It’s a really nice and sunny winter day in Sweden today and I just got back from an inspiring lunch walk in a nearby forest from where I live. I always listen to something when I walk and today it was the latest episode of The Endpoint Zone with Brad Anderson, corporate vice president of Microsoft. This blog post is my take on what Microsoft is doing around password-less authentication and Conditional Access.
Brad and his co-host Simon May interviews Chief Information Security Officer, Bret Arsenault on how Microsoft implemented Conditional Access. For me, this was very interesting to hear since CA is one of my favorite topics nowadays and I try to spread knowledge and a good understanding in what Conditional Access is and how it is one of the most important security features in Azure AD.
Brad and Simon demonstrates some of the lesser known CA features like how to allow unmanaged devices to access corporate data without the ability to download or locally store anything on the device. This CA feature is called App Enforced Restrictions and I’ve previously shown how to implement this feature in my Azure AD Conditional Access Policy Design Baseline.
Bret explains in the video how Microsoft made their journey from a parameter based security strategy to an identity based one and he boils it down to three very important functions to implement:
- MFA for everyone
- Conditional Access
- Password-less Authentication
Password-less Multi-Factor Authentication
MFA has been around for many years now and I heard somewhere that an account that is MFA protected is 99.9% more secure than an account just protected by a username and password. I believe this is true since a hacker would also need the other factors like a phone, fingerprint or face to get access.
So, everyone should use MFA! Everyone, not only administrators!
The next step is to implement Conditional Access. If you haven’t implemented CA yet and don’t have a clue on how to set it up, feel free to use my baseline as a starting point for your implementation.
The third step is to get rid of all passwords and Microsoft has just released the possibility to login to Azure AD without the need for a password. Instead, you use the Microsoft Authenticator App with a PIN or bio metrics to confirm that you are who you say you are. Microsoft has collected information about password-less here.
And just to make things clear, passwords and PINs are not the same thing. Passwords are stored in Azure AD and Active Directory while PINs are local to the device. PINs can’t be used for remote access which makes them a lot more secure.
As an alternative, Microsoft also recently announced that they now support FIDO2 security keys like the Yubico in Windows Hello for Business. In this scenario you use your physical security key and bio metrics to authenticate.
The Future of Authentication
I’m a big fan of password-less and together with Conditional Access you can raise your security bar a whole bunch of lot. I say, push for password-less and get rid of this 50 year old security thing that’s caused us all so much pain!
Educate your users on why passwords are bad and why we need new ways to get to our applications and data. Make sure they understand why MFA is important and use CA to challenge for MFA only when it makes sense.
Please follow me here, on LinkedIn and on Twitter!