Prior to Microsoft’s Ignite conference I was able to talk with the company’s CISO Bret Arsenault about some key things we should all be doing to keep Windows networks secure. He talks about four pillars of security: passwordless identity management, patch management, device control and security benchmarks.
1. Passwordless identity management
Arsenault’s recommendations start with using multi-factor authentication (MFA) and moving to passwordless identity management. Based on the 2020 Verizon Data Breach Investigations Report, stolen credentials are behind 80% of cyberattacks. It’s a key reason why Microsoft emphasizes getting rid of normal passwords and focuses on passwordless techniques.
You have three main passwordless options for Windows deployments. The first is Windows Hello for Business, which includes biometric authentication. To support Windows Hello for Business in a cloud-only deployment, you need Windows 10 version 1511 or later, a Microsoft Azure account, Azure Active Directory (AD), Azure Multi-factor Authentication, and modern management (Intune or a supported third-party MDM). Optionally, an Azure AD Premium subscription gives you automatic MDM enrollment when a device joins Azure AD. For a hybrid deployment, you need Windows 10 version 1511 or later, and the device must be Hybrid Azure AD joined or Azure AD joined.
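A quick way to check those prerequisites on a device is to parse the output of `dsregcmd /status`, which reports the join state and whether a Windows Hello for Business key has been provisioned. The script below is an added example, not Microsoft's or the article's own code; the `AzureAdJoined`, `DomainJoined` and `NgcSet` keys are real dsregcmd output fields, the build number 10586 corresponds to Windows 10 version 1511, and the sample status text is constructed so the script runs offline.

```powershell
function ConvertFrom-DsregStatus {
    # Turn the "   Key : Value" lines of dsregcmd /status into a hashtable;
    # section banners (+---- / | Device State |) do not match and are skipped.
    param([string]$StatusText)
    $state = @{}
    foreach ($line in ($StatusText -split "`r?`n")) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-WhfbReadiness {
    param(
        [hashtable]$State,
        [version]$OsVersion = [System.Environment]::OSVersion.Version
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    # Windows 10 version 1511 is build 10586; anything older cannot use WHfB
    if ($OsVersion -lt [version]'10.0.10586') {
        $findings.Add("OS build $OsVersion is older than Windows 10 version 1511")
    }
    $aadJoined = $State['AzureAdJoined'] -eq 'YES'
    $domJoined = $State['DomainJoined'] -eq 'YES'
    if (-not $aadJoined) {
        $findings.Add('Device is neither Azure AD joined nor Hybrid Azure AD joined')
    }
    # NgcSet reports whether the signed-in user has a Hello for Business key yet
    if ($State['NgcSet'] -ne 'YES') {
        $findings.Add('Windows Hello for Business key not provisioned for this user (NgcSet is not YES)')
    }
    [pscustomobject]@{
        Ready    = ($findings.Count -eq 0)
        JoinType = if ($aadJoined -and $domJoined) { 'Hybrid Azure AD joined' }
                   elseif ($aadJoined) { 'Azure AD joined' } else { 'Not joined' }
        Findings = $findings
    }
}

# Constructed sample in the dsregcmd /status layout. On a live device use:
#   Test-WhfbReadiness -State (ConvertFrom-DsregStatus (dsregcmd /status | Out-String))
$sample = @"
| Device State |
             AzureAdJoined : YES
              DomainJoined : YES
| User State |
                    NgcSet : NO
"@
Test-WhfbReadiness -State (ConvertFrom-DsregStatus $sample) -OsVersion '10.0.19041' | Format-List
```

On the constructed sample this reports a Hybrid Azure AD joined device on a supported build whose user has not yet enrolled a Hello for Business key, which is the usual state right after joining and before the first provisioning prompt.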
The next option, and one that I use, is the Microsoft Authenticator app. (You can also use the Google Authenticator app for two-factor verification, but you will need Microsoft Authenticator for passwordless implementation.) This may be a viable option for you if your applications support the Authenticator app and your users can use the same platform for multiple cloud applications. As noted in Microsoft’s documentation, the technology used is similar to Windows Hello. To deploy it you need Azure Multi-Factor Authentication with push notifications allowed as a verification method. Then you need the latest version of Microsoft Authenticator installed on devices running iOS 8.0 or greater or Android 6.0 or greater.
Finally, you can implement passwordless sign-in with FIDO2 security keys. You need a key such as a YubiKey that supports a resident key, a client PIN, the hmac-secret extension and multiple accounts per relying party (RP).