CIS14: Zen and the Art of Cloud Adoption—a Practitioner’s Viewpoint on Finding Balance

Zen & the Art of Enterprise Authentication: A Practitioner’s Viewpoint on Finding Balance Laura E. Hunter Identity Management Architect Microsoft IT @adfskitteh


Laura E. Hunter, Microsoft

Real-life tales from the trenches about how Microsoft IT is working to strike the right balance between enterprise requirements for security, privacy, control, and compliance, and creating a great experience for their users and customers who want to stay connected and productive no matter where they are or what device they’re using.

Transcript of CIS14: Zen and the Art of Cloud Adoption—a Practitioner’s Viewpoint on Finding Balance

Page 1: CIS14: Zen and the Art of Cloud Adoption—a Practitioner’s Viewpoint on Finding Balance

Zen & the Art of Enterprise Authentication: A Practitioner’s Viewpoint on Finding Balance

Laura E. Hunter Identity Management Architect Microsoft IT @adfskitteh

Page 2

Page 3

Page 4

But Security is No Laughing Matter…

Page 5

It’s All About Managing Expectations

Page 6

“Why Can’t I Use Facebook to Log Onto Payroll?”

Page 7

“Employees Must Use Smart Cards At All Times!”

Page 8

“We Don’t Allow Personal Devices On Our Network.”

Page 9

Physical Smart Cards @ Microsoft Today

• Walk into Building 92

• Present your driver’s license/passport

• Get your picture taken

• Pick a PIN

• Walk out with a smart card

• Don’t live in Redmond? We’ll mail it to your address of record.

• What’s that? You’re travelling? Uhh…too bad, so sad?

Page 10

We need to make access easy and secure!

Page 11

Page 12

Multi-Factor Authentication Using Any Phone

• Works with the user’s existing phone, anywhere in the world

• Offers out-of-band protection from malware threats

• Verifies user logins, financial transactions, and more

• Features built-in support for leading on-premises applications and cloud services

• Streamlines user management and enrollment

• Backed by a scalable cloud service

Page 13

What Microsoft IT Has Learned So Far…

• Policy before technology

• “What is the assurance level of Phone Factor?”

• OOB registration experience == username & password

• Existing strong authenticators – physical/virtual smart cards

• “So how do we proof the phone number?”

• Security – Physical smart card

• Usability – “Nobody likes to use smart cards!”

Page 14

Example of a “Balanced” Policy

Page 15

“Immutable Laws of Phone Authentication”

• The user must be expecting the challenge

• Otherwise, the user gets trained to always succeed the auth, thus defeating the point of strong auth entirely

• Corollary: the user must not be subjected to numerous auth requests in a row

Page 16

“Immutable Laws of Phone Authentication”

• The calling system must be reasonably assured of the user’s identity before initiating Phone Authentication

• Phone Authentication is a secondary authenticator, not primary; otherwise it’s trivial for an attacker to make a victim’s phone ring at 3:00 AM knowing only his or her username
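The three policy rules from slides 13, 15 and 16 (proof the phone number with an existing strong authenticator, send a phone challenge only after the primary credential has been verified, and never subject a user to a run of challenges) can be checked mechanically at the point where the phone call is about to be placed. The following is an added example written for this transcript; it is not code from the talk or from Microsoft IT. The class and field names (`PhonePolicy`, `Session`, `register_phone`, `request_challenge`) and the numeric limits (three challenges per ten minutes) are assumptions chosen for illustration.

```python
"""Policy checks for a phone-based second factor (added example, not from the deck).

Rules encoded, each traceable to a slide in the talk:
  * slide 13: a phone number may only be registered from a session that was
    proofed with a strong authenticator (physical/virtual smart card);
    otherwise the phone factor's assurance is that of the password that
    registered it.
  * slide 16: a phone challenge is only placed after the calling system has
    verified the primary credential, so a username alone cannot ring a phone.
  * slide 15: a user must not receive many challenges in a row, so that each
    challenge is one the user is actually expecting.

All identifiers and limits below are assumptions for illustration.
"""
from collections import deque
from dataclasses import dataclass, field

# Authenticators the organisation treats as strong enough to proof a phone number.
STRONG_AUTHENTICATORS = {"physical_smartcard", "virtual_smartcard"}


@dataclass
class Session:
    user: str
    authenticator: str        # how this session was established (assumed labels)
    primary_verified: bool    # has the primary credential already been checked?


@dataclass
class PhonePolicy:
    max_challenges: int = 3   # assumed limit per user per window
    window_seconds: int = 600
    phones: dict = field(default_factory=dict)    # user -> proofed phone number
    history: dict = field(default_factory=dict)   # user -> deque of challenge times

    def register_phone(self, session: Session, number: str) -> tuple[bool, str]:
        """Bind a phone number to a user only from a strongly proofed session."""
        if session.authenticator not in STRONG_AUTHENTICATORS:
            return False, "registration requires a smart-card proofed session"
        self.phones[session.user] = number
        return True, "registered"

    def request_challenge(self, session: Session, now: float) -> tuple[bool, str]:
        """Decide whether an out-of-band phone challenge may be placed right now."""
        # Slide 16: the phone is a secondary authenticator, never the first gate.
        if not session.primary_verified:
            return False, "primary authenticator not verified; phone factor is secondary only"
        number = self.phones.get(session.user)
        if number is None:
            return False, "no proofed phone number on record"
        # Slide 15: drop challenge timestamps outside the window, then rate-limit.
        recent = self.history.setdefault(session.user, deque())
        while recent and now - recent[0] > self.window_seconds:
            recent.popleft()
        if len(recent) >= self.max_challenges:
            return False, "too many challenges in a row; refusing rather than train blind approval"
        recent.append(now)
        return True, f"challenge placed to {number}"


def demo() -> list:
    """Walk a constructed user through the policy; returns the decision booleans."""
    policy = PhonePolicy()
    password_session = Session("alice", "password", primary_verified=True)
    card_session = Session("alice", "physical_smartcard", primary_verified=True)
    unverified = Session("alice", "password", primary_verified=False)
    results = [
        policy.register_phone(password_session, "+1-555-0100")[0],  # False
        policy.register_phone(card_session, "+1-555-0100")[0],      # True
        policy.request_challenge(unverified, now=0)[0],              # False
        policy.request_challenge(password_session, now=0)[0],        # True
        policy.request_challenge(password_session, now=1)[0],        # True
        policy.request_challenge(password_session, now=2)[0],        # True
        policy.request_challenge(password_session, now=3)[0],        # False (limit)
        policy.request_challenge(password_session, now=700)[0],      # True (window expired)
    ]
    return results


if __name__ == "__main__":
    print(demo())
```

The ordering inside `request_challenge` matters: the primary-credential check runs before the phone lookup and before the rate limiter, so an unauthenticated caller learns nothing about whether a number is on record and cannot consume the user's challenge budget.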

Page 17

Other Fun Factors

• Be sure that “2FA” means what you think it means

• Soft phones

• Call forwarding

• PIN protection

• Think about international costs

• Free in the US, inbound/outbound charges elsewhere

• Phone call vs data plan vs SMS

Page 18

About Those Pesky Twitter Accounts…

Page 19

Passwords Aren’t Quite Dead Yet…

• How does the user authenticate to the portal?

• Single-factor vs Dual-factor

• Dual-factor does not prevent phishing, but mitigates the results of a successful phish

• Who controls the password?

• “What do you mean you’ve taken FaceBook off my phone?”

• “Why do I have to give my Twitter password to IT?”

• “@adfskitteh isn’t corporate, it’s mine!”

Page 20

Looking Ahead…

• Now that strong auth is easy(-ier), enforce it more broadly

• Client support “shims” where needed…

• Get rid of that “bag of passwords”

• Or at least ask really nicely…

• Focus on device protection

• Registration, health, “device as smart card”

Page 21

THANK YOU! @ADFSKITTEH

Page 22

Page 23

© 2010 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.