Zen & the Art of Enterprise Authentication: A Practitioner’s Viewpoint on Finding Balance
Laura E. Hunter, Identity Management Architect, Microsoft IT (@adfskitteh)
CIS14: Zen and the Art of Cloud Adoption—a Practitioner’s Viewpoint on Finding Balance
Laura E. Hunter, Microsoft

Real-life tales from the trenches about how Microsoft IT is working to strike the right balance between enterprise requirements for security, privacy, control, and compliance, and creating a great experience for their users and customers who want to stay connected and productive no matter where they are or what device they’re using.

Published in: Technology

  1. Zen & the Art of Enterprise Authentication: A Practitioner’s Viewpoint on Finding Balance
     Laura E. Hunter, Identity Management Architect, Microsoft IT, @adfskitteh
  2. But Security is No Laughing Matter…
  3. It’s All About Managing Expectations
  4. “Why Can’t I Use Facebook to Log Onto Payroll?”
  5. “Employees Must Use Smart Cards At All Times!”
  6. “We Don’t Allow Personal Devices On Our Network.”
  7. Physical Smart Cards @ Microsoft Today
     • Walk into Building 92
     • Present your driver’s license/passport
     • Get your picture taken
     • Pick a PIN
     • Walk out with a smart card
     • Don’t live in Redmond? We’ll mail it to your address of record.
     • What’s that? You’re travelling? Uhh…too bad, so sad?
  8. We need to make access easy and secure!
  9. Multi-Factor Authentication Using Any Phone
     • Works with the user’s existing phone, anywhere in the world
     • Offers out-of-band protection from malware threats
     • Verifies user logins, financial transactions, and more
     • Features built-in support for leading on-premises applications and cloud services
     • Streamlines user management and enrollment
     • Backed by a scalable cloud service
  10. What Microsoft IT Has Learned So Far…
     • Policy before technology
     • “What is the assurance level of Phone Factor?”
     • OOB registration experience == username & password
     • Existing strong authenticators – physical/virtual smart cards
     • “So how do we proof the phone number?”
     • Security – Physical smart card
     • Usability – “Nobody likes to use smart cards!”
  11. Example of a “Balanced” Policy
  12. “Immutable Laws of Phone Authentication”
     • The user must be expecting the challenge
     • Otherwise, the user gets trained to always succeed the auth, thus defeating the point of strong auth entirely
     • Corollary: the user must not be subjected to numerous auth requests in a row
  13. “Immutable Laws of Phone Authentication”
     • The calling system must be reasonably assured of the user’s identity before initiating Phone Authentication
     • Phone Authentication is a secondary authenticator, not primary; otherwise it’s trivial for an attacker to make a victim’s phone ring at 3:00 AM knowing only his or her username
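The two “immutable laws” on slides 12 and 13 translate directly into server-side policy: a phone challenge is only ever initiated for a login attempt whose primary authentication has already succeeded, the challenge is bound to that specific attempt so an unsolicited approval cannot be redeemed, and a per-user cap stops a run of back-to-back challenges from training the user to approve everything. The following Python is an added illustration of that gate, not code from the slides or from Microsoft IT; the class and function names, the window of 3 challenges per 10 minutes, and the in-memory history are all assumptions chosen for the example.

```python
"""Policy gate for a phone-based secondary authenticator (illustrative, not Microsoft IT's code).

Enforces:
  * phone auth is SECONDARY: no challenge unless primary auth already succeeded
    for this login session, so a username alone cannot make a phone ring;
  * the user must be EXPECTING the challenge: a response is only accepted for the
    one challenge currently bound to the session, and a challenge id is single-use;
  * no barrage of challenges: at most MAX_PER_WINDOW challenges per user per window.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MAX_PER_WINDOW = 3        # assumed policy value
WINDOW_SECONDS = 600      # assumed policy value


class PolicyViolation(Exception):
    """Raised when a challenge would break one of the rules above."""


@dataclass
class LoginSession:
    session_id: str
    username: str
    primary_auth_ok: bool = False                # set True only by the primary authenticator
    pending_challenge: Optional[str] = None      # the one challenge this session is expecting


class PhoneChallengeGate:
    def __init__(self, clock: Callable[[], float] = time.time,
                 max_per_window: int = MAX_PER_WINDOW, window_seconds: int = WINDOW_SECONDS):
        self._clock = clock
        self._max = max_per_window
        self._window = window_seconds
        self._history: Dict[str, List[float]] = {}        # username -> challenge timestamps
        self._audit: List[Tuple[str, str, str]] = []      # (event, username, detail)

    def request_challenge(self, session: LoginSession) -> str:
        """Initiate a phone challenge, or refuse with a PolicyViolation."""
        if not session.primary_auth_ok:
            self._audit.append(("denied", session.username, "primary auth not completed"))
            raise PolicyViolation("phone auth is a secondary authenticator; finish primary auth first")

        now = self._clock()
        recent = [t for t in self._history.get(session.username, []) if now - t < self._window]
        if len(recent) >= self._max:
            self._audit.append(("denied", session.username, "challenge rate limit reached"))
            raise PolicyViolation("too many phone challenges in a row for this user")

        recent.append(now)
        self._history[session.username] = recent
        # Constructed id: in a real system this would be a random, unguessable token.
        challenge_id = f"chal-{session.session_id}-{len(recent)}-{int(now)}"
        session.pending_challenge = challenge_id
        self._audit.append(("issued", session.username, challenge_id))
        return challenge_id

    def verify_response(self, session: LoginSession, challenge_id: str) -> bool:
        """Accept only the challenge this session is expecting, once."""
        if session.pending_challenge is None or challenge_id != session.pending_challenge:
            self._audit.append(("rejected", session.username, "response to no pending challenge"))
            return False
        session.pending_challenge = None   # single use: a replayed approval fails
        self._audit.append(("verified", session.username, challenge_id))
        return True

    def audit_log(self) -> List[Tuple[str, str, str]]:
        return list(self._audit)


def demo() -> List[Tuple[str, str, str]]:
    """Run the gate over a constructed login flow and return its audit trail."""
    gate = PhoneChallengeGate(clock=lambda: 1000.0)
    session = LoginSession("s1", "alice")          # constructed sample user
    try:
        gate.request_challenge(session)            # username known, no primary auth: refused
    except PolicyViolation:
        pass
    session.primary_auth_ok = True
    challenge = gate.request_challenge(session)
    gate.verify_response(session, challenge)       # expected challenge: accepted
    gate.verify_response(session, challenge)       # replay of the same approval: rejected
    return gate.audit_log()


if __name__ == "__main__":
    for event in demo():
        print(event)
```

The audit entries are what a SOC would actually want from such a gate: a burst of "denied … primary auth not completed" events for one username is a direct signal of someone probing accounts to trigger phone calls, and "rate limit reached" events show where the challenge cap is protecting users from approval fatigue.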
  14. Other Fun Factors
     • Be sure that “2FA” means what you think it means
     • Soft phones
     • Call forwarding
     • PIN protection
     • Think about international costs
     • Free in the US, inbound/outbound charges elsewhere
     • Phone call vs data plan vs SMS
  15. About Those Pesky Twitter Accounts…
  16. Passwords Aren’t Quite Dead Yet…
     • How does the user authenticate to the portal?
     • Single-factor vs Dual-factor
     • Dual-factor does not prevent phishing, but mitigates the results of a successful phish
     • Who controls the password?
     • “What do you mean you’ve taken FaceBook off my phone?”
     • “Why do I have to give my Twitter password to IT?”
     • “@adfskitteh isn’t corporate, it’s mine!”
  17. Looking Ahead…
     • Now that strong auth is easy(-ier), enforce it more broadly
       - Client support “shims” where needed…
     • Get rid of that “bag of passwords”
       - Or at least ask really nicely…
     • Focus on device protection
       - Registration, health, “device as smart card”
  18. THANK YOU! @ADFSKITTEH
  19. © 2010 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.