Archive for the ‘Identity’ Category

The passwordless future is here for your Microsoft account

September 15th, 2021 No comments

Nobody likes passwords. They’re inconvenient. They’re a prime target for attacks. Yet for years they’ve been the most important layer of security for everything in our digital lives—from email to bank accounts, shopping carts to video games.

We are expected to create complex and unique passwords, remember them, and change them frequently, but nobody likes doing that either. In a recent Microsoft Twitter poll, one in five people reported they would rather accidentally “reply all”—which can be monumentally embarrassing—than reset a password.

But what alternative do we have?

For the past couple of years, we’ve been saying that the future is passwordless, and today I am excited to announce the next step in that vision. In March 2021, we announced that passwordless sign in was generally available for commercial users, bringing the feature to enterprise organizations around the world.

Beginning today, you can now completely remove the password from your Microsoft account. Use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to your favorite apps and services, such as Microsoft Outlook, Microsoft OneDrive, Microsoft Family Safety, and more. This feature will be rolled out over the coming weeks.

The problem with passwords

My friend, Bret Arsenault, our Chief Information Security Officer (CISO) here at Microsoft likes to say, “Hackers don’t break in, they log in.” That has stuck with me ever since I first heard him say it because it’s so true.

Weak passwords are the entry point for the majority of attacks across enterprise and consumer accounts. There are a whopping 579 password attacks every second—that’s 18 billion every year.

Why are passwords so vulnerable? There are two big reasons.

Human nature

Except for auto-generated passwords that are nearly impossible to remember, we largely create our own passwords. But, given the vulnerability of passwords, requirements for them have gotten increasingly complex in recent years, including multiple symbols, numbers, case sensitivity, and disallowing previous passwords. Updates are often required on a regular basis, yet to create passwords that are both secure enough and memorable enough is a challenge. Passwords are incredibly inconvenient to create, remember, and manage across all the accounts in our lives.

Graphic depicting how new passwords that are secure enough are hard to remember.

Graphic depicting how a new password that is easy to remember is not secure enough.

Forgetting a password can be painful too. I was shocked to learn that nearly a third of people say they completely stop using an account or service rather than dealing with a lost password. That’s not only a problem for the person stuck in the password cycle, but also for businesses losing customers.

To solve these problems and create passwords we can remember, we try and make things easier for ourselves. We often rely on known and personal words and phrases. One of our recent surveys found that 15 percent of people use their pets’ names for password inspiration. Other common answers included family names and important dates like birthdays. We also found 1 in 10 people admitted reusing passwords across sites, and 40 percent say they’ve used a formula for their passwords, like Fall2021, which eventually becomes Winter2021 or Spring2022.

Hacker nature

Unfortunately, while such passwords may be easier to remember, they are also easier for a hacker to guess. A quick look at someone’s social media can give any hacker a head start on logging into their personal accounts. Once that password and email combination has been compromised, it’s often sold on the dark web for use in any number of attacks.

Hackers also have a lot of tools and techniques. They can use automated password spraying to try many possibilities quickly. They can use phishing to trick you into putting your credentials into a fake website. These tactics are relatively unsophisticated and have been in play for decades, but they continue to work because passwords continue to be created by humans.

Go passwordless today with a few quick clicks

First, ensure you have the Microsoft Authenticator app installed and linked to your personal Microsoft account.

Next, visit your Microsoft account, sign in, and choose Advanced Security Options. Under Additional Security Options, you’ll see Passwordless Account. Select Turn on.

Microsoft Authenticator screen showing the option to go passwordless.

Finally, follow the on-screen prompts, and then approve the notification from your Authenticator app. Once you’ve approved, you’re free from your password!

Microsoft Authenticator screen showing password has been successfully removed.

If you decide you prefer using a password, you can always add it back to your account. But I hope you’ll give passwordless a try—I don’t think you’ll want to go back.

Learn more about going passwordless

We’ve heard great feedback from our enterprise customers who have been on the passwordless journey with us. In fact, Microsoft itself is a great test case—nearly 100 percent of our employees use passwordless options to log in to their corporate accounts.

You can read more about our passwordless journey in a blog from Joy Chik, Corporate Vice President of Identity, or hear more about the benefits for people using Edge or Microsoft 365 apps from Liat Ben-Zur. To learn more about how Microsoft solutions, such as Microsoft Azure Active Directory and Microsoft Authenticator, are allowing users in organizations to forget their passwords while staying protected, join our digital event Your Passwordless Future Starts Now on October 13, 2021.

Learn more about enabling passwordless sign-in with the Microsoft Authenticator app here.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post The passwordless future is here for your Microsoft account appeared first on Microsoft Security Blog.

Categories: cybersecurity, Identity Tags:

Guiding principles of our identity strategy: staying ahead of evolving customer needs

July 27th, 2020 No comments

Last June, when I shared the 5 principles driving a customer-obsessed identity strategy at Microsoft, many of you had embraced the idea of a boundaryless environment, but relatively few had implemented it in practice. A global pandemic made remote access essential and forced many of you to accelerate your digital transformation plans.

The new reality requires not only supporting secure remote productivity and collaboration, but also other remote operations, such as onboarding, offboarding, and training employees. And this reality will continue for the near future. According to our most recent Work Life Index, 71 percent of employees and managers (Information Workers) reported a desire to continue working from home at least part-time post-pandemic.

Your experiences and insights have helped shape the investments we’re making in our identity services for the coming year and beyond. Today, I’m sharing with you the updated set of guiding principles we’re following to deliver a secure and scalable identity solution that’s seamless for your end-users.

