Single Sign On (SSO) Technologies

Hello for business

Windows Hello for Business – no more Passwords in 2019?


In the US, businesses are projected to spend more than $65 billion on cybersecurity solutions. With good reason too. Cyberattacks may have abated from 2017’s high of 1.6 billion, but they still remain quite elevated in this ever-connected digital world.

Fortunately, new security solutions such as Windows Hello for Business can help make companies more secure. IT managers will be happy to know that solutions like this don’t need to eat up a big part of the tech budget either.

What is Windows Hello for Business?

Microsoft has stated that it is "committed to its vision of a world without passwords." While this may seem to run counter to the need for increased security, the company's no-password world relies on other security measures that address the inherent weaknesses of passwords. Passwords can be:

  • Difficult to remember, leading users to write them down in an insecure location or to use the same password on multiple sites
  • At risk for phishing attacks and replay attacks
  • Easily exposed in server breaches

With Windows 10 devices, users can now use Microsoft's new Windows Hello service, designed to help address these password flaws. The business version of this innovation replaces passwords with stronger authentication based on a device and a biometric or a PIN. Windows Hello for Business delivers maximum protection through the combination of biometric authentication, Group Policy or mobile device management (MDM), and key- and certificate-based authentication.

With this new type of credential, users can gain secure access to an Active Directory or Azure Active Directory.

How Does Hello for Business Get Rid of Passwords?

During enrollment, users have to complete an initial two-step verification. This is a one-time step; they won't have to perform it again. To finish set-up, users then set a gesture. The gesture can be a biometric or a PIN.

A biometric is a way to sign in based on fingerprint matching, iris scan or facial recognition. Your Windows 10 device must have a way to read these biometric indicators, such as a fingerprint scanner or infrared-capable camera (to differentiate a human face in person from a photograph). Increasingly, devices are coming standard with these features, or they can be purchased separately. Note that with current technology, iris scans work best on mobile devices, so enterprise solutions may want to focus on fingerprints and facial recognition.

It's important to note that this biometric data is stored locally, so there is no central location holding all the biometric data that could be hacked.

A PIN might not sound much different than a password, but it is more secure. A PIN is tied to the specific hardware, so it is not useful to a hacker unless they also have the hardware. As with biometric data, PINs aren't transmitted anywhere.

A PIN is more secure than a password because it creates an asymmetric key pair for authentication. As an administrator, you can set policies for PINs – for example, characters that aren't allowed or lockout periods after brute-force attempts to gain access. As a standard, the service does not allow PINs that have a constant delta (rate of change) from one digit to the next.
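The constant-delta rule described above can be sketched as follows. This is an added example, not Microsoft's code or code from the original article; it assumes numeric PINs and that the step between digits wraps modulo 10 (so 9630 counts as a constant step of 7), and the sample PINs are constructed.

```python
from itertools import product


def digit_deltas(pin: str) -> list[int]:
    """Step from each digit to the next, wrapping modulo 10 (assumption)."""
    digits = [int(c) for c in pin]
    return [(b - a) % 10 for a, b in zip(digits, digits[1:])]


def has_constant_delta(pin: str) -> bool:
    """True if every digit-to-digit step is identical, e.g. 1111, 1234, 9630."""
    if not (pin.isascii() and pin.isdigit()):
        raise ValueError("this check only applies to numeric PINs")
    deltas = digit_deltas(pin)
    return len(deltas) >= 2 and len(set(deltas)) == 1


def audit(pins: list[str]) -> dict[str, str]:
    """Label each candidate PIN as the rule would treat it."""
    return {p: "rejected" if has_constant_delta(p) else "allowed" for p in pins}


def rejected_count(length: int) -> int:
    """Count the numeric PINs of a given length that the rule rejects."""
    candidates = product("0123456789", repeat=length)
    return sum(has_constant_delta("".join(c)) for c in candidates)


# Constructed sample PINs, not taken from any real deployment.
SAMPLES = ["1111", "1234", "1357", "9630", "1593", "7036", "1231", "1872"]

if __name__ == "__main__":
    for pin, verdict in audit(SAMPLES).items():
        print(f"{pin}: deltas={digit_deltas(pin)} -> {verdict}")
    n = rejected_count(4)
    print(f"{n} of {10 ** 4} four-digit PINs are rejected")
```

The rule removes only 100 of the 10,000 possible four-digit PINs, so it costs about 1% of the keyspace while excluding the repeated and stepped patterns that are guessed first.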

What is Multi-factor Authentication?

Multi-factor authentication is used to describe security measures that rely on three factors:

  • Something you have
  • Something you know
  • Something you are

Windows Hello for Business can satisfy all of these requirements if you have the right equipment. The thing you have is the private key or token that is protected by your device's security. The thing you know is the PIN you set up. The thing you are is your fingerprint, iris or face, that is, the biometric gesture you use.

Although you only really need two of these factors to unlock your device, you can set up your device to require an additional factor in order to access your desktop.

Given these extra layers, multi-factor authentication is more secure than other measures of protection. Biometric data, in particular, is difficult to hack. An attacker would not only have to get your device but would also need you present in order to scan your finger, face or eye.


How Does Windows Hello Integrate with Third-Party Authentication?

If you already have a third-party authentication system set up, you can still benefit from this new Windows service. Windows Hello for Business can be configured to work with third-party authenticators in Active Directory Federation Services (AD FS). Currently, Microsoft lists twelve outside offerings that work with Hello for Business.

These offerings include services such as:

You can also build your own custom authentication method.

What are the Basic Technical Requirements?

Beyond a Windows 10 device (either desktop or mobile) and, for biometrics, fingerprint sensors and software or facial recognition devices with infrared sensors and software, the basic technical requirements will vary based on your deployment strategy.

If you are doing a cloud-only deployment, then you’ll need:

  • Windows 10, version 1511 or later
  • Microsoft Azure Account
  • Azure Active Directory
  • Azure Multi-factor authentication

Modern Management and Azure AD Premium subscription are optional in cloud deployments.

If you are doing an on-premises deployment, then you'll need:

  • Windows 10, version 1703 or later
  • Windows Server 2016 Schema
  • Windows Server 2008 R2 Domain/Forest functional level
  • Windows Server 2016 Domain Controllers
  • Windows Server 2012 or later Certificate Authority
  • Windows Server 2016 AD FS with KB4088889 update
  • AD FS with Azure MFA Server, or AD FS with 3rd Party MFA Adapter

In this deployment, an Azure Account is optional for Azure MFA billing.

Hybrid deployments are more complicated.

Is it Right for My Business?

Most businesses, especially those that still rely on cumbersome and cyberattack-prone passwords, would probably benefit from implementing Windows Hello for Business. It is a relatively cost-effective and easy way to increase your security. It will require some set-up and perhaps some initial investments in hardware for biometric scans, but the long-run gains in security will likely outweigh these set-up costs.

2019 may be too early to declare the end of passwords. However, technology seems to be headed in that direction and adopting Windows Hello for Business may help you stay ahead of this technological shift.

Resources:

https://www.computerworld.com/article/3220967/microsoft-windows/windows-hello-for-business-next-gen-authentication-for-windows-shops.html

https://support.microsoft.com/en-us/help/17215/windows-10-what-is-hello

https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification

Single Sign On (SSO)

How Single Sign-On Technologies can Improve Your Team's Productivity

If you’re like most businesses in Melbourne or Sydney, you’re likely looking for ways to optimize your workflow to keep your workforce engaged and increase productivity. Single sign-on (SSO) technologies can help you accomplish this by providing you and your employees with a way to save time while reducing costs and strengthening your network security.

How does single sign-on work?

SSO is an authentication service that allows the user to use one set of login credentials to access several applications. Once signed on, users will have access to all of their productivity applications and utilities without having to authenticate more than once. Software applications – including web apps – are housed in a secure cloud and behind a firewall.

SSO is also helpful for monitoring user accounts and activity, always a helpful tool when managing a large or remote workforce.

Once the user logs in to their single sign-on portal, they can access everything they need to get the job done. Two-factor or multi-factor authentication can be enabled as well. Further security policies can be configured to limit user access to sensitive or confidential documents, so only those users with appropriate authority can open or modify them.

Credentials are handled by a policy server, which authenticates each user based on their configured access. The administrator can configure several levels of user access,

Once signed in, users won’t have to log in a second time in order to use any supported apps or services.

More benefits of single sign-on

Deploy apps across the entire network at once

Another bonus of SSO is having the ability to roll out new applications to your entire workforce at once. Since the software lives in the cloud, once it’s deployed, everybody on your network with the appropriate credentials will have access to it.

Enhanced security

Your IT department or administrator can easily enforce security policies and manage users from a single dashboard. They will also have the ability to oversee what subscriptions are attributable to a specific user account.

The SSO system can be configured to lock out users after a set number of failed login attempts or to lock out accounts if login attempts are originating from a suspicious external network or source.

Platform and device agnostic

Users can sign in to access all network apps, regardless of what type of device or computer operating system they are working on.

Save time with multiple login functionalities

Multiple logins can be implemented to streamline your workflow, which is very helpful if you work in multiple environments. If you are a web designer, for example, and are working on several WordPress sites, you can set up multiple logins to give you access to all of your sites without logging out and back in again. In other scenarios, a design company that stages and produces on separate platforms will be able to continue working without interruption, and marketing professionals will be able to use it to access all of their social media accounts from within the portal.

Better reporting, better compliance

Along with a centralized dashboard for configuration, SSO offers centralized access logs that can help you determine how your users are spending their time. For industries that deal with a lot of confidential or personal information, such as healthcare or the legal industry, such reports can be helpful for compliance with data privacy and security policy and regulation.

Potential drawbacks debunked

As critics of SSO are so quick to point out, a security breach on a user account could be a disastrous and disruptive event. However, when using an SSO, the risks are considerably reduced, as people and companies who do not use single sign-in often recycle the same passwords for multiple sites and applications, and frequently store these passwords in unsafe areas.

Are you ready for single sign-on? Call Greenlight today!

In conclusion, SSO can help your team’s productivity by allowing them to focus on the task at hand without the distractions of having to use several different logins and security protocols. It helps your IT team become more efficient as well, as system configuration, user activity, and reports can be accessed from a centralized dashboard.

If you are thinking about migrating to a single sign-on environment, call Greenlight today. One of our technicians will be happy to answer any questions you have and help you choose the SSO provider that’s right for what you do.