains YOUR identity.  This is completely independent of the resource you are trying to access, it never passes the credentials through the session but generates a private key that is passed – informing the resource vendor of who you are, and that you have been authenticated as that individual. 
  
This concept kind of flips authentication on its head for me, instead of the vendor issuing you with credentials, you tell the vendor in advance who you are – then you verify that each time you interact.  Your biometric data stays with you, and so do your credentials.  

Yubico is the most commonly supported and mass-marketed product right now.  They provide a selection of options from a simple key with a PIN code, to a version with a full-blown fingerprint sensor on board and NFC so you don’t need to plug it in (although that option is still available).   

In summary

When I say “the next level“, it’s actually here today – true passwordless authentication. Right now, it is in preview on Azure AD, but given the interest in the consumer market and the way Microsoft is pushing it, combined with the marketing forces of companies like Yubico, I doubt it will be long before it is GA.   

On the question of “so what should I do with my authentication today?” a key point to remember is it’s not just the good guys that have all the technology mentioned above, the bad guys also have it too; Machine Learning, AI, cognitive services etc. So we as businesses NEED to continually review, innovate and improve our security in order to stay ahead of the very real threats out there today. 

For more information about business security, contact us today. We’re happy to help.