Microsoft becomes first Fortune 500 company to adopt password-less authentication

Howdy folks,

I’m so excited to share today’s news! We just turned on the ability to securely sign in with your Microsoft account using a standards-based FIDO2 compatible device—no username or password required! FIDO2 enables users to leverage standards-based devices to easily authenticate to online services—in both mobile and desktop environments.

This combination of ease of use, security, and broad industry support is going to be transformational both at home and in the modern workplace. Every month, more than 800 million people use a Microsoft account to create, connect, and share from anywhere to Outlook, Office, OneDrive, Bing, Skype, and Xbox Live for work and play. And now they can all benefit from this simple user experience and greatly improved security.

Starting today, you can use a FIDO2 device or Windows Hello to sign in to your Microsoft account using the Microsoft Edge browser.

Microsoft has been on a mission to eliminate passwords and help people protect their data and accounts from threats. As a member of the Fast Identity Online (FIDO) Alliance and the World Wide Web Consortium (W3C), we’ve been working with others to develop open standards for the next generation of authentication. I’m happy to share that Microsoft is the first Fortune 500 company to support password-less authentication using the WebAuthn and FIDO2 specifications, and Microsoft Edge supports the widest array of authenticators compared to other major browsers.

If you want to know more details on how it works and how to get started, keep reading on.

Get started

To sign in with your Microsoft Account using a FIDO2 security key:

  1. If you haven’t already, make sure you update to Windows 10 October 2018.
  2. Go to the Microsoft account page on Microsoft Edge and sign in as you normally would.
  3. Select Security > More security options and under Windows Hello and security keys, you’ll see instructions for setting up a security key. (You can purchase a security key from one of our partners, including Yubico and Feitian Technologies, that support the FIDO2 standard.*)
  4. Next time you sign in, you can either click More Options > Use a security key or type in your username. At that point, you’ll be asked to use a security key to sign in.

And as a reminder, here’s how to sign in with your Microsoft account using Windows Hello:

  1. Make sure you’ve updated to Windows 10 October 2018.
  2. If you haven’t already, you’ll need to set up Windows Hello. If you have Windows Hello set up, you’re good to go!
  3. Next time you sign in on Microsoft Edge, you can either click More Options > Use Windows Hello or a security key or type in your username. At that point, you’ll be asked to use Windows Hello or a security key to sign in.

If you need more help, check out our detailed help article about how to get set up.

*There are a couple of optional features in the FIDO2 spec that we believe are fundamental to security, so only keys that have implemented those features will work. Read What is a Microsoft-compatible security key? to learn more.

How does it work?

Under the covers, we implemented the WebAuthn and FIDO2 CTAP2 specifications into our services to make this a reality.

Unlike passwords, FIDO2 protects user credentials using public/private key cryptography. When you create and register a FIDO2 credential, the device (your PC or the FIDO2 device) generates a private and public key on the device. The private key is stored securely on the device and can only be used after it has been unlocked using a local gesture like a biometric or PIN. Note that your biometric or PIN never leaves the device. At the same time that the private key is stored, the public key is sent to the Microsoft account system in the cloud and registered with your user account.

When you later sign in, the Microsoft account system provides a nonce to your PC or FIDO2 device. Your PC or device then uses the private key to sign the nonce. The signed nonce and metadata are sent back to the Microsoft account system, where they are verified using the public key. The signed metadata, as specified by the WebAuthn and FIDO2 specs, provides information such as whether the user was present, and confirms that the authentication was approved through the local gesture. It’s these properties that make authentication with Windows Hello and FIDO2 devices not “phishable” or easily stolen by malware.

How do Windows Hello and FIDO2 devices implement this? Based on the capabilities of your Windows 10 device, you will either have a built-in secure enclave, known as a hardware trusted platform module (TPM) or a software TPM. The TPM stores the private key, which requires either your face, fingerprint, or PIN to unlock it. Similarly, a FIDO2 device, like a security key, is a small external device with its own built-in secure enclave that stores the private key and requires the biometric or PIN to unlock it. Both options offer two-factor authentication in one step, requiring both a registered device and a biometric or PIN to successfully sign in.

Check out this article on our Identity Standards blog, which goes into all the technical details around the implementation.

