Archive for the ‘Identity and access management series’ Category

Secure access for a connected world—meet Microsoft Entra

May 31st, 2022

What could the world achieve if we had trust in every digital experience and interaction?

This question has inspired us to think differently about identity and access, and today, we’re announcing our expanded vision for how we will help provide secure access for our connected world.

Microsoft Entra is our new product family that encompasses all of Microsoft’s identity and access capabilities. The Entra family includes Microsoft Azure Active Directory (Azure AD), as well as two new product categories: Cloud Infrastructure Entitlement Management (CIEM) and decentralized identity. The products in the Entra family will help provide secure access to everything for everyone, by providing identity and access management, cloud infrastructure entitlement management, and identity verification.

The need for trust in a hyperconnected world 

Technology has transformed our lives in amazing ways. It’s reshaped how we interact with others, how we work, cultivate new skills, engage with brands, and take care of our health. It’s redefined how we do business by creating entirely new ways of serving existing needs while improving the experience, quality, speed, and cost management.

Behind the scenes of all this innovation, millions and millions of connections happen every second between people, machines, apps, and devices so that they can share and access data. These interactions create exciting opportunities for how we engage with technology and with each other—but they also create an ever-expanding attack surface with more and more vulnerabilities for people and data that need to be addressed.

It’s become increasingly important—and challenging—for organizations to address these risks as they advance their digital initiatives. They need to remove barriers to innovation, without the fear of being compromised. They need to instill trust, not only in their digital experiences and services, but in every digital interaction that powers them—every point of access between people, machines, microservices, and things.

Our expanded vision for identity and access

When the world was simpler, controlling digital access was relatively straightforward. It was just a matter of setting up the perimeter and letting only the right people in.

But that’s no longer sustainable. Organizations simply can’t put up gates around everything—their digital estates are growing, changing, and becoming boundaryless. It’s virtually impossible to anticipate and address the unlimited number of access scenarios that can occur across an organization and its supply chain, especially when it includes third-party systems, platforms, applications, and devices outside the organization’s control.

Identity is not just about directories, and access is not just about the network. Security challenges have become much broader, so we need broader solutions. We need to secure access for every customer, partner, and employee—and for every microservice, sensor, network, device, and database.

And doing this needs to be simple. Organizations don’t want to deal with incomplete and disjointed solutions that solve only one part of the problem, work in only a subset of environments, and require duct tape and bubble gum to work together. They need access decisions to be as granular as possible and to automatically adapt based on real-time assessment of risk. And they need this everywhere: on-premises, Azure AD, Amazon Web Services, Google Cloud Platform, apps, websites, devices, and whatever comes next.

This is our expanded vision for identity and access, and we will deliver it with our new product family, Microsoft Entra.

Vasu Jakkal and Joy Chik sit together and discuss new Microsoft Entra product family.

Video description: Vasu Jakkal, Corporate Vice President, Security, Compliance, Identity and Management, and Joy Chik, CVP of Identity, are unveiling Microsoft Entra, our new identity and access product family name, and are discussing the future of modern identity and access security.

Making the vision a reality: Identity as a trust fabric

To make this vision a reality, identity must evolve. Our interconnected world requires a flexible and agile model where people, organizations, apps, and even smart devices could confidently make real-time access decisions. We need to build upon and expand our capabilities to support all the scenarios that our customers are facing.

Moving forward, we’re expanding our identity and access solutions so that they can serve as a trust fabric for the entire digital ecosystem—now and long into the future.

Microsoft Entra will verify all types of identities and secure, manage, and govern their access to any resource. The new Microsoft Entra product family will:

  • Protect access to any app or resource for any user.
  • Secure and verify every identity across hybrid and multicloud environments.
  • Discover and govern permissions in multicloud environments.
  • Simplify the user experience with real-time intelligent access decisions.

This is an important step towards delivering a comprehensive set of products for identity and access needs, and we’ll continue to expand the Microsoft Entra product family.

“Identity is one of the cornerstones of our cybersecurity for the future.”

—Thomas Mueller-Lynch, Service Owner Lead for Digital Identity, Siemens

Microsoft Entra at a glance

Microsoft Azure AD, our hero identity and access management product, will be part of the Microsoft Entra family, and all its capabilities that our customers know and love, such as Conditional Access and passwordless authentication, remain unchanged. Azure AD External Identities continues to be our identity solution for customers and partners under the Microsoft Entra family.

Additionally, we are adding new solutions and announcing several product innovations as part of the Entra family.

Solutions under the Microsoft Entra product family including Microsoft Azure Active Directory, Permissions Management, and Verified ID.

Reduce access risk across clouds

The adoption of multicloud has led to a massive increase in identities, permissions, and resources across public cloud platforms. Most identities are over-provisioned, expanding organizations’ attack surface and increasing the risk of accidental or malicious permission misuse. Without visibility across cloud providers, or tools that provide a consistent experience, it’s become incredibly challenging for identity and security teams to manage permissions and enforce the principle of least privilege across their entire digital estate.

With the acquisition of CloudKnox Security last year, we are now the first major cloud provider to offer a CIEM solution: Microsoft Entra Permissions Management. It provides comprehensive visibility into permissions for all identities (both user and workload), actions, and resources across multicloud infrastructures. Permissions Management helps detect, right-size, and monitor unused and excessive permissions, and mitigates the risk of data breaches by enforcing the principle of least privilege in Azure AD, Amazon Web Services, and Google Cloud Platform. Microsoft Entra Permissions Management will be a standalone offering generally available worldwide this July 2022 and will be also integrated within the Microsoft Defender for Cloud dashboard, extending Defender for Cloud’s protection with CIEM.
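The right-sizing the paragraph above describes comes down to one computation: compare what an identity is granted with what it actually exercised. The following is an added example that performs that computation on a constructed audit log; it is not Microsoft Entra Permissions Management code, and the identities, grants and log lines are all made up. Action names follow the AWS "service:Action" convention so that wildcard grants such as `s3:*` can be matched.

```python
"""Least-privilege right-sizing from cloud audit logs.

Added example, not Microsoft Entra Permissions Management code. It performs
the core CIEM computation: compare what each identity is granted with what it
actually exercised, flag unused grants and over-broad wildcards, and emit the
narrowest policy that still covers real usage. Identities, grants and log
lines are constructed; action names follow the AWS "service:Action" form.
"""
from collections import defaultdict
from fnmatch import fnmatchcase

CI_ROLE = "arn:aws:iam::123456789012:role/ci-deploy"   # constructed
ALICE = "arn:aws:iam::123456789012:user/alice"          # constructed

# Constructed grants (IAM-style allow lists; wildcards permitted).
GRANTED = {
    CI_ROLE: ["s3:*", "ec2:Describe*", "iam:PassRole"],
    ALICE: ["s3:GetObject", "s3:ListBucket", "iam:*"],
}

# Constructed CloudTrail-style lines: "<identity> <action> <outcome>".
AUDIT_LOG = f"""\
{CI_ROLE} s3:PutObject success
{CI_ROLE} s3:GetObject success
{CI_ROLE} ec2:DescribeInstances success
{CI_ROLE} ec2:RunInstances AccessDenied
{ALICE} s3:GetObject success
{ALICE} iam:CreateAccessKey success
""".splitlines()


def parse_log(lines):
    """Return (used, denied): identity -> set of actions that succeeded / were denied."""
    used, denied = defaultdict(set), defaultdict(set)
    for line in lines:
        identity, action, outcome = line.split()
        (used if outcome == "success" else denied)[identity].add(action)
    return used, denied


def right_size(granted, used, denied):
    """Per identity: the exercised actions (the right-sized policy), grants that
    were never exercised, wildcards exercised more narrowly than granted, denied
    attempts beyond the grant, and a creep score (share of grants never used)."""
    report = {}
    for identity, grants in granted.items():
        exercised = sorted(used.get(identity, ()))
        unused = [g for g in grants if not any(fnmatchcase(a, g) for a in exercised)]
        narrowed = {
            g: [a for a in exercised if fnmatchcase(a, g)]
            for g in grants
            if "*" in g and any(fnmatchcase(a, g) for a in exercised)
        }
        report[identity] = {
            "least_privilege_policy": exercised,
            "unused_grants": unused,
            "wildcards_to_narrow": narrowed,
            "denied_attempts": sorted(denied.get(identity, ())),
            "creep_score": round(len(unused) / len(grants), 2) if grants else 0.0,
        }
    return report


if __name__ == "__main__":
    import json
    used, denied = parse_log(AUDIT_LOG)
    print(json.dumps(right_size(GRANTED, used, denied), indent=2))
```

Two things in the report are worth acting on before anything else: a wildcard such as `iam:*` that was only ever used for one action is the grant to replace first, and a denied attempt outside the grant (here `ec2:RunInstances`) is a signal that the identity is being used for something it was never meant to do. A real CIEM product computes the same figures over a much longer observation window; a week of logs understates what a quarterly job needs.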

Additionally, with the preview of workload identity management in Microsoft Entra, customers can assign identities to any app or service registered in Azure AD and secure them by extending access control and risk detection, which until now applied to user identities, to those workload identities as well.

Enable secure digital interactions that respect privacy

At Microsoft, we deeply value, protect, and defend privacy, and nowhere is privacy more important than your personal identity. After several years of working alongside the decentralized identity community, we’re proud to announce a new product offering: Microsoft Entra Verified ID, based on decentralized identity standards. Verified ID implements the industry standards that make portable, self-owned identity possible. It represents our commitment to an open, trustworthy, interoperable, and standards-based decentralized identity future for individuals and organizations. Instead of granting broad consent to countless apps and services and spreading identity data across numerous providers, Verified ID allows individuals and organizations to decide what information they share, when they share it, with whom they share it, and—when necessary—take it back.

The potential scenarios for decentralized identity are endless. When we can verify the credentials of an organization in less than a second, we can conduct business-to-business and business-to-customer transactions with greater efficiency and confidence. Conducting background checks becomes faster and more reliable when individuals can digitally store and share their education and certification credentials. Managing our health becomes less stressful when both doctor and patient can verify each other’s identity and trust that their interactions are private and secure. Microsoft Entra Verified ID will be generally available in early August 2022.

“We thought, ‘Wouldn’t it be fantastic to take a world-leading technology like Microsoft Entra and implement Verified ID for employees in our own office environment?’ We easily identified business opportunities where it would help us work more efficiently.”

—Chris Tate, Chief Executive Officer, Condatis

Automate critical Identity Governance scenarios

Next, let’s focus on Identity Governance for employees and partners. It’s an enormous challenge for IT and security teams to provision new users and guest accounts and manage their access rights manually. This can have a negative impact on both IT and individual productivity. New employees often experience a slow ramp-up to full effectiveness while they wait for the access required for their jobs. Similar delays in granting necessary access to guest users undermine a smoothly functioning supply chain. Then, without formal or automated processes for reprovisioning or deactivating people’s accounts, their access rights may remain in place when they change roles or exit the organization.

Identity Governance addresses this with identity lifecycle management, which simplifies the processes for onboarding and offboarding users. Lifecycle workflows automate assigning and managing access rights, and monitoring and tracking access, as user attributes change. Lifecycle workflows in Identity Governance will enter public preview this July 2022.

“We were so reactive for so long with old technology, it was a struggle. [With Azure AD Identity Governance] we’re finally able to be proactive, and we can field some of those complex requests from the business side of our organization.”

—Sally Harrison, Workplace Modernization Consultant, Mississippi Division of Medicaid

Create possibilities, not barriers

Microsoft Entra embodies our vision for what modern secure access should be. Identity should be an entryway into a world of new possibilities, not a blockade restricting access, creating friction, and holding back innovation. We want people to explore, to collaborate, to experiment—not because they are reckless, but because they are fearless.

Visit the Microsoft Entra website to learn more about how Azure AD, Microsoft Entra Permissions Management, and Microsoft Entra Verified ID deliver secure access for our connected world.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Secure access for a connected world—meet Microsoft Entra appeared first on Microsoft Security Blog.

Streamlining employee onboarding: Microsoft’s response to the Great Reshuffle

May 31st, 2022

In 2021, workers everywhere reevaluated their professional and personal choices, leading to what became known as the Great Resignation. In 2022, a new trend that many are calling the Great Reshuffle has emerged, with 43 percent of the workforce saying they’re very likely to consider changing jobs or exiting their industry altogether in the coming year.1

As our 2022 Work Trend Index, Great Expectations: Making Hybrid Work Work, revealed, employees have a new “worth it” equation and are voting with their feet.2 As a result, employees are onboarding and offboarding more frequently. The constant flow of tasks, starting with applying for a job and navigating the first few days of employment, leaves much room for error, thus increasing stress for HR, IT, and each new employee.

Given that 73 percent of employees want to keep their work options flexible, more than three-quarters of Chief Human Resource Officers (CHROs) plan to preserve the newer hybrid work options available today and accommodate the flexibility that existing and prospective employees desire.3 Unfortunately, the complexity and cost of both onboarding and offboarding employees have increased in our new hybrid reality.

The 2022 Work Trend Index surveyed more than 31,000 people in 31 countries and found that 53 percent of people are likely to consider transitioning to hybrid work in the year ahead.

Workforce feedback and statistical studies reveal two challenges specific to credentialing:

  1. The rising cost and frustration of employee onboarding.
  2. Increased security risks of employee offboarding.

The rising costs and frustration of employee onboarding

The typical multistep process of the new hire onboarding journey became even more convoluted during the pandemic with the rise of both hybrid and fully remote work. As a result, managing the details of recruiting, interviewing, and hiring has become increasingly challenging, leading to a sharp rise in costs.

Organizations struggle with navigating the start of the employee journey for both in-person and remote workers in the most efficient and secure way possible. For example, the chart in Figure 1 summarizes the findings of a private study Microsoft conducted in 2021 to understand who’s involved in tasks associated with identity verification for new employees. Responses from 3,000 organizations show that HR and IT split these tasks almost evenly and that across the 14 industries surveyed, onboarding accounts for an astounding 14 to 31 percent of all ID verification spending.

Graph showing ID verification spend across multiple industries with finance spending leading all other industries. The K-12 education industry spends the least.

In fact, 69 percent of employees are more likely to stay with a company if they experience great onboarding.4

Traditionally, HR teams have relied on physical documents, such as a driver’s license, birth certificate, or passport, and on in-person communications to verify a new employee’s identity and credentials. This semi-manual process can cause frustrating onboarding delays, a growing concern now that remote, in-person, and hybrid roles all compete in a tight labor market. The modern workforce expects a more automated experience that’s also more secure. In fact, 82 percent of study participants wish there was a better way to perform verification.

Fortunately, recent advances in technology are making it possible to digitize identity information in a way that’s portable and privacy-respecting for the user, while helping businesses streamline their verification processes. This new technology, called verifiable credentials, is based on a decentralized identity approach and allows organizations to verify an individual’s credentials, such as employment or education. For the background check process, employers can confirm a new hire’s identity information digitally and within seconds from an authoritative source. The business can then issue an employee ID as a verifiable credential, which the employee can store in their digital wallet and use to access other resources that require employment confirmation, such as benefits enrollment or equipment purchases.

Although these modernization efforts must still align with government regulations that require physical inspection of original documents, they have the potential to significantly transform the employee’s onboarding experience and their first days on the job, making it easier for them to access the resources they need to be immediately productive in their new role.

Microsoft Entra Verified ID will help streamline the process of credential attestation, reducing frustration and delays that HR, IT, and new employees currently experience. The chart in Figure 2 illustrates a transformed onboarding journey, and how HR and IT manage both pre-onboarding (blue) and onboarding (green) to ensure the process runs smoothly for the employee.

Verifiable credentials help streamline the onboarding process. This chart shows how easy it can be to securely onboard a new employee using Microsoft Verified ID.

As we all know, first impressions matter. By simplifying and expediting the onboarding experience, using verifiable credentials can help create a positive first impression that helps make employees feel good about joining an organization, rather than second-guessing their decision.

Increased risks of employee offboarding

When an employee leaves an organization, their access credentials, along with their access permissions, should be revoked promptly to prevent valuable company information from walking out the door with them. With modern identity governance tools, combined with verifiable credentials, IT can decommission a departing employee’s access to the organization’s digital assets in a single step. If HR tools are integrated with identity systems, any changes HR makes in their systems propagate automatically to other IT systems, and vice versa.

The offboarding governance process may include revoking any employer-issued verifiable credentials used to grant access to organizational programs, such as employee discounts, or employee-only resources. Verifiable credentials also give employees a new level of control over their personal information. They can revoke permissions they’ve given their former employer to access verifiable credentials that share educational history, government-issued identity numbers, and other sensitive data. And with the introduction of Microsoft Entra Verified ID, it’s now possible to allow individuals, organizations, and devices to decide what information they share with whom, and to take it back if necessary.
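The Verified ID announcement above describes the same lifecycle from the individual's side (decide what to share, with whom, and take it back), and this onboarding post describes it from the employer's side (issue an employee credential, use it for access, revoke it at offboarding). The following added example walks through that lifecycle end to end. It is not Microsoft Entra Verified ID code. It follows the W3C Verifiable Credentials shape: an issuer signs a credential whose body carries per-claim digests, the holder's wallet presents only the claims a verifier asks for (selective disclosure, the mechanism SD-JWT standardizes), and the verifier checks the signature, the disclosed claims and a revocation status list. Assumptions: the DIDs are made up, the issuer's signature is stood in for by an HMAC over a secret the verifier shares (a real issuer signs with an asymmetric key resolved from its DID document), and the status list is a local bit array rather than a published one.

```python
"""Verifiable-credential lifecycle: issue, selectively present, verify, revoke.

Added example, not Microsoft Entra Verified ID code. Assumptions: DIDs are
constructed; the issuer "signature" is an HMAC with a shared secret, standing
in for the DID-bound asymmetric key a real issuer uses; the revocation status
list is a local bytearray (one bit per issued credential).
"""
import hashlib
import hmac
import json
import secrets

ISSUER_DID = "did:example:contoso-hr"      # constructed
ISSUER_KEY = b"issuer-secret-stand-in"     # stand-in for the issuer's private key


def _canon(obj) -> bytes:
    """Deterministic JSON so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _digest(salt: str, name: str, value) -> str:
    """Salted per-claim commitment: the signed body carries these, not the claims."""
    return hashlib.sha256(_canon([salt, name, value])).hexdigest()


class Issuer:
    def __init__(self):
        self.status_list = bytearray(16)   # 128 slots, one bit per credential
        self.next_index = 0

    def issue(self, subject_did: str, claims: dict) -> dict:
        index, self.next_index = self.next_index, self.next_index + 1
        # Each claim gets its own random salt so undisclosed claims cannot be
        # guessed from their digests.
        disclosures = {n: (secrets.token_hex(16), v) for n, v in claims.items()}
        body = {
            "issuer": ISSUER_DID,
            "subject": subject_did,
            "type": ["VerifiableCredential", "EmployeeCredential"],
            "statusListIndex": index,
            "claimDigests": sorted(_digest(s, n, v) for n, (s, v) in disclosures.items()),
        }
        proof = hmac.new(ISSUER_KEY, _canon(body), hashlib.sha256).hexdigest()
        return {"body": body, "proof": proof, "disclosures": disclosures}

    def revoke(self, credential: dict) -> None:
        """Offboarding: flip the credential's bit; verifiers consult the list."""
        i = credential["body"]["statusListIndex"]
        self.status_list[i // 8] |= 1 << (i % 8)


def present(credential: dict, reveal) -> dict:
    """Holder's wallet builds a presentation carrying only the chosen claims."""
    return {
        "body": credential["body"],
        "proof": credential["proof"],
        "disclosed": {n: credential["disclosures"][n] for n in reveal},
    }


def verify(presentation: dict, status_list: bytearray) -> dict:
    """Verifier: issuer signature, revocation bit, then each disclosed claim
    must hash to a digest the issuer signed. Returns the verified claims."""
    body = presentation["body"]
    expected = hmac.new(ISSUER_KEY, _canon(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presentation["proof"]):
        raise ValueError("issuer signature invalid")
    i = body["statusListIndex"]
    if status_list[i // 8] >> (i % 8) & 1:
        raise ValueError("credential revoked")
    claims = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _digest(salt, name, value) not in body["claimDigests"]:
            raise ValueError(f"claim {name!r} is not covered by the issuer's signature")
        claims[name] = value
    return claims


if __name__ == "__main__":
    hr = Issuer()
    cred = hr.issue("did:example:alice", {"employeeId": "E-1042", "department": "Finance",
                                          "nationalId": "123-45-6789"})
    # Benefits portal only needs the employee ID and department; the national ID stays home.
    print(verify(present(cred, ["employeeId", "department"]), hr.status_list))
    hr.revoke(cred)
```

The verifier never sees `nationalId`, yet it can still confirm that the two claims it did receive were part of what HR signed. Revocation is a separate check from signature validity: a revoked credential still carries a perfectly good signature, which is why the verifier must consult the status list on every presentation, not just at enrolment.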

The benefits of using verifiable credentials

According to the 2021 Employee Experience Survey Highlights, organizations that provide digitally transformed experiences are nearly three times more likely to report higher productivity than their industry peers, and 90 percent more likely to report lower annual turnover.5

Using verifiable credentials creates tangible benefits for HR and IT departments and the employees they support:

  • Faster, easier, and less expensive processes. HR can start replacing some paper-based or in-person identity or credential verification processes to reduce onboarding time and get new hires productive sooner. IT can easily integrate verifiable credentials into existing systems without writing any custom code. 
  • Compliance with ever-changing global privacy regulations. IT can implement decentralized identity solutions based on open standards that allow HR to verify an employee’s skills, certifications, education, and career history in a privacy-respecting manner.
  • A better employee experience that strengthens recruiting and retention. Today’s employees expect easy, convenient, and contactless digital experiences that protect their privacy. Verifiable credentials provide a secure way for individuals to share their personal information with their employers and revoke access when they leave.

Avanade, a leading professional services and technology provider, is using Microsoft Entra Verified ID, previously offered as part of Microsoft Azure Active Directory (Azure AD), to streamline credentialing processes and facilitate collaboration among employees, vendors, and clients.

Navigating the path ahead

The Great Reshuffle is living, evolving proof that organizations need to pay closer attention to the employee experience. HR and IT business leaders must therefore respond to employee expectations for flexibility, safety, security, and support for their overall wellbeing. This response must start with a smoother onboarding process, which verifiable credentials can significantly simplify and streamline.

Learn more about how Microsoft and Verified ID can help your organization navigate the Great Reshuffle.

Read more about the solution and the open standards initiative for decentralized identity.



1. 2022 Work Trend Index: Annual Report, Microsoft. March 16, 2022.

2. Great Expectations: Making Hybrid Work Work, Work Trend Index 2022, Microsoft.

3. The Next Great Disruption Is Hybrid Work – Are We Ready?, Work Trend Index 2021, Microsoft. March 22, 2021.

4. Don’t Underestimate the Importance of Good Onboarding, SHRM. 2017.

5. 2021 Employee Experience Survey, WTW. July 20, 2021.


This World Password Day consider ditching passwords altogether

May 5th, 2022

Did you know that May 5, 2022, is World Password Day?1 Created by cybersecurity professionals in 2013 and designated as the first Thursday every May, World Password Day is meant to foster good password habits that help keep our online lives secure. It might seem strange to have a day set aside to honor something almost no one wants to deal with—like having a holiday for filing your income taxes (actually, that might be a good idea). But in today’s world of online work, school, shopping, healthcare, and almost everything else, keeping our accounts secure is more important than ever. Passwords are not only hard to remember and keep track of, but they’re also one of the most common entry points for attackers. In fact, there are 921 password attacks every second, nearly doubling in frequency over the past 12 months.2

But what if you didn’t have to deal with passwords at all? Last fall, we announced that anyone can completely remove the password from their Microsoft account. If you’re like me and happy to ditch passwords completely, read on to learn how Microsoft is making it possible to start enjoying a passwordless life today. Still, we know not everyone is ready to say goodbye to passwords, and it’s not possible for all your online accounts. We’ll also go over some easy ways to improve your password hygiene, as well as share some exciting news from our collaboration with the FIDO Alliance about a new way to sign in without a password.  

Free yourself with passwordless sign-in

Yes, you can now enjoy secure access to your Microsoft account without a password. By using the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email, you can go passwordless with any of your Microsoft apps and services. Just follow these five steps:

  1. Download and install Microsoft Authenticator (linked to your personal Microsoft account).
  2. Sign in to your Microsoft account.
  3. Choose Security. Under Advanced security options, you’ll see Passwordless account in the section titled Additional security.
  4. Select Turn on.
  5. Approve the notification from Authenticator.
User interface of Microsoft Authenticator app providing instructions on how to turn on passwordless account option.
Notification from Microsoft Authenticator app confirming user's password has been removed.

Once you approve the notification, you’ll no longer need a password to access your Microsoft accounts. If you decide you prefer using a password, you can always go back and turn off the passwordless feature. Here at Microsoft, nearly 100 percent of our employees use passwordless options to log into their corporate accounts.

Strengthen security with multifactor authentication

One simple step we can all take to protect our accounts today is adding multifactor authentication, which blocks 99.9 percent of account compromise attacks. The Microsoft Authenticator app is free and provides multiple options for authentication, including time-based one-time passcodes (TOTP), push notifications, and passwordless sign-in—all of which work for any site that supports multifactor authentication. Authenticator is available for Android and iOS and gives you the option to turn two-step verification on or off. For your Microsoft Account, multifactor authentication is usually only needed the first time you sign in or after changing your password. Once your device is recognized, you’ll just need your primary sign-in.

Microsoft Authenticator screen showing different accounts, including: Microsoft, Contoso Corporation, and Facebook.

Make sure your password isn’t the weak link

Rather than keeping attackers out, weak passwords often provide a way in. Using and reusing simple passwords across different accounts might make our online life easier, but it also leaves the door open. Attackers regularly scour social media accounts for birthdates, vacation spots, pet names, and other personal information they know people use to create easy-to-remember passwords. A recent study found that 68 percent of people use the same password for different accounts.3 That matters because once a password and email combination has been compromised, it’s often sold on the dark web and replayed against other sites in credential-stuffing attacks. As my friend Bret Arsenault, our Chief Information Security Officer (CISO) here at Microsoft, likes to say, “Hackers don’t break in, they log in.”

Some basics to remember—make sure your password is:

  • At least 12 characters long.
  • A combination of uppercase and lowercase letters, numbers, and symbols.
  • Not a word that can be found in a dictionary, or the name of a person, product, or organization.
  • Completely different from your previous passwords.
  • Changed immediately if you suspect it may have been compromised.

Tip: Consider using a password manager. Microsoft Edge and Microsoft Authenticator can create (and remember) strong passwords using Password Generator, and then automatically fill them in when accessing your accounts. Also, keep these other tips in mind:

  • Only share personal information in real-time—in person or by phone. (Be careful on social media.)
  • Be skeptical of messages with links, especially those asking for personal information.
  • Be on guard against messages with attached files, even from people or organizations you trust.
  • Enable the lock feature on all your mobile devices (fingerprint, PIN, or facial recognition).
  • Ensure all the apps on your device are legitimate (only from your device’s official app store).
  • Keep your browser updated, browse in incognito mode, and enable Pop-Up Blocker.
  • Use Windows 11 and turn on Tamper Protection to protect your security settings.

Tip: When answering security questions, provide an unrelated answer. For example, Q: “Where were you born?” A: “Green.” This helps throw off attackers who might use information skimmed from your social media accounts to hack your passwords. (Just be sure the unrelated answers are something you’ll remember.)

Passwordless authentication is becoming commonplace

As part of a historic collaboration, the FIDO Alliance, Microsoft, Apple, and Google have announced plans to expand support for a common passwordless sign-in standard. Commonly referred to as passkeys, these multi-device FIDO credentials offer users a platform-native way to safely and quickly sign in to any of their devices without a password. Because a passkey is cryptographically bound to the website or app it was registered with, a look-alike site cannot use it, which makes passkeys virtually impossible to phish. Available across all your devices, a passkey lets you sign in simply by authenticating with your face, fingerprint, or device PIN.

In addition to a consistent user experience and enhanced security, these new credentials offer two other compelling benefits:

  1. Users can automatically access their passkeys on many of their devices without having to re-enroll for each account. Simply authenticate with your platform on your new device and your passkeys will be there ready to use—protecting you against device loss and simplifying device upgrade scenarios.
  2. With passkeys on your mobile device, you’re able to sign in to an app or service on nearly any device, regardless of the platform or browser the device is running. For example, users can sign in on a Google Chrome browser that’s running on Microsoft Windows, using a passkey on an Apple device.

These new capabilities are expected to become available across Microsoft, Apple, and Google platforms starting in the next year. This type of Web Authentication (WebAuthn) credential represents a new era of authentication, and we’re thrilled to join the FIDO Alliance and others in the industry in supporting a common standard for a safe, consistent authentication experience. Learn more about this open-standards collaboration and exciting passwordless capabilities coming for Microsoft Azure Active Directory in a blog post from Alex Simons, Vice President, Identity Program Management.
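The phishing resistance claimed for passkeys above is not a property of the biometric; it comes from checks the site (the relying party) performs on what the browser and authenticator hand back. The following is an added example of those relying-party checks, not Microsoft, Apple or Google code. The browser returns a `clientDataJSON` (type, challenge, origin) and the authenticator returns an `authenticatorData` blob whose first 32 bytes are the SHA-256 of the RP ID it signed for; the site checks the challenge it issued, its own origin, its own RP ID hash, the user-presence and user-verification flags, and the signature counter, and only then verifies the signature. The RP ID, origin, challenge and fixture bytes are constructed. The final signature check is left as a comment because the standard library has no ECDSA; it needs the credential's stored public key and a crypto library, and nothing about origin binding depends on it.

```python
"""Relying-party checks on a WebAuthn / passkey authentication assertion.

Added example, not platform code from Microsoft, Apple or Google. RP_ID,
RP_ORIGIN and the sample assertion are constructed. The signature step is
sketched in a comment (needs ECDSA P-256 / Ed25519 from a crypto library).
"""
import base64
import hashlib
import json
import struct

RP_ID = "login.contoso.example"             # constructed: the RP's registered domain
RP_ORIGIN = "https://login.contoso.example"  # constructed: the only origin we accept


def b64url(data: bytes) -> str:
    """WebAuthn encodes the challenge in clientDataJSON as unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) | optional extensions."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags, count = struct.unpack(">32sBI", auth_data[:37])
    return {
        "rpIdHash": rp_id_hash,
        "userPresent": bool(flags & 0x01),   # UP bit
        "userVerified": bool(flags & 0x04),  # UV bit (PIN / biometric)
        "signCount": count,
    }


def check_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                    stored_sign_count: int, require_uv: bool = True) -> bytes:
    """Run the relying-party checks and return the bytes the authenticator
    signed (authenticatorData || SHA-256(clientDataJSON)) for the signature step."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        raise ValueError("not an authentication ceremony")
    if cd.get("challenge") != b64url(expected_challenge):
        raise ValueError("challenge mismatch (replay, or wrong session)")
    if cd.get("origin") != RP_ORIGIN:
        # The browser fills in the origin the user is really on; a look-alike
        # site produces its own origin here and is rejected.
        raise ValueError(f"origin {cd.get('origin')!r} is not {RP_ORIGIN!r}")
    ad = parse_authenticator_data(auth_data)
    if ad["rpIdHash"] != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("authenticator signed for a different RP ID")
    if not ad["userPresent"] or (require_uv and not ad["userVerified"]):
        raise ValueError("user presence / verification flags not set")
    # Synced passkeys commonly report 0; when a counter is present it must increase.
    if ad["signCount"] != 0 and ad["signCount"] <= stored_sign_count:
        raise ValueError("signature counter did not increase (possible cloned authenticator)")
    # Remaining step, with the public key stored at registration:
    #   public_key.verify(signature, auth_data + sha256(client_data_json))
    return auth_data + hashlib.sha256(client_data_json).digest()


def make_sample(origin: str, rp_id: str, challenge: bytes, flags: int = 0x05, count: int = 42):
    """Constructed fixture: what a browser and authenticator would hand the RP."""
    cdj = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                      "origin": origin}).encode()
    ad = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, count)
    return cdj, ad


if __name__ == "__main__":
    challenge = b"\x01" * 32   # constructed; real challenges are fresh random bytes per ceremony
    cdj, ad = make_sample(RP_ORIGIN, RP_ID, challenge)
    print("signed bytes:", check_assertion(cdj, ad, challenge, stored_sign_count=41).hex())
```

Run the same assertion through a phishing origin such as `https://login-contoso.example` and the origin check fails before any cryptography happens; a password typed into that page would have been accepted without a second thought. Note the challenge must be single-use and tied to the session, and the check must happen server-side: the browser is the thing being attacked, so it cannot be the thing that decides.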

Helping you stay secure year-round

Read more about Microsoft’s journey to provide passwordless authentication in a blog post by Joy Chik, Corporate Vice President of Identity. You can also read the complete guide to setting up your passwordless account with Microsoft, including FAQs and download links. And be sure to visit Security Insider for interviews with cybersecurity thought leaders, news on the latest cyberthreats, and lots more.



1. World Password Day, National Day Calendar.

2. According to Microsoft Azure Active Directory (Azure AD) authentication log data. 2022.

3. America’s Password Habits 2021, Security.org. October 1, 2021.


This World Password Day consider ditching passwords altogether

May 5th, 2022 No comments

Did you know that May 5, 2022, is World Password Day?1 Created by cybersecurity professionals in 2013 and designated as the first Thursday every May, World Password Day is meant to foster good password habits that help keep our online lives secure. It might seem strange to have a day set aside to honor something almost no one wants to deal with—like having a holiday for filing your income taxes (actually, that might be a good idea). But in today’s world of online work, school, shopping, healthcare, and almost everything else, keeping our accounts secure is more important than ever. Passwords are not only hard to remember and keep track of, but they’re also one of the most common entry points for attackers. In fact, there are 921 password attacks every secondnearly doubling in frequency over the past 12 months.2

But what if you didn’t have to deal with passwords at all? Last fall, we announced that anyone can completely remove the password from their Microsoft account. If you’re like me and happy to ditch passwords completely, read on to learn how Microsoft is making it possible to start enjoying a passwordless life today. Still, we know not everyone is ready to say goodbye to passwords, and it’s not possible for all your online accounts. We’ll also go over some easy ways to improve your password hygiene, as well as share some exciting news from our collaboration with the FIDO Alliance about a new way to sign in without a password.  

Free yourself with passwordless sign-in

Yes, you can now enjoy secure access to your Microsoft account without a password. By using the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email, you can go passwordless with any of your Microsoft apps and services. Just follow these five steps:

  1. Download and install Microsoft Authenticator (linked to your personal Microsoft account).
  2. Sign in to your Microsoft account.
  3. Choose Security. Under Advanced security options, you’ll see Passwordless account in the section titled Additional security.
  4. Select Turn on.
  5. Approve the notification from Authenticator.
User interface of Microsoft Authenticator app providing instructions on how to turn on passwordless account option.
Notification from Microsoft Authenticator app confirming user's password has been removed.

Once you approve the notification, you’ll no longer need a password to access your Microsoft accounts. If you decide you prefer using a password, you can always go back and turn off the passwordless feature. Here at Microsoft, nearly 100 percent of our employees use passwordless options to log into their corporate accounts.

Strengthen security with multifactor authentication

One simple step we can all take to protect our accounts today is adding multifactor authentication, which blocks 99.9 percent of account compromise attacks. The Microsoft Authenticator app is free and provides multiple options for authentication: time-based one-time passcodes (TOTP), which work with any site that supports authenticator apps, plus push notifications and passwordless sign-in for Microsoft and Azure AD accounts. Authenticator is available for Android and iOS and gives you the option to turn two-step verification on or off. For your Microsoft account, multifactor authentication is usually only needed the first time you sign in from a device or after changing your password. Once your device is recognized, you’ll just need your primary sign-in.

Microsoft Authenticator screen showing different accounts, including: Microsoft, Contoso Corporation, and Facebook.

Make sure your password isn’t the weak link

Rather than keeping attackers out, weak passwords often provide a way in. Using and reusing simple passwords across different accounts might make our online life easier, but it also leaves the door open. Attackers regularly comb social media accounts for birthdates, vacation spots, pet names, and other personal information they know people use to create easy-to-remember passwords. A recent study found that 68 percent of people use the same password for different accounts.3 That reuse is what makes a single breach so costly: once an email and password combination has been compromised, it is often sold on the dark web and replayed against other services (credential stuffing), so every account that shares the password is exposed. As my friend Bret Arsenault, our Chief Information Security Officer (CISO) here at Microsoft, likes to say, “Hackers don’t break in, they log in.”

Some basics to remember—make sure your password is:

  • At least 12 characters long.
  • A combination of uppercase and lowercase letters, numbers, and symbols.
  • Not a word that can be found in a dictionary, or the name of a person, product, or organization.
  • Completely different from your previous passwords.
  • Changed immediately if you suspect it may have been compromised.

Tip: Consider using a password manager. Microsoft Edge and Microsoft Authenticator can create (and remember) strong passwords using Password Generator, and then automatically fill them in when accessing your accounts. Also, keep these other tips in mind:

  • Only share personal information in real-time—in person or by phone. (Be careful on social media.)
  • Be skeptical of messages with links, especially those asking for personal information.
  • Be on guard against messages with attached files, even from people or organizations you trust.
  • Enable the lock feature on all your mobile devices (fingerprint, PIN, or facial recognition).
  • Ensure all the apps on your device are legitimate (only from your device’s official app store).
  • Keep your browser updated, browse in incognito mode, and enable Pop-Up Blocker.
  • Use Windows 11 and turn on Tamper Protection to protect your security settings.

Tip: When answering security questions, provide an unrelated answer. For example, Q: “Where were you born?” A: “Green.” This helps throw off attackers who might use information skimmed from your social media accounts to hack your passwords. (Just be sure the unrelated answers are something you’ll remember.)

Passwordless authentication is becoming commonplace

As part of a historic collaboration, the FIDO Alliance, Microsoft, Apple, and Google have announced plans to expand support for a common passwordless sign-in standard. Commonly referred to as passkeys, these multi-device FIDO credentials offer users a platform-native way to safely and quickly sign in to any of their devices without a password. Because a passkey is bound to the website or app it was registered with, a look-alike phishing site cannot use it, and because it is available across all your devices, you sign in simply by authenticating with your face, fingerprint, or device PIN.

In addition to a consistent user experience and enhanced security, these new credentials offer two other compelling benefits:

  1. Users can automatically access their passkeys on many of their devices without having to re-enroll for each account. Simply authenticate with your platform on your new device and your passkeys will be there ready to use—protecting you against device loss and simplifying device upgrade scenarios.
  2. With passkeys on your mobile device, you’re able to sign in to an app or service on nearly any device, regardless of the platform or browser the device is running. For example, users can sign in on a Google Chrome browser that’s running on Microsoft Windows, using a passkey on an Apple device.

These new capabilities are expected to become available across Microsoft, Apple, and Google platforms starting in the next year. This type of Web Authentication (WebAuthn) credential represents a new era of authentication, and we’re thrilled to join the FIDO Alliance and others in the industry in supporting a common standard for a safe, consistent authentication experience. Learn more about this open-standards collaboration and exciting passwordless capabilities coming for Microsoft Azure Active Directory in a blog post from Alex Simons, Vice President, Identity Program Management.
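What “virtually unable to be phished” means in practice comes down to checks on both sides of the WebAuthn ceremony. The block below is an added example (not Microsoft’s, Apple’s, or Google’s code, and not a FIDO Alliance reference implementation) that simulates a platform authenticator in software and performs the relying-party verification steps from the WebAuthn specification: matching challenge, expected origin, rpIdHash, user-verification flags, a signature counter that must advance, and the ECDSA signature over authenticatorData plus the hash of clientDataJSON. It needs the `cryptography` package; the domain names, challenge, and key are constructed for the demo.

```python
"""Relying-party checks on a WebAuthn (FIDO2/passkey) assertion. Added example,
not Microsoft, Apple, Google or FIDO Alliance code. Needs `cryptography`.
The authenticator is simulated in software so this runs offline; a real passkey
keeps the private key in platform hardware and syncs it across devices."""
import hashlib
import json
import os
import struct
from urllib.parse import urlparse

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (face, fingerprint or PIN)


class SoftAuthenticator:
    """Stand-in for a platform authenticator: one P-256 key per relying-party ID."""

    def __init__(self):
        self.keys = {}
        self.counter = 0

    def register(self, rp_id):
        self.keys[rp_id] = ec.generate_private_key(ec.SECP256R1())
        return self.keys[rp_id].public_key()

    def get_assertion(self, origin, challenge, rp_id=None):
        # A conforming browser derives the RP ID from the page's real origin and
        # records that origin in clientDataJSON; the page cannot override either.
        rp_id = rp_id or urlparse(origin).hostname
        if rp_id not in self.keys:
            raise LookupError("no credential registered for " + rp_id)
        client_data = json.dumps({"type": "webauthn.get",
                                  "challenge": challenge.hex(),
                                  "origin": origin}).encode()
        self.counter += 1
        auth_data = (hashlib.sha256(rp_id.encode()).digest()
                     + bytes([FLAG_UP | FLAG_UV]) + struct.pack(">I", self.counter))
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        sig = self.keys[rp_id].sign(to_sign, ec.ECDSA(hashes.SHA256()))
        return client_data, auth_data, sig


def verify_assertion(pub_key, rp_id, expected_origin, challenge, last_counter,
                     client_data, auth_data, sig):
    """Server-side checks on every assertion. Returns the new signature counter
    on success; raises ValueError on any failure."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    if cd.get("challenge") != challenge.hex():
        raise ValueError("challenge mismatch: stale or replayed assertion")
    if cd.get("origin") != expected_origin:
        raise ValueError("origin mismatch: " + str(cd.get("origin")))
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    flags = auth_data[32]
    if not (flags & FLAG_UP and flags & FLAG_UV):
        raise ValueError("user presence/verification not asserted")
    counter = struct.unpack(">I", auth_data[33:37])[0]
    if counter <= last_counter:
        raise ValueError("signature counter did not advance (cloned credential?)")
    try:
        pub_key.verify(sig, auth_data + hashlib.sha256(client_data).digest(),
                       ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        raise ValueError("signature does not verify")
    return counter


def demo():
    """Legitimate sign-in, then three attacks the design defeats."""
    rp_id, origin = "login.example.com", "https://login.example.com"
    authr = SoftAuthenticator()
    pub = authr.register(rp_id)       # registration ceremony, simplified
    challenge = os.urandom(32)        # server-issued, single use
    assertion = authr.get_assertion(origin, challenge)
    counter = verify_assertion(pub, rp_id, origin, challenge, 0, *assertion)

    def rejected(fn):
        try:
            fn()
            return False
        except (LookupError, ValueError):
            return True

    return {
        "counter": counter,
        # Look-alike domain: the browser scopes the request to its own RP ID,
        # so the authenticator has no matching credential and signs nothing.
        "phish_blocked": rejected(lambda: authr.get_assertion(
            "https://login-example.com", challenge)),
        # A client that ignores RP ID scoping still hands over the real origin,
        # and the server refuses it.
        "forged_origin_blocked": rejected(lambda: verify_assertion(
            pub, rp_id, origin, challenge, counter,
            *authr.get_assertion("https://login-example.com", challenge, rp_id))),
        # Captured assertion replayed against a fresh login challenge.
        "replay_blocked": rejected(lambda: verify_assertion(
            pub, rp_id, origin, os.urandom(32), counter, *assertion)),
    }
```

Run demo(): the legitimate assertion verifies, a look-alike domain yields no credential at all, an assertion carrying the wrong origin is refused, and a captured assertion cannot be replayed against a fresh challenge. Production code would additionally parse the CBOR attestation at registration, support the other COSE algorithms, and persist the counter per credential.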

Helping you stay secure year-round

Read more about Microsoft’s journey to provide passwordless authentication in a blog post by Joy Chik, Corporate Vice President of Identity. You can also read the complete guide to setting up your passwordless account with Microsoft, including FAQs and download links. And be sure to visit Security Insider for interviews with cybersecurity thought leaders, news on the latest cyberthreats, and lots more.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1World Password Day, National Day Calendar.

2According to Microsoft Azure Active Directory (Azure AD) authentication log data. 2022.

3America’s Password Habits 2021, Security.org. October 1, 2021.

The post This World Password Day consider ditching passwords altogether appeared first on Microsoft Security Blog.

How a leading Microsoft engineer extends culture to service resiliency

March 23rd, 2022 No comments

It’s hard to overstate the impact that people can have on us in our formative years. Huiwen Ru, who spent several years working in identity and access management and is now a Principal Software Engineering Manager on the Singularity team at Microsoft, is a living example of how important mentorship and allyship are to the future of our industry. Young people who have unique and extraordinary talents don’t always get the inspiration and support they need to develop them, but stories like Huiwen’s give me hope. From an early age, Huiwen loved math. With encouragement from her family, teachers, and friends, Huiwen channeled her love for math into an amazing education and a trailblazing career at Microsoft.

In some ways our stories are parallel. We both emigrated from China to study computer science in the United States and joined Microsoft full-time to work on technology that was just getting started—I worked on Remote Desktop while she worked on real-time communications. We both got to experience what it’s like to build a business over many years and then transition our skills to a very different area. Until recently, Huiwen led a group working on one of the most critical aspects of our service: platform resilience. She shares her expertise and experience with the next generation by mentoring them in math.

Huiwen’s interview with Nadim took place before she moved to her new role. It has been edited for clarity and length. We’ve included some video snippets so you can learn more about her personal journey, the work she did for Microsoft identity and access management, and why she finds being a mentor so fulfilling.

Nadim: Huiwen, I’m very pleased to share your experiences of getting into computer science, getting into the industry, and the work you do at Microsoft. What first got you into computer science?

Huiwen: When I was a little girl, I had always been good at math. In both middle and high school, I really enjoyed participating in math competitions. When I applied for college, since math was my best subject, I thought, “I’m just going to study math.” But then my brother said, “No, math is too boring and it’s too hard. Look at how many girls study math. It’s not a great path for you, and other new fields are booming. You should try computer science.” I listened to him, and I’ve never regretted it.

Nadim: What was the first programming language you learned that showed you how much you liked development and coding?

Huiwen: I learned BASIC in high school. Then I entered Tsinghua University, which was ranked both number one in engineering and in computer science in China. The first programming language we learned was Pascal.

Nadim: Cool. So, you went to the number one school, did computer science, and you liked it. What was your journey from there to Microsoft?

Huiwen: At that time, the top students in China would come to the United States for advanced study after graduating. I worked for Motorola China for a couple of years first. Then I came to the University of North Carolina at Chapel Hill for my PhD degree. The job market was so good that instead of doing my PhD I started working at a company in Newport Beach, California. But then a college classmate from Tsinghua University who had joined Microsoft submitted my resume. That’s how I came to Microsoft.

Nadim: And you worked on a number of products before you got to Azure Active Directory (Azure AD)?

Huiwen: I joined Windows networking 22 years ago in 1999 and soon transferred to Office real-time communications. That team merged into Windows networking, which also had a real-time communications group. I think it was called the Office Communications Server, which evolved into Lync Server. Today, it’s Skype services. I was in this group for 15 or 16 years.

When I joined, the product was almost starting from zero. It was like a startup. Back then people relied heavily on email, but people with insight saw the importance of real-time communication over chat, as well as video and audio for meetings and collaboration integrated with your presence, status availability, and all of that. This was the future of communication. So, from version one to version two, through many different milestones, we quickly evolved into a billion-dollar business. I stayed in this team for a very long time, but though it’s just one team, the experience was pretty rich because we grew from a very small business into a very large one, from an on-premises service that shipped once every two to three years to an online service.

Nadim: It’s an interesting journey and certainly one that speaks to the variety of experiences that are possible even in one space, because the space itself evolves so much. You grew and developed a whole set of skills, including transitioning from on-premises software to cloud. You now work on one of the world’s largest services and certainly the world’s largest commercial identity system, Azure AD. Tell us about your role.

Huiwen: I came over three years ago. I was working in cloud services as part of Office 365. It was all bare metal machines with 32 cores, but the deployment and everything was super slow. So, I wanted to get a real taste of Azure, where things are fast and there are virtual machines. And that’s why I landed here.

I saw the job posted on the career website looking for the skills I had, so I applied. I was very fortunate to land a job working on a service called evolved security token service (ESTS), which is a token service for authentication security. It’s one of the most critical services for identity, and there are a lot of interesting problems to solve! I own the fundamentals area, which can be pretty broad. It covers performance, cost of goods sold (COGS), and also some key architectural migration. Basically, my team is in charge of how we run the service effectively with high reliability and at a low cost. This includes the tooling, frameworks, and pipelines.

Nadim: You were one of the people who led a fundamental restructuring of this service to improve its reliability. Could you tell us about the work you did on cell-based architecture? First of all, what is cell-based architecture and why is it so important?

Huiwen: Before this architecture, at least for ESTS, which is one of the largest identity services, we had over 10,000 nodes worldwide on any given day. And these nodes were separated into about 12 regions in three major geographies. Some larger regions had 2,000 nodes and some smaller regions had maybe 600 nodes. A customer’s request could hit any of the nodes in a particular region. This is a very coarse-grained isolation of the service. Now, if a misbehaving application or some data corruption on the backend causes a retry storm in a tenant, you’ll suddenly have millions of requests coming at you, which can destroy your entire capacity in that region. Before I joined, some of our largest tenants were hit by this issue.

With the cell-based architecture, we try to divide tenants into smaller cells, so that each tenant is only handled in one cell. If a tenant has a misbehaving app, then at worst it impacts co-tenants in the same cell while the other cells stay intact. So far, we have divided all the tenants into over 100 cells. This is a very significant improvement in our reliability and resilience.

Nadim: No more than 2 percent of users in our system are in any one cell. This is a unique capability, given the scale we run at, and it’s an example of the innovation that we’re continuing to drive. So, thank you for your leadership on that project and many others like it.

Switching topics, I heard you mentor and coach people even outside of work.

Huiwen: I had been a mentor with my previous team, in some cases for female employees and in others for my fellow Chinese employees. They have had quite good career growth—some are now managers or are going into senior or principal levels.

Then I started coaching math students. It started with 10 kids, most of them girls. It grew to 20 to 30 kids from my son’s school and other schools in the same school district. They formed math clubs and went to math competitions. This lasted for four years. I feel very lucky that I’m a Microsoft employee because we did the weekend classes in Microsoft buildings. We used Microsoft conference rooms with very nice large whiteboards. The kids all liked to have classes at Microsoft. It was really fun.

Nadim: That’s wonderful.

Huiwen: And I have more good news to share. This past summer, when I met with some of my students, they told me they started a math workshop for younger kids. One student used the materials I used when I taught her in my math class. I found this really rewarding.

I do feel kind of obligated to help the people who need help, especially back in my home country. I have given time and money for many years to an organization in China that helps kids in rural areas finish their education, sends them from high school through college, and provides guidance to the direction of their career or answers their questions about what to do in college to prepare themselves for their careers.

Nadim: What gets you excited to come to work every day?

Huiwen: I’d say it’s the impact we have on people around the world through the product we deliver. The work is really, really critical. Even my son signs in through our service to do his schoolwork in Microsoft Teams. This sense of impact and its importance is really rewarding. I’m also a first-tier manager. I see how working with junior team members as their mentor or coach influences their early careers. The impact I have on their career growth is very, very important to me.

Nadim: That’s very near and dear to my heart as well, including the criticality of what we work on and the responsibility we have to our customers. Thanks for sharing your story.

Huiwen: Thank you, Nadim. I’m very honored to have the opportunity.
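The cell isolation Huiwen describes in the interview can be put in numbers with a small simulation. This is an added illustration, not ESTS code and not part of the interview: tenant placement uses a stable hash so a tenant always lands in one cell, the region’s capacity is split evenly across cells, and an overloaded cell is assumed to drop requests indiscriminately. Tenant counts, capacities, and the size of the retry storm are made up.

```python
"""Blast radius of a tenant retry storm: one regional pool versus cells.
Added simulation, not ESTS code; all numbers below are invented."""
import hashlib
from collections import Counter


def cell_for(tenant_id: str, cells: int) -> int:
    """Stable placement: a tenant is always served by exactly one cell."""
    digest = hashlib.sha256(tenant_id.encode()).digest()
    return int.from_bytes(digest[:8], "big") % cells


def availability(load: dict, cells: int, region_capacity: int) -> dict:
    """load: {tenant: requests per interval}. Capacity is split evenly across cells.
    An overloaded cell drops requests indiscriminately, so every tenant in it sees
    the same success ratio capacity/demand; tenants in other cells are untouched."""
    cell_capacity = region_capacity // cells
    demand = Counter()
    for tenant, n in load.items():
        demand[cell_for(tenant, cells)] += n
    return {tenant: min(1.0, cell_capacity / demand[cell_for(tenant, cells)])
            for tenant in load}


def retry_storm(cells: int, tenants: int = 1000, normal: int = 10,
                storm_tenant: str = "tenant-0017", storm: int = 1_000_000,
                region_capacity: int = 40_000) -> dict:
    """Every tenant sends `normal` requests; one tenant's misbehaving app retries
    in a loop. Returns who is degraded and how far the damage spreads."""
    load = {f"tenant-{i:04d}": normal for i in range(tenants)}
    load[storm_tenant] = normal + storm
    avail = availability(load, cells, region_capacity)
    degraded = [t for t, a in avail.items() if a < 1.0]
    storm_cell = cell_for(storm_tenant, cells)
    return {
        "storm_tenant_availability": avail[storm_tenant],
        "degraded_tenants": len(degraded),
        "blast_radius": len(degraded) / len(load),
        "same_cell_as_storm": sum(cell_for(t, cells) == storm_cell for t in load),
    }


if __name__ == "__main__":
    for cells in (1, 12, 100):
        r = retry_storm(cells)
        print(f"{cells:>3} cells: {r['degraded_tenants']:4d} tenants degraded "
              f"({r['blast_radius']:.1%} of the region)")
```

With a single regional pool, every tenant’s success rate collapses to capacity divided by demand (about 4 percent here); with 100 cells, only the storming tenant and its handful of co-tenants are affected, which is the smaller blast radius the architecture buys. A real deployment would add per-tenant throttling inside a cell as well, so that co-tenants are protected too.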

Learn more

Learn more about Microsoft identity and access management.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How a leading Microsoft engineer extends culture to service resiliency appeared first on Microsoft Security Blog.

Why decentralization is the future of digital identities

March 10th, 2022 No comments

Our identity is increasingly becoming digitized—more of our hard copy credentials are converting into digital formats. We use these digital credentials to work, learn, play, socialize, shop, and consume services online and offline every day. It’s so convenient, and now expected, to have these aspects of life accessible at our fingertips. More than half the global economy is based on or influenced by digital technology.1 Digital information becomes fluid and interconnected across services. However, it’s not always under our control as individuals.

Digital identity is now on the verge of a major transformation into one that is more secure, privacy-respecting, and portable. Identity was not fundamentally built into the internet, which has resulted in companies building singular relationships with each of us. The development of these separate accounts, each stored in central databases owned by different companies, has led to an increased risk of security and privacy breaches. Simply digitizing a business process or physical ID doesn’t reduce these risks. We need an identity system that brings our identity together, owned by the individual, and makes digital identities portable in a way that is trusted and secure.

Two phones displaying a woman's driver license. First image shares all information on the card. Second image only shares the name and age.

To illustrate, consider a plastic driver license. Digitizing it replaces the plastic card with a digital card in your smartphone wallet, for example. If you want to use your license to prove your age, a digital license makes it convenient to share with retailers and service providers, but it also makes it easier for those companies to see everything printed on your ID, such as your birthdate and gender, which opens the door to tracking and privacy concerns. Done right, though, the move to digital can improve privacy and security. Instead of simply moving all the information printed on your ID to an image on a phone, a decentralized approach, in which you hold the identity and can show that the information was verified, lets you share only what is necessary from your driver license and revoke access when needed.

Let’s go through some of the differences between digitization and decentralization of credentials.

Security and your digital identity

Digitizing an identity simply makes a digital representation of an asset, but that does not mean it carries the same assurance level as the original document. Even when it is digitized and issued by an official source, a verifier can make a digital copy and store it, which you have no control over. Apps then rely on the attributes in that copy, and apps are themselves susceptible to data breaches. To prove that a person is who they say they are, we have leaned on authentication methods such as usernames and passwords. When an account is hacked, the person is at the mercy of the company to reclaim the account and the personal data that is rightfully theirs. With decentralization, a person proves they are the genuine owner of a real-world identity by presenting digitally signed credentials, and the verifier checks the signature rather than trusting a stored copy. Individuals can use a secure, encrypted wallet to store their identity data and easily control access to it. A decentralized identity could replace the need for usernames and passwords altogether, and work with other forms of authentication to provide the required level of assurance.

Privacy and data protection

With the increase in digitization, privacy concerns are front and center. People are increasingly aware of how much data organizations collect about them and profit from, which has led some to turn to VPNs or to share false information to devalue the data collected from them.2 Data protection laws, such as the General Data Protection Regulation (GDPR), aim to put more control into the hands of users to see and manage their information, but they don’t solve the problem entirely. Rather than taking copies of your identity data, companies could obtain the individual’s permission to access the required information and verify it digitally without storing it. Techniques being standardized include selective disclosure, where the holder reveals only the attributes a verifier asks for, and zero-knowledge proofs, where one party proves to another that a statement is true, such as being over a certain age or holding citizenship, without revealing the underlying data. Both limit what is shared to only what is needed. For organizations, this can reduce the burden of managing personally identifiable information (PII) by giving users complete control over what they share and making them the stewards of their own data. We believe selective disclosure and minimizing data travel are critical requirements for decentralizing identity.

Portability and visibility

Remember sharing copies of documents through email, before you could store them in the cloud? It created multiple copies of the same document, making it hard to keep track of changes and which one was the most recent file. With decentralization, people store the original piece of identity data as a credential on their own device. The credential is cryptographically signed by the organization that issued it, and when the holder presents it, they prove control of their own private key. The receiving organization can then verify that the credential came from an authoritative source by checking the issuer’s signature against the issuer’s public key, which is published through the ledger. The user retains visibility of how that information was used and for how long the organization has access to it. The use of open-standard specifications, such as Verifiable Credentials from the World Wide Web Consortium (W3C), makes it easy for people and companies to receive and present credentials across platforms and services. It allows people to build relationships with organizations that are mutually beneficial.
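Both the selective disclosure described under privacy and the issuer-signed, verifier-checked credential described here can be shown in one small flow. The example below is added for this page and is not Microsoft Entra Verified ID code: it uses salted-hash selective disclosure in the style of the IETF SD-JWT draft rather than a zero-knowledge proof, Ed25519 signatures from the `cryptography` package, and a plain dictionary standing in for resolving the issuer’s public key from the ledger. The DIDs and claims are invented.

```python
"""Issuer-signed credential with selective disclosure (added example, not
Microsoft Verified ID code). Salted-hash disclosure in the style of SD-JWT;
Ed25519 from `cryptography`; a dict stands in for ledger-based key lookup."""
import base64
import hashlib
import json
import os

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _digest(disclosure: str) -> str:
    return _b64(hashlib.sha256(disclosure.encode()).digest())


class Issuer:
    """An authoritative source (e.g. a DMV). It signs only the digests of
    salted claims, so the signature covers every claim without exposing any."""

    def __init__(self, did: str):
        self.did = did
        self._key = Ed25519PrivateKey.generate()
        self.public_key = self._key.public_key()

    def issue(self, subject_did: str, claims: dict):
        disclosures, digests = {}, []
        for name, value in claims.items():
            # Random salt per claim so digests of guessable values cannot be brute-forced.
            disclosure = json.dumps([_b64(os.urandom(16)), name, value])
            disclosures[name] = disclosure
            digests.append(_digest(disclosure))
        payload = json.dumps({"iss": self.did, "sub": subject_did,
                              "_sd": sorted(digests)}, sort_keys=True).encode()
        credential = {"payload": _b64(payload), "sig": _b64(self._key.sign(payload))}
        return credential, disclosures      # both live in the holder's wallet


def present(credential: dict, disclosures: dict, reveal: list) -> dict:
    """Holder shares the signed credential plus only the disclosures it chooses."""
    return {"credential": credential, "disclosures": [disclosures[n] for n in reveal]}


def verify(presentation: dict, trusted_issuers: dict) -> dict:
    """Verifier: check the issuer signature, then that each revealed claim hashes
    to a signed digest. Returns the revealed claims; raises ValueError otherwise."""
    cred = presentation["credential"]
    payload = _unb64(cred["payload"])
    body = json.loads(payload)
    key = trusted_issuers.get(body["iss"])   # stand-in for resolving the issuer DID
    if key is None:
        raise ValueError("unknown issuer " + body["iss"])
    try:
        key.verify(_unb64(cred["sig"]), payload)
    except InvalidSignature:
        raise ValueError("issuer signature invalid")
    claims = {}
    for disclosure in presentation["disclosures"]:
        if _digest(disclosure) not in body["_sd"]:
            raise ValueError("disclosed claim was not signed by the issuer")
        _salt, name, value = json.loads(disclosure)
        claims[name] = value
    return claims


def demo():
    dmv = Issuer("did:example:dmv")
    ledger = {dmv.did: dmv.public_key}
    cred, disc = dmv.issue("did:example:alice", {
        "name": "Alice Example", "birthdate": "1990-04-02",
        "address": "1 Main St", "over_21": True})
    bar_sees = verify(present(cred, disc, ["over_21"]), ledger)   # age check only
    forged = present(cred, disc, ["birthdate"])                   # holder edits a claim
    forged["disclosures"][0] = json.dumps(["salt", "birthdate", "2010-01-01"])
    try:
        verify(forged, ledger)
        forgery_passed = True
    except ValueError:
        forgery_passed = False
    return bar_sees, forgery_passed
```

The bar learns only that the holder is over 21; the issuer’s signature still verifies because it covers the salted digests of every claim, and a disclosure edited after issuance no longer hashes to a signed digest. Binding the presentation to the holder (a holder signature over a verifier-supplied nonce) is left out here.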

Next Steps

Turning credentials into digital form isn’t new, but decentralizing identity goes beyond that. It gives individuals the ability to verify their credentials once and use them anywhere as proof of attestation. With the nexus of control shifting to users, they can manage exactly what they want to share and for how long, and safeguard their data locked in their own digital wallet.

Standards for decentralization are still being formalized and tested but it’s not too early to start exploring use cases. Think of areas where the benefits of decentralization can help your business, such as onboarding employees and contractors quickly, or to provide extra assurance for granting access to high-value applications, or recovering an account. With the momentum around decentralization of the internet, currency, assets, and more, we see a decentralized identity system as a crucial component to enable trust and security for the future.

Learn more about Microsoft’s decentralized identity solutions.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1IDC FutureScape Webcast: Worldwide Digital Transformation 2022 Predictions, Shawn Fitzgerald, Robert Parker, IDC. November 2021.

2What Are Data Brokers – And What Is Your Data Worth?, WebFX Team, WebFX. March 16, 2020.

The post Why decentralization is the future of digital identities appeared first on Microsoft Security Blog.

The importance of identity and Microsoft Azure Active Directory resilience

November 16th, 2021 No comments

I love hearing my colleagues explain how they came to the industry because so many of their stories are unusual. I’m surprised how often I hear that people got into computer science by some fortuitous accident. Although he loved computers from the time he was a kid, Oren Melzer never expected to work in the software industry. Today, he’s a Principal Group Engineering Manager in the Identity and Network Access organization, working on one of our team’s most important efforts: resilience.

When he was growing up, Oren’s business-minded parents encouraged him to develop an entrepreneurial spirit. And he did. Oren’s journey reminds us that entrepreneurship isn’t limited to building a new business from scratch, where you start off doing everything yourself. Even though he’s worked in a large organization in a large company for the past several years, Oren has enjoyed participating in many entrepreneurial efforts, including his groundbreaking work on making cloud services resilient, as he tells Nadim Abdo, Corporate Vice President of Identity and Network Access Engineering.

Oren’s interview with Nadim has been edited for clarity and length. We’ve included some video snippets so you can learn more about Oren’s personal journey and his views on the work he does.

Nadim: Oren, I’d like to start by asking what got you into the industry and computers?

Oren: It all started when I was really young. My parents were immigrants from Israel to Louisville, Kentucky. Not a ton of Israelis in Kentucky! My dad was an engineer, so we had computers super early. I’m dating myself, but we had a Commodore that ran Microsoft Disk Operating System (MS-DOS). I was probably five or six, tinkering around on that thing. When my dad showed me Quick Basic interpreter (QBasic), I created a simple little program that would ask, “What is your name?” And you’d say, “Oren.” And it would say, “Hello, Oren.” I remember thinking, “That’s the coolest thing in the world. I can make a computer program that I can talk to!” I loved doing stuff on computers from then on.

Nadim: I have fond memories of QBasic as well. That integrated development environment (IDE) and debugger were pretty awesome. So, you wrote programs from an early age—do you remember any other programs you did?

Oren: Three months after I was born, my parents started a food manufacturing company, which they still run. It’s a family business, so after a few years, they put me to work. But they realized pretty quickly that this computer thing was probably more useful than me putting cans in boxes. So, I became the company computer guy.

They had software to do all their accounting and inventory, and there was a production planning module that cost $40,000. They asked me what I thought, and I said that, with what I knew, I could write it for a lot less money. I was a high schooler, and they basically threw me into this problem. I didn’t have anybody to tell me what to do or how to do it. I wrote a bunch of Visual Basic macros that pulled data from the system, pulled up some editable forms, and then popped out a production plan. That was an entire summer project, 20-plus years ago, and their company still runs on that software to this day. I actually still get tech support calls to fix random bugs.

Nadim: That’s amazing! You must’ve learned the value of customer obsession from that experience. And obviously, this segues to how you now work on some of the most critical services in the entire industry. What learnings from that experience really carried through?

Oren: First, you have to build something that works. I wrote this software when I was 16 or 17 years old, and if it breaks, they can’t produce—30 or 40 people on a factory floor don’t know what to run or they’re scrambling to try to do the same thing manually.

I didn’t know about source control then, but I learned early on to make a backup copy when making changes. If something broke, I’d copy in the one from yesterday that worked. And there’d be weird edge cases, like some new item whose name was too long to fit into the number of characters I had assumed it could be. So, I learned to be very fault-tolerant, catch errors, and keep on going.

Nadim: When you went to college, what did you choose as your focus? 

Oren: I was convinced that software was something everybody was doing. And I like to do things that other people aren’t doing. So, I went into college as a biomedical engineering major. I really wanted to combine the computer thing with biology, another passion I had in high school. I wanted to build medical devices and software for medical devices, pacemakers, and so forth.

A couple of things got me into software. Early on, I met another computer science major, and he became a good friend. He’s actually at Microsoft now. We started a book business together, which we wrote software for.

Video 1: Oren talks about the book business he started in college with a friend.

For a while, I actually thought this thing could be my career, but during our downtime one summer, I looked for a biomedical internship. I couldn’t find one, but who showed up at our company fair? Microsoft. I had my first internship in the identity organization after that. I loved it so much I changed my major. I ended up getting a master’s in computer science and came to Microsoft full-time. I’ve been in identity ever since.

Nadim: That’s wonderful! What do you like best about working in the identity space?

Oren: What’s cool about identity is how foundational it is, like the electric company. Very few people wake up in the morning and say, “I want to use my identity today.” But whatever you do want to do—when you look at all the Microsoft products and applications at any number of businesses—the very first question you always need to ask is, who are you? What is your identity?

Identity enables all those experiences. And when it doesn’t work, people can’t work. I tell people, “I challenge you to find another job where you can impact more people in a day than our identity system does.” We throw around numbers like “billions of authentications” like it’s nothing. That level of impact—that level of making a difference for practically every working person, and many people in college, all over the world—is practically unmatched anywhere else at Microsoft or in the industry, as far as I know.

Nadim: That’s right. The scale is certainly incredible, as is the criticality and security. With that kind of scale, there are obviously enormous technical challenges. And you’ve worked on a number of different areas within identity, right?

Oren: I started on a product called Windows CardSpace, formerly known as InfoCard. It was an identity selector in Windows, where somebody could issue you an identity to use online. To some extent, we were ahead of our time, and eventually, that project was shelved. I moved to developer frameworks and worked on Windows Identity Foundation, which became part of the Microsoft .NET Framework. I also worked on Active Directory Federation Services (AD FS).

My first entry into cloud services was the Access Control Service, which allowed admins to configure federated authentication for their apps. You could authenticate using Microsoft accounts and Google accounts and also secure your application. It was one of the identity organization’s first modern services. And it was really interesting to move from shipping software in a box, which people can download or not, to shipping something that runs all the time and is critical to day-to-day life.

Nadim: And certainly, an absolutely critical journey as part of cloud transformation with everybody using these services. Tell me about your role and what you like best about it.

Oren: I now own an area called “authentication resilience” in identity. We could build the best services in the world, with the most features, but if they’re not up all day, every day, we’re basically failing our customers. And the impact of that is enormous. We’ve learned hard lessons over the years on what can go wrong in a distributed system, so we’ve developed systems that enable us to operate, and continue to operate, in case all kinds of outages occur, whether from networking problems somewhere in Microsoft Azure, a bug that gets released in our system, or key management problems.

We’re building, number one, a set of components to ensure that if the core identity system goes down, users won’t notice. We do that by allowing sessions to live longer, while also being more secure, and to react in real time. Secondly, we built an entire decorrelated backup authentication stack where we can continue to serve authentications even if the primary system goes down completely. The vast majority of users can stay productive and have no idea that anything has gone wrong.

The goal is to prevent the outage from happening, but if a partial outage does occur, to minimize the impact.

Video 2: Oren describes his job to his parents.

Nadim: How would you say that Microsoft is differentiating our offerings in terms of resilience?

Oren: When we started on this resilience journey a couple of years ago, we weren’t aware of any cross-industry efforts on service resilience. Existing identity standards just assume everything is going to work. With OAuth and Security Assertion Markup Language (SAML), you make a request, you get a response. There was no playbook or roadmap for figuring out how to build the next level of real-time signals, more resilience, or backup systems. We weren’t going to wait for one, so we just built it. Ultimately, a working group formed in the OpenID Foundation called Shared Signals and Events, and we actively participated. I went to many of those early meetings, trying to figure out how to build a real-time resilient identity system.

It’s one thing to talk about theory. It’s another to say, “We’ve built this already. Here’s what it looks like.” As a big believer in open standards, I’m proud that we didn’t just say, “The standard must be exactly like what we built, otherwise we’re not going to be on it.” We have actually adapted our implementation to the industry standard. And we’ve been able to get our partners elsewhere in the industry—people who build other software that works with Microsoft Azure Active Directory (Azure AD)—to adopt this standard as well. Now we can say that we have resilience and continuous access, not just for Microsoft properties, but also for many other long-tail apps, built by other people, that we know our customers rely on every day.

Nadim: One of the things that’s awesome about our team is we have so many different individuals with so much talent, with different interests, passions, and ways of looking at the world. How would you describe yourself, your approach, and your strengths?

Oren: People think of software engineers hunched over in a dark room in front of a desk, pounding on a keyboard, looking at ones and zeros on a screen. I like code as much as anybody, but I am a people person. I really thrive on human interaction, on enabling somebody to be successful, and on finding the right project for someone working for me who may be struggling a bit.

The same is true when I think about the impact of the software we build. I don’t just think about the billion requests our backup systems serve today. I think about a billion people who might’ve been frustrated because they couldn’t check their email. And now they can because this backup system kicked in. What motivates me is the people—both the ones I can see in the office and the ones I can’t see. I know they’re there. Knowing that the work I do can make a difference for those people, both in terms of the technology I build and of the people I manage, is extremely motivational for me.

Video 3: Oren shares what he likes best about his job.

Learn more

Learn more about cloud resilience.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post The importance of identity and Microsoft Azure Active Directory resilience appeared first on Microsoft Security Blog.

Protect your business from password sprays with Microsoft DART recommendations

October 26th, 2021 No comments

Over the past year, the Microsoft Detection and Response Team (DART), along with Microsoft’s threat intelligence teams, has observed an uptick in the use of password sprays as an attack vector. This threat is a moving target with techniques and tools always changing, and Microsoft continues to find new ways to detect these types of attacks and help protect its customers.

In this blog, we are going to define what password sprays are, detail DART’s investigation techniques and approach to responding to password spray attacks, and outline our recommendations for protecting against them.

Why are identity-based attacks suddenly so popular?

Previously, threat actors focused on attacking computers to gain access into an environment. As software becomes more intelligent at detecting abnormal programs and vulnerabilities, attacks against our customers are rapidly becoming more focused on breaking into identities rather than breaking into a network.

The approach to securing user accounts is well-intentioned, but it is often incomplete: large investments typically go into areas such as complex password policies and limiting access to resources from networks perceived as secure. While these mitigations are necessary best practices, in the case of a compromised trusted user, they are ineffective at preventing unauthorized access.

This is why identity attacks have become so popular. Once attackers have gained the credentials to an account, they can access any sensitive resources that the user can access and make the malicious activity appear normal. This creates a repeating attack cycle, where one compromised account leads to access to resources where additional credentials can be harvested, and thus to even further resource access.

Figure 1. Identity-based attack lifecycle.

The anatomy of a password spray attack

To understand how to protect against and investigate a password spray attack, it is important to understand what it is. Password spray attacks are authentication attacks that take a large list of usernames and pair them with common passwords in an attempt to “guess” the correct combination for as many users as possible. These are different from brute-force attacks, in which attackers use a custom dictionary or wordlist against a small number of user accounts.

Sophisticated password spray techniques include some of the following qualities:

Password spray methods:

  • Low and slow: Patience is key for a determined threat actor. The most sophisticated password sprays will use several individual IP addresses to attack multiple accounts at the same time with a limited number of curated password guesses.
  • Availability and reuse: With a new breach being announced publicly every month, the amount of compromised credentials posted on the dark web is rising rapidly. Attackers can utilize this tactic, also called “credential stuffing,” to easily gain entry because it relies on people reusing passwords and usernames across sites.

Password spray identifiers:

  • User agents: This is not an immutable variable and is simple to spoof, so don’t always rely on the user agent string to tell the truth. That said, some example user agents often seen during a password spray are:
    • BAV2ROPC / CBAinPROD / CBAinTAR: These user agent strings represent a connection from a client that uses legacy authentication, a popular tool for a password spray attack.
    • Firefox/Chrome: More sophisticated password sprays using REST APIs often use headless browsers [a browser that doesn’t have a graphical user interface (GUI)] to target the API endpoints.
    • Python requests package: This is an automation library that can be used to generate requests to a website without user interaction.
  • Targets: Password sprays have often targeted applications that are unsecured and use legacy authentication protocols, because these protocols don’t offer a rich audit trail and cannot enforce a multifactor authentication (MFA) requirement. More recently, things have changed somewhat, and we are seeing attackers switch to targeting applications that utilize the REST API, often considered to be more secure. Some commonly targeted applications are:
    • Exchange ActiveSync
    • IMAP, POP3, SMTP Auth
    • Exchange Autodiscover

Microsoft has implemented new and improved password spray detections over the last year to help continue to address password spray attacks.

Help! I’ve been sprayed!

DART is no stranger to password spray attacks. When it comes to investigating cybersecurity incidents, our team’s primary goal is to establish the facts and see where they lead us. Here are some of the questions our team typically considers at the start of each password spray attack incident:

  • “Was the password spray successful?” This is perhaps the most important question to ask because it determines whether there is potential unauthorized access present in the environment. If it was determined to be successful, the investigator can continue down the list to gain additional information to understand how to proceed.
  • “Which users are affected?” Enumerating the users that were victims of the password spray attack can change the direction of our investigation. For example, if the list of users affected is particularly targeted (maybe just in one department or all the staff members of a particular project), we can assume our threat actor knows what they are looking for and has done their research. This helps us adapt an action plan based on the permissions and access rights that a particular user has. We call this “scoping” the incident—in other words, understanding what machines and resources the attackers accessed, and determining the number of compromised users. This knowledge helps us with remediation and preventing attackers from entering the environment again in the future.
  • “Were administrative accounts compromised?” If administrative control over a tenant is lost, the situation changes. A compromised tenant is a very different situation from a compromised user and has the potential to be much more damaging, so this is an important distinction for us to make.
  • “What indicators do we have?” Information such as the time the spray was conducted, targeted user agent and endpoint, IP addresses, and other identifying information can help us understand if this was carried out by an opportunistic attacker or determined human adversary. There is also the possibility that we can use our threat intelligence to identify some potential next steps our adversary may have taken and the overall scope of compromise.
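A small triage pass that applies the identifiers listed earlier (legacy-auth user agents, a single IP failing against many accounts with few guesses each) and then answers the first three questions above. This is an added example, not DART’s tooling; the sign-in records, thresholds, contoso.example accounts and the admin-role map are all constructed.

```python
"""Password spray triage over constructed sign-in records (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Legacy-authentication user agents named in the post.
LEGACY_AUTH_AGENTS = {"BAV2ROPC", "CBAinPROD", "CBAinTAR"}

# Constructed role map for a hypothetical tenant (role names from the post).
PRIVILEGED_USERS = {
    "carol@contoso.example": "Global administrator",
    "dave@contoso.example": "Exchange service administrator",
}


@dataclass(frozen=True)
class SignIn:
    ts: str          # ISO-8601 timestamp
    user: str
    ip: str
    user_agent: str
    app: str
    success: bool


# Constructed sample: 203.0.113.10 sprays six accounts with one guess each over
# Exchange ActiveSync and lands one success on an admin; 198.51.100.7 is a
# normal user mistyping their own password three times before succeeding.
SAMPLE = [
    SignIn("2021-10-01T02:00:01Z", "alice@contoso.example", "203.0.113.10", "BAV2ROPC", "Exchange ActiveSync", False),
    SignIn("2021-10-01T02:03:12Z", "bob@contoso.example", "203.0.113.10", "BAV2ROPC", "Exchange ActiveSync", False),
    SignIn("2021-10-01T02:06:40Z", "carol@contoso.example", "203.0.113.10", "BAV2ROPC", "Exchange ActiveSync", False),
    SignIn("2021-10-01T02:09:55Z", "dave@contoso.example", "203.0.113.10", "BAV2ROPC", "Exchange ActiveSync", False),
    SignIn("2021-10-01T02:13:02Z", "erin@contoso.example", "203.0.113.10", "BAV2ROPC", "Exchange ActiveSync", False),
    SignIn("2021-10-01T02:16:31Z", "frank@contoso.example", "203.0.113.10", "BAV2ROPC", "Exchange ActiveSync", False),
    SignIn("2021-10-01T02:20:09Z", "carol@contoso.example", "203.0.113.10", "BAV2ROPC", "Exchange ActiveSync", True),
    SignIn("2021-10-01T08:15:00Z", "alice@contoso.example", "198.51.100.7", "Mozilla/5.0", "Office 365", False),
    SignIn("2021-10-01T08:15:20Z", "alice@contoso.example", "198.51.100.7", "Mozilla/5.0", "Office 365", False),
    SignIn("2021-10-01T08:15:45Z", "alice@contoso.example", "198.51.100.7", "Mozilla/5.0", "Office 365", False),
    SignIn("2021-10-01T08:16:10Z", "alice@contoso.example", "198.51.100.7", "Mozilla/5.0", "Office 365", True),
]


def find_spray_sources(events, min_distinct_users=5, max_avg_attempts=2.0):
    """Return {ip: sorted targeted users} for source IPs that fail against many
    distinct accounts with few attempts per account ("low and slow").
    Thresholds are constructed for this sample; tune them to your own baseline."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> failed count
    for e in events:
        if not e.success:
            failures[e.ip][e.user] += 1
    sprays = {}
    for ip, per_user in failures.items():
        avg = sum(per_user.values()) / len(per_user)
        if len(per_user) >= min_distinct_users and avg <= max_avg_attempts:
            sprays[ip] = sorted(per_user)
    return sprays


def triage(events):
    """Answer the first DART questions: was the spray successful, which users
    were targeted, and were any of the compromised accounts privileged."""
    sprays = find_spray_sources(events)
    successes = [e for e in events if e.success and e.ip in sprays]
    legacy_ips = {e.ip for e in events if e.ip in sprays and e.user_agent in LEGACY_AUTH_AGENTS}
    return {
        "spray_ips": sorted(sprays),
        "legacy_auth_ips": sorted(legacy_ips),
        "successful": bool(successes),
        "compromised_users": sorted({e.user for e in successes}),
        "affected_users": sorted({u for users in sprays.values() for u in users}),
        "privileged_compromised": {
            e.user: PRIVILEGED_USERS[e.user] for e in successes if e.user in PRIVILEGED_USERS
        },
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```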

Our password spray investigations playbook contains in-depth guidance around investigating password spray attacks and offers information about Microsoft Active Directory Federation Services (ADFS), Microsoft’s solution for single sign-on (SSO), and web-based authentication.

Am I a target?

It’s important to understand the targets of the password spray to correctly determine the scope of the potential compromise. Recently, DART has seen an uptick in cloud administrator accounts being targeted in password spray attacks, so understanding the targets is a good place to start. Enumerate the users with the below permissions as the initial list to investigate, and then add users to it as the analysis proceeds:

  • Security administrator
  • Exchange service administrator
  • Global administrator
  • Conditional Access administrator
  • SharePoint administrator
  • Helpdesk administrator
  • Billing administrator
  • User administrator
  • Authentication administrator
  • Company administrator

In addition to privileged accounts such as these, identities with a high profile (such as C-level executives), or identities with access to sensitive data are also popular targets. It is easy to make exceptions to policy for staff who are in executive positions, but in reality, these are the most targeted accounts. Be sure to apply protection in a democratic way to avoid creating weak spots in configuration.

How can I check for suspicious activity?

To perform a thorough cloud investigation, exporting logs and installing PowerShell modules is unavoidable and is discussed in detail in our password spray investigation playbook, but there are other methods to gain insights quickly.

Microsoft Cloud App Security

The Microsoft Cloud App Security portal is a great first place to check for suspicious activity. If you have Cloud App Security enabled, follow these steps to check for suspicious activity.

  1. Go to the Cloud App Security portal and sign in with the Security Administrator credentials.
  2. Go to Alerts.
  3. Filter for the users that you enumerated in the first step and check for any alerts associated with these users.

Figure 2. Sample alerts in Cloud App Security related to possible password spray attacks.

Here are some alerts that could be associated with a password spray incident:

  • Activity from anonymous IP address.
  • Activity from infrequent country.
  • Activity from suspicious IP address.
  • Impossible travel.

We describe additional Cloud App Security alerts in our documentation.

User investigation priority

For the accounts of interest, check the Cloud App Security investigation priority by navigating to the account under Users and accounts. The investigation priority score is based on security alerts, abnormal activities, and potential business and asset impact related to each user to help you assess how urgent it is to investigate each specific user.

  1. Go to the Cloud App Security portal.
  2. Go to Investigate then Users and accounts.
  3. Check the investigation priority for all users of interest and, if needed, view related activity.

Figure 3. The user page in Cloud App Security shows the investigation priority.

Azure Active Directory

Microsoft Azure Active Directory (Azure AD) natively incorporates behavioral analysis algorithms into its detection logic, so there is a chance that an alert already exists about a password spray attack. Below are several places to check within the portals before going through the hassle of log exporting. Use the indicators of compromise (IOCs) from these alerts, such as user, IP address, and time range, to pivot further.

Identity Protection

Identity Protection is a tool in Azure AD designed to identify potentially risky behavior surrounding authentication events. Users with an Azure AD Premium P2 license may follow these steps to check for suspicious activity:

  1. Go to the Microsoft Azure portal.
  2. Use the search bar to locate Azure AD.
  3. Select Security from the left blade.
  4. Review the reports under Risky sign-ins and Risky users for any of the users that you enumerated from the list.

Figure 4. Azure AD can display a list of risky sign-ins to identify potentially risky behavior.

Revoke user access

If an identity is considered compromised, action should be taken immediately to ensure that access is revoked. This should include disabling the user’s device(s), a password reset, account disablement, and token revocation in Azure AD.

Recommendations for protecting against password sprays

Password sprays are worrisome, and the statistics bear this out: according to the Digital Shadows report “From Exposure to Takeover,” there are over five billion unique credential pairs available for sale worldwide, with new caches of credentials being exposed on a regular basis.1 This kind of volume tells us that we should assume that a breach will occur and consider a compromised username or password in any given organization inevitable.

This doesn’t mean we should give up on passwords altogether, but the rabbit hole of password policies, and the potentially endless discussions about complexity, length, and “correct horse battery staple” (Don’t know what we are talking about? Look it up!), should be avoided in favor of applying Zero Trust logic to identity and authentication. This includes areas like:

  • MFA and legacy authentication: You have probably heard this recommendation before: disabling legacy authentication and enabling MFA for all users is a critical step in securing your identity infrastructure and should be a priority if it has not already been done.
  • Rethinking the password policy: The future is a world without passwords, because it is too common for people to reuse them between applications or create easily discoverable passwords. Passwordless authentication methods such as the Microsoft Authenticator App, Windows Hello for Business, and Fast Identity Online (FIDO) keys help improve both the user experience and the security level of an authentication event. If a password must be used, ensure that the password policy does not allow key phrases related to the organization or commonly used passwords. A password policy of eight characters with an uppercase, lowercase, number, and symbol is no longer secure with today’s graphics processing unit (GPU) capabilities: attackers can crack a password with these elements in a matter of hours. A 20-character short sentence may be easy for users to remember and is more secure than a complex 8-character password!
  • MFA registration: The most effective way to protect against a password spray leading to a successful authentication is by using MFA. However, if the user is enabled for MFA, but never completes the registration process, they are left unprotected. Even worse, if a threat actor signs in and is prompted for MFA, they can register their own MFA details. This is an excellent cover for a threat actor because the authentication event is much less suspicious when MFA is satisfied. DART doesn’t recommend using location-based MFA policies (like only applying MFA when outside the corporate network) as this leaves room for this kind of loophole. Additionally, DART recommends that customers configure an MFA registration policy if possible to ensure that all enabled users register for MFA.
  • Mailbox auditing: Use this script to ensure that the recommended mailbox auditing actions are configured on every mailbox in the organization. This ensures that post-exploitation auditing is as robust as possible, allowing for a more effective investigation.
  • Administrative accounts: These are the keys to the kingdom and should have an extra level of protection. Ensure that administrative accounts are cloud-only and are not synchronized from Active Directory. MFA should always be applied, and emergency access accounts should also be created.
  • Policy gaps: Ensuring that weaknesses do not exist in your identity policies and processes is critical. All too often, DART finds that small misconfigurations can lead to an entry point for a threat actor. Let’s explore this idea further:
    • Conditional Access policies: These policies are a great way to apply access control logic to complex environments, helping customers walk the tightrope between protecting the organization and allowing staff to get on with their jobs. With complexity comes risk, and as previously mentioned, misconfigurations are all too common. Some pitfalls to watch out for:
      • Cloud Apps: Let’s look at a real-world example. A DART customer experienced a cloud identity breach and had in place an MFA policy for administrative accounts, applied to the Office 365 cloud app. However, the threat actor used the Azure Service Management API to connect to the environment. This cloud app was outside of the scope of the MFA Conditional Access policy, giving the threat actor access to the environment without requiring MFA. Make sure to have in place a Conditional Access policy that covers all cloud apps and applies MFA to give you a base level of protection.

Figure 5. Conditional Access policy in Azure AD.

      • Policy exceptions: During day-to-day operations, changes are often made to a product configuration to facilitate business functions. One typical example of this kind of change is an account being removed or exempted from a security policy. This is something to be careful of—policy exceptions often begin as a temporary change but end up being permanent for one reason or another. It is also not uncommon for DART to observe exceptions for sensitive or high-profile accounts; the very type of account that makes an ideal target for cybercriminals. Use processes and technical solutions to ensure those policy exceptions are temporary and tracked. If they must remain, put in place some mitigating controls to reduce the attack surface of that particular account.
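The Cloud Apps pitfall above, modelled in code so the scope gap can be checked before an incident: an MFA policy scoped to the Office 365 cloud app versus one scoped to all cloud apps, evaluated against an administrator sign-in through the Azure Service Management API. This is an added example, not Microsoft’s policy engine; the policy dicts follow the shape of a Microsoft Graph conditionalAccessPolicy only as far as needed, the evaluator is a hypothetical simplification, and every application and role id is a placeholder.

```python
"""Conditional Access scope gap from the "Cloud Apps" pitfall (added example)."""

# Placeholder identifiers (hypothetical; substitute the real ids from your tenant).
GLOBAL_ADMIN_ROLE_ID = "<global-administrator-role-template-id>"
ASM_API_APP_ID = "<azure-service-management-api-app-id>"
EXCHANGE_ONLINE_APP_ID = "<exchange-online-app-id>"

# The "Office 365" cloud app is a group of first-party apps; modelled here as a
# constructed set with a single member.
OFFICE365_MEMBER_APPS = {EXCHANGE_ONLINE_APP_ID}


def admin_mfa_policy(app_scope):
    """Build an enabled policy requiring MFA for Global Administrators, scoped to
    app_scope: "Office365" (the group keyword) or "All" (every cloud app)."""
    return {
        "displayName": f"Require MFA for admins ({app_scope})",
        "state": "enabled",
        "conditions": {
            "users": {"includeRoles": [GLOBAL_ADMIN_ROLE_ID], "includeUsers": []},
            "applications": {"includeApplications": [app_scope], "excludeApplications": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


WEAK_POLICY = admin_mfa_policy("Office365")  # the configuration in the DART case
FIXED_POLICY = admin_mfa_policy("All")       # what the post recommends


def app_in_scope(apps, app_id):
    """Simplified application-condition match: explicit exclusions win, then the
    All / Office365 keywords, then explicit app ids."""
    if app_id in apps.get("excludeApplications", []):
        return False
    includes = apps.get("includeApplications", [])
    if "All" in includes:
        return True
    if "Office365" in includes and app_id in OFFICE365_MEMBER_APPS:
        return True
    return app_id in includes


def user_in_scope(users, user_roles):
    """Simplified user-condition match on directory roles or the All keyword."""
    if "All" in users.get("includeUsers", []):
        return True
    return bool(set(users.get("includeRoles", [])) & set(user_roles))


def policy_requires_mfa(policy, app_id, user_roles):
    if policy.get("state") != "enabled":
        return False
    cond = policy["conditions"]
    if not (app_in_scope(cond["applications"], app_id) and user_in_scope(cond["users"], user_roles)):
        return False
    return "mfa" in policy["grantControls"].get("builtInControls", [])


def mfa_enforced(policies, app_id, user_roles):
    """True if at least one enabled policy requires MFA for this sign-in."""
    return any(policy_requires_mfa(p, app_id, user_roles) for p in policies)


def find_uncovered_apps(policies, user_roles, apps_to_check):
    """List the apps an account holding user_roles could reach without MFA;
    an empty list means the policy set has no scope gap for those apps."""
    return sorted(a for a in apps_to_check if not mfa_enforced(policies, a, user_roles))


if __name__ == "__main__":
    admin = [GLOBAL_ADMIN_ROLE_ID]
    apps = [EXCHANGE_ONLINE_APP_ID, ASM_API_APP_ID]
    print("weak policy leaves uncovered:", find_uncovered_apps([WEAK_POLICY], admin, apps))
    print("fixed policy leaves uncovered:", find_uncovered_apps([FIXED_POLICY], admin, apps))
```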

Assume breach

Password spray attacks are the perfect combination of low effort and high value for attackers, and even the most secure companies are likely to fall victim to them. However, preventing catastrophic damage is not a hopeless endeavor. By assessing both sides of the situation, the protection against the attack as well as the capabilities to investigate and remediate one, you can achieve substantial coverage against the damage a password spray can cause.

DART utilizes these strategies for everyday investigations. We encourage our customers to adopt passwordless technology and enable MFA, regardless of the provider. While attackers are most likely continuously exploring new ways to break into an environment, by assuming breach we can help safeguard against the harm that would otherwise be inevitable.

Learn more

Want to learn more about DART? Read our past blog posts.

1. From Exposure to Takeover: The 15 billion stolen credentials allowing account takeover, Digital Shadows Photon Research Team, Digital Shadows.


3 trends shaping identity as the center of modern security

September 21st, 2021 No comments

I recently returned from Kenya, where I visited our Microsoft Nairobi development center. Like many of you, I’ve mostly worked from home for the past year and more, so it was refreshing to meet members of our global team and inspiring to feel their passion for our mission: delivering identity solutions that secure access to everything for everyone.

This mission has never been more important, given that identity has become the focal point of our digital society. Identity enabled us to rapidly shift to remote models when the pandemic first hit, and identity will help sustain the trend toward more permanent remote and hybrid models moving forward. But other emerging trends will also have a major impact on our digital society. Our team at Microsoft, as well as the identity community at large, is working hard to make sure you have the tools and technologies you need to navigate them safely and securely.

1. Cybercrime has become cyberwarfare

The sophistication and pervasiveness of cyberattacks have culminated in a moment of reckoning for our industry. Attacks from nation-states and global syndicates are on the rise, putting our economies and our very lives at risk as they target critical infrastructure. These attacks are methodically organized and exploit multiple vulnerabilities to gain access to trusted technologies and valuable data.

A Zero Trust security approach with identity as its foundation is the only way to survive this onslaught. Many of you have already started adopting Zero Trust principles, but blocking advanced, ever-evolving attack vectors requires applying these principles across your entire digital estate. It’s on the security ecosystem, including the identity community, to ensure that our services share signals and interoperate well with your entire infrastructure to enable an end-to-end Zero Trust strategy, with identity as a cohesive security control plane.

2. Multi-cloud is the new normal

As the cyber battle has escalated, so too has the complexity of your infrastructure. On-premises has given way to hybrid, then cloud-first, and now multi-cloud as a new normal. Cloud-based tools have enabled unprecedented automation and scale, as well as the exponential growth of non-human identities—but not without risk. A one-line automated script can topple your infrastructure in milliseconds. Machine objects and scripts can now elevate access privileges to complete administrative tasks, but if compromised, they can be misused.

Since each non-human entity has its own identity, access management becomes a key factor for protecting complex multi-cloud environments. We need services that ensure automation is trustworthy, easily managed, and fully visible so we can assess and control risk. To meet this challenge, the discipline of Cloud Infrastructure Entitlement Management (CIEM) has emerged to help manage the lifecycle and governance of multi-cloud environments. Microsoft has embraced this new category by acquiring CloudKnox.

3. Ubiquitous, decentralized computing requires a new trust fabric

As identity steps up to solve new challenges in an evolving security landscape, the core model for identity itself will become decentralized. This shift is part of a larger evolution to ubiquitous decentralized computing, where datacenters serve as the intelligent cloud facilitating interaction with smart devices and services on the intelligent edge. A decentralized identity model is the only way to achieve the speed required to authorize so many services and things at scale.

The independent nature of a decentralized model makes identity portable. When individuals can take their identities (and the personal information attached to them) with them wherever they conduct digital transactions, they gain more control over their privacy while benefiting from faster and more trustworthy transactions. This will change the world for so many industries, including finance, retail, healthcare, and others. Just a few years into this journey, proofs of concept have already accelerated demand for more convenient, secure, and private ways to interact at work, at home, and at play.

Looking forward

This is our commitment to you: the identity community will continue to collaborate closely in the coming years to help organizations everywhere stay ahead of these trends, which are daunting but exciting.

I recently shared my thoughts on these trends and ideas on practical steps our community can take to continue progress on this monumental undertaking at the 2021 European Identity and Cloud Conference. Please watch my session Identity’s evolving role in cloud security to learn more.

To learn more about Microsoft identity solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


How user experience is shaping verifiable credentials and identity

May 26th, 2021 No comments

Since 2017, Microsoft has been working with the identity community on two groundbreaking technologies designed from the ground up to make digital privacy convenient and practical: decentralized identifiers and verifiable credentials. We believe verifiable credentials will revolutionize the way we exchange personal information, shifting ownership and control of identity and personal data back to individuals.

To develop our implementation, Frank Chiachiere and other members of our team conducted pilots with industry leaders in healthcare, the public sector, financial services, retail, professional sports, and education. As Frank explains in the interview below with Alex Simons, the team started with optimistic ideas that evolved into a tangible working model, now in preview.

What I love most about Frank’s story is that he came to our team with an unusual background that trained him not only on technology but also on empathizing with people to understand what motivates them. This training helps him collaborate broadly on designing natural, responsive, and inviting user experiences that seamlessly integrate into familiar workflows and habits.

Frank’s interview with Alex has been edited for clarity and length. We’ve included some video snippets so you can learn more about Frank’s journey and his UX design philosophy.

Alex: Frank, you’ve been working on some of the coolest stuff in the division. But before we get to that, I’d love for you to share your background, because it’s not the traditional way to get into high-tech.

Frank: True. I was a bit of a boomerang story. In college, I was studying cognitive science—a mixture of psychology and computer science. But I totally abandoned it because I fell in love with the theater. I moved across the country here to the Northwest and found myself in a theater company doing amateur acting and directing. And I really enjoyed it. I met some of the best friends of my life doing it, including my now wife.

Then as I got older, I decided it was time to do a career change. I still really loved technology. And as I found my way back to school at the University of Washington, poking around for what I could do, I discovered that user experience design actually marries a lot of my interests.

As an actor, the most exciting thing was to bring life to somebody by trying to understand what drives them to do the things they do. And that weird core instinct and competency you develop as an actor, I found, ended up being shockingly relevant when I wanted to get back into technology.

I said, “This is what I have to be doing.” That led me toward consulting for a while, and then eventually, in the last six years, here at Microsoft on the Identity and Network Access Team.

Alex: I don’t know how many people we have who joined from the theater, but I just think that’s super cool.

Frank: I know program managers who worked as stage managers.

Theater teaches you how to work really effectively with other people and as we know, working in tech is super collaborative. The theater teaches you how to be creative on a deadline. I really appreciate learning that. It helps me be more empathetic with my teammates to understand how we can all work together better and support each other.

Alex: You’ve been working on one of our most amazing, future-looking areas. Can you tell us what it is, what it does, and why it matters to the world?

Frank: For the last couple of years, we’ve been working on the problem of decentralized identity. We’re trying to bring things we take for granted in the real world into the digital world in a more authentic and transparent way. Because of COVID-19, we’ve had to do a lot less in-person. We’ve had new challenges of how to bring trust, verifiability, and accountability to the online space when it comes to proving things about yourself. You can think of examples like digital driver’s licenses or passports, ways to reduce fraud, or applying for loans.

Right now, we still fax and scan. I’ve got my COVID-19 vaccination record here, this attestation or proof that I’ve gone and done something. This paper card somehow makes this authentic. Try thinking about this in the digital world. We haven’t really had a good way to do it. We see people not being able to verify things about one another. We see privacy breaches. We see hacks. We know we have to get better at control and ownership of personal data.

A couple of changes in the last few years have allowed us to innovate in this space in a way that Microsoft is uniquely positioned to do. First, we have a rise of open standards. Everyone has mobile phones now that are biometrically secured, so we can store more sensitive data on them. And we have new technologies like Blockchain, which allows for decentralized verifiability so that I can prove something about you without having to go through some central authority. All this allows us to think about new ways of proving and verifying things about yourself and your identity online and sharing that with other parties.

At the heart of the challenge is how do we educate people? How do we give them the level of security, power, and control they desire, without making the experience way too simple or way too complicated?

It’s really on us as communicators and product designers to say, “How can we make it clear that we’re not storing this data in some central server, that this is yours and it travels with you? This bit of information is just stored locally on your phone, so you’ve got to back it up.” It can increase trust that people own their data, but it can also be scary because then they think, “What happens if my phone goes in the lake or gets stolen?”

We’re also thinking about how much friction to put in front of somebody to evoke a moment of realization. We accept terms and conditions and cookies all the time because we want to get to the things that are important and valuable to us. A lot of times, we don’t even think about what we’re giving away. We want to restore people’s power to make that decision, but we also don’t want to give them button fatigue, where they’re always just clicking yes, accept, accept, accept because they don’t want to deal with all of these boxes in their way.

Graphic of presentation and verification UX design stages on an iPhone screen.

Figure 1: Permission and verification UX design.

Alex: I’ve really enjoyed watching how many different iterations of the design you’ve gone through. Can you tell us more about that iterative design approach?

Frank: As the designer, I always start with, “What are we trying to communicate here? What are the words? What’s the data? How will it be used and shared?”

You’re trying to marry content and users with an effective design. When you design something you think will be used everywhere, it’s hard to drill down to specific use cases and get crisp about requirements. So, the early days were driven by our initial pilot customers.

We started by imagining how our early adopters would use the product and the kind of data they could store and share. For us, it was really about paring back. “What does it look like to have a credential and share that credential? What do I need to see about the credential? When do I need to see it? And how can we make that as simple as possible so we can learn?”

Because really, we’re going to learn so much more from putting this in front of people than by trying to refine the design over and over. “What’s the simple product that is clean and crisp, that will allow us to get the most data, and allow those use cases and requirements to evolve? How can we make something that’s elegant and familiar?”

We said, “Okay, it’s going to have to be cards in the wallet because that’s what people will recognize.” The driver’s license example comes to mind. A lot of people think in those terms, and so that really helped drive us towards that iteration. But I can show you some designs where we had QR codes on the front. We had lots of different data. We were making these things very, very elaborate. And I’d love to get there someday. We’re going to let the use cases drive that as time goes on.

Alex: I love the work you’ve done to show people receipts for all the places they use their credentials. I feel like it’s one of those little “aha” kind of things that almost brings some sense of joy or exceeds expectations.

Frank: One of the great features of these credentials is that you can understand where you’ve been using them. If I ever want to share my credential, I have a history.

Now once I give it to somebody, there’s nothing I can do about the fact that they have it. I can tell them later, “I don’t want you to use this anymore,” but once they’ve made a copy of it, it’s theirs. At the very least, we have this concept of, “Here’s the date, here’s the reason I gave it to you, and here’s the reason you asked for it.”

A lot of the current single sign-on experiences involve signing in with a third-party identity provider. I’m granting blanket permission here. You can use my email address and have access to my contacts and email. And there’s no expiration date on any of that. There’s no understanding of what they grabbed and when. For us, it was very important to create visibility for users to understand, “This is what I shared, why, and when.”

Alex: Your team has come up with such a simple, understandable user experience, but also one that’s even better in some ways than the physical world, because I get that running record of all the places that I’ve used a credential and what I do with it.

Frank: Right. It’s what we’d expect out of something digital. That’s what makes it better.

Alex: So Frank, if someone reading this blog wants to get into the profession and think about UX design the way you do, any advice on how to get started?

Frank: I’m a bit envious of the college undergraduates today. They have actual programs that didn’t exist when I was in school. But still, one of the great things about UX design is people come to it from all different backgrounds: computer science, theater, journalism, graphic design. The most important thing is curiosity and empathy. It really is about understanding what motivates people and being a voice in the room for the end-user. And I know we’re all preaching that it’s everybody’s responsibility, but we can always make sure we put in that extra effort to bring clarity and a desire to see the way things could be, not just the way they are today.

Alex: Well, Frank, I appreciate your taking the time today and the wonderful work you’ve been doing. And I’m looking forward to all the new things that we’re going to learn while Azure Active Directory (Azure AD) verifiable credentials is in preview.

Learn more

Learn more about verifiable credentials.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How user experience is shaping verifiable credentials and identity appeared first on Microsoft Security.

Identity at Microsoft Ignite: Strengthening Zero Trust defenses in the era of hybrid work

March 2nd, 2021 No comments

We’re now a year into our new reality, and two trends stand out. First, people need even more flexibility as we work, learn, and collaborate in a world without perimeters. And second, bad actors are getting even more sophisticated. They’re adding new attack vectors and combining them in new creative ways, as we just saw with Solorigate.

In January, I shared our top five identity priorities for 2021 to help you strengthen security and accelerate your transition to the new hybrid work era. More than ever, organizations need to strengthen their defenses to give employees, partners, and customers the flexibility to work from anywhere using apps that live inside and outside the traditional corporate network perimeter. That’s why Zero Trust, a security strategy that combines maximum flexibility with maximum security, is so crucial.

For IT pros and security professionals, the implementation of Zero Trust should be simple and straightforward. For users, it should never get in the way, and it should fit into familiar workflows and habits. This week, on the virtual Microsoft Ignite stage, I’m announcing several Azure Active Directory (Azure AD) innovations that will help make life easier for you and your employees now—and help you stay prepared for whatever comes next.

Give your employees a secure and seamless user experience

As part of our commitment to making security as seamless as possible, passwordless authentication is now generally available for organizations to deploy at scale. Your IT admins, employees, and partners can benefit from increased security and simplicity. We’ve made it easy to roll out passwordless at scale with expanded policies that define which authentication methods specific users or groups can use. New reporting capabilities allow you to see the usage and adoption of passwordless authentication methods across your organization. To help you simplify and secure remote access, we’ve also released the preview of Temporary Access Pass, a time-limited code used to set up and recover a passwordless credential.

Azure AD Temporary Access Pass

Microsoft already has more than 200 million passwordless users across our consumer and enterprise services. We’re excited to see even more customers adopting passwordless each day. Axiata Group is the first company in Southeast Asia to eliminate passwords for their employees. They went passwordless using Windows Hello for Business and the Microsoft Authenticator app. Abid Adam, group chief risk and compliance officer at Axiata Group said, “Rather than make their lives miserable with long passwords that create risk for the organization, we turned to biometrics. Now with Windows Hello, security is baked into our ecosystem, and we have better access to information with greater barriers to bad actors. It’s a win-win for our security team, our employees, and the company.” Similarly, in Europe, Umeå municipality wanted to strengthen security and eliminate the use of passwords. With help from Onevinn and Yubico partners, they were able to roll out their first passwordless deployment in less than 10 days. Watch my interview on Microsoft Mechanics to see passwordless in action.

Going passwordless not only simplifies the user experience but also strengthens your security posture. And thanks to Azure AD Conditional Access, you no longer need to request multifactor authentication every time someone accesses an app that touches sensitive data. Instead, you can step up authentication based on what the user is trying to do within the app—for example, downloading a highly confidential document. With Azure AD Conditional Access authentication context, now in preview, you can move away from one-size-fits-all security and adopt more granular policies that protect resources with the right level of controls based on user actions or the data they are trying to access.

Azure AD Conditional Access authentication context

Announcements:

  • General availability of passwordless authentication.
  • Preview of Temporary Access Pass.
  • Preview of Azure AD Conditional Access authentication context.
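The step-up pattern described above, as an added illustration rather than Microsoft's own code: an application tags its high-impact operations with an authentication context, lets a request through only when the caller's token shows that context was already satisfied, and otherwise answers with a claims challenge so the client re-authenticates under the stronger policy. The example assumes the token carries the satisfied contexts in an `acrs` claim and that a claims challenge is expressed as a JSON object naming that claim; the policy table, context ids (`c1`, `c2`), user and tokens are constructed for the example.

```python
"""Step-up authentication keyed to an authentication context (added example)."""
import json
from dataclasses import dataclass, field
from typing import FrozenSet, Optional

# Actions in a document app mapped to the authentication context each one
# requires. Ordinary reads need none; high-impact actions need a context
# that the directory only grants after stronger controls (for instance MFA
# from a compliant device). Context ids are constructed for this example.
REQUIRED_CONTEXT = {
    "read": None,
    "download_confidential": "c1",
    "change_sharing": "c2",
}


@dataclass
class Token:
    """Minimal view of an access token: subject plus the `acrs` claim,
    which lists the authentication contexts satisfied at sign-in."""
    sub: str
    acrs: FrozenSet[str] = field(default_factory=frozenset)


@dataclass
class Decision:
    allowed: bool
    challenge: Optional[str] = None  # claims challenge JSON when step-up is needed


def claims_challenge(context_id: str) -> str:
    """Build the claims challenge the app hands back to the client so that
    its next token request asks the directory to enforce `context_id`."""
    return json.dumps(
        {"access_token": {"acrs": {"essential": True, "value": context_id}}},
        separators=(",", ":"),
    )


def authorize(token: Token, action: str) -> Decision:
    """Allow the action only if its required context is in the token."""
    if action not in REQUIRED_CONTEXT:
        return Decision(allowed=False)  # unknown action: deny by default
    needed = REQUIRED_CONTEXT[action]
    if needed is None or needed in token.acrs:
        return Decision(allowed=True)
    # The token is otherwise valid; the user is simply asked for more proof
    # before this one action, not at every sign-in.
    return Decision(allowed=False, challenge=claims_challenge(needed))


if __name__ == "__main__":
    # Constructed tokens: a plain sign-in, and one where the user already
    # satisfied context c1 (for example after an MFA prompt).
    plain = Token(sub="alice@contoso.example")
    stepped_up = Token(sub="alice@contoso.example", acrs=frozenset({"c1"}))
    for tok, action in [
        (plain, "read"),
        (plain, "download_confidential"),
        (stepped_up, "download_confidential"),
        (stepped_up, "change_sharing"),
    ]:
        d = authorize(tok, action)
        print(action, "allowed" if d.allowed else f"step-up required: {d.challenge}")
```

The deny-by-default branch for unlisted actions is deliberate: a new operation added to the app gets no access until someone decides which context it needs.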

Secure access to all apps

Most of you manage multi-cloud environments. Your developers are building apps that are distributed across Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform. They need to sign in to each cloud with only one set of credentials. So that you can quickly configure single sign-on (SSO) and user provisioning, we’re constantly expanding the Azure AD app gallery with as many pre-integrations as possible—even with our competitors.

AWS Single Sign-On app is now pre-integrated with Azure AD and available in the app gallery. This integration lets you connect Azure AD to AWS SSO, a cloud-based service that simplifies SSO access across multiple AWS accounts and resources. You can centralize management of user access to AWS, while your employees can gain access using their Azure AD credentials.

AWS SSO pre-integrated with Azure AD

During the past year, many organizations have relied on our Azure AD App Proxy service to help employees secure remote access to on-premises apps. Usage grew more than 100 percent last year, helping organizations move away from VPN solutions. Today, we’re adding two new features to help you get the most out of App Proxy. First, native support for header-based authentication with App Proxy is now generally available. Second, traffic optimization by region for App Proxy is now in preview. This new feature lets you designate which region your App Proxy service connector group should use and select the same region as your apps. This new feature helps reduce latency and improve performance.

Azure AD App Proxy support for header-based authentication apps

To protect your legacy, on-premises applications, we’re expanding the list of our secure hybrid access partnerships to include Datawiza, Perimeter 81, Silverfort, and Strata. In addition to connecting your on-premises apps, partners like Datawiza, Strata, and Silverfort can help you discover and prioritize apps and resources to migrate to Azure AD. “Silverfort is thrilled to be able to collaborate with Azure AD to enable unified secure access to legacy, on-premises apps, and resources,” said Ron Rasin, vice president of product and strategic alliances at Silverfort. “Identity has become the primary security control plane making it critical that organizations can discover, prioritize, and migrate the apps and resources to a central identity solution like Azure AD.”

Solorigate taught us that in many cases, cloud environments are more secure than on-premises. To strengthen your defenses, it’s critical to minimize your on-premises footprint and manage all your apps from the cloud. The process of discovering applications across different environments and prioritizing them for cloud modernization can be daunting, however. To make it easier, we’re announcing the general availability of Active Directory Federation Services (AD FS) activity and insights report. This report assesses all AD FS applications for compatibility with Azure AD, checks for any issues, and provides guidance on preparing individual applications for migration to Azure AD.

AD FS activity and insights report

Announcements:

  • AWS Single Sign-On now available in Azure AD app gallery.
  • General availability of AD FS activity and insights report.
  • New secure hybrid access partnerships with Datawiza, Perimeter 81, Silverfort, and Strata.
  • General availability of Azure AD App Proxy support for header-based authentication apps.
  • Preview of Azure AD App Proxy support for traffic optimization by region.

Secure your customers and partners

A strong Zero Trust approach requires that we treat access requests from customers, partners, and vendors just like requests from employees: verify every request, allow users to access the data they need only when they need it, and don’t let guests overstay their welcome. With Azure AD, you can apply consistent access policies to all types of external users.

Generally available starting this month, Azure AD External Identities is a set of capabilities for securing and managing identity and access for customers and partners. Self-service sign-up user flows in Azure AD apps make it easy to create, manage, and customize onboarding experiences for external users, with little to no application code. You can integrate support for sign-in using Google and Facebook IDs and extend the flow with powerful API connectors. Using Azure AD Identity Protection, you can protect your business-to-business (B2B) and business-to-consumer (B2C) apps and users with adaptive, machine learning–driven security.

Azure AD External Identities admin portal and user experience

With automated guest access reviews for Microsoft Teams and Microsoft 365 groups, now generally available, Azure AD will prompt you to review and update access permissions for all guests added to new or existing Teams or groups on a regular schedule. The process of cleaning up access to sensitive resources that your guest users no longer need will become less manual—and less neglected.

Announcements:

  • General availability of Azure AD External Identities.
  • General availability of Azure AD access reviews for all guests in Teams and Microsoft 365 groups.

The future of identity is bright

While 2020 was a challenging year, we have much to look forward to in 2021, with innovations that will deliver more security, transparency, and privacy for users. Last Microsoft Ignite, I talked about verifiable credentials and our commitment to empowering every person to own their own identity thanks to decentralized identifiers. I’m happy to share that Azure AD verifiable credentials is entering preview in just a few weeks. Developers will get an SDK, with quick-start guides, for building apps that request and verify credentials, just like they do with usernames and passwords. I’m also excited to announce that we are partnering with some of the leading ID verification partners—Acuant, Au10tix, Idemia, Jumio, Socure, Onfido, Vu Security—to improve verifiability and secure information exchange.

Verifiable credentials let organizations confirm information about someone—like their education and professional certifications—without collecting and storing their personal data. This will revolutionize the way we grant permissions to access our information. Organizations will be able to issue digital versions of a variety of credentials such as physical badges, loyalty cards, and government-issued paper documents based on open standards. Because the digital information is verified by a known party, it’s more trustworthy, and verification will only take minutes instead of days or weeks.

Azure AD verifiable credentials

Individuals get more control over what information they share with whom, and they can restrict access to that shared information at any time. They only have to verify a credential once to use it everywhere. To manage their credentials, they can use the Microsoft Authenticator app and other wallet apps that support open standards, such as the pilot application built by Keio University for their students.

Announcement:

  • Preview of Azure AD verifiable credentials.
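Two of the points made about verifiable credentials, here and in Frank's interview earlier on this page, are that the holder decides which pieces of a credential to share and that the wallet keeps a record of what was shared, with whom, when and why. The following is an added illustration of both, not code from the Azure AD verifiable credentials SDK or the Authenticator wallet: each claim is committed to with a salted hash, the issuer attests the list of commitments, the holder discloses only the requested claims together with their salts, and the verifier checks each disclosed claim against the attested list. The issuer attestation is an HMAC stand-in for the public-key signature a real issuer would produce; the DIDs, key and claims are constructed.

```python
"""Selective disclosure with presentation receipts (added example)."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Dict, List

# Placeholder for the issuer's signing key; a real issuer signs with a
# private key whose public half is resolvable from its identifier.
ISSUER_KEY = b"constructed-issuer-key"


def _commit(name: str, value: str, salt: str) -> str:
    """Salted commitment to one claim; the salt keeps the value unguessable."""
    return hashlib.sha256(f"{salt}|{name}|{value}".encode()).hexdigest()


def _attest(body: dict) -> str:
    return hmac.new(ISSUER_KEY, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()


def issue(issuer: str, subject: str, claims: Dict[str, str]) -> dict:
    """Issuer builds a credential: one salt per claim plus an attested digest list.
    The digests reveal nothing about the claims on their own."""
    salts = {n: secrets.token_hex(16) for n in claims}
    digests = sorted(_commit(n, v, salts[n]) for n, v in claims.items())
    body = {"issuer": issuer, "subject": subject, "digests": digests}
    return {"body": body, "proof": _attest(body), "claims": claims, "salts": salts}


@dataclass
class Wallet:
    credential: dict
    receipts: List[dict] = field(default_factory=list)

    def present(self, verifier: str, requested: List[str], purpose: str, when: str) -> dict:
        """Disclose only the requested claims and keep a receipt of the sharing."""
        missing = [n for n in requested if n not in self.credential["claims"]]
        if missing:
            raise KeyError(f"credential lacks {missing}")
        disclosed = {n: (self.credential["claims"][n], self.credential["salts"][n]) for n in requested}
        # The receipt is the holder's own history: once a copy is handed over it
        # cannot be recalled, but the holder can always see what went where.
        self.receipts.append({"to": verifier, "claims": list(requested), "purpose": purpose, "when": when})
        return {"body": self.credential["body"], "proof": self.credential["proof"], "disclosed": disclosed}


def verify(presentation: dict) -> Dict[str, str]:
    """Verifier checks the issuer attestation, then that every disclosed claim's
    commitment appears in the attested list. Returns the claims it may trust."""
    body = presentation["body"]
    if not hmac.compare_digest(_attest(body), presentation["proof"]):
        raise ValueError("issuer attestation does not verify")
    trusted = {}
    for name, (value, salt) in presentation["disclosed"].items():
        if _commit(name, value, salt) not in body["digests"]:
            raise ValueError(f"claim {name!r} was not attested by the issuer")
        trusted[name] = value
    return trusted


def is_valid(presentation: dict) -> bool:
    try:
        verify(presentation)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    cred = issue("did:example:university", "did:example:alice",
                 {"degree": "BSc", "year": "2019", "student_id": "S-123"})
    wallet = Wallet(cred)
    pres = wallet.present("did:example:employer", ["degree", "year"], "job application", "2021-03-02")
    print("verifier learns:", verify(pres))
    print("holder's receipts:", wallet.receipts)
```

The verifier never sees `student_id`, and a disclosed value that has been altered fails the digest check even though the issuer's attestation over the body is still intact.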

And finally, I’m happy to share that we’re releasing a new Microsoft Identity and Access Administrator Certification, which you can find at the Microsoft Security Resources portal. This training helps admins design, implement, and operate Azure AD as the organization’s security control plane.

Announcement:

  • Release of the Microsoft Identity and Access Administrator Certification.

The new features announced at Microsoft Ignite will make it easier to provide seamless user experiences in the hybrid workplace and to strengthen your defenses against attacks that are increasingly sophisticated. As you try these new tools, please send us your feedback so we can continue to build advancements that help you keep your employees secure, connected, and productive.

Let’s make 2021 the Year of Passwordless!

To see these features in action when I take the Microsoft Ignite stage tomorrow, register for free at Microsoft Ignite and watch my session starting at 5 PM Pacific Time. Follow Microsoft Identity at @AzureAD on Twitter for more news and best practices.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security Blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Identity at Microsoft Ignite: Strengthening Zero Trust defenses in the era of hybrid work appeared first on Microsoft Security.

Identity governance: The power of “Why not?”

January 25th, 2021 No comments

Innovation requires the courage to take risks and the leadership skills to show others that risks are worth taking. That’s why I love working with people like Joe Dadzie, a partner group program manager in identity governance. Joe has a long history of championing disruptive technology breakthroughs and delivering for our customers. He’s never shied away from pushing boundaries or breaking free from “the way we’ve always done things” to build better solutions. By his example, he inspires fearlessness in his team and in those he mentors. Joe’s achievements remind all of us in identity that when we focus on the needs of our customers, everyone wins. I hope you enjoy his remarkable story. 

The power of “Why not?” 

A profile headshot of Joe Dadzie, wearing a grey shirt against a cream-colored wall.

The first time Joe Dadzie traveled outside his native Ghana, in 1991, he flew to Boston on a one-way ticket. “I had no freaking clue what the U.S. was like,” he laughs. Inspired by a U.S. State Department advisor whose husband was the first Ghanaian ever to attend Dartmouth, Joe was heading to the New Hampshire-based college to study engineering. “I didn’t know anything about computers,” he admits. “And I had no idea New Hampshire would be so cold!” 

Thirty years later, Joe works in a warmer climate, designing governance technologies in the identity division at Microsoft. “Organizations have security and compliance requirements,” he explains. “They need to reduce the risk of data loss or leakage, and if they’re in regulated industries, they have to pass audits. At the same time, they need to empower their employees to work effectively, with the fewest possible constraints. My team designs tools to help them.” 

Every project Joe’s ever worked on started the same way—with some customer challenge he became fixated on solving. “I’m never going to be a computer science dude,” the twenty-five-year software industry veteran confesses. He finds “super hard problems” infinitely more fascinating than technology. “Utility is more interesting to me because when I look at the groundbreaking technologies I’ve worked on over the years, they rose up, and now some of them are gone.”  

The successive extinctions of technology paradigms in favor of the “hottest new thing” form the mile markers of Joe’s career: from floppies to CDs, from the FAT file system to NTFS, from shrink-wrapped software to cloud-based services. He not only takes change in stride, he pushes it, leading more than one manager to question his sanity. 

“When we proposed Windows Update, the whole notion that you could install things over the Internet didn’t exist,” he recalls. People worried about the optics of taking control of people’s machines for automatic updates. “Are you guys crazy? Nobody wants that!” he remembers his colleagues shrieking. 

“When we did that first Windows service pack, 250 megabytes over the internet, that was revolutionary,” Joe asserts. “Were we going to bring the internet down? We didn’t. And now, Windows Update is baked in for securing users around the world. It just happens.” Software updates that once started with tearing the plastic off the latest release and inserting a disk happen today whenever someone launches a program. Twenty years after Windows Update first started patching PCs, the whole world goes “crazy” every day. 

The “try it” spirit 

Joe is not, in fact, crazy. He’s simply incurably optimistic, responding to each no-one-has-done-this-before challenge with an unassuming “Why not?”  

He’s greeted challenges this way since an early age. “Where I grew up, nobody applied to the top high schools,” Joe says. “I thought it was weird. Why does the teacher say that nobody from our elementary school should apply to this high school? Why not? I think I’m smart enough.” Joe did apply, and he ended up at a top high school in Ghana, where he became a top student—one of the few who achieved a perfect score on the national Ordinary Level General Certificate of Education exam. 

He credits his parents with instilling in him the “you should be able to try stuff” spirit that got him where he is today. “Both of them actually left Ghana to study,” Joe says. “They took this leap of going to England to try something new, did okay, and came back.” Following their lead, Joe applied to colleges in the United States with support from local mentors. The U.S. State Department advisor reassured him that scholarships would cover the tuition he couldn’t afford. An eye surgeon and Stanford University professor who worked with his mom, a nurse, covered his SAT test and college application fees.  

“I got into Dartmouth and told myself to take the leap of faith,” Joe recalls. “Try this. I may not know where it goes, but what’s the worst that could happen? I would go back to Ghana.” 

Maximizing opportunity 

Before matriculating at Dartmouth, Joe had never used computers. He was stunned to learn that the engineering department required all students to buy one—a Mac. “I was like, what the heck is this thing?” he jokes. While other students arrived already knowing how to code, Joe started with basic computer science classes, his sense of obligation fueling his work ethic. 

“I was conscious of not wasting the opportunity that I had,” Joe says. He literally did the math, calculating how much a skipped class would cost in scholarship dollars—a lot of money when converted to Ghanaian currency. “Look,” he reasons, “if you’ve got into someplace through the help of others, maximize it and focus on performance.” 

At first, Joe had no interest in the software industry. “I did a project with a physics professor that ended up being a computer project,” he says. That project, listed on Joe’s resume, caught the eye of a recruiter who encouraged him to attend an info session about Microsoft’s summer internship program. Intrigued by the prospect of visiting the American West Coast, he applied. “Hey, I may not get it because I’m not a computer science guy, but why not try it out?” he told himself. He flew to Redmond, did the interview, and got an offer. 

His summer project—figuring out how to make the software setup process easier for customers—established the tone for the rest of his career. “That internship was fun,” he reminisces. “I got to learn new things, didn’t have to dress up for work, and got to play soccer every lunchtime.” By the end of the internship, Joe was sold on a career in software. He turned down higher-paying offers from consulting and Wall Street firms to return to Microsoft, casual attire, and lunchtime scrimmages.  

Advocating for customers 

In 2000, after working on Windows Update for several months, Joe proposed a corporate version in a paper he submitted for Bill Gates’ ThinkWeek. “Enterprise customers were telling us that they wanted a way to manage updates themselves. I got an email about ThinkWeek that said anybody can submit an idea. I said, ‘Okay, let’s submit something.’ I didn’t know if anyone would read it, but I wanted to respond to customer feedback, and the ThinkWeek paper seemed like an opportunity to do that.”

Reviewers, including Gates, liked the idea of what became the Software Update Service (SUS). Within six months, Joe and his small team of “one other program manager and two or three developers” shipped a beta. Customers responded to SUS with a request that Microsoft extend it to help them manage updates to devices for remote employees and road warriors. Thus, Intune was born. Joe proudly recalls the “awesome customer feedback” they received when Intune shipped. “They wanted to use it!” he enthuses. 

A decade later, Joe returned to Ghana for his sabbatical. “It was 2011. When I talked to people, I realized that I was way too Microsoft-insular.” He noticed, for example, that much of the technology others now used had no Microsoft bits in them. When he returned to work, he struggled to reconcile what customers were telling him they wanted with the strategy his leaders wanted to follow. His father’s death in February 2012 forced him to reassess his priorities, and after seventeen years at Microsoft, he left. 

With no clear plans on what to do next, Joe spent the next two years on a soccer field, training with his pre-teen son, and “learning the non-Microsoft stack” by developing an app for managing soccer teams. For about a year, he also worked on the loyalty platform for a major retailer. 

Then serendipity struck again. 

A new mission 

A Facebook post from a Microsoft friend that said, “When your CEO asks you to take on a new job, you can’t say no,” piqued Joe’s curiosity. “I had been hearing people say that Satya was changing the Microsoft culture,” he says. “So, I reached out.” After talking with several Microsoft managers about potential roles, he decided to take another leap of faith: rejoining the company. 

Although he had an offer from one of his previous teams, Joe liked the identity division’s customer-centric culture and the allure of the unfamiliar. He missed the thrill of seeing a new product area come to life. “All of my previous successes had come from listening to customers, and I liked the idea of taking an unknown thing, then pulling in disparate data to figure it out, plan, and just go solve it.”  

When Joe joined the identity effort, he inherited a single program manager and an on-premises governance tool, Microsoft Identity Manager (MIM). The first thing he did was to resurrect the process that had served him so well in the past: listen to customers, spot the trend, and propose big bold solutions to address it.  

“I knew nothing about identity, so I was like, okay, go on a listening tour,” Joe muses. “What issues did people have with this tool that I own? All the customers were saying, ‘It requires a bunch of consultants. The UI is complicated,’ et cetera.” Microsoft partners told Joe they didn’t use any of the governance capabilities in MIM because they were too complex and not fully integrated. “But even though people complained about MIM, almost every large company had deployed it in some critical area,” Joe reveals. “We concluded that making governance tools easier to use and more integrated would probably solve their problems.” 

An integrated approach  

When Joe embarked on his new mission, the industry had been treating identity governance as separate from access management. Joe doesn’t feel an obligation to preserve their dictionary definitions by insisting the two functions stay separate. “If you focus on the customer problem that governance is a means to help reduce access risk in an organization,” he contends, “then all the things you need in access management and governance have to form a continuum. It cannot be two separate things. 

“The customer is trying to solve a problem that these tools will come together to solve,” he insists. “It’s an end-to-end problem that’s not just about compliance. We also have to enable productivity.” This means simplifying the process of granting people access to resources when they need them and removing that access when they don’t, while ensuring that IT managers have a complete history they can easily report to regulators.  

“In the governance space, we are trying to help organizations answer four basic questions,” Joe says. “Who has or should have access to resources? What can they do with their access? Should they continue to have that access? And how do you prove that?” 

Customers, whether end-users or IT managers, shouldn’t have to “worry,” Joe emphasizes. The system should provide answers automatically. “If there’s a regulatory need to insist that people get approval before accessing a particular resource, then we’ll provide those tools,” he says. “We make it easy for employees to go to the resource, request access, and get that access quickly. Then we automatically remove access when the project ends.” 

Embracing serendipity 

Joe’s Microsoft career has been a series of challenges, choices, and serendipitous opportunities to work on pioneering projects: CD boot, unattended install, common installers, patch updates, Microsoft Intune, and now identity governance. He’s tackled them all with the same aplomb that got him into the high school his teachers had said wasn’t meant for students like him.  

“If you focus on the customer problem, most of the time you get it right,” he offers. “And if things get screwed up, you can fix it and move forward. So why panic and get all riled up?” 

Reflecting back on his career path, he says, “Sometimes it’s about not being afraid of serendipitous opportunities to go learn something new and experience the good things that come out of it.”  

He shares his own story to encourage others to take on new challenges. “My experiences may help other people do more than they think they’re capable of,” he says. Recalling his first flight out of Ghana, when he was a teenager heading to college in a strange land, he asks his mentees, “What’s the worst that could happen? You may fail and have to start over. Or maybe you will change the world. So…Why not?” 

To learn more about Microsoft Identity solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @AzureAD and @MSFTSecurity for the latest news and updates on cybersecurity. 

The post Identity governance: The power of “Why not?” appeared first on Microsoft Security.

A breakthrough year for passwordless technology

December 17th, 2020

As 2020 draws to a close, most of us are looking forward to putting this year in the rearview mirror. Since we depend even more on getting online for everything in our lives, we’re more than ready to be done with passwords. Passwords are a hassle to use, and they present security risks for users and organizations of all sizes, with an average of one in every 250 corporate accounts compromised each month. According to the Gartner Group, 20 to 50 percent of all help desk calls are for password resets. The World Economic Forum (WEF) estimates that cybercrime costs the global economy $2.9 million every minute, with roughly 80 percent of those attacks directed at passwords.

In November 2019 at Microsoft Ignite, we shared that more than 100 million people were already using Microsoft’s passwordless sign-in each month. In May of 2020, just in time for World Password Day, that number had already grown to more than 150 million people, and the use of biometrics to access work accounts is now almost double what it was then. We’ve drawn strength from our customers’ determination this year and are set to make passwordless access a reality for all our customers in 2021.

2020: A banner year for passwordless technology

[Infographic describing the passwordless technology achievements in 2020]

February: We announced a preview of Azure Active Directory support for FIDO2 security keys in hybrid environments. The Fast Identity Online (FIDO) Alliance is a “cross-industry consortia providing standards, certifications, and market adoption programs to replace passwords with simpler, stronger authentication.” Following the latest FIDO spec, FIDO2, we enabled users with security keys to access their Hybrid Azure Active Directory (Azure AD) Windows 10 devices with seamless sign-in, providing secure access to on-premises and cloud resources using a strong hardware-backed public and private-key credential. This expansion of Microsoft’s passwordless capabilities followed 2019’s preview of FIDO2 support for Azure Active Directory joined devices and browser sign-ins.

June: I gave a keynote speech at Identiverse Virtual 2020 where I got to talk about how Microsoft’s FIDO2 implementation highlights the importance of industry standards in implementing Zero Trust security and is crucial to enabling secure ongoing remote work across industries. Nitika Gupta, Principal Program Manager of Identity Security in our team, showed how Zero Trust is more important than ever for securing data and resources and provided actionable steps that organizations can take to start their Zero Trust journey.

September: At Microsoft Ignite, the company revealed the new passwordless wizard available through the Microsoft 365 Admin Center. Delivering a streamlined user sign-in experience in Windows 10, Windows Hello for Business replaces passwords by combining strong MFA for an enrolled device with a PIN or user biometric (fingerprint or facial recognition). This approach gives you, our customers, the ability to deliver great user experiences for your employees, customers, and partners without compromising your security posture.

November: Authenticate 2020, “the first conference dedicated to who, what, why and how of user authentication,” featured my boss, Joy Chik, CVP of Identity at Microsoft, as the keynote speaker. Joy talked about how FIDO2 is a critical part of Microsoft’s passwordless vision, and the importance of the whole industry working toward great user experiences, interoperability, and having apps everywhere support passwordless authentication. November also saw Microsoft once again recognized by Gartner as a “Leader” in identity and access management (IAM).

MISA members lead the way

The Microsoft Intelligent Security Association (MISA) is an ecosystem of security partners who have integrated their solutions with Microsoft to better defend against increasingly sophisticated cyber threats. Four MISA members—YubiKey, HID Global, TrustKey, and AuthenTrend—stood out this year for their efforts in driving passwordless technology adoption across industries.

Yubico created the passwordless YubiKey hardware to help businesses achieve the highest level of security at scale.

“We’re providing users with a convenient, simple, authentication solution for Azure Active Directory.”—Derek Hanson, VP of Solutions Architecture and Alliances, Yubico

HID Global engineered the HID Crescendo family of FIDO-enabled smart cards and USB keys to streamline access for IT and physical workspaces—enabling passwordless authentication anywhere.

“Organizations can now secure access to laptops and cloud apps with the same credentials employees use to open the door to their office.”—Julian Lovelock, VP of Global Business Segment Identity and Access Management Solutions, HID

TrustKey provides FIDO2 hardware and software solutions for enterprises that want to deploy passwordless authentication with Azure Active Directory. “Users often find innovative ways to circumvent difficult policies,” comments Andrew Jun, VP of Product Development at TrustKey, “which inadvertently creates security holes.”

AuthenTrend applied fingerprint-authentication technology to the FIDO2 security key and aspires to replace all passwords with biometrics to help people take back ownership of their credentials.

Next steps for passwordless in 2021

Our team has been working hard this year to join these partners in making passwords a thing of the past. Along with new UX and APIs for managing FIDO2 security keys, which enable customers to develop custom solutions and tools, we plan to release a converged registration portal in 2021, where all users can seamlessly manage passwordless credentials via the My Apps portal.

We’re excited about the metrics we tracked in 2020, which show a growing acceptance of passwordless among organizations and users:

  • Passwordless usage in Azure Active Directory is up by more than 50 percent for Windows Hello for Business, passwordless phone sign-in with Microsoft Authenticator, and FIDO2 security keys.
  • More than 150 million total passwordless users across Azure Active Directory and Microsoft consumer accounts.
  • The number of consumers using Windows Hello to sign in to Windows 10 devices instead of a password grew to 84.7 percent from 69.4 percent in 2019.

We’re all hoping the coming year will bring a return to normal and that passwordless access will at least make our online lives a little easier.

Learn more about Microsoft’s passwordless story. To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post A breakthrough year for passwordless technology appeared first on Microsoft Security.

Microsoft Azure Active Directory again a “Leader” in Gartner Magic Quadrant for Access Management

November 24th, 2020

Howdy folks,

I’m proud to announce that for the fourth year in a row, Microsoft Azure Active Directory (Azure AD) has been recognized as a “Leader” in the Gartner Magic Quadrant for Access Management, Worldwide.

Earlier this year, my boss, Joy Chik, CVP of Identity Engineering, shared the guiding principles of Microsoft’s identity and access management (IAM) strategy, emphasizing our commitment to delivering a secure and scalable identity solution. Azure AD safeguards access to your apps by enforcing strong authentication and adaptive, risk-based access policies, providing seamless user access with single sign-on (SSO) and reduced IT costs. We envision Azure AD as the key to embracing a Zero Trust security model, enabling secure application access and greater productivity across users, apps, and devices.

Consistently being named a Leader in the Gartner Magic Quadrant for the past four years tells us that we’re executing on our vision and making a difference for you, our customers.

We’ve learned from your resilience in adapting to remote work over the past year, and your direct feedback has shaped our advancements in several areas:

  • Adaptive security: Azure AD natively offers comprehensive logging, dashboard, and reporting capabilities, as well as identity analytics with Azure AD Identity Protection.
  • Secure application access: Azure AD supports out-of-the-box single sign-on (SSO) and provisioning connectors to thousands of SaaS apps, as well as authentication for legacy on-premises applications through App Proxy and secure hybrid-access partnerships.
  • Report-only mode: The report-only (or audit-only) mode enables administrators to evaluate the impact of Conditional Access policies before enabling them for users.
  • Web Content Accessibility Guidelines: We’re proud of our commitment to inclusion and accessibility by design, which goes beyond meeting Web Content Accessibility Guidelines (WCAG) compliance to providing a positive experience for all users.
  • API access control: We offer built-in centralized policy management, management of security tokens, token translation, and developer self-service support. In addition, Azure AD offers native integration with the Azure API Management service or with third-party API gateway products for more advanced API security.
  • Open standards: Azure AD offers support for all major identity standards, including SAML 2.0, WS-Fed, OIDC, OAuth 2.0, and password vaulting with JavaScript-based login form filling.

We’re honored to place this well for the fourth time and believe it reflects the energy and passion we’ve put into partnering with our customers to help them successfully transform their businesses digitally. That said, there’s lots more work to do, and we look forward to continuing to partner with you, our customers, to ensure the products we build keep your organizations secure and productive. We’re grateful for your trust, and I look forward to seeing what we can accomplish together in the coming year.

To learn more about Microsoft Identity solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @AzureAD and @MSFTSecurity for the latest news and updates on identity and cybersecurity.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post Microsoft Azure Active Directory again a “Leader” in Gartner Magic Quadrant for Access Management appeared first on Microsoft Security.