Halfway Security Is No Security: When Windows Hello Leaves the Door Open

Raz Rafaeli | June 5, 2025

The very nature of authentication requires something that protects the entire threat landscape. Approaches such as Windows Hello for Business do a fine job, but they only do a fraction of the job. That is bad news for CISOs but great news for attackers.

One of the most fundamental truths in security strategy is the weak link. When securing a building, for example, installing thick steel doors with high-security deadbolts is a fine tactic, but it’s pointless to add more defenses to the door given that potential attackers have already decided to enter through a window. In other words, half-measures don’t work.

Nowhere is this more evident than in authentication. If you add robust authentication to 32 percent of your applications or other data entry points, that doesn’t ultimately help much. It just redirects attackers to more vulnerable entrances.

I bring this up because a lot of companies we work with have been asking about Windows Hello for Business. Microsoft’s WHfB is a fine authentication offering, but it is so limited that it really is akin to putting those high-security deadbolts on the door of only one entrance. What’s the point if it doesn’t protect every entry point?

Windows Hello for Business handles Windows desktops and SaaS applications, but it doesn’t protect legacy systems. And it often doesn’t fully cover employees when they work from home, depending on the device being used.

Microsoft excludes quite a few apps and services beyond that, including self-managed on-prem software (e.g., Oracle, SAP, other line-of-business apps), custom-developed apps, and network services like VPN, RDP, VNC, SSH, and VDI. 

WHfB’s product description talks about how it is “phish-resistant” and that “it circumvents phishing and brute force attacks” because “no passwords are used.” 

But that’s not how phishing works. As long as passwords are still active in the system, and they are, because they are still used in many corners of your threat landscape, the phishing threat exists. Some companies have stopped accepting passwords, but no one bothered to wipe out the password database. As long as passwords exist somewhere in the environment, they are a security threat. Users still have to maintain, protect, and use them, which means the threat surface is just as hospitable for attackers.

Don’t forget that phishing is only one way that attackers get hold of passwords. If they have old and yet-still-active credentials, they’re in. If they have stolen old and yet-still-active credentials from a data breach at some other company, they are in. If they find them for sale on the dark web, they are in.

These protection holes are deal-killing authentication limitations. They are candidly bigger issues than Microsoft will admit, and they force customers to accept limited coverage, an inconsistent user experience and extensive phishing risk. As long as user-managed directory credentials still exist, the system is, despite what Microsoft marketing says, not passwordless.

One counter to this argument is that we are attacking the good because we are holding out for perfection. But that is not a valid comparison. The truth is that a universal authentication approach that entirely eliminates passwords and can cover all systems, including legacy, cloud, mobile, remote, contractor, partner and even customer access, is not only practical but something we do for global customers every day.

All it takes is treating authentication as fundamental to the business, which means a single authentication mechanism that covers the entire threat landscape and specifically protects every single point of access. If a bad guy can break in via any entry point, why would you deliberately opt for an approach that leaves many access points unprotected?

Security via convenience is a bad idea, but making security convenient is perfect. That is why our authentication approach can protect everything without changing any of your infrastructure. 

That is because SDO’s approach does not need your team to build up PKI infrastructure to do away with repeat-use credentials. Instead, we integrate with all leading directories and access management packages without interrupting your existing identity workflows. Achieve better security, improve user experience and lower cost with our universal approach. 

This is the approach that your compliance regulators will love, and one that you would never get from Microsoft.