Michael Novinson: Hello, this is Michael Novinson with Information Security Media Group. I'm joined today by Libby Brown. She is the senior product manager for Microsoft Identity. Good morning, Libby. How are you?

Libby Brown: Good morning. I'm fine. Thank you.

Michael Novinson: I appreciate you taking the time today. I wanted to get into - I know you at Microsoft work with some of the largest and most sophisticated organizations in the world. How and why do you see them adopting passwordless technology?

Libby Brown: That's right. I work for Azure Active Directory, which we have, the mom and pop shops, all the way up to some of the largest organizations in the world. And it's just a range of customer needs and customer adoption and technical skills. Large organizations, they are the Fortune 500s, they're security minded. It's always fun to work with them and drive them toward the strongest authentication possible.

Michael Novinson: So, what have been some of the drivers for those large businesses that are widely booked toward passwordless?

Libby Brown: They definitely have gotten the memo about the threats on the information technology landscape, the phishing that is out there, the bad actors. They are under attack, and it is real and painful for them. Moving to passwordless gives them that ability to stay more secure, to get their passwords out of their organization, to scramble them. Many of our organizations are actually already passwordless with certificate-based authentication. And now they're looking to back out some of that infrastructure and move toward FIDO authentication.

Michael Novinson: What benefits will the organization see if they're able to back out some of that infrastructure?

Libby Brown: One of my colleagues, Alex Simons, always likes to say, "For those five to 10 companies that have managed to set up certificate-based authentication, it works great for them." But it is just a massive amount of overhead and complications. With the FIDO standards, we are seeing a lot of organizations be able to move ahead with that strong passwordless authentication without having to have those certificates of Root of Trust and those complicated setups. You can literally just buy a FIDO key, turn it on in your Azure Active Directory tenant and you're good to go.

Michael Novinson: Why is the FIDO standard so much simpler than the more traditional route companies are taking with certificates?

Libby Brown: It again comes down to the level of infrastructure and management required with the FIDO standards using PKI, where you have that ability to have the user create a credential and store it securely, but not have that centralized store of credentials. It's just something that any user can have some instructions and set it up. Any organization can help their user set it up. It is so much more simple.

Michael Novinson: What are some of the unique issues that folks have to grapple with if you are a large enterprise? You're global, you're multisite, have remote workers, on-premises workers, maybe you've had some M&A. How does all that affect how passwordless is set up? What are some of the unique challenges in that large enterprise space with passwordless?

Libby Brown: We've definitely seen some challenges as the world moves more remote. We, at Microsoft, require customers to have set up MFA already in order to set up this additional strong authentication. And so for a large body of our customers, they didn't already have MFA. And how do we go from a password to stronger authentication? We've made that capable on our end through a temporary access pass, which allows a user now to go from a password and their temporary access pass to a strong authentication credential. So, really, it's now a question of how does that organization know who's behind the cred? And identity verification is that next challenge that I'm looking forward to in this conference to figure out how the industry is talking about and what we're going to do to solve that.

Michael Novinson: So tell me a little bit more about identity verification. Why is it such a vexing issue for the industry? And what are some strategies or best practices you're seeing folks adopt around it?

Libby Brown: I think, like I said, this is the next challenge for identity professionals to solve. When I go out and talk to customers, and they say, "Well, how do we do this?", I say, "Well, what do you do today, when someone calls the help desk and says, I lost my password?" And oftentimes I get a very blank stare or "we should reconsider that." So it really depends on the organization, their maturity level. Even at Microsoft, we require manager involvement. We're hearing some companies are bringing video play into maybe a Skype call or a Zoom with the employee to make sure. Verifiable credentials is next on the horizon. I'm really excited to see where that goes.

Michael Novinson: I know we've talked a lot about it, the work of large enterprises, because I know you've mentioned before, you work all the way down to mom and pop shops. What's different about adopting passwordless technology as a mid-sized business or as a small business versus as a Fortune 500 company?

Libby Brown: So with those large organizations, they've got large IT departments. A smaller shop, maybe sub 500, sub 100, they are just a person trying to do their job and also manage new technology. They might not be aware of those threats. They certainly aren't, you know, MFA and identity experts. So getting those organizations to go beyond a password and be more secure, we need to make it as simple as possible as an industry so that we can reduce that amount of phishing and the level of phishing attacks. With FIDO, that is one step to make it super simple. One of my favorite studies coming out of the FIDO Alliance is Yahoo Japan. And they had an excellent study on just the simple use of FIDO reducing the time of a user trying to log into their account, as well as speeding it up and making it more secure over traditional passwords or even SMS passwordless. It really is showing itself to be that way to move the industry forward for every organization.

Michael Novinson: In terms of folks who aren't even doing MFA yet, what is the experience like trying to simultaneously adopt both MFA as well as passwordless? And how can you help organizations through that?

Libby Brown: We definitely would like to make sure everyone has all the credentials they need in order to retain access to their account, whether that means they fall back to a password; an SMS OTP code is still better than just a password alone. But I'm super excited about the rise of passkeys and the promise that brings, where you can have that strong phishing-resistant credential. But it does come with some consumer-grade features, including the ability to use it across all your devices and a backup and restore component. I think that is what moves the bulk of our organizations' users ahead in their strong authentication story.

Michael Novinson: In terms of striking the right balance between phishing resistance and ease of use, especially for those smaller businesses, what's your thought behind that? How do you find the appropriate middle ground?

Libby Brown: That's an excellent question. And I think as an industry, we're trying to make that balance. We do have those organizations that are going to say no to passkeys, they want that single device, they want the control of, "I gave my user this key and that's the only key they can use" versus "Hey, please go be more secure, do whatever it takes," you know, end user. And so finding that balance, as you pointed out, between security and ease of use, will depend on the organization and their risk tolerance structure, I think.

Michael Novinson: Returning back to passkeys here, why are you so excited about passkeys? Why do you feel they offer so much potential for the industry?

Libby Brown: I think that is the right way to get the vast majority of all account holders moving forward and moving away from passwords. The promise of passkeys is that anyone can use them, anyone with a mobile device. And they're so simple to use. And I expect within the next three years, it's going to be such a ubiquitous gesture that everyone's just going to ask, "Hey, where's my passkey?"

Michael Novinson: When talking about the state of passwordless today, if we're looking at adoption at large enterprises versus small businesses, do you see a pretty large gap in terms of uptake? Get the large companies versus the small ones? Do you feel adoption - it's been fairly equal, regardless of business size?

Libby Brown: For FIDO's credentials in general, it's been fairly equal. Again, those organizations that are maybe a little more technologically advanced or have an IT department to push those deployments forward, we're definitely seeing larger growth. But I also have a long tail of customers that are trying it, they are getting a key, they are registering it, they're testing it out. I expect in the next two to three years, we're just going to see FIDO as the way forward.

Michael Novinson: Interesting. Let me ask you here finally, what do you see coming down the pipe? I know you said identity verification scenario, the industry needs to work on? What are the practices, some other central topics in 2023?

Libby Brown: That's an interesting question. I definitely think there's going to be a return to looking at identity federation, especially as more and more accounts are relying on these consumer-backed passkeys. So why would you create an account for your subway app versus using your Apple account in the subway app? Those are some sorts of scenarios that I think, especially in that B2C space, we'll start to see more questions and hopefully get some answers next year.

Michael Novinson: Interesting stuff to chew on. Libby, thank you so much for the time.

Libby Brown: My pleasure. Thank you.

Michael Novinson: We've been speaking with Libby Brown. She is a senior product manager for Microsoft Identity. For Information Security Media Group, this is Michael Novinson. Have a nice day.