Secure adaptive access

An identity system that is secure from the ground up continues to drive our product investments. In a recent survey of over 500 security executives, achieving a high level of protection without impeding user productivity was rated the number one challenge. Using risk-based Conditional Access policies in Azure AD, you can protect sensitive data with minimal friction to your end-users. This combines the power of Identity Protection with Conditional Access to only prompt users when the sign-in is considered risky. 

To enhance identity security, we’re investing in compromise prevention technologies such as security defaults, attack blocking, and password protection, as well as reputation and anti-abuse systems. Security mechanisms like end-user notifications and in-line interrupts can help everyone defend themselves from malicious actors. Every day, our data scientists and investigators evaluate the threat and log data to gather real-world insights, so they can adjust our machine learning algorithms to recognize and protect our customers from the latest threats.   

Our product and ecosystem investments are guided by embracing Zero Trust security strategy as our worldview. We build Azure AD on the principles of Zero Trust to make implementing this model across your entire digital estate achievable at scale. 

Seamless user experiences

When your employees need to get things done, delivering a great user experience is essential. Employees who interact directly with customers, patients, and citizens need tools that are simple to learn and use. Because an easy, fast sign-in experience can make all the difference for your users—and your Help Desk—we’re continuing our investments in Firstline Worker scenarios to address the challenges they face, for example, by providing seamless handoffs of shared mobile devices and enhancing tools and workflows for managers. 

We’ve seen more interest than ever in minimizing the use of passwords and eliminating them completely. We continue our commitment to identity standards that help scale the technology and make it more useful and accessible for everyone. We’re also developing easy-to-use self-service options for end-users, such as managing security information, requesting access to apps and groups, and getting automatic recommendations for approved applications based on what peers are using most.  

Your customers, business partners, and suppliers also deserve a great, consumer-grade sign-in and collaboration experience. With the External Identities feature in Azure AD, we are investing in making it easier for organizations and developers to secure, manage, and build apps that connect with different users outside your organization.  

We’re also looking ahead to technologies that respect everyone’s privacy, such as decentralized identity systems and verifiable credentials, that can verify information about an individual without requiring another username and password. Verifiable credentials are based on open standards from W3C and leverage the OIDC protocol, so you will be able to incorporate them into your existing systems. 

Unified identity management

It’s hard to scale and manage security when you have overlapping products from multiple vendors that need to work together. You have a portfolio of on-premises and cloud-based applications that you need to manage and provide secure access to your users. We are simplifying these experiences in Azure AD, making it easier to manage all your applications for all your users in a single place. We’re also consolidating our APIs into Microsoft Graph to unify programmatic access to and management of data across workloads in Microsoft 365, including Azure AD. 

By embracing open standards, we can help you more easily manage and secure your hybrid environment. We’re working with partners like Box and Workday to further deepen our product integrations and streamline identity processes. Azure AD is pre-integrated with thousands of SaaS applications, and more to come, so you can provide users one set of credentials for secure access to any applicationWe are continuing to extend capabilities in Azure AD so that you can migrate access for all your applications to be managed the cloud. 

Simplified identity governance

While having the ability to control access requests, approvals, and privileges in a timely and efficient manner is key, traditional identity governance and privileged access management solutions can be cumbersome and inflexible. This is true particularly now that these workflows are more often done remotely than in person. Providing every user access to the apps and files they need should be as simple as defining access packages and group assignments upfront. Onboarding and offboarding employees then become easy with an automated solution connected to your HR system. 

We want to help more companies adopt these scenarios and incorporate our machine learning technology in Azure AD to provide better recommendations and alerts in response to unusual behavior or too many unnecessary privileges. Our goal is for these capabilities to span both employee and external identity scenarios, built in the cloud for maximum benefit. This will help strengthen your overall security, efficiency, and compliance.  

The last several months have been a whirlwind for all of us. We’re in it with you, committed to helping you on your digital transformation journey. Whatever happens, you can be sure that we’ll continue to listen to your feedback and input, so we can evolve our engineering priorities and principles to help you stay ahead and prepare for what comes next. Thank you for your continued trust!   

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Guiding principles of our identity strategy: staying ahead of evolving customer needs appeared first on Microsoft Security.

Announcing the Microsoft Identity Research Project Grant

January 9th, 2020 No comments

We are excited to announce the Microsoft Identity Research Project Grant a new opportunity in partnership with the security community to help protect Microsoft customers. This project grant awards up to $75,000 USD for approved research proposals that improve the security of the Microsoft Identity solutions in new ways for both Consumers (Microsoft Account) and Enterprise (Azure Active Directory).

The post Announcing the Microsoft Identity Research Project Grant appeared first on Microsoft Security Response Center.

BlueHat Seattle videos are online!

November 13th, 2019 No comments

Were you unable to attend BlueHat Seattle, or wanted to see a session again? We have good news. If you have been waiting for the videos from BlueHat Seattle last month, the wait is over. All videos which the presenter authorized to be recorded are now online and available to anyone. We are also happy …

BlueHat Seattle videos are online! Read More »

The post BlueHat Seattle videos are online! appeared first on Microsoft Security Response Center.

Time for day 2 of briefings at BlueHat Seattle!

October 25th, 2019 No comments

We hope you enjoyed the first day of our BlueHat briefings and the Bytes of BlueHat reception in our glamping tent (complete with toasted marshmallows). Yesterday, we learned a lot about how XboxOne hardware security has advanced the state of hardware security elsewhere, we heard some surprising correlations between vuln severity, age, and time to …

Time for day 2 of briefings at BlueHat Seattle! Read More »

The post Time for day 2 of briefings at BlueHat Seattle! appeared first on Microsoft Security Response Center.

Microsoft Identity Bounty Improvements

October 23rd, 2019 No comments