Microsoft Exec on Why FIDO Authentication Beats Certificates
Microsoft's Libby Brown on How FIDO Passwordless Authentication Cuts Complications
Moving from certificate-based to FIDO authentication dramatically reduces overhead and complications for large enterprises looking to move away from using passwords, says Microsoft's Libby Brown.
FIDO allows organizations to adopt strong passwordless authentication by simply buying a FIDO key and turning it on in their Azure Active Directory tenant, says Brown, senior product manager for identity at Microsoft. This means they can eschew the complicated setup associated with trusted root certificates. FIDO uses public key cryptography: the authenticator generates and holds the private key, and the relying party stores only the matching public key, so users can create and store their credentials securely without the organization having to run a centralized store of secrets, she says (see: How FIDO2 Can Streamline Passwordless Tech, Account Recovery).
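To make the "no centralized credential store" point concrete, here is an added, simplified model of a FIDO2/WebAuthn registration and login ceremony written for this page; it is not Microsoft's or the FIDO Alliance's code. The relying party ID `login.example.com`, the origins and the 16-byte credential ID are constructed for the example, and the authenticator data is reduced to the rpIdHash plus a flags byte (the signature counter and attestation are omitted). The server holds only public keys; the private key never leaves the authenticator, and the browser-supplied origin is covered by the signature, which is what defeats a phished, relayed challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator models the FIDO key: private keys scoped to an rpID, never exported.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// RelyingParty models the server: it stores public keys only, no secrets.
type RelyingParty struct {
	ID, Origin string                      // rpID and the browser origin it expects
	pubs       map[string]*ecdsa.PublicKey // credential ID -> public key
}

// clientData is what the browser (not the web page) assembles, so the
// origin field cannot be forged by a phishing page.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }
func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{ID: id, Origin: origin, pubs: map[string]*ecdsa.PublicKey{}}
}

// Register creates a fresh P-256 key bound to rp.ID and gives the RP only the public half.
func (a *Authenticator) Register(rp *RelyingParty) (string, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	id := make([]byte, 16) // constructed credential ID
	if _, err := rand.Read(id); err != nil {
		return "", err
	}
	a.keys[rp.ID] = priv
	credID := hex.EncodeToString(id)
	rp.pubs[credID] = &priv.PublicKey
	return credID, nil
}

func BrowserClientData(challenge, origin string) []byte {
	b, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	return b
}

// signedDigest is sha256(authData || sha256(clientDataJSON)), as in WebAuthn.
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdh := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return d[:]
}

// Assert signs for rpID; a key registered for another rpID is simply not usable.
func (a *Authenticator) Assert(rpID string, clientDataJSON []byte) (authData, sig []byte, err error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, nil, errors.New("no credential scoped to this rpID")
	}
	h := sha256.Sum256([]byte(rpID))
	authData = append(h[:], 0x01) // rpIdHash || flags (user present)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, clientDataJSON))
	return authData, sig, err
}

func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Verify checks challenge, origin, rpIdHash and the signature under the stored public key.
func (rp *RelyingParty) Verify(credID, challenge string, clientDataJSON, authData, sig []byte) error {
	pub, ok := rp.pubs[credID]
	if !ok {
		return errors.New("unknown credential")
	}
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("challenge mismatch or wrong ceremony type")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin %q is not %q", cd.Origin, rp.Origin)
	}
	want := sha256.Sum256([]byte(rp.ID))
	if len(authData) < 33 || string(authData[:32]) != string(want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(authData, clientDataJSON), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Demo returns (legitErr, phishErr, scopeErr): a real login succeeds, a relayed
// challenge from a look-alike origin fails at the RP, and the key cannot even be
// exercised for the look-alike rpID.
func Demo() (legitErr, phishErr, scopeErr error) {
	auth, rp := NewAuthenticator(), NewRelyingParty("login.example.com", "https://login.example.com")
	credID, err := auth.Register(rp)
	if err != nil {
		return err, nil, nil
	}
	ch := rp.NewChallenge()
	cdj := BrowserClientData(ch, rp.Origin)
	ad, sig, _ := auth.Assert(rp.ID, cdj)
	legitErr = rp.Verify(credID, ch, cdj, ad, sig)
	phishCdj := BrowserClientData(ch, "https://login-example.com") // constructed phishing origin
	ad2, sig2, _ := auth.Assert(rp.ID, phishCdj)
	phishErr = rp.Verify(credID, ch, phishCdj, ad2, sig2)
	_, _, scopeErr = auth.Assert("login-example.com", phishCdj)
	return legitErr, phishErr, scopeErr
}

func main() {
	l, p, s := Demo()
	fmt.Println("legitimate:", l, "| relayed phish:", p, "| wrong rpID:", s)
}
```

Contrast this with certificate-based authentication, where the organization must operate a trusted root, issuance and revocation; here the server's database contains nothing an attacker could replay, and a breach of it yields public keys only.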
"It's something that any user can have some instructions and set it up," Brown says. "Any organization can help their users set it up. It is so much more simple."
In this video interview with Information Security Media Group from the FIDO Alliance's Authenticate 2022 conference, Brown also discusses:
- The biggest passwordless challenges at large enterprises;
- Best practices for implementing identity verification;
- Balancing phishing resistance and ease of use for small to midsized businesses.
Brown is responsible for driving Microsoft's Azure Active Directory features and scenarios and championing passwordless technologies. She has also held product, program and/or release manager roles within Microsoft Learning, Office Live Small Business, Office 365, Azure Commerce Platform and Universal Store. Outside of work, you can find Brown answering product questions on Twitter as @TruBluDevil.
Michael Novinson: Hello, this is Michael Novinson with Information Security Media Group. I'm joined today by Libby Brown. She is the senior product manager for Microsoft Identity. Good morning, Libby. How are you?
Libby Brown: Good morning. I'm fine. Thank you.
Novinson: I appreciate you taking the time today. I wanted to get into - I know you at Microsoft work with some of the largest and most sophisticated organizations in the world. How and why do you see them adopting passwordless technology?
Brown: That's right. I work for Azure Active Directory, which we have, the mom and pop shops, all the way up to some of the largest organizations in the world. And it's just a range of customer needs and customer adoption and technical skills, large organizations, they are the fortune 500s, they're security minded. It's always fun to work with them and drive them toward the strongest authentication possible.
Novinson: So, what have been some of the drivers for those large businesses that are widely booked toward passwordless?
Brown: They definitely have gotten the memo about the threats on the information technology landscape, the phishing that is out there, the bad actors. They are under attack, and it is real and painful for them. Moving to passwordless gives them that ability to stay more secure to get their passwords out of their organization to scramble them. Many of our organizations are actually already passwordless with certificate-based authentication. And now they're looking to back out some of that infrastructure and move toward FIDO authentication.
Novinson: What benefits will the organization see if they're able to back out some of that infrastructure?
Brown: One of my colleagues, Alex Simons always likes to say, "For those five to 10 companies that have managed to set up certificate-based authentication, it works great for them." But it is just a massive amount of overhead and complications. With the FIDO standards, we are seeing a lot of organizations be able to move ahead with that strong passwordless authentication without having to have those certificates of Root of Trust and those complicated setups. You can literally just buy a FIDO key, turn it on in your Azure Active Directory tenant and you're good to go.
Novinson: Why is the FIDO standard so much simpler than the more traditional route companies are taking with certificates?
Brown: It again comes down to the level of infrastructure and management required. With the FIDO standards using PKI, you have that ability to have the user create a credential and store it securely, but not have that centralized store of credentials. It's just something that any user can have some instructions and set it up. Any organization can help their user set it up. It is so much more simple.
Novinson: What are some of the unique issues that folks have to grapple with if you are a large enterprise? You're global, you're multisite, have remote workers, on-premises workers, maybe you've had some M&A. How does all that affect how passwordless is set up? What are some of the unique challenges in that large enterprise space with passwordless?
Brown: We've definitely seen some challenges as the world moves more remote. We, at Microsoft, require customers to have set up MFA already in order to set up this additional strong authentication. And so for a large body of our customers, they didn't already have MFA. And how do we go from a password to stronger authentication? We've made that capable on our end through a temporary access pass, which allows a user now to go from a password and their temporary access pass to a strong authentication credential. So, really, it's now a question of how does that organization know who's behind the cred? And identity verification is that next challenge that I'm looking forward to in this conference to figure out how the industry is talking about and what we're going to do to solve that.
Novinson: So tell me a little bit more about identity verification. Why is it such a vexing issue for the industry? And what are some strategies or best practices you're seeing folks adopt around it?
Brown: I think, like I said, this is the next challenge for identity professionals to solve. When I go out and talk to customers, and they say, "Well, how do we do this?", I say, "Well, what do you do today, when someone calls the help desk and says, 'I lost my password'?" And oftentimes I get a very blank stare or "we should reconsider that." So it really depends on the organization, their maturity level. Even at Microsoft, we require manager involvement. We're hearing some companies are bringing video into play, maybe a Skype call or a Zoom with the employee, to make sure. Verifiable credentials is next on the horizon. I'm really excited to see where that goes.
Novinson: I know we've talked a lot about it, the work of large enterprises because I know you've mentioned before, you work all the way down to mom and pop shops. What's different about adopting passwordless technology as a mid-sized business or as a small business versus as a fortune 500 company?
Brown: So with those large organizations, they've got large IT departments. A smaller shop, maybe sub-500, sub-100, they are just a person trying to do their job and also manage new technology. They might not be aware of those threats. They certainly aren't, you know, MFA and identity experts. So getting those organizations to go beyond a password and be more secure, we need to make it as simple as possible as an industry so that we can reduce that amount of phishing and the level of phishing attacks. With FIDO, that is one step to make it super simple. One of my favorite studies coming out of the FIDO Alliance is Yahoo Japan. And they had an excellent study on just the simple use of FIDO reducing the time of a user trying to log into their account, as well as speeding it up and making it more secure over traditional passwords or even SMS passwordless. It really is showing itself to be that way to move the industry forward for every organization.
Novinson: In terms of folks who aren't even doing MFA yet, what is the experience like trying to simultaneously adopt both MFA as well as passwordless? And how can you help organizations through that?
Brown: We definitely would like to make sure everyone has all the credentials they need in order to retain access to their account, whether that means they fall back to a password, an SMS OTP code is still better than just a password alone. But I'm super excited about the rise of passkeys and the promise that brings where you can have that strong phishing resistant credential. But it does come with some consumer grade features, including the ability to use it across all your devices and a backup and restore component. I think that is what moves the bulk of our organizations users ahead in their strong authentication story.
Novinson: In terms of striking the right balance between phishing resistance and ease of use, especially for those smaller businesses, what's your thought behind that? How do you find the appropriate middle ground?
Brown: That's an excellent question. And I think as an industry, we're trying to make that balance. We do have those organizations that are going to say no to passkeys, they want that single device, they want the control of, "I gave my user this key and that's the only key they can use" versus "Hey, please go be more secure, do whatever it takes," you know, end user. And so finding that balance, as you pointed out, between security and ease of use, will depend on the organization and their risk tolerance structure I think.
Novinson: Returning back to passkeys here, why are you so excited about passkeys? Why do you feel they offer so much potential for the industry?
Brown: I think that is the right way to get the vast majority of all account holders moving forward and moving away from passwords. The promise of passkeys is that anyone can use them, anyone with a mobile device. And they're so simple to use. And I expect within the next three years, it's going to be such a ubiquitous gesture that everyone's just going to ask, "Hey, where's my passkey?"
Novinson: When talking about the state of passwordless today, if we're looking at adoption at large enterprises versus small businesses, do you see a pretty large gap in terms of uptake between the large companies and the small ones? Or do you feel adoption has been fairly equal, regardless of business size?
Brown: For FIDO's credentials in general, it's been fairly equal. Again, those organizations that are maybe a little more technologically advanced or have an IT department to push those deployments forward, we're definitely seeing larger growth. But I also have a long tail of customers that are trying it, they are getting a key, they are registering it, they're testing it out. I expect in the next two to three years, we're just going to see FIDO as the way forward.
Novinson: Interesting. Let me ask you here finally, what do you see coming down the pipe? I know you said identity verification scenario, the industry needs to work on? What are the practices, some other central topics in 2023?
Brown: That's an interesting question. I definitely think there's going to be a return to looking at identity federation, especially as more and more accounts are relying on these consumer-backed passkeys. So why would you create an account for your subway app versus using your Apple account in the subway app. Those are some sorts of scenarios that I think, especially in that B2C space, we'll start to see more questions and hopefully get some answers next year.
Novinson: Interesting stuff to chew on. Libby, thank you so much for the time.
Brown: My pleasure. Thank you.
Novinson: We've been speaking with Libby Brown. She is a senior product manager for Microsoft Identity. For Information Security Media Group, this is Michael Novinson. Have a nice day.