Laura E. Hunter discusses finding a balance between security and usability in enterprise authentication. She describes Microsoft IT's transition from physical smart cards to multi-factor authentication using any phone, noting important considerations like policy before technology and user expectations. Hunter outlines an example "balanced" policy and "immutable laws of phone authentication," and discusses ongoing efforts to enforce strong authentication more broadly while improving the user experience.
CIS14: Zen and the Art of Cloud Adoption—a Practitioner’s Viewpoint on Finding Balance
1. Zen & the Art of Enterprise Authentication: A Practitioner’s Viewpoint on Finding Balance
Laura E. Hunter
Identity Management Architect
Microsoft IT
@adfskitteh
9. Physical Smart Cards @ Microsoft Today
• Walk into Building 92
• Present your driver’s license/passport
• Get your picture taken
• Pick a PIN
• Walk out with a smart card
• Don’t live in Redmond? We’ll mail it to your address of record.
• What’s that? You’re travelling? Uhh…too bad, so sad?
12. Multi-Factor Authentication Using Any Phone
• Works with the user’s existing phone, anywhere in the world
• Offers out-of-band protection from malware threats
• Verifies user logins, financial transactions, and more
• Features built-in support for leading on-premises applications and cloud services
• Streamlines user management and enrollment
• Backed by a scalable cloud service
13. What Microsoft IT Has Learned So Far…
• Policy before technology
• “What is the assurance level of Phone Factor?”
• OOB registration experience == username & password
• Existing strong authenticators – physical/virtual smart cards
• “So how do we proof the phone number?”
• Security – Physical smart card
• Usability – “Nobody likes to use smart cards!”
15. “Immutable Laws of Phone Authentication”
• The user must be expecting the challenge
  • Otherwise, the user gets trained to always approve the authentication challenge, which defeats the point of strong auth entirely
  • Corollary: the user must not be subjected to numerous auth requests in a row
16. “Immutable Laws of Phone Authentication”
• The calling system must be reasonably assured of the user’s identity before initiating Phone Authentication
• Phone Authentication is a secondary authenticator, not primary; otherwise it’s trivial for an attacker to make a victim’s phone ring at 3:00 AM knowing only his or her username
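The two “immutable laws” on slides 15 and 16 are ordering rules for an authentication flow, and they are easy to model. The following is an added example, not code from the talk or from any Microsoft IT or PhoneFactor system: the out-of-band challenge is issued only after the primary factor (here, a password) verifies, so knowing a username alone never rings a phone, and a cap on outstanding challenges per user in a time window enforces the corollary that a user must not be flooded with prompts. The phone gateway, user records, limits and window are constructed stand-ins chosen for illustration.

```python
"""Toy two-step login enforcing the ordering rules for phone (OOB) authentication.

Added example, not code from the talk or from Microsoft IT / PhoneFactor.
Rule 1 (slide 16): the phone challenge is sent only after the primary factor
succeeds, so an attacker knowing only a username cannot make the phone ring.
Rule 2 (slide 15, corollary): a user must never face a flood of challenges, so
outstanding challenges per user are capped inside a time window.
"""
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets
import time


class PhoneAuthError(Exception):
    """Raised when a login step is refused before any phone challenge is sent."""


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    phone: str


@dataclass
class PhoneGateway:
    """Constructed stand-in for the OOB provider: records challenges instead of dialing."""
    sent: list = field(default_factory=list)

    def challenge(self, phone: str, otp: str) -> None:
        self.sent.append((phone, otp))


class AuthService:
    MAX_PENDING = 2      # assumed cap on unanswered challenges per user (corollary)
    WINDOW_SECONDS = 300  # assumed lifetime of a challenge

    def __init__(self, gateway: PhoneGateway, clock=time.monotonic):
        self.users: dict[str, User] = {}
        self.gateway = gateway
        self.clock = clock
        self.pending: dict[str, list[tuple[float, str]]] = {}  # username -> (issued_at, otp)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str, phone: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, salt, self._hash(password, salt), phone)

    def _live_challenges(self, username: str) -> list[tuple[float, str]]:
        now = self.clock()
        return [(t, o) for t, o in self.pending.get(username, [])
                if now - t < self.WINDOW_SECONDS]

    def begin_login(self, username: str, password: str) -> bool:
        """Step 1: primary factor. A phone challenge is issued only on success."""
        user = self.users.get(username)
        if user is None:
            self._hash(password, b"\x00" * 16)  # spend the same time for unknown users
            raise PhoneAuthError("primary factor failed; no phone challenge sent")
        if not hmac.compare_digest(self._hash(password, user.salt), user.pw_hash):
            raise PhoneAuthError("primary factor failed; no phone challenge sent")
        live = self._live_challenges(username)
        if len(live) >= self.MAX_PENDING:
            # Corollary: do not train the user to approve a stream of prompts.
            raise PhoneAuthError("too many outstanding phone challenges; try again later")
        otp = f"{secrets.randbelow(10**6):06d}"
        live.append((self.clock(), otp))
        self.pending[username] = live
        self.gateway.challenge(user.phone, otp)  # the user is now expecting this
        return True

    def complete_login(self, username: str, otp: str) -> bool:
        """Step 2: the user answers the challenge they were expecting."""
        live = self._live_challenges(username)
        for _, expected in live:
            if hmac.compare_digest(expected, otp):
                self.pending[username] = []  # consume every outstanding challenge
                return True
        self.pending[username] = live
        return False


if __name__ == "__main__":
    gw = PhoneGateway()
    svc = AuthService(gw)
    svc.register("alice", "correct horse battery", "+1-555-0100")  # constructed account
    try:
        svc.begin_login("alice", "wrong password")
    except PhoneAuthError as exc:
        print("refused before dialing:", exc, "| calls placed:", len(gw.sent))
    svc.begin_login("alice", "correct horse battery")
    phone, otp = gw.sent[-1]
    print("challenge sent to", phone, "accepted:", svc.complete_login("alice", otp))
```

The gateway records rather than dials so the flow runs offline; in a real deployment the same two checks sit in front of whatever provider places the call or push notification, and the cap on outstanding challenges is what turns the slide’s corollary into an enforceable control rather than a training note.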
17. Other Fun Factors
• Be sure that “2FA” means what you think it means
  • Soft phones
  • Call forwarding
  • PIN protection
• Think about international costs
  • Free in the US, inbound/outbound charges elsewhere
  • Phone call vs data plan vs SMS
19. Passwords Aren’t Quite Dead Yet…
• How does the user authenticate to the portal?
  • Single-factor vs dual-factor
  • Dual-factor does not prevent phishing, but mitigates the results of a successful phish
• Who controls the password?
  • “What do you mean you’ve taken FaceBook off my phone?”
  • “Why do I have to give my Twitter password to IT?”
  • “@adfskitteh isn’t corporate, it’s mine!”
20. Looking Ahead…
• Now that strong auth is easy(-ier), enforce it more broadly
  • Client support “shims” where needed…
• Get rid of that “bag of passwords”
  • Or at least ask really nicely…
• Focus on device protection
  • Registration, health, “device as smart card”