Melanie Maynes, Author at Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog
Expert coverage of cybersecurity topics. Feed last updated Thu, 12 Sep 2024 20:48:42 +0000.

Why decentralization is the future of digital identities
http://approjects.co.za/?big=en-us/security/blog/2022/03/10/why-decentralization-is-the-future-of-digital-identities/
Thu, 10 Mar 2022 17:00:00 +0000

Our identity is increasingly becoming digitized—more of our hard copy credentials are converting into digital formats. We use these digital credentials to work, learn, play, socialize, shop, and consume services online and offline every day. It’s so convenient and expected now to be able to have these aspects of life accessible at our fingertips. More than half the global economy is based on or influenced by digital.[1] Digital information becomes fluid and interconnected across services. However, it’s not always under our control as individuals.

Digital identity is now on the verge of a major transformation into one that is more secure, privacy-respecting, and portable. Identity was not fundamentally built into the internet, which has resulted in companies building singular relationships with each of us. The development of these separate accounts, each stored in central databases owned by different companies, has led to an increased risk of security and privacy breaches. Simply digitizing a business process or physical ID doesn’t reduce these risks. We need an identity system that brings our identity together, owned by the individual, and makes digital identities portable in a way that is trusted and secure.

[Image: Two phones displaying a woman's driver license. The first shares all information on the card; the second shares only the name and age.]

To illustrate, consider a plastic driver license. Digitizing a driver license replaces the plastic card with a digital card in your smartphone wallet, for example. If you want to use your license to prove your age, a digital license makes it convenient to share with retailers and service providers, but at the same time it also becomes easier for companies to see all the information printed on your ID, such as birthdate and gender, opening the door to tracking and privacy concerns. When done right, though, it can improve privacy and security. Instead of simply digitizing the license and moving all the information printed on your ID to an image on a phone, a decentralized approach, where you own the identity and can show that the information was verified, allows you to share only the information that is necessary from your driver’s license and revoke it when needed.

Let’s go through some of the differences between digitization and decentralization of credentials.

Security and your digital identity

Digitizing an identity simply creates a digital representation of an asset, but that doesn’t necessarily mean it carries the same assurance level as the original file or document. While it may be digitized and issued by an official source, the verifier could make a digital copy and store it, which you have no control over. Apps often rely on attributes of the credential, and those apps are also susceptible to data breaches. To prove that a person is who they say they are, we’ve leaned on authentication methods such as usernames and passwords. When an account is hacked, a person is at the mercy of the company to reclaim their account and the personal data that is rightfully theirs. With decentralization, you can prove that a person is the genuine owner of a real-world identity by verifying their digitally signed credentials. Individuals can use a secure, encrypted wallet to store their identity data and easily control access to it. A decentralized identity could replace the need for usernames and passwords altogether and work with other forms of authentication to provide the required level of attestation.

Privacy and data protection

With the increase in digitization, privacy concerns are front and center. People are increasingly aware of the amount of data organizations are collecting about them and profiting from, causing some to turn to VPNs or share false information to devalue the data collected from them.[2] Data protection laws, such as the General Data Protection Regulation (GDPR), aim to put more control into the hands of users to see and manage their information, but they don’t solve the problem entirely. Rather than companies taking copies of your identity data, they could gain permission from the individual to access the required information and verify the data digitally without storing it. New standardized concepts being developed include zero-knowledge proofs, where one party can prove to another party that a given statement is true, such as that you are over a certain age or hold a particular citizenship, without revealing the underlying data. This limits the data shared to only what is needed. For organizations, it can reduce the burden of managing personally identifiable information (PII) by giving users complete control over what they share and making them the stewards of their own data. We believe selective disclosure and minimizing data travel are critical requirements for decentralizing identity.

Portability and visibility

Remember sharing copies of documents through email, before you could store them in the cloud? It created multiple copies of the same document, making it hard to keep track of changes and which one was the most recent file. With decentralization, people can store the original piece of identity data as a credential on their own device, cryptographically signed with their own private key, and share the record with any organization. The organization can then verify that it came from an authoritative source with a simple check on the ledger. The user retains visibility into how that information was used and for how long the organization has access to it. The use of open standards specifications, such as verifiable credentials from the World Wide Web Consortium (W3C), makes it easy for people and companies to receive and present credentials across platforms and services. It allows people to build relationships with organizations that are mutually beneficial.