What’s next

We have tons of great things coming out as part of our efforts to reduce and even eliminate the use of passwords. We are currently building the same sign-in experience from a browser with security keys for work and school accounts in Azure Active Directory. Enterprise customers will be able to preview this early next year, where they will be able to allow their employees to set up their own security keys for their account to sign in to Windows 10 and the cloud.

Furthermore, as more browsers and platforms start supporting the WebAuthn and FIDO2 standards, the password-less experience—available on Microsoft Edge and Windows today—will hopefully be available everywhere!

Stay tuned for more details early next year!

Best Regards,
Alex Simons (@Twitter: @Alex_A_Simons)
CVP of Program Management
Microsoft Identity Division

Brad Smith on the Paris Call: An important step toward peace and security in the digital world

Today, French President Emmanuel Macron launched a global effort among governments, businesses and civil society to protect and defend against threats to the digital infrastructure that runs our daily lives. We’re proud to be one of the 370 signatories of The Paris Call for Trust and Security in Cyberspace. This includes 51 governments from around the world, including all 28 members of the European Union and 27 of the 29 NATO members. It also includes key governments from other parts of the world, including Japan, South Korea, Mexico, Colombia and New Zealand.

The Paris Call is an important step on the path toward digital peace, creating a stronger foundation for progress ahead. It calls for strong commitments in support of clear principles and strong norms to protect citizens and civilian infrastructure from systemic or indiscriminate cyberattacks. Similarly, it calls for governments, tech companies and nongovernmental organizations (NGOs) to work together to protect our democracies and electoral processes from nation-state cyberthreats.

The Paris Call breaks new ground by bringing together an unprecedented and broad array of supporters behind these steps. Its signatories include more than 200 companies and business associations, including leading tech companies such as Microsoft, Google, Facebook, Intel, Ericsson, Samsung, Accenture, Fujitsu, SAP, Salesforce and Hitachi. Importantly, it also includes leading financial services institutions such as Citigroup, Mastercard, Visa and Deutsche Bank, as well as industrial leaders such as Nestle, Lufthansa and Schneider Electric. And it includes almost 100 critical NGOs that span groups across civil society.

All of this is important for a reason. Success in advancing cybersecurity requires an approach that is not only multinational, but multistakeholder in nature. This is because cyberspace, unlike the traditional planes of warfare like land, sea and air, is typically privately owned. Cyberspace in fact consists of concrete elements in the real world, such as datacenters, undersea cables, and laptops and mobile devices. These are designed and manufactured by private companies. And often they are owned and operated by tech companies and others in the private sector.

While the tech sector has the first and highest responsibility to protect this technology and the people who rely upon it, this is an issue that requires that governments, companies and civil society come together. That is the only effective way to protect people from what at times have become military-grade cybersecurity threats.

Increasingly, it is apparent that the people of the world appreciate this as well. This morning in Paris I announced that more than 100,000 individuals from more than 130 countries have now signed the petition calling for Digital Peace Now, spearheaded with Global Citizen. And like the signatories to the Paris Call, this number is continuing to grow.

Today’s announcements came as part of the Paris Peace Forum, an event commemorating the centennial of the Armistice that brought an end to the First World War. As was the case a century ago, the nature of technology and warfare is changing. A century ago, governments and human institutions failed to adapt to the changing world. This century, we need to do better. With the help of clear principles, strong protection and a growing multistakeholder coalition, we can build on today’s milestones and continue to provide the world the strong cybersecurity it deserves.

Top 10 security steps in Microsoft 365 that political campaigns can take today

The increasing frequency of cyberattacks makes clear that more must be done to protect key democratic institutions from cyber-enabled interference. With just a few weeks left before the U.S. midterm elections and early voting under way, campaigns must stay vigilant in protecting against cyberattacks on their online collaboration tools, including email. Microsoft recommends taking action today to protect against phishing, malware, account compromise, and other threats—see Top 10 ways to secure Office 365 and Microsoft 365 Business plans from cyberthreats. These recommendations are tailored for small to mid-sized political campaigns and election-focused stakeholders using Office 365 or Microsoft 365. Any organization—especially those without full-time IT security staff—can benefit from taking these actions.

This guidance provides step-by-step instructions for using 10 high-impact security capabilities. These actions help you implement many of the best practices recommended in the Cybersecurity Campaign Playbook, created by the Defending Digital Democracy program at Harvard Kennedy School’s Belfer Center for Science and International Affairs.

