FIDO 2: Zero Trust in Action with Passwordless Phishing Resistant Authentication

I'm Sara Fre from Terra. I'm part of the identity and access management team and lead activities with our key technical partners. I'm very happy to, to present this session with Thomas Thomas that's now from Microsoft. I let you introduce yourself.
Sit on. Yeah. Hi guys. My name is Thomas. I am work at the Identity Network, access division at Microsoft Product Manager there. And yeah, it's great to see a couple of familiar faces and we hope we're running on time to get you to lunch on time.
Let's try. Yeah. Good. Objective. We partner for a long time on password less authentication and we would like in decisions, share our recommendation around our organization can enable fishing resistant authentication to, to achieve zero trust approach. So let's start with very key insights coming from, from Thomas and Microsoft.
Thank you Sarah. So yeah, why should you care in 2023 still about, you know, fish resistance, right? You know, we, we should be, we should be further along. Turns out we published a report end of last year and yeah, as you can see from the charts, phishing is still on the rise. So we see about 60% year over year increase in phishing and which translates to around about 700 million emails being blocked or phishing emails being blocked. And that translates to roughly about 1300 of those per second. So that gives you a rough idea of, you know, the problem says space that we are still talking about. So fishing is still the number one entry point. And alongside that we also see, you know, an uptake in, you know, further sophistication of course and more targeting to MFA based attacks as well, which, you know, ultimately calls for a stronger authentication for fish resistant credentials. Ultimately.
So how do we, how do we defend against those attacks at Microsoft to use a combination of AI based modeling alongside with human intervention and human analytics. And we believe we're in a rather unique position there because the Microsoft ecosystem spreads from consumer all the way to enterprise from gaming all the way to the cloud platform across the globe. So we get a lot of signals every single day. As you see from the numbers is we talk about like 65 trillion signals a day. There's a lot of data that we process and yeah, our analysts also are busy with analyzing those, those signals every day. So we have about 8,500 security researchers in the different organizations also argumenting the models and improving the ar the models and detections every day.
So ultimately as, as I mentioned, you know, Phish is still number one and you know, password based attacks are the number one vector. So in, in the ideal case, we would all turn on MFA and the problem goes away, right? That would be the, the ultimate and ideal case. And we found in research even before covid, that that that this is a very effective method. However, as we also saw in the report that there is more and more, you know, sophistication and targeting to NFA based attacks. That's why many organizations now opted their strategy in including in in their zero trust strategy for phish resistant credentials. So, which is great to see and you know, we're going to see more of that from Sarah later on from the Microsoft identity platform point of view. We give you also the controls, what we call the standard access policy. So if you're working with partners in a B2B scenario, we have controls that you can turn on and protect also these external user scenarios, including fish resistant credentials and that could become from the public cloud as well as from the server cloud offerings that we have for the identity platform.
Microsoft is, you know, investing in and and advocating for zero trust for almost a decade now. So it's not a new, a new paradigm for us and it was great to see that about two years ago the US government has issued a executive order to call specifically US government agency for up-leveling their investments and protection for zero trust, sorry for cybersecurity and US government, but that had also wider implications on our side. So we level up our investments for zero trust and fish resistant credentials. And also we see across the globe more and more organizations picking up that. So specifically here for Europe, the European Unions Cybersecurity Agency also added that to their standards and callouts for upleveling security.
In addition, we partnered very, very closely with the National Institute of Standards and Technology, also known as nist. So some of you made that for TO at NIST and we very recently updated the guidance there on how do you achieve, for example, authentication assurance levels. So AAL levels that you, some of you may be familiar with and how do you achieve, for example, NIST AAL level three, go and have a look at a kms NIST compliance again, we call, we updated it about two weeks ago. So if you haven't seen that, go have a look. Most zero trust frameworks, and I guess you guys heard a couple of them during this the last two days already, maybe call out for a centralized access management system. And alongside that also, you know, in integration with fish resistant MFA and strong protection of your credentials and ideally you also couple that with device-based access controls from our side that would be condition access and we'll look at that a bit later. But yeah, I wanna also give the, the hand to Sarah, like what, what other options do we have available for fish resistant credentials?
Thank you Thomas. Two cybersecurity agencies. So CISA in the US cybersecurity Agency in the US and NSA published recently a report with recommendation for IM administrators. So they classify the authentication methods for categories from the weakest to the strongest and they confirm that the two fishing resistant authentication methods are Fido and pki public key infrastructure are certificate based authentication. So they really uses, they they huge organizations to, to deploy fishing resistant authentication when they can as soon as they can and go to Fido as a modern authentication method for modern application. And when it's not possible because you have legacy resources to protect our use case to, to go to certificate based authentication.
