Mar 24

Avoid password mess: Get #passwordless using E-Visor Teams App

Cristian Mora
CEO & Founder | Synergy Advisors

Hello Everyone!

Yes, password mess is real and I am sure it hits all kinds of individuals and organizations. We are at a critical point from an identity perspective, and the decisions to be made are even more relevant now that many organizations have decided to let users work remotely, not just temporarily, but permanently:

Let’s start with a simple exercise: get a piece of paper and start counting the apps and identities a single user has across business and non-business life:

Personal

    • Entertainment and social media (from movies, TV, hobbies, to all kinds of trendy social media options)
    • Services credentials (power, water, banking, garbage, your neighborhood, Smart Devices, etc.)

I personally did the test with a few friends and some of them never realized how many credentials they had until they had to get a new mobile device installed “from scratch”. They realized the amount of user accounts and passwords they have among all their “beloved apps”. Some of the members of my informal focus group found anywhere between 15 and 35 different credentials. This sounds unreal, but give it a try and you will see yourself needing extra fingers/sticky notes to keep track of the number! Yes, I am sure you may not be that far away… though hopefully not beyond 😊

Business

    • Many organizations have the unfortunate situation of a hybrid identity challenge that hasn’t been fixed on-premises and is now expanding at an accelerated pace in the cloud, generating all kinds of risk, starting from multiple identities, shadow IT services (unmanaged services that people subscribe to and IT does not monitor or audit), unmonitored data management, and many other risks.

The interesting part of consolidating users is on the business side: as organizations reduce the number of passwords per user, the risk concentrates, because a single compromised password can now be used across multiple, and maybe ALL, resources a user accesses. That’s why multi-factor authentication (MFA) becomes a critical capability, but how can you increase protection while reducing user friction and support cases?

If you went over my previous MFA blog post where we explained how to optimize your identity protection beyond just traditional MFA methods, WELCOME!!! You are at the right place; let’s walk through a passwordless strategy together!

Passwordless Journey - Overview

Let me start by saying that Identity and Access Management/Governance is certainly a journey. There is no magic bullet that can fix this issue all at once (though app code modifications, retiring legacy protocols, and improving user education come to mind almost immediately). HOWEVER, this does not mean we cannot significantly improve and get quick wins, specifically with the imminent need to protect user identities through simplified, modern, and more robust authentication mechanisms.

As presented in the following table, we recommend considering the following stages to strengthen both end-user and service identity protection through stronger authentication capabilities beyond username + password. Many of them are one click away, and you may already be licensed to use them!

Identity Optimization Journey using [Passwordless]

Each stage below lists the Stage, its Description, and the recommended Actions.

Crawl Stage

  Description: E-Visor Teams App - Improved Passwordless/Multi-Factor Experience within [My personal information]: Get to know what you have/status and recommendations

  If you are concerned about making a big change, I promise the following step will NOT hurt; it will actually make things super simple for both IT and end-users:

    • The more you enable your applications to leverage AAD single sign-on (SSO), the faster they can benefit from passwordless/MFA and other security features!
    • Enable MFA! Check our last post and see how easy it is to enable and get users familiar with it!
    • The Microsoft Authenticator app can be the easiest way to start this passwordless journey. Then users can also protect their personal email and social media leveraging this tool!

  Actions:
    • SaaS: Implement AAD SSO using standard methods
    • End-User: Implement AADP MFA; start your passwordless journey using Microsoft Authenticator

Walk Stage

  Description: E-Visor Teams App - Improved Passwordless/Multi-Factor Experience within [My Sign-Ins]: Simplified Application Access

  While users start working with their multi-factor, you can start optimizing your infrastructure as presented in the following bullets:

    • Yes, AADP has many other services that act on your users’ access requests! For example, you can configure MFA to only request a second authentication as needed, according to your security baseline. Furthering the example, consider using MFA only when accessing an app from a non-corporate device. This approach provides a less intrusive experience for your end users while still protecting the organization in riskier scenarios.
    • Scope Expansion
      • Some people think AADP is just for web-based apps, NOPE! We have deployed all kinds of VPN concentrators directly with AADP and the best part of this is:
        • Less infrastructure is needed, as the devices speak with the identity service in the cloud and, of course, can “request MFA”
        • Beyond that, you can implement all the amazing conditional access policies that make user access criteria much richer than the combination of username + password + MFA; strengthen your identity posture by checking on device state, location, and many other rules provided by the service
    • From the device coverage perspective, expand beyond accessing remote resources by implementing Windows Hello for Business! Protect your Windows 10 devices using it and note the new authentication methods you can use, from fancy biometrics to PIN-based protection: I guarantee you Windows Hello can reduce the use of passwords in your organization with your existing devices
    • Lastly for this phase, get started protecting high-privilege accounts using FIDO2 security keys. Remember that those who can perform significant changes to your services will be the focus of attacks, as hackers are always looking to quickly get control of your organization. Mitigate such actions by protecting your admins and operators with security keys, but that is not all… check the next stage, as we want to make sure your entire organization is protected

  Actions:
    • SaaS & Enterprise Apps: Implement AADP Conditional Access; integrate on-premises applications, VPN, and Remote Desktop Services with AADP
    • End-User: Expand your passwordless journey using Windows Hello for Business and protect key administrators using FIDO2 keys

Run Stage

  Description: E-Visor Teams App - Improved Passwordless/Multi-Factor Experience within [My Sign-Ins]: Simplified Application Access

  Once you have protected cloud, remote access, on-premises applications, and user devices using Microsoft AAD and FIDO keys, what else can you do? Do not miss the fun; there are so many other things you can do to continue optimizing your identity posture.

  You can even further fine-tune when to request MFA. Yes, how about requesting a second authentication based on risk! For example, configure MFA so that accessing one or more applications does not always request a second authentication. Instead, only initiate MFA requests due to some anomalous activity, such as access from unusual times or locations. Trust but verify! Let AADP mitigate risky sign-ins and go beyond static parameter protection. Only perform MFA when necessary!

  Scope Expansion

    • Now it is time to go after all your apps. Yes, it’s as simple as that: why not enable your applications to leverage MSAL and get not only “modern”, but also start leveraging a consistent user experience and risk management, using AADP Conditional Access, MFA, etc.
      • We have helped multiple organizations and you can start seeing benefits right away. App access just works; access is consistent regardless of device type and app. Simplified access + Passwordless: what a terrific combination to mitigate phishing attacks and other risks in your organization.

        Notice that this is not a .NET development story. We are using Angular, Java, and many others. Rather than reinvent the identity wheel for each new app, all are integrated and consolidated using MSAL. Interested? Let’s talk! info@synergyadvisors.biz

      • Now, close the gap and protect everyone, yes EVERYONE. Any of your employees can be the way an attacker gets into your organization. Ideally, passwordless using Authenticator + Windows Hello + FIDO2 keys should be as standard as possible across your organization. Do not let this effort be diminished by what you consider a potential future; at least consider FIDO2 expansion beyond Admins to Execs! Perhaps next target users who deal with sensitive data, and then keep going until you cover your entire organization. Remember this is a journey!

        On the technical side, 20/25 years ago you had to worry about token/smart card drivers; I can tell you now, based on the newest standards, that you can configure and use those keys very simply: USB, Bluetooth, and NFC make it sooo easy.

  Actions:
    • SaaS & Enterprise Apps (cont.): Implement Conditional Access + Identity Protection (machine learning + artificial intelligence); modernize your on-premises applications using MSAL
    • End-User: Expand passwordless throughout the organization using FIDO2 keys; replace legacy OTP/PKI/certificate-based authentication with FIDO2

  • Note that the E-Visor Teams App + AADP #passwordless capabilities presented in the next section require:
    • Customer to have AADP or sign up for a trial
    • Customer to have E-Visor Teams App Basic (or higher!) deployed and configured
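The two Conditional Access behaviours described in the Walk and Run stages above (prompt for MFA only from non-corporate devices, and step up only on risky sign-ins) can be expressed as policies created through Microsoft Graph. The script below is an added example written for this post, not Synergy Advisors’ or Microsoft’s code. It assumes the Microsoft Graph PowerShell SDK is installed, that the administrator running it holds the Policy.ReadWrite.ConditionalAccess permission, and that the AADP licensing required for sign-in risk conditions is in place; the emergency-access account ID is a placeholder.

```powershell
# Added example, not Synergy Advisors or Microsoft code.
# Creates two Conditional Access policies with the Microsoft Graph PowerShell SDK.
# Assumes: Microsoft.Graph module installed; Policy.ReadWrite.ConditionalAccess scope granted.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of the break-glass / emergency-access account that must never be locked out.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

# Walk stage: no MFA prompt on managed (Intune-compliant) devices, MFA everywhere else.
# grantControls.operator "OR" means the sign-in must satisfy at least one control:
# a compliant device OR an MFA claim.
$deviceBased = @{
    displayName = "Require MFA unless device is compliant"
    state       = "enabledForReportingButNotEnforced"   # report-only first; switch to "enabled" after review
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "mfa")
    }
}

# Run stage: step up only when Identity Protection rates the sign-in as medium or high risk.
$riskBased = @{
    displayName = "Require MFA on medium or high sign-in risk"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users            = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications     = @{ includeApplications = @("All") }
        clientAppTypes   = @("all")
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

foreach ($policy in @($deviceBased, $riskBased)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created '{0}' in state {1} (id {2})" -f $created.DisplayName, $created.State, $created.Id)
}
```

Both policies start in report-only mode, so the sign-in log records what each one would have done without actually blocking anyone; review those results before changing the state to "enabled". Keep the emergency-access exclusion in place so that a misconfigured policy can never lock every administrator out.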


Let’s get into the details about how we can walk this identity optimization journey together!

CRAWL STAGE – E-Visor Teams App – Improved Passwordless/Multi-Factor Experience within:

[My personal information]: Get to know what you have/status and recommendations

See the end-to-end status of your MFA configuration using the E-Visor Teams App, while also getting recommendations about how to improve the configuration


We have also provided details about self-service password reset (SSPR), completing the entire lifecycle of the identities – from the end user perspective – so you can keep your users productive!

NOTE: If you want more details on all the stages/statuses of the MFA configuration, check our previous blog post, “Optimized MFA and SSPR using E-Visor Teams app and AADP”.

The following picture shows you details on each box for the status of those two services; note that this includes:

MFA

  • Passwordless
    • Ana has configured Microsoft Authenticator: she can receive app notifications and perform approvals using the app. She can also leverage Authenticator’s one-time passcode to perform strong authentication
    • Ana also has a Security Key (FIDO2) configured, and that’s why we see the blue color
  • Optimization and changes
    • She can also see the details of this device from the app and, one click away, change her overall MFA configuration
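The status card described above reports one user’s registered methods. To get the same view across a whole tenant, an administrator can read the authentication-methods registration report from Microsoft Graph. The script below is an added example (not E-Visor or Microsoft code); it assumes the Microsoft.Graph.Reports module, the AuditLog.Read.All scope, and that the report exposes the IsMfaRegistered, IsPasswordlessCapable, IsSsprRegistered, MethodsRegistered and DefaultMfaMethod properties. The colour names are this example’s own classification, not E-Visor’s colour scheme.

```powershell
# Added example, not E-Visor code. Tenant-wide view of who is passwordless-ready,
# who is MFA-registered but still password-dependent, and who has no MFA at all.
# Assumes: Microsoft.Graph.Reports module; AuditLog.Read.All scope.
Connect-MgGraph -Scopes "AuditLog.Read.All"

function Get-MfaPosture {
    param([Parameter(Mandatory)] $Detail)   # one userRegistrationDetails record from the report

    $methods = @($Detail.MethodsRegistered)
    if ($Detail.IsPasswordlessCapable) {
        # Authenticator passwordless, Windows Hello for Business or a FIDO2 key is registered
        $colour = "Green";  $advice = "Passwordless ready; keep a second passwordless method as backup"
    } elseif ($Detail.IsMfaRegistered) {
        $colour = "Yellow"; $advice = "MFA registered but still password-dependent; add Microsoft Authenticator or a FIDO2 key"
    } else {
        $colour = "Red";    $advice = "No MFA registered; register Microsoft Authenticator"
    }
    if (-not $Detail.IsSsprRegistered) { $advice += "; also register for self-service password reset" }

    [pscustomobject]@{
        User       = $Detail.UserPrincipalName
        Status     = $colour
        Methods    = ($methods -join ", ")
        DefaultMfa = $Detail.DefaultMfaMethod
        Advice     = $advice
    }
}

$posture = Get-MgReportAuthenticationMethodUserRegistrationDetail -All | ForEach-Object { Get-MfaPosture $_ }

$posture | Sort-Object Status | Format-Table User, Status, Methods, DefaultMfa -AutoSize
$posture | Group-Object Status | Select-Object Name, Count                 # tenant-wide counts per colour
$posture | Where-Object Status -ne "Green" | Select-Object User, Advice    # who to nudge, and how
```

Run it before and after a rollout wave: the Red-to-Yellow-to-Green movement is the progress measure for the Crawl stage, and the Advice column is the same recommendation the per-user card gives, just aggregated for IT.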


In E-Visor, it is not enough to just configure a service; let us help you optimize it and get your users up to their optimal configuration!

WALK/RUN STAGE – E-Visor Teams App – Improved Passwordless/Multi-Factor Experience within:

[My Sign-Ins]: Simplified Application Access


My Sign-Ins Status

Here the user can find, in a single page/section, access and configuration for:

  • Sign-ins: check on their access (successful/failed)
  • Multi-Factor Authentication Used: validate when MFA was requested (MFA Used box) and which kind of MFA was used for accessing a specific application
  • Conditional Access Used: see when conditional access policies were applied and, if access was not granted or was limited, identify the reason, then get to a resolution
  • Risk Events Count: identify and learn about risk events preventing user access to services or triggering additional security validation

In summary, here you can see what is going on with a couple of clicks and the corresponding details. Users leveraging the app are saving so much time for themselves and $ for IT and the organization, thanks to the self-service and optimized information that can quickly identify what is happening and what just happened!
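The four boxes listed above (sign-in result, MFA used, Conditional Access used, risk events) map directly onto fields of the Microsoft Graph sign-in log. The script below is an added example for this post, not E-Visor or Microsoft code; it pulls one user’s sign-ins from the last seven days and summarises them the same way. It assumes the Microsoft.Graph.Reports module, the AuditLog.Read.All and Directory.Read.All scopes, and a placeholder user principal name.

```powershell
# Added example, not E-Visor code. One user's recent sign-ins summarised as
# result / MFA used / Conditional Access / risk, mirroring the four "My Sign-Ins" boxes.
# Assumes: Microsoft.Graph.Reports module; AuditLog.Read.All and Directory.Read.All scopes.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$upn   = "ana@contoso.example"    # placeholder user, not a real account
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

function Get-SignInSummary {
    param([string] $UserPrincipalName, [string] $SinceUtc)

    $signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $SinceUtc" -Top 500

    foreach ($s in $signIns) {
        # Status.ErrorCode 0 is a successful sign-in; anything else carries a failure reason
        $result = if ($s.Status.ErrorCode -eq 0) { "Success" } else { "Failed ($($s.Status.ErrorCode)): $($s.Status.FailureReason)" }

        # Only policies that actually acted (enforced a grant or blocked) are worth surfacing
        $acted    = $s.AppliedConditionalAccessPolicies | Where-Object { $_.Result -in @("success", "failure") }
        $policies = ($acted | ForEach-Object { "$($_.DisplayName)=$($_.Result)" }) -join "; "

        [pscustomobject]@{
            When       = $s.CreatedDateTime
            App        = $s.AppDisplayName
            Result     = $result
            MfaUsed    = ($s.AuthenticationRequirement -eq "multiFactorAuthentication")
            MfaMethod  = $s.MfaDetail.AuthMethod        # which method satisfied MFA (Authenticator, FIDO2 key, ...)
            CAStatus   = $s.ConditionalAccessStatus      # success / failure / notApplied
            CAPolicies = $policies
            Risk       = $s.RiskLevelDuringSignIn        # none / low / medium / high / hidden
        }
    }
}

$rows = @(Get-SignInSummary -UserPrincipalName $upn -SinceUtc $since)
$rows | Sort-Object When -Descending | Format-Table When, App, Result, MfaUsed, MfaMethod, CAStatus, Risk -AutoSize

# The "MFA Used" and "Risk Events Count" boxes as plain numbers
"MFA prompted on {0} of {1} sign-ins"  -f @($rows | Where-Object MfaUsed).Count, $rows.Count
"Risky sign-ins: {0}"                  -f @($rows | Where-Object { $_.Risk -in @("low", "medium", "high") }).Count
"Blocked by Conditional Access: {0}"   -f @($rows | Where-Object { $_.CAStatus -eq "failure" }).Count
```

Two caveats when reading the output: a tenant without the AADP tier that includes Identity Protection reports the risk level as "hidden" rather than a real score, and a Conditional Access policy in report-only mode shows up in AppliedConditionalAccessPolicies with a report-only result, which is why the example only counts "success" and "failure" as policies that actually acted.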

[Image carousel of MFA method examples: Single Factor – Windows Hello; Single Factor – FIDO2 Security Key; Multi Factor – Password + Microsoft Authenticator app; Multi Factor – OATH]

Not using E-Visor? Of course you can use all these Microsoft AADP/Passwordless capabilities; however, while these security controls are amazing, do the exercise I mentioned at the start of this post: how many portals does the end user have to use? Does IT validate access, user experience, and security issues in each? We simplified all of that in our app.

Once again, consider the E-Visor Teams App your journey partner. Wherever your passwordless journey takes you, we not only tell you where you are, but how to get better! It is not just informational: the user can self-serve through the MFA portal, easily diagnose and fix issues, and get in the best shape possible with a few clicks.

If this journey sounds daunting, or even if you just need an action plan to get started, we are here to help. Our range of services goes beyond the E-Visor Teams App; we provide consulting to help organizations design, deploy, use, and extend Microsoft identity, security, and productivity services. For organizations that need ongoing support, we offer managed services that can help you monitor and optimize your IT implementations. Our E-Visor in Power BI solution can also help administrators view the usage and configuration of your Microsoft services, while highlighting the events that matter most to your organization. We can even help you procure Microsoft licenses. To talk to one of our solution engineers and see if we can help you, email us at info@synergyadvisors.biz

Summary

In this blog, we presented how much the E-Visor Teams app and AADP can accelerate your #passwordless adoption journey:

  • Microsoft provides all these technologies, where you can crawl, walk, and run
  • We give you a hand through our simplified end user view with recommendations and actionable tasks immediately available from users’ daily collaboration tool using E-Visor Teams App
    • Color-based status
    • Best practices recommendations
    • MFA and passwordless usage details
    • Quick links to portals to configure the services

Go ahead and download the E-Visor Teams App HERE and follow the steps to configure the app HERE:

  • NOTE: the E-Visor Teams App Entry version does NOT have the AADP capabilities; please contact us HERE to see how we can potentially facilitate E-Visor to a subset of your users, leveraging the Microsoft FastTrack Ready Program.

Before wrapping up for today, do not miss our next blog post around effective productivity using the E-Visor Teams App

Register for more here!

    Cheers!

    ©2020 Synergy Advisors LLC. ALL RIGHTS RESERVED.