Microsoft’s guide for going password-less

Presentation transcript:

THR2259: Microsoft’s guide for going password-less. 9/12/2018 3:33 PM. Karanbir Singh, Senior Program Manager, karans@microsoft.com, Twitter: @_karanbir. © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Session objectives and takeaways. Session objectives: Password-less - Why?; Our strategy; Password-less technologies available today; What’s coming; Demos. Takeaways: Microsoft’s commitment to enabling a world without passwords; Strategy and tangible next steps on how to take your enterprise password-less. © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

TURBULENT TIMES. 160 MILLION customer records compromised. 229 DAYS between infiltration and detection. $3 MILLION of cost/business impact per breach.

The hits keep on coming… “Equifax data breach may affect half US population.” “Thieves stole customer names, Social Security numbers, birthdates and addresses in a hack that stretched from mid-May and July. The data taken affected as many as 143 million people…” Alfred Ng, CNET, September 7 2017. Source: https://www.cnet.com/news/equifax-data-leak-hits-nearly-half-of-the-us-population/

Nobody likes passwords. Alpha-numeric passwords are hard for humans to remember and easy for computers to guess. On mobile devices entering passwords is impossible. Credential reuse across multiple services increases attack surfaces. Even the strongest passwords are easily phishable.

Nobody likes passwords. #1 COST for Enterprise IT departments. For Microsoft account, in the month of July: 686K forgotten passwords; $12M+ spent on forgotten passwords.

Nobody likes passwords. Passwords + 2FA is more secure, but also more complicated and difficult to use. [Figure: password sign-in plus a 2FA verification code shown in a Messages notification.]

The search for better. [Figure: chart with axes Low Security to High Security and Inconvenient to Convenient; items shown: Passwords, Passwords + standard 2FA, and “?”.]

Passwords: human generated symmetric secrets. Insecure; Inconvenient; Expensive.

Passwords: human generated symmetric secrets. Insecure; Inconvenient; Expensive. Easy to provision; Portable; Compatible.

What does password-less mean to us? User promise: End-users never have to deal with passwords in their day-to-day lives. Security promise: User credentials cannot be cracked, breached, or phished.

Strategy. 1. Develop and deploy pwd-replacement offerings. 2. Reduce user-visible pwd surface area. 3. Transition users & devices into using machine generated key based solutions. 4. Eliminate pwds from identity directory. Achieve End-User Promise. Achieve Security Promise.

What’s available today? 1. Develop and deploy pwd-replacement offerings. 2. Reduce user-visible pwd surface area. 3. Transition users & devices into using machine generated key based solutions. 4. Eliminate pwds from identity directory. Items shown: Windows Hello for Business; Authenticator app; SmartCard only; MSA password-less opt in; Windows Hello; App Passwords; Smart Card for Interactive Login; WHFB for mainstream scenarios; Enlightened inbox apps; Modern Authentication libraries; Policies to disable password credential provider.

Windows Hello. USER CREDENTIAL: An asymmetrical key pair, provisioned via PKI or created locally via Windows 10. UTILIZE FAMILIAR DEVICES. SECURED BY HARDWARE.

Windows Hello Adoption [Windows 10]. 37M active Windows Hello users. 200+ enterprises have deployed Windows Hello for Business. >25K: largest customer enterprise deployment. BRK2076: Windows Hello for Business: What’s new in 2017. BRK2075: Extending Windows Hello with trusted signals.

Extending Windows Hello… Devices & Sensors; Environmental awareness; Behavioral patterns; Better Trust Decisions.

Microsoft Account: Phone sign-in using Microsoft Authenticator. Password-less authentication. Public / Private key exchange. ## people using/Growth data if we have it New Data on- Andrew Pickering over a $1million, will get the data…One we publish top requests for enterprises.

Modern Authentication. Azure Active Directory; Microsoft account; Web Account Manager; Microsoft Auth Library (MSAL).

Demo: E2E OOBE(?) + Windows Hello + SSO + Recovery

What you can do today! Guide for going password-less. 1. Deploy pwd-replacement offerings. 2. Reduce user-visible pwd surface area. 3. Simulate password-less on your devices. 4. Eliminate pwds from identity directory. Actions shown: Deploy Windows Hello for Business, Authenticator app; Upgrade LOB and web apps to modern authentication; Disable Password credential provider; Identify & phase out legacy workflows. Stay tuned. Lots more coming…

Just around the bend…

Azure Active Directory: Phone sign-in using Microsoft Authenticator. Password-less authentication. Public / Private key exchange.

Windows 10. Device unlock; Web-Auth; FIDO 2.0 compliant; POC ready (cloud-only).

Fast IDentity Online 2.0. Standards-based, interoperable authentication. Works with the same devices people use every day. Based on public key cryptography. Biometrics and keys never leave the device. Protects against phishing, man-in-the-middle and replay attacks.
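
How the properties on the FIDO 2.0 slide fit together, as an added example that is not part of the original deck and is not Microsoft or FIDO Alliance code: a simplified challenge-response model built on Node.js crypto, not the WebAuthn API. The names createAuthenticator and createRelyingParty and the login.example origins are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Device side (constructed model): the key pair is generated on the device and
// only the public half is ever handed out.
function createAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey,
    // The client, not the user, records the origin it is actually talking to.
    sign(challenge, origin) {
      const clientData = Buffer.from(JSON.stringify({ challenge, origin }));
      return { clientData, signature: crypto.sign('sha256', clientData, privateKey) };
    },
  };
}

// Server side (constructed model): stores a public key, never a shared secret.
function createRelyingParty(expectedOrigin, publicKey) {
  const pending = new Set(); // challenges issued and not yet used
  return {
    newChallenge() {
      const challenge = crypto.randomBytes(32).toString('base64');
      pending.add(challenge);
      return challenge;
    },
    verify({ clientData, signature }) {
      // Check the signature before trusting anything inside clientData.
      if (!crypto.verify('sha256', clientData, publicKey, signature)) {
        return 'rejected: bad signature';
      }
      const { challenge, origin } = JSON.parse(clientData.toString());
      if (origin !== expectedOrigin) return 'rejected: wrong origin';
      // Each challenge is single-use, so a captured response cannot be replayed.
      if (!pending.delete(challenge)) return 'rejected: challenge reused or unknown';
      return 'accepted';
    },
  };
}

function demo() {
  const site = 'https://login.example'; // constructed origin
  const device = createAuthenticator();
  const rp = createRelyingParty(site, device.publicKey);
  const response = device.sign(rp.newChallenge(), site);
  const first = rp.verify(response);
  const replayed = rp.verify(response); // same bytes sent a second time
  // A look-alike site relays a real challenge, but the client signs the origin it sees.
  const relayed = rp.verify(device.sign(rp.newChallenge(), 'https://login.example.invalid'));
  // A different device holds a different private key.
  const otherKey = rp.verify(createAuthenticator().sign(rp.newChallenge(), site));
  return { first, replayed, relayed, otherKey };
}

console.log(demo());
```

The server holds nothing that can be used to sign in elsewhere if its database is breached, which is the contrast with the "human generated symmetric secrets" slide earlier in the deck.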

FIDO Alliance board members …and hundreds of industry partners

The roadmap to no more passwords. [Diagram labels: Windows 10 or other OS; Microsoft Edge or other browser; Any device; Microsoft Authenticator; Device + Biometric; Biometric on device +; On-premises app; Web app; SaaS service; Microsoft account; Azure Active Directory.]

In review: session objectives and takeaways. Go password-less today! Deploy Windows Hello for Business, Authenticator app, FIDO. Upgrade LOB and web apps to modern authentication. Disable password credential provider. Identify & phase out legacy workflows. Report gaps so we can address them! Stay tuned! There is a lot more coming!

Ignite Resources. BRK2017: Saying goodbye to passwords. BRK2076: Windows Hello for Business: What’s new in 2017. BRK2075: Extending Windows Hello with trusted signals. BRK2077: Credential protection in Windows: An Overview. THR2259: Microsoft’s guide for going password-less.

Please evaluate this session. From your PC or tablet: visit MyIgnite https://myignite.microsoft.com/evaluations. Phone: download and use the Microsoft Ignite mobile app https://aka.ms/ignite.mobileapp. Your input is important!

Thank you