Top 10 cybersecurity recommendations:

  1. Set up two-step verification for all staff.
  2. Train campaign staff to quickly identify phishing attacks.
  3. Use dedicated accounts for administration.
  4. Raise the level of malware protection in mail.
  5. Protect against ransomware.
  6. Prevent emails auto-forwarding outside of the campaign.
  7. Increase encryption for sensitive emails.
  8. Protect your email from phishing attacks.
  9. Protect against malicious attachments in email.
  10. Protect against phishing attacks that include malicious website links in email or other files.

Read Top 10 ways to secure Office 365 and Microsoft 365 Business plans from cyberthreats for details on how to implement each action.

These recommendations are provided as part of Microsoft’s ongoing commitment to the Defending Democracy Program. Qualifying organizations using Office 365 can also take advantage of Microsoft AccountGuard for additional protection to leverage Microsoft’s state-of-the-art threat detection and notification in case of targeted nation-state cyberattacks.

Building the security operations center of tomorrow—harnessing the law of data gravity

This post was coauthored by Diana Kelley, Cybersecurity Field CTO, and , EMEA Chief Security Advisor, Cybersecurity Solutions Group.

You’ve got a big dinner planned and your dishwasher goes on the fritz. You call the repair company and are lucky enough to get an appointment for that afternoon. The repairperson shows up and says, “Yes, it’s broken, but to figure out why I will need to run some tests.” They start to remove your dishwasher from the outlet. “What are you doing?” you ask. “I’m taking it back to our repair shop for analysis and then repair,” they reply. At this point, you’re annoyed. You have a big party in three hours, and taking the dishwasher all the way back to the shop for analysis means someone will be washing dishes by hand after your party—why not test it right here and right now so it can be fixed on the spot?

Now, imagine the dishwasher is critical business data located throughout your organization. Sending all that data to a centralized location for analysis will give you insights, eventually, but not when you really need it, which is now. In cases where the data is extremely large, you may not be able to move it at all. Instead it makes more sense to bring services and applications to your data. This is at the heart of a concept called “data gravity,” described by Dave McCrory back in 2010. Much like a planet, your data has mass, and the bigger that mass, the greater its gravitational pull, or gravity well, and the more likely that apps and services are drawn to it. Gravitational movement is accelerated when bandwidth and latency are at a premium, because the closer you are to something the faster you can process and act on it. This is the big driver of the intelligent cloud/intelligent edge. We bring analytics and compute to connected devices to make use of all the data they collect in near real time.

But what might not be so obvious is what, if anything, does data gravity have to do with cybersecurity and the security operations center (SOC) of tomorrow. To have that discussion, let’s step back and look at the traditional SOCs, built on security information and event management (SIEM) solutions developed at the turn of the century. The very first SIEM solutions were predominantly focused on log aggregation. Log information from core security tools like firewalls, intrusion detection systems, and anti-virus/malware tools were collected from all over a company and moved to a single repository for processing.

That may not sound super exciting from our current vantage point of 2018, but back in 2000 it was groundbreaking. Admins were struggling with an increasing number of security tools, and the ever-expanding logs from those tools. Early SIEM solutions gave them a way to collect all that data and apply security intelligence and analytics to it. The hope was that if we could gather all relevant security log and reporting data into one place, we could apply rules and quickly gather insights about threats to our systems and security situational awareness. In a way this was anti-data gravity, where data moved to the applications and services rather than vice versa.

After the initial “hype” for SIEM solutions, SOC managers realized a few of their limitations. Trying to write rules for security analytics proved to be quite hard. A minor error in a rule led to high false positives that ate into analyst investigative time. Many companies were unable to get all the critical log data into the SIEM, leading to false negatives and expensive blind spots. And one of the biggest concerns with traditional SIEM was the latency. SIEM solutions were marketed as “real-time” analytics, but once an action was written to a log, collected, sent to the SIEM, and then parsed through the SIEM analytics engine, quite a bit of latency was introduced. When it comes to responding to fast moving cyberthreats, latency is a distinct disadvantage.

Now think about these challenges and add the explosive amounts of data generated today by the cloud and millions of connected devices. In this environment it’s not uncommon that threat campaigns go unnoticed by an overloaded SIEM analytics engine. And many of the signals that do get through are not investigated because the security analysts are overworked. Which brings us back to data gravity.

What was one of the forcing factors for data gravity? Low tolerance for latency. What was the other? Building applications by applying insights and machine learning to data. So how can we build the SOC of tomorrow? By respecting the law of data gravity. If we can perform security analytics close to where the data already is, we can increase the speed of response. This doesn’t mean the end of aggregation. Tomorrow’s SOC will employ a hybrid approach by performing analytics as close to the data mass as possible, and then rolling up insights, as needed, to a larger central SOC repository for additional analysis and insight across different gravity wells.

Does this sound like an intriguing idea? We think so. Being practitioners, though, we most appreciate when great theories can be turned into real-world implementations. Please stay tuned for part 2 of this blog series, where we take the concept of tomorrow’s SOC and data gravity into practice for today.

Seattle Times: Microsoft releases new security tools for political campaigns to combat hacking attempts

Microsoft is offering new security tools to political campaigns — some measures with a level of technology usually reserved for government and big corporate customers — as it expands its efforts to stifle hacking attempts from foreign entities.

The Redmond company announced late Monday a new set of tools, called AccountGuard, that will closely watch hacking attacks and attempts made against campaigns, and notify their staff when threats occur. Microsoft will also offer training for staffers on how to make accounts more secure, and let them test new security tools “on a par” with the features Microsoft sells to government and corporate clients.

The AccountGuard services will be included for free to campaigns, candidates, think tanks and other political groups that are Office 365 customers. The service is the newest part of Microsoft’s Defending Democracy program announced this spring, which aims to make elections secure.

Microsoft pointed to the need to expand security efforts, saying it seized six website domains last week, with the help of a court order, that belonged to hacking group Fancy Bear. The group is believed to have ties to the Russian government and was behind the 2016 hack against the Democratic Party.

That group and others like it use domains such as senate.group and office365-onedrive.com to give the appearance of a trusted organization when they send out phishing emails. The emails could be used to obtain passwords and infiltrate political organizations.

So far, Microsoft has shut down 84 of these fake domains set up by Fancy Bear in the past two years. The company also revealed last month that it thwarted two attempts last fall by hackers trying to get inside two Senate candidate campaigns, including Missouri Democrat Sen. Claire McCaskill’s.

The number of hacking attempts has ticked up as midterm election campaigns get underway, Microsoft President Brad Smith wrote in a blog post Monday. It’s widely believed the threats aren’t as numerous as they were during the 2016 elections, but cybersecurity executives say they are still serious.

“We can only keep our democratic societies secure if candidates can run campaigns and voters can go to the polls untainted by foreign cyberattacks,” Smith wrote.

Attending Black Hat USA 2018? Here’s what to expect from Microsoft

Black Hat USA 2018 brings together professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors. This is an exciting time as our Microsoft researchers, partners, and security experts will showcase the latest collaborations in defense strategies for cybersecurity, highlight solutions for security vulnerabilities in applications, and bring together an ecosystem of intelligent security solutions. Our objective is to arm business, government, and consumers with deeply integrated intelligence and threat protection capabilities across platforms and products.

Security researchers play an essential role in Microsoft’s security strategy and are key to community-based defense. To show our appreciation for their hard work and partnership, each year at Black Hat USA, the Microsoft Security Response Center (MSRC) highlights the contributions of these researchers through the list of “Top 100” security researchers reporting to Microsoft (either directly or through a third party) during the previous 12 months. While one criterion for the ranking is volume of fixed reports a researcher has made, the severity and impact of the reports is very important to the ranking also. Given the number of individuals reporting to Microsoft, anyone ranked among the Top 100 is among some of the top talent in the industry.

In addition to unveiling the Top 100 and showcasing Microsoft security solutions at Booth #652, there are a number of featured Microsoft speakers and sessions:

Join us at these sessions during the week of August 4-9, 2018 in Las Vegas and continue the discussion with us in Booth #652, where we will have product demonstrations, theatre presentations, and an opportunity to learn more about our Top 100 and meet with some of Microsoft’s security experts and partners.

Microsoft gives parents peace of mind with new family features across devices

We live in a time of both great opportunity and great responsibility. Our children have access to more information, entertainment and more ways to connect than ever before, but with that comes plenty of new things that parents like you and me need to worry about, and new ways to distract their attention. Today, we are excited to introduce new features that make it easier and safer for families to interact with technology and each other, across devices and platforms.