Next steps

Turning credentials into digital form isn’t new, but decentralizing identity goes beyond that. It gives individuals the ability to verify their credentials once and use them anywhere as proof of attestation. With the nexus of control shifting to users, they can manage exactly what they want to share and for how long, and safeguard their data locked in their own digital wallet.

Standards for decentralization are still being formalized and tested, but it’s not too early to start exploring use cases. Think of areas where the benefits of decentralization can help your business, such as onboarding employees and contractors quickly, providing extra assurance when granting access to high-value applications, or recovering an account. With the momentum around decentralization of the internet, currency, assets, and more, we see a decentralized identity system as a crucial component to enable trust and security for the future.

Learn more about Microsoft’s decentralized identity solutions.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

[1] IDC FutureScape Webcast: Worldwide Digital Transformation 2022 Predictions, Shawn Fitzgerald and Robert Parker, IDC, November 2021.

[2] What Are Data Brokers – And What Is Your Data Worth?, WebFX Team, WebFX, March 16, 2020.

The post Why decentralization is the future of digital identities appeared first on Microsoft Security Blog.

3 key resources to accelerate your passwordless journey
http://approjects.co.za/?big=en-us/security/blog/2021/09/30/3-key-resources-to-accelerate-your-passwordless-journey/
Thu, 30 Sep 2021 16:00:46 +0000

The risks now outweigh the benefits for organizations using passwords as a security mechanism. In this post, we share the top resources to help you move forward on your passwordless journey.

Every organization today faces password-related challenges—phishing campaigns, productivity loss, and password management costs, to name just a few. The risks now outweigh the benefits when it comes to passwords. Even the strongest passwords are easily phishable and vulnerable to attacks such as password spray and credential stuffing. People don’t like them either—a third of people surveyed say they’d rather abandon a website than reset their password. “I don’t have any more passwords left in me” is becoming an all-too-common feeling. It’s time to look at password alternatives that are both highly secure and convenient. Here are a few key resources that can help you as you plan for and deploy passwordless authentication in your organization.

1. Preparing your organization for passwordless authentication

Today, the technology exists to make sign-ins simpler and more secure. Two protocols, WebAuthn and CTAP2, form what is known as the FIDO2 standard, which enables organizations to upgrade their authentication methods to strong, hardware-backed multifactor authentication options that don’t rely on passwords at all. Instead, you can use a physical key, laptop, or mobile app as your credential. Two questions customers often ask are: which method do I choose, and how do I get started?

I recently published an update to our Passwordless Protection whitepaper, which breaks down the different authentication methods, adoption strategies, and use cases. This guide gives you a great starting point for thinking through your strategy and a foundational understanding of how passwordless authentication works and the requirements for each of the options.

[Image: Workflow from left to right showing how administrators, information workers, firstline workers, and consumers arrive at the Usability, Security, and Cost benefits of passwordless authentication.]

10 reasons to love passwordless

This year, my colleagues also created a series of blog posts, 10 reasons to love passwordless, which expands on many of the concepts in the whitepaper.

  1. FIDO2-based credentials developed and adopted by the industry.
  2. Compliance with the National Institute of Standards and Technology (NIST) Authenticator Assurance Levels 2 and 3 (AAL2 and AAL3).
  3. Biometric authentication stored locally to uniquely and securely identify users.
  4. Faster sign-ins with Windows Hello built into your PC.
  5. Portable security keys in a variety of form factors that work across platforms.
  6. Helpdesk savings from password reset requests.
  7. Convenient sign-ins with Microsoft Authenticator app on your smartphone.
  8. Phishing-resistant credentials that reduce risk of compromise by over 99.9 percent.
  9. Easy setup and recovery of passwordless credentials with Temporary Access Pass.
  10. No passwords needed for users to be productive and secure.

2. Planning your passwordless deployment

Check out the passwordless authentication deployment guide, which goes in-depth into how to plan the project, deploy different methods, and manage policies for passwordless authentication based on what we’ve learned from thousands of implementations with customers. Use the passwordless recommendations tool in the Microsoft admin console to help you choose the right method for each of your audiences.

[Image: Passwordless sign-in approaches include Windows Hello for Business, the Microsoft Authenticator app, and security keys.]

You can also get a hands-on tour of passwordless capabilities in Microsoft Azure Active Directory in the Microsoft Mechanics video with Joy Chik, Corporate Vice President, Identity and Network Access, and host Jeremy Chapman.

