Where is the sweet spot between “Password123” and “Ij8@1m%l4veOFsSaq&75”? Striking the right balance between security and user-friendliness is an ongoing challenge within IT environments, not least at the level of user identity. However, with the introduction of cloud identities and the use of biometrics, the road to passwordless authentication has been paved, with good intentions indeed. Maybe you’ve considered it already? If so, great. More and more platforms allow passwords to be eliminated altogether. But tread carefully on this path. Xylos guides organizations towards passwordless work environments, and in this article we’d like to share some salient points with you.
Say goodbye to passwords?
First of all: why consider passwordless authentication?
Your work environment is about your end users, a.k.a. your people. And people get frustrated when they have to come up with, remember, type in and periodically change complex passwords just to log in to their device. Understandably so: people have jobs to do. The very common results are password re-use, predictable patterns, passwords written down in documents or on post-its (that get lost)… or, for those who try really hard to do everything the way they are supposed to, simply forgetting the password. Without a doubt, the password reset is still the number one ticket for most service desks. Not only is there an efficiency cost here. Service desks become so accustomed to resetting passwords that a form of automaticity seeps in, and the additional checks that should precede every reset (verifying that the caller really is the account owner and not someone impersonating them) are forgotten.
End users, the IT department and your CISO alike will benefit from implementing additional identity security features like multi-factor authentication (MFA), Windows Hello for Business and self-service solutions.
The goal is to drastically improve security while making the login experience far more convenient. That seemingly unattainable balance between security and convenience? It’s a misunderstanding. Evolving towards passwordless environments is a win-win for both the end users and the security officers.
What are the alternatives to a password?
As futuristic as no longer basing your identity security on passwords might sound to some, the building blocks are a combination of solutions that is likely already available within your Microsoft license.
As the central identity solution, Xylos primarily uses Microsoft’s cloud-based identity platform Azure Active Directory in combination with the on-premises Active Directory. That allows us to use all the cloud identity security features without having to replace the on-premises identity platform. By enabling modern authentication alongside the legacy on-premises authentication, it is also possible to improve security for on-premises services: applications that are published through Azure Active Directory, for example, are then covered by the same MFA and conditional access policies as the cloud services.
Multi-factor authentication (MFA)
Most people know multi-factor authentication from receiving a text message or using an authenticator app to log on to services, but there are multiple forms of multi-factor authentication. In basic terms, MFA is a process in which the user is prompted during sign-in for an additional form of identification. This comes in forms such as authenticating via a trusted device, a fingerprint, face recognition, a PIN code, a text message, an approval in an app, a USB security key or a phone call. Not all of these are equally strong: text messages and phone calls can be intercepted or redirected (SIM swapping), and any one-time code that the user types into a web page can be phished in real time, whereas security keys and device-bound credentials cannot. Still, according to Microsoft, simply enabling multi-factor authentication already blocks over 99.9 percent of account compromise attacks.
Two-factor authentication with Windows Hello for Business
Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. Under the hood it is key-based: enrolment creates a key pair whose private key is protected by the device (in the TPM where one is available) and whose public key is registered with the identity provider; the PIN, fingerprint or face recognition only unlocks that key locally and is never sent over the network. The credential is therefore unique to the device on which it is set up, but it can be reset from the cloud. Windows Hello for Business lets the user authenticate with a PIN code, fingerprint or face recognition, which makes the login process much easier and faster compared to entering a password every time you return to your device.
The diversity of authentication methods also gives the user alternatives at logon in case one method is not available (a fingerprint reader that does not read, a camera that is covered). It also allows a reset procedure to create a new PIN without any intervention from the service desk. How? Thanks to Azure Active Directory self-service password reset. If a user’s account is locked, simply following the prompts will unlock access. Back to work in no time, and no unnecessary time loss for the service desk.
How to implement additional authentication layers?
When clients approach us, the first step is getting a clear and complete view of the current identity setup. That allows us to evaluate and determine the right steps towards the implementation of identity security features. There are multiple possibilities for providing an extra authentication layer.
The most common is the use of a mobile phone with the authenticator app, but this is not suitable for every profile (think of shared devices or staff without a company phone). Therefore, it is important to gather the identity profiles within your organization and to see how we can secure each identity without compromising usability and flexibility. For this we can look at security keys, biometrics, conditional access and more.
Don’t forget about user adoption.
Apart from determining the suitable identity security design for each profile it is important to develop a user adoption strategy. On most work floors there are generation and experience gaps when it comes to digital maturity. When it comes to identity security, you cannot afford a few slip-ups here and there. You need to get it right, right away. Therefore, it is important to provide every end user with the appropriate communication and training.
At Xylos we always develop a concrete plan of action that entails communication and learning paths. The plan allows your organization to carry out the further practical rollout of the identity security measures itself (or to have it carried out by Xylos, depending on the competencies that are available in-house).
Types of questions that need to be addressed in order to develop an accurate plan:
- What are the most important user groups within your organization? How will we classify them?
- Should different training courses be provided for management and employees?
- What groups should be informed first? E.g. Starting with a demo session for the management.
- What languages are relevant? For the training sessions and for the documentation.
- What type of devices do they use? Laptop, desktop, tablet, smartphone, etc.
- Where are they located?
More about Xylos and the implementation of identity security
Xylos is authorized by Microsoft as a FastTrack Ready Partner (FRP) to deliver the FastTrack Benefit on behalf of Microsoft. Only 300 partners globally are acknowledged as FRP, a closed set of elite Microsoft 365 partners.
Microsoft provides the FastTrack service to help customers successfully deploy and drive user adoption of Microsoft 365 solutions. When customers purchase eligible Microsoft 365 licenses, the FastTrack benefit is included at no additional cost for the life of their subscriptions.
Interested in an Identity Security Workshop?
Our Identity Security Workshop is a multi-step engagement that Xylos offers to help a customer understand the Microsoft identity security story. We focus on improving identity security while improving the end user experience.
As a FastTrack Ready Partner, we are approved by Microsoft to provide the FastTrack benefit to your organization, which includes best practice guidance and deployment support for Microsoft Endpoint Manager (MEM). Customers with eligible subscriptions can use this service at no additional cost.