So this is on, on this point where today many organization have solution. You have many organizations who already have invested into PKI and already use PKI for different use cases and they are looking right now at solution to leverage this enlarge and solve some limitations they can face on how to use it on on mobile phones, how to to use it for modern use case like cloud application. Just perhaps if you can go to the next slide. Thank you. So for this organization really the, the approach should be hybrid and they need to combine the two authentication protocols, PKI and Fido. They can do it by deploying ivory authenticators that combine the two. And in this case they benefit from many things. They benefit from multiple use cases, they can maintain the use cases they have already extensively deployed and that Fido won't be able to replace digital signage, email encryption for example. And they can add additional use cases, protect web apps, modern web apps, access, use it on multiple devices including mobile devices. They can combine also with other use cases like physical control access and in this case give the end users, employee or partners the way to use only one single authenticator for multiple devices.
So this is really, there is no one size fits all approach for for the organization really for in order to achieve zero trust, what we recommend is to right size the authentication methods and the privilege given to users. So we recommend to build such map, such graph on the right hand side you list your application with a level of sensitivity and the type of users who access to those applications. And on the left hand side, okay, you position your authentication method on to access security user convenience, which are quite traditionally used for sure if you look at the blue, white blue box, it's all the authentication method that are fishing resistant. So really important for I privilege users VIPs to equip them, enable such authentication methods to access sensitive resources. But it's true that there are some situation in organization we know where it won't be compatible. You have some blocking finances and if we follow the recommendation from cisa in this case you can go to maintain or stay with mobile push notification, but you can enhance the security on this. And what is recommended is to enhance with number matching for example in order to protect again bombing attacks for example.
So in conclusion, further takeaways to achieve the request with phishing resistant authentication. What we recommend is we recommend everybody is aware about is now MFAs immersed but it's not enough anymore regarding the complexity of attacks. You need to rightsize authentication methods to the, use the context of your user, the device where they access the resources and enable phishing resistant MFA when you can, where you can
And how you can do that from the, you know, Azure ID point of view. We have recently announced the traditional access authentication methods. So as you can see here, we've already grouped them into fish resistant credentials and non fish resistant credential. York, you also can create your own ones. So if you're not happy with the Microsoft choices, create your new one or if a new one's coming out, we'll add them here too. Enable, as Sarah mentioned, enable five two and phone sign for your security conscious users today ideally or tomorrow and or next we get latest when you're coming back and yeah they, they can be also outside of the IT department. So we have seen a lot of use cases where you know, you partner with other business units and you find those individual key players and help you, you know, spreading the message and and getting more adoption. Ultimately we want you to go for passwordless. So that's also was great to see that Martin Cooper call that out too is this is should be your north star, right? So we want you to have a better user security experience and a stronger authentication stack ultimately. And lastly,
Yeah use, I will approach and bridge the different protocol like PKI and fis. This will really full fire passwordless fishing resistant authentication journey. So thank you very much. You are very happy. We'll be very happy to fulfill the discussion. Don't hesitate to come at Microsoft and Tebo, we are really neighbors so you can find us exactly. Quick questions, level one. Well
Thank you very much. It was really, really insightful and kind of practical presentation. However, I do have one really provocative question from the online audience. Again, go for it. Like basically to shorten it down, like why do we have to trust you as vendors? Is there a formal way to prove that your methods are indeed fish and resistant?
Well you can choose the, the fish resistant method of your choice and as we show an unconditional access, you can integrate the method that you want. If you don't trust us, you can federate, you can still like use your on-premises idp. That's still possible even though we don't recommend it. But you know, if you don't trust it then go for that solution.
And just, this was the ID why we included some, some analysis and report from cybersecurity agencies that are not vendor related, like seasoned nsa, like the topic. If we look, look at cybersecurity agencies, look at the report, look at what the US government request to federal agency, look at Anisa report, what they recommend in term of authentication method. So it's coming from there.
Thank you. So just actually for, for yourself at Microsoft, could you maybe just reiterate what your position is regarding allowing third party MFA solutions to work with your platform? Because there've been some changes in the past.
Sorry, I guess you're referring to custom controls in conditional access. Yeah, so there, there's work in progress on that. So we're actually working on improving that story. So to integrate the question, you know, how do you integrate another third party or non-Microsoft MFA provider, the answer today is use custom controls, which is kind of hard we understand. But yeah, happy to partner with you. There is a private preview coming up very soon. So yeah, come again to our booth and we'll happy to, to work with you guys.
Okay, awesome. Thanks a lot.
Good, thank you.