Creating tools and features that empower both parents and kids has always been an important part of our work and is becoming increasingly vital, not only to us as a business, but to us as individuals – parents, aunts and uncles, siblings and friends. As a mother to a young and curious daughter, I deeply understand the need for tools to help balance the use of technology in the home as well as out of the home. It’s especially near and dear to me as leader of a team building experiences for mobile devices. We emphasize the idea of transparency as a guiding principle for these new experiences. Today, I am happy to share new features that will help create greater transparency between parent and child, as well as between Microsoft and parents in what to expect from our tools.

We’re bringing new features to the popular Microsoft Launcher app for Android with two new mobile experiences, currently in preview, that give parents more peace of mind for their family and a look at their child’s activity across their devices – Windows 10 PCs, Xbox One devices, and now their Android phone.

With Microsoft Launcher installed on your family’s Android devices and a Microsoft family group of accounts set up, parents can:

  • Stay up to date on kids’ whereabouts. At home and on the go, you can use Microsoft Launcher to get an update on your kids’ location and rest easier knowing they are safely where they should be. You can see your child’s (or children’s) last known location and time.
  • Be aware of which apps your kids are using. Check in on your kids’ app activity on their Android device, including which apps are accessed and time spent on each app. With Xbox One or a Windows 10 PC set up in your family portal, you can also view their activities on those devices through Microsoft Launcher.

Microsoft Launcher is the only launcher that gives parents this visibility across Android, Windows 10, and Xbox One devices. Children and parents always have the option to toggle features off and on at any time and, best of all, it’s free. If you have a Microsoft family group, you can install Microsoft Launcher on your family’s Android devices. If you don’t have a family group set up yet, it’s easy – here’s how.

With Microsoft Edge, the ability to allow or block websites has always existed on your PCs. Now, we are extending this feature to you and your family’s Android devices. If you have set up a Microsoft family group, any websites you have already tagged as allowed or blocked for your kid(s) will carry the same settings as they try to access websites in Microsoft Edge on their Android devices. The update will begin rolling out today.

A site blocked in Microsoft Edge for Android

We are also excited to announce MSN Kids, currently in preview, a curated news site created specifically for children in the elementary and middle school age group. We saw a need for a place for kids to learn about the world in a safe, trustworthy and fun environment. The site offers editorially curated, age-appropriate news and features from partner publishers such as Time for Kids, Popular Science, Sports Illustrated for Kids, National Geographic, and USA TODAY.

MSN Kids brings curated, kid-friendly news to the web

Content is kid-friendly and helps children find things of interest to stay engaged, learn, and have fun – with no sponsored content or advertising. Kids can learn about animals, the world around them, kids like them doing interesting things around the globe and more. When using Microsoft Edge, kids can also use pen and read aloud to engage with puzzles or assist with reading articles. Check out the preview today at msnkids.com.

These new experiences are the next step in a long history of creating products, features, and settings with families in mind, spanning gaming to mobile to PC and the web.

  • Family safety settings in Windows 10 and Xbox One:  With families today owning more personal devices than ever, including kids at increasingly younger ages, we’ve invested in family settings that work across devices and platforms. A core set of family safety settings – including the ability to block mature content and apps, set screen time limits, and review kids’ purchase requests – have long been available for Windows 10 PCs and Xbox One devices. These settings help parents keep kids safer, while also fostering independence and letting kids do homework, research, and be creative, using technology as a powerful learning tool.
  • Safer online spending with Ask a parent:  One especially useful setting, called Ask a parent, lets parents avoid surprise spending on Xbox or the Microsoft Store by receiving notifications when kids want to make a purchase. Parents can decide whether to approve based on the maturity level, cost, and whether it fits within screen time allowed. From the kids’ perspective, it’s a good way to let Mom or Dad know what cool new game they want. From the parents’ perspective, it’s a good way to help kids manage temptations (such as in-app purchases) and make good choices.
  • Shared family notebook in OneNote: Earlier this month we released the new family notebook in OneNote. We know families are busier than ever and with a family notebook your whole family can stay in sync and organized – from shopping lists to vacation planning, the whole family can share, edit and access information in one place.

These are just some of the many great features across our devices and services that empower families with peace of mind, tools to learn, grow and, of course, have fun. More information can be found at this page. Please download Microsoft Launcher and Microsoft Edge for Android and give the new features a try. We look forward to hearing your feedback so we can empower you with the best tools to create the safest, most productive and fun experiences for our families.