[Image: Screenshot from the Microsoft Mechanics video with speakers Jeremy Chapman and Joy Chik.]

3. Learning from experts

Data is useful, but sometimes you want to hear from people with experience. Watch the Your Passwordless Future Starts Now digital event on-demand, where you’ll learn more about passwordless authentication and best practices for adopting an organization-wide passwordless strategy.

You’ll learn how to:

  • Reduce your security risk. Alex Simons, Corporate Vice President, Identity Program Management, Alex Weinert, Director of Identity Security, and Pamela Dingle, Director of Identity Standards, will cover the challenges of passwords that customers have faced and the benefits of moving to passwordless technologies. Passwordless methods like biometrics make it much simpler for people to sign in—and much harder for attackers to implement a successful phishing campaign. Developers also have a role in reducing the risk of passwords, which is why Mike Hanley, the Chief Security Officer at GitHub, will share how they’ve adopted passwordless for app development.
  • Deploy to your organization. If organization-wide passwordless authentication sounds too good to be true, you’ll want to hear from Mark Russinovich, Azure Chief Technology Officer, and Bret Arsenault, Microsoft Chief Security Officer. In this joint session, they will talk about lessons learned from adopting a passwordless strategy at Microsoft and testing the limits on how far passwordless can extend into your hybrid environment.
  • Help make it a smooth transition for users. Transitioning to a passwordless organization isn’t just about the right technology, it’s also about getting people to adopt something new. Charles Duhigg, New York Times bestselling author of The Power of Habit and Smarter, Faster, Better will explain why humans have such a hard time getting passwords right—and why we should stop expecting them to. He will explain the psychology behind password habits and look at history for insights on how cybersecurity leaders can help people be more secure.
  • Make the first step on your Zero Trust journey. You’ll also learn from the host of the event, Vasu Jakkal, Corporate Vice President, Security, Compliance, and Identity, on why passwordless is a necessary component of a Zero Trust security strategy, which starts with the premise that you must explicitly verify every access request. There are financial and human costs with cyberattacks, and she advises on the steps to take to fortify your digital security.

Learn more

For additional resources and the latest customer stories, visit the Microsoft passwordless web page.

The post 3 key resources to accelerate your passwordless journey appeared first on Microsoft Security Blog.

IT executives prioritize Multi-Factor Authentication in 2020
http://approjects.co.za/?big=en-us/security/blog/2020/03/05/it-executives-prioritize-multi-factor-authentication-2020/
Thu, 05 Mar 2020 17:00:06 +0000

We asked IT executives how they are approaching MFA in 2020. Most are expanding their MFA deployments or making other investments to better secure their identities.

In 2020, many IT executives will roll out or expand their implementation of Multi-Factor Authentication (MFA) to better safeguard identities. This is one of the key findings of a survey conducted by Pulse Q&A for Microsoft in October 2019.[1] Specifically, 59 percent of executives will implement or expand MFA within three to six months. Another 26 percent will do so within 12 months. These executives are initiating these projects because they believe that MFA provides better security preparedness. They’re right. MFA, which requires that users authenticate with at least two factors, can reduce the risk of identity compromise by as much as 99.9 percent over passwords alone.

Protecting identities is vital to cybersecurity. Bad actors use compromised identities to gain a foothold in an organization, avoiding detection for an average of 100 days.[2] Historically, organizations have relied on passwords to safeguard identities, but passwords alone aren’t enough. Eighty percent of hacking-related breaches can be attributed to weak or compromised passwords, according to Verizon’s 2019 Data Breach Investigations Report. MFA reduces risk because it’s significantly harder to compromise two or more authentication factors.

Beyond passwords, there are several different authentication factors that organizations can implement to better protect their identities. Basic MFA augments passwords with SMS, one-time passwords (OTP), and codes generated by a mobile device. Strong MFA utilizes high assurance factors such as FIDO security keys and smart cards to authenticate users. Fingerprint scans, facial scans, and other biometrics are secure authentication methods that can simplify sign-in for users. Sixty-four percent of the executives in the survey use basic MFA. Forty-three percent use strong MFA. Biometrics was cited by 11 percent of respondents.

But things are changing fast. Ninety-one percent of executives plan to evolve their MFA implementation in the coming year. Twenty-two percent want to move to strong MFA. Another 13 percent will migrate toward biometrics. Better security is the primary driver of these changes.

2020 is the year to prioritize MFA. You can significantly reduce your risk of identity compromise by augmenting or replacing passwords with other authentication factors. Learn how organizations are using MFA.

[1] Pulse Q&A Inc. conducted research for Microsoft in October 2019 with 100 Security and IT executives in North America representing 17 industry sectors.

[2] The median number of days an organization was compromised before discovering a breach in 2017 was 101 days, compared with 99 in 2016. Source: FireEye M-Trends 2018 Report.

The post IT executives prioritize Multi-Factor Authentication in 2020 appeared first on Microsoft Security Blog.

One simple action you can take to prevent 99.9 percent of attacks on your accounts
http://approjects.co.za/?big=en-us/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/
Tue, 20 Aug 2019 16:00:56 +0000

Learn about common vulnerabilities and what you can do to protect your company from attacks.

There are over 300 million fraudulent sign-in attempts to our cloud services every day. Cyberattacks aren’t slowing down, and it’s worth noting that many attacks have been successful without the use of advanced technology. All it takes is one compromised credential or one legacy application to cause a data breach. This underscores how critical it is to ensure password security and strong authentication. Read on to learn about common vulnerabilities and the single action you can take to protect your accounts from attacks.

[Animated image: the number of attacks and data breaches organizations face every day. 4,000 daily ransomware attacks; 300,000,000 fraudulent sign-in attempts; 167,000,000 daily malware attacks; 81% of breaches are caused by credential theft; 73% of passwords are duplicates; 50% of employees use apps that aren't approved by the enterprise; 99.9% of attacks can be blocked with multi-factor authentication.]

Common vulnerabilities

In a recent paper from the SANS Software Security Institute, the most common vulnerabilities include:

  • Business email compromise, where an attacker gains access to a corporate email account, such as through phishing or spoofing, and uses it to exploit the system and steal money. Accounts that are protected with only a password are easy targets.
  • Legacy protocols can create a major vulnerability because applications that use basic protocols, such as SMTP, were not designed to manage Multi-Factor Authentication (MFA). So even if you require MFA for most use cases, attackers will search for opportunities to use outdated browsers or email applications to force the use of less secure protocols.
  • Password reuse, where password spray and credential stuffing attacks come into play. Common passwords and credentials compromised by attackers in public breaches are used against corporate accounts to try to gain access. Considering that up to 73 percent of passwords are duplicates, this has been a successful strategy for many attackers and it’s easy to do.

What you can do to protect your company

You can help prevent some of these attacks by banning the use of bad passwords, blocking legacy authentication, and training employees on phishing. However, one of the best things you can do is to just turn on MFA. By providing an extra barrier and layer of security that makes it incredibly difficult for attackers to get past, MFA can block over 99.9 percent of account compromise attacks. With MFA, knowing or cracking the password won’t be enough to gain access. To learn more, read Your Pa$$word doesn’t matter.

MFA is easier than you think

According to the SANS Software Security Institute, there are two primary obstacles to adopting MFA implementations today:

  1. Misconception that MFA requires external hardware devices.
  2. Concern about potential user disruption or concern over what may break.

Matt Bromiley, SANS Digital Forensics and Incident Response instructor, says, “It doesn’t have to be an all-or-nothing approach. There are different approaches your organization could use to limit the disruption while moving to a more advanced state of authentication.” These include a role-based or by application approach—starting with a small group and expanding from there. Bret Arsenault shares his advice on transitioning to a passwordless model in Preparing your enterprise to eliminate passwords.

Take a leap and go passwordless

Industry protocols such as WebAuthn and CTAP2, ratified in 2018, have made it possible to remove passwords from the equation altogether. These standards, collectively known as the FIDO2 standard, ensure that user credentials are protected end-to-end and strengthen the entire security chain. The use of biometrics has become more mainstream, popularized on mobile devices and laptops, so it’s a familiar technology for many users and one that is often preferred to passwords anyway. Passwordless authentication technologies are not only more convenient for people but are extremely difficult and costly for hackers to compromise. Learn more about Microsoft passwordless authentication solutions in a variety of form factors to meet user needs.

Convince your boss

Download the SANS white paper Bye Bye Passwords: New Ways to Authenticate to read more on guidance for companies ready to take the next step to better protect their environments from password risk. Remember, talk is easy, action gets results!

The post One simple action you can take to prevent 99.9 percent of attacks on your accounts appeared first on Microsoft Security